AAD B2B Collaboration Users

Cloud Journey
4 min read · Mar 13, 2021

Overview

Azure has supported cross-tenant VNet peering since 2018. Unlike connecting a VNet to an ExpressRoute circuit in another tenant, which is authorized with a circuit authorization key, VNet peering requires Azure RBAC permission on the network resources in both the source and the target subscription.

So in this article we will invite a guest user from another tenant, grant that guest user RBAC permission, and validate that the user has sufficient permission to create VNet peering between two AAD tenants.

There is no service principal involved in this experiment.

Lab

Lab Environment

There is one Azure subscription in tenant A and another subscription in tenant B.

A VNet is created in the eastus region in each subscription.

Invite Guest User

Here is the user in tenant A.

Let's invite it as a guest user into tenant B.

Invitation Redemption

We will redeem the invitation via the direct link: sign in as tenantAUser to https://portal.azure.com/<tenant B ID>

Azure RBAC Permission

Grant the Network Contributor built-in role to both "Tenant A User" and "Tenant B User" at resource group scope in both subscriptions. Resource group scope is enough: the peering only needs permission on the resource group that holds the remote VNet, so there is no reason to grant the guest anything at subscription scope.
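The invite-and-grant steps above, as an added PowerShell example (not code from the original article). It assumes the AzureAD and Az modules are installed, that the account running it can invite guests in tenant B and assign roles on the target resource group, and that the tenant ID, subscription ID, resource group name and guest address are placeholders you replace:

```powershell
# Added example, not from the original article. Placeholders (assumed): replace the
# tenant/subscription IDs, resource group and guest address with your own values.
$tenantB    = '<tenant B ID>'
$subB       = '<subscription B ID>'
$rgB        = 'rg-vnet-b'
$guestEmail = 'tenantAUser@<tenantA>.onmicrosoft.com'

# 1. From tenant B, invite the tenant A user as a B2B guest. The redirect URL is the
#    tenant-scoped portal link the guest uses to redeem the invitation.
Connect-AzureAD -TenantId $tenantB | Out-Null
$invite = New-AzureADMSInvitation -InvitedUserEmailAddress $guestEmail `
            -InviteRedirectUrl "https://portal.azure.com/$tenantB" `
            -SendInvitationMessage $true
$guestId = $invite.InvitedUser.Id     # object ID of the guest account in tenant B

# 2. Grant Network Contributor at resource-group scope, not subscription scope. The
#    peering needs Microsoft.Network/virtualNetworks/peer/action on the remote VNet's
#    resource group and nothing broader.
Connect-AzAccount -TenantId $tenantB -Subscription $subB | Out-Null
New-AzRoleAssignment -ObjectId $guestId `
                     -RoleDefinitionName 'Network Contributor' `
                     -ResourceGroupName $rgB | Out-Null

# 3. Verify: list every assignment the guest holds in this subscription. The only scope
#    should be the intended resource group; anything at '/subscriptions/<id>' or above
#    means the role was granted too broadly.
Get-AzRoleAssignment -ObjectId $guestId |
    Select-Object RoleDefinitionName, Scope, ObjectType |
    Format-Table -AutoSize
```

Run the same script in tenant A with the values swapped to invite tenantBUser, since the peering has to be created from both sides. The invitation is created before the guest redeems it, so step 3 will show the assignment even though the guest cannot yet sign in.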

Validation

Now log on to tenant A as the tenant A user. From tenant A, let's create the peering to the tenant B VNet.

You will have to input the VNet B resource ID and select tenant B from the drop-down. (If the guest user has not been created, or was created but the invitation has not been redeemed, tenant B will not appear in the drop-down.)

Make sure to click the "Authenticate" button; after authenticating successfully, click "Add".

Additional Information

When doing VNet peering, make sure there is NO IP address overlap between the peered VNets.

Azure VNet peering will only show Connected after you add the peering from both sides.

  • VNet A -> VNet B
  • VNetB -> VNet A

That means you need to add a guest user in both tenants, and make sure each invited user has the proper Azure RBAC permission to do the peering.

  • In tenant A, add guest user tenantBUser@<tenantB>.onmicrosoft.com
  • In tenant B, add guest user tenantAUser@<tenantA>.onmicrosoft.com

In this article, to keep it short, I only show inviting tenantAUser from tenant B. The process is the same for inviting tenantBUser from tenant A.

After tenantBUser is added to tenant A, you can add the peering from VNet B to VNet A.

Now both peerings show the status "Connected".
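The peering steps from the Validation section and the two-sided requirement above, as an added PowerShell example (not code from the original article). It assumes the Az module, that both guest accounts have been invited, redeemed and granted Network Contributor as described, that signing in to both tenants with Connect-AzAccount gives the Az context the tokens it needs for the remote VNet, and that the IDs and names are placeholders. The overlap check is pure arithmetic and runs without any Azure call:

```powershell
# Added example, not from the original article. Placeholders (assumed): replace every
# tenant/subscription ID, resource group and VNet name with your own values.
$tenantA = '<tenant A ID>'; $subA = '<subscription A ID>'; $rgA = 'rg-vnet-a'; $vnetAName = 'VNetA'
$tenantB = '<tenant B ID>'; $subB = '<subscription B ID>'; $rgB = 'rg-vnet-b'; $vnetBName = 'VNetB'

# Pre-check: peering is refused when address spaces overlap, so compare every prefix
# of both VNets before creating anything.
function ConvertTo-IpNumber ([string]$ip) {
    $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()   # network byte order
    [uint64]($b[0]) * 16777216 + [uint64]($b[1]) * 65536 + [uint64]($b[2]) * 256 + [uint64]($b[3])
}
function Get-CidrRange ([string]$cidr) {
    $ip, $len = $cidr.Split('/')
    $size  = [uint64][math]::Pow(2, 32 - [int]$len)
    $start = [uint64][math]::Floor((ConvertTo-IpNumber $ip) / $size) * $size
    [pscustomobject]@{ Start = $start; End = $start + $size - 1 }
}
function Test-CidrOverlap ([string[]]$prefixesA, [string[]]$prefixesB) {
    foreach ($a in $prefixesA) {
        foreach ($b in $prefixesB) {
            $ra = Get-CidrRange $a; $rb = Get-CidrRange $b
            if ($ra.Start -le $rb.End -and $rb.Start -le $ra.End) { return $true }
        }
    }
    return $false
}

# Sign in as tenantAUser to both tenants (member in A, guest in B); assumed to be what
# lets Add-AzVirtualNetworkPeering read the remote VNet, as the portal's "Authenticate"
# button does.
Connect-AzAccount -TenantId $tenantA -Subscription $subA | Out-Null
Connect-AzAccount -TenantId $tenantB -Subscription $subB | Out-Null

Set-AzContext -Tenant $tenantB -Subscription $subB | Out-Null
$vnetBPrefixes = (Get-AzVirtualNetwork -Name $vnetBName -ResourceGroupName $rgB).AddressSpace.AddressPrefixes

Set-AzContext -Tenant $tenantA -Subscription $subA | Out-Null
$vnetA = Get-AzVirtualNetwork -Name $vnetAName -ResourceGroupName $rgA
if (Test-CidrOverlap $vnetA.AddressSpace.AddressPrefixes $vnetBPrefixes) {
    throw "Address spaces of $vnetAName and $vnetBName overlap; peering would fail."
}

# A -> B half of the peering, created from tenant A against VNet B's resource ID.
$vnetBId = "/subscriptions/$subB/resourceGroups/$rgB/providers/Microsoft.Network/virtualNetworks/$vnetBName"
Add-AzVirtualNetworkPeering -Name 'VNetA-to-VNetB' -VirtualNetwork $vnetA -RemoteVirtualNetworkId $vnetBId | Out-Null

# With only one half in place this reports 'Initiated'. Repeat the steps above as
# tenantBUser (member in B, guest in A) with the A/B values swapped to create
# VNetB-to-VNetA; only then does PeeringState on both sides read 'Connected'.
(Get-AzVirtualNetworkPeering -VirtualNetworkName $vnetAName -ResourceGroupName $rgA -Name 'VNetA-to-VNetB').PeeringState
```

Test-CidrOverlap is worth keeping around on its own: it returns $true for 10.0.0.0/16 against 10.0.128.0/24 and $false for 10.0.0.0/16 against 10.1.0.0/16, which is the check the portal only reports as an error after you have already filled in the form.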

References

  • Virtual network peering across Azure Active Directory tenants | Azure updates | Microsoft Azure
  • Create a VNet peering - different subscriptions | Microsoft Docs
  • Add B2B collaboration users in the Azure portal - Azure AD | Microsoft Docs
  • Azure AD B2B invitation redemption, redemption through a direct link | Microsoft Docs: https://docs.microsoft.com/en-us/azure/active-directory/external-identities/redemption-experience#redemption-through-a-direct-link
  • ExpressRoute FAQ, connecting VNets in separate tenants or enrollments to a single circuit | Microsoft Docs: https://docs.microsoft.com/en-us/azure/expressroute/expressroute-faqs#i-have-multiple-azure-subscriptions-associated-to-different-azure-active-directory-tenants-or-enterprise-agreement-enrollments-can-i-connect-virtual-networks-that-are-in-separate-tenants-and-enrollments-to-a-single-expressroute-circuit-not-in-the-same-tenant-or-enrollment
  • Azure VNet Peering across Azure Active Directory tenants using Service Principal authentication | by Arsen Vladimirskiy | Medium
  • Create a VNet peering - different subscriptions, PowerShell | Microsoft Docs: https://docs.microsoft.com/en-us/azure/virtual-network/create-peering-different-subscriptions#powershell

Cloud Journey

All blogs are strictly personal and do not reflect the views of my employer. https://github.com/Ronnie-personal