Azure Authentication with Multi-Tenant Application

Overview

When you need to access Azure resources in another tenant, which identity should you use, and how do you authenticate to Azure? The lab below uses a multi-tenant app registration from tenant A as a service principal in tenant B.

Lab

Step 1, as a tenant B administrator in Azure PowerShell: sign in to tenant B, select the subscription, instantiate the multi-tenant app registration from tenant A as a service principal (enterprise app) in tenant B, then grant that principal a data-plane role on the resource group.

Connect-AzAccount -TenantId <tenant B>
Set-AzContext Active-02-27
New-AzADServicePrincipal -ApplicationId <appId for multi-tenant app registration from tenant A>
New-AzRoleAssignment -ObjectId <object Id for enterprise app multi-tenant in tenant B> -ResourceGroupName cloud-shell-storage-eastus -RoleDefinitionName "Storage Blob Data Reader"

Step 2, with the Azure CLI: sign in as the service principal against tenant B and download a blob using AAD (--auth-mode login) instead of the storage account key.

az login --service-principal -u <application id> -p "xyz" -t <tenant B id>
az storage blob download --auth-mode login --account-name <storage account name> -c test-multi-tenant -f c:\users\rquan\mydownload.txt -n test-file.txt

Output (JSON truncated):

Finished[#############################################################] 100.0000%
{
....

C:\Users\rquan>type mydownload.txt
test
test

Step 3, the same download with Azure PowerShell: build a PSCredential from the application id and client secret, sign in as the service principal, and use a storage context backed by the connected account (-UseConnectedAccount) so the blob is read with the AAD token.

$secret = ConvertTo-SecureString -String "xyz" -AsPlainText -Force
$pscredential = New-Object -TypeName System.Management.Automation.PSCredential($appId, $secret)
Connect-AzAccount -ServicePrincipal -Credential $pscredential -Tenant <tenant B Id>
$ctx = New-AzStorageContext -StorageAccountName <storage account name> -UseConnectedAccount
Get-AzStorageBlob -Container test-multi-tenant -Blob test-file.txt -Context $ctx | Get-AzStorageBlobContent -Force

Output:

PS C:\Users\rquan> dir test-file.txt

    Directory: C:\Users\rquan

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         3/13/2021  11:46 PM             10 test-file.txt
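The lab above as one end-to-end Azure PowerShell script, added here as an example (it is not code from the original post): the tenant B administrator provisions the tenant A app's service principal idempotently, scopes the role to the single container rather than the whole resource group, and verifies the assignment; the consumer then reads the blob as that principal. The variable values, the storage account name and the MT_APP_SECRET environment variable are assumed placeholders.

```powershell
# Added example, not from the original post. Assumed placeholder values:
$appId         = "<appId of the multi-tenant app registration in tenant A>"
$tenantB       = "<tenant B id>"
$subscriptionB = "Active-02-27"
$rgName        = "cloud-shell-storage-eastus"
$accountName   = "<storage account name>"
$container     = "test-multi-tenant"

# --- Tenant B administrator: provision and authorize the service principal ---
Connect-AzAccount -TenantId $tenantB -Subscription $subscriptionB | Out-Null

# Instantiate the tenant A app in tenant B (enterprise app) only if it is not
# already there; New-AzADServicePrincipal fails when the principal exists.
$sp = Get-AzADServicePrincipal -ApplicationId $appId
if (-not $sp) {
    $sp = New-AzADServicePrincipal -ApplicationId $appId
}

# Least privilege: scope the data-plane role to one container, not the resource group.
$account = Get-AzStorageAccount -ResourceGroupName $rgName -Name $accountName
$scope   = "$($account.Id)/blobServices/default/containers/$container"
$role    = "Storage Blob Data Reader"

if (-not (Get-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $role -Scope $scope)) {
    New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $role -Scope $scope | Out-Null
}

# Verify what the principal actually holds: expect only this role at this scope.
Get-AzRoleAssignment -ObjectId $sp.Id | Select-Object RoleDefinitionName, Scope

# --- Consumer: authenticate as the service principal and read the blob ---
# The client secret comes from an environment variable (assumed name) rather than
# being typed on the command line, so it does not end up in shell history.
$secret = ConvertTo-SecureString -String $env:MT_APP_SECRET -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential($appId, $secret)
Connect-AzAccount -ServicePrincipal -Credential $cred -Tenant $tenantB | Out-Null

# -UseConnectedAccount makes the storage context use the AAD token, not the account key.
$ctx = New-AzStorageContext -StorageAccountName $accountName -UseConnectedAccount
Get-AzStorageBlobContent -Container $container -Blob "test-file.txt" -Context $ctx `
    -Destination (Join-Path $HOME "mydownload.txt") -Force
```

A freshly created role assignment can take a short time to propagate, so a download that fails immediately after the assignment step usually succeeds on retry.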

Conclusion

AAD authentication provides fine-grained access control: you do not need to hand out the storage account access key, and it is easy to maintain. An AAD service principal created from a multi-tenant app registration can access Azure resources in another tenant.
