Azure Authentication with Multi-Tenant Application

Written By Ronnie Quan

Overview

If you need to access Azure resources in another tenant, which identity should you use, and how do you authenticate to Azure?

In this article, we will explore the multi-tenant service principal and grant it an RBAC permission on a resource in another tenant. After the permission on a storage account in the other tenant has been granted, we will use az cli and PowerShell to retrieve a blob file using AAD authentication.

Managed identities cannot be used to access resources in another tenant.

You will need to understand a key concept before proceeding. The application object (AAD app registration) is the global representation of your application for use across all tenants, and the service principal (AAD Enterprise App) is the local representation for use in a specific tenant.

The app registration and its enterprise app share the same Application ID. When granting an RBAC permission, we grant it to the enterprise app's object ID, not to the app registration's object ID.

Lab

Lab Environment

There are two AAD tenants, each with one Azure subscription. In tenant B, there is a storage account to which a test file has been uploaded. In this exercise, we will download this test file through AAD authentication.

Register Application

From tenant A, register a multi-tenant app; in this example, we name it “multi-tenant”.

After the app is registered, add a client secret.

Setup Enterprise App in Tenant B

In tenant B, we create a service principal for the app and assign it the “Storage Blob Data Reader” role on the storage account.
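The two setup steps above (register the multi-tenant app and its secret in tenant A, then create the service principal and role assignment in tenant B), as an added PowerShell example that is not part of the original article. It assumes the Az.Accounts and Az.Resources modules, an account that can register apps in tenant A and assign roles in tenant B, and placeholder tenant, subscription, resource group and storage account names. The final lines print the object IDs so you can see the point made earlier: the same AppId, but a different object ID in each tenant, and the role assignment must use the tenant B one.

```powershell
# Added example, not code from the original article. Assumptions: Az.Accounts
# and Az.Resources are installed; all ids and names below are placeholders.
$tenantA         = '<tenant-A-id>'
$tenantB         = '<tenant-B-id>'
$subscriptionB   = '<tenant-B-subscription-id>'
$resourceGroupB  = '<resource-group-in-tenant-B>'
$storageAccountB = '<storage-account-in-tenant-B>'

# --- Tenant A: register the multi-tenant application and add a client secret ---
Connect-AzAccount -Tenant $tenantA | Out-Null

# SignInAudience AzureADMultipleOrgs is what makes the registration multi-tenant,
# i.e. what allows a service principal for it to be created in tenant B.
$app = New-AzADApplication -DisplayName 'multi-tenant' -SignInAudience 'AzureADMultipleOrgs'

# Create a client secret with a bounded lifetime. SecretText is returned only
# once: store it in a vault and never commit it to a script.
$secret       = New-AzADAppCredential -ObjectId $app.Id -EndDate (Get-Date).AddMonths(6)
$clientSecret = $secret.SecretText

# Application object (app registration) as seen in tenant A.
'App registration (tenant A): AppId={0} ObjectId={1}' -f $app.AppId, $app.Id

# --- Tenant B: create the service principal (enterprise app) and grant RBAC ---
Connect-AzAccount -Tenant $tenantB -Subscription $subscriptionB | Out-Null

# The service principal shares the AppId but has its own object id in tenant B.
$sp = New-AzADServicePrincipal -ApplicationId $app.AppId
'Service principal (tenant B): AppId={0} ObjectId={1}' -f $sp.AppId, $sp.Id

# Scope the assignment to the single storage account (least privilege), not to
# the whole subscription. Passing -ObjectId avoids any directory lookup on a
# principal that may not have replicated yet.
$scope = "/subscriptions/$subscriptionB/resourceGroups/$resourceGroupB" +
         "/providers/Microsoft.Storage/storageAccounts/$storageAccountB"
New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Storage Blob Data Reader' -Scope $scope

# Verify that the assignment references the tenant-B object id and nothing wider.
Get-AzRoleAssignment -ObjectId $sp.Id -Scope $scope |
    Select-Object DisplayName, RoleDefinitionName, Scope
```

If the role assignment fails right after the service principal is created, wait a few seconds and retry: the new principal can take a moment to become visible to the authorization service. Keep `$clientSecret` out of shell history and logs; the next step reads it from an environment variable rather than from the script.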

Access Resource in Other Tenant

Use az cli to download the blob file with AAD authentication.

Now let’s try PowerShell; it works as expected as well.

The test file is downloaded to the current directory.
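The download step above, as an added PowerShell example that is not part of the original article. It assumes the Az.Accounts and Az.Storage modules, that the service principal already holds Storage Blob Data Reader on the storage account in tenant B, and placeholder ids, container and blob names; the client secret is read from an assumed environment variable `MULTI_TENANT_CLIENT_SECRET` so it never sits in the script. The sign-in must target tenant B: a token issued by tenant A for the same AppId is rejected by the storage service.

```powershell
# Added example, not code from the original article. Assumptions: Az.Accounts
# and Az.Storage are installed; ids and names are placeholders; the secret is
# supplied via the MULTI_TENANT_CLIENT_SECRET environment variable.
$tenantB         = '<tenant-B-id>'
$appId           = '<application-(client)-id-of-the-multi-tenant-app>'
$storageAccountB = '<storage-account-in-tenant-B>'
$container       = 'test'        # constructed container name
$blobName        = 'test.txt'    # constructed blob name

if (-not $env:MULTI_TENANT_CLIENT_SECRET) {
    throw 'Set MULTI_TENANT_CLIENT_SECRET before running this script.'
}
$secure = ConvertTo-SecureString $env:MULTI_TENANT_CLIENT_SECRET -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential ($appId, $secure)

# Sign in as the service principal in tenant B, where the role assignment lives.
Connect-AzAccount -ServicePrincipal -Credential $cred -Tenant $tenantB | Out-Null

# Account.Type tells you whether the session is a user or a service principal,
# which is worth checking before touching data with a shared script.
(Get-AzContext).Account.Type

# -UseConnectedAccount builds the storage context from the AAD token; no
# storage account key is fetched or used anywhere in this flow.
$ctx = New-AzStorageContext -StorageAccountName $storageAccountB -UseConnectedAccount

# Download the blob into the current directory, overwriting an existing copy.
Get-AzStorageBlobContent -Container $container -Blob $blobName -Context $ctx `
    -Destination . -Force

# Confirm the file landed where the article says it does.
Get-Item (Join-Path (Get-Location) $blobName)
```

The az cli equivalent follows the same shape: `az login --service-principal -u <appId> -p <secret> --tenant <tenantB>`, then `az storage blob download` with `--auth-mode login`, which makes the CLI use the AAD token instead of looking up an account key. If the download returns an authorization error, check first that the token was issued by tenant B (`Get-AzContext` shows the tenant) and then that the role assignment is on the storage account scope, since a data-plane role such as Storage Blob Data Reader is not implied by Contributor on the resource.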

Conclusion

AAD authentication provides fine-grained access control and is easy to maintain, since you don’t need to hand out the storage account access key. An AAD service principal can be used to access Azure resources in another tenant.

Besides az cli and PowerShell, you may explore AzCopy, which also supports AAD authentication.

References

Sign in with Azure PowerShell | Microsoft Docs

Apps & service principals in Azure AD — Microsoft identity platform | Microsoft Docs

Build apps that sign in Azure AD users — Microsoft identity platform | Microsoft Docs

https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/known-issues#can-i-use-a-managed-identity-to-access-a-resource-in-a-different-directorytenant

Choose how to authorize access to blob data with Azure CLI — Azure Storage | Microsoft Docs

Azure VNet Peering across Azure Active Directory tenants using Service Principal authentication | by Arsen Vladimirskiy | Medium