Azure Private Endpoint Across AAD Tenant

Written By Ronnie Quan and Sam Rakaba


An Azure private endpoint secures your data and mitigates the risk of data exfiltration. In this article, we focus on privately accessing a storage account that lives in another AAD tenant.

The goal is to block access to the storage account from outside or external clients at the network layer, regardless of whether they hold valid credentials.


Create Blob Storage Account Private Endpoint from Tenant A

When creating the private endpoint for a storage account in tenant B, select the “Connect to an Azure resource by resource ID” method.

The rest of the settings are the same as for a private endpoint to a resource in the same tenant.

Approve Private Endpoint Connection

The connection requires explicit manual approval from tenant B: in tenant B, go to the storage account's Networking blade and open the private endpoint tab.

Configure DNS Record for Private Endpoint

From tenant A, complete the private endpoint configuration by adding the DNS configuration, so that the storage account FQDN resolves to the endpoint's private IP address inside the virtual network.

Block Access Through Storage Account Public Endpoint

Validate Access from Public Network

Now, even with authentication in place (SAS, access key or RBAC), a client outside the private network cannot access the storage account data. Access is only possible from inside the private network, and only with proper authentication.

Opening a blob file URL of the storage account from outside the private network fails.

Opening the same blob file from within the private network works.
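The steps above (create the endpoint by resource ID from tenant A, approve it in tenant B, close the public endpoint, add private DNS, validate) carried out with the Azure CLI. This is an added example, not the article's own commands: every tenant ID, subscription ID, resource group and storage account name below is a placeholder, and the provider-side connection name has to be read from the list output because Azure assigns it.

```shell
#!/bin/sh
# Added example: cross-tenant private endpoint for a blob storage account with the Azure CLI.
# Not taken from the article; all IDs, resource groups and names below are placeholders.
set -eu

# ---- Tenant A (consumer: owns the VNet and the private endpoint) ----
TENANT_A_ID="${TENANT_A_ID:-00000000-0000-0000-0000-00000000000a}"   # placeholder
RG_A="${RG_A:-rg-tenant-a}"
VNET_A="${VNET_A:-vnet-a}"
SUBNET_A="${SUBNET_A:-snet-private-endpoints}"
PE_NAME="${PE_NAME:-pe-tenantb-blob}"
CONNECTION_NAME="${CONNECTION_NAME:-tenant-a-blob-access}"

# ---- Tenant B (provider: owns the storage account) ----
TENANT_B_ID="${TENANT_B_ID:-00000000-0000-0000-0000-00000000000b}"   # placeholder
SUB_B="${SUB_B:-11111111-1111-1111-1111-111111111111}"               # placeholder
RG_B="${RG_B:-rg-tenant-b}"
STORAGE_B="${STORAGE_B:-sttenantbdata}"                               # placeholder

# Private DNS zone for a storage sub-resource (group id), public-cloud zone names.
privatelink_zone() {
    case "$1" in
        blob)  echo "privatelink.blob.core.windows.net" ;;
        file)  echo "privatelink.file.core.windows.net" ;;
        queue) echo "privatelink.queue.core.windows.net" ;;
        dfs)   echo "privatelink.dfs.core.windows.net" ;;
        *)     echo "unsupported group id: $1" >&2; return 1 ;;
    esac
}

# ARM resource ID of the storage account in tenant B: the value the portal asks for
# under “Connect to an Azure resource by resource ID”.
storage_resource_id() {
    printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s\n' "$1" "$2" "$3"
}

# Step 1 (tenant A): create the endpoint by resource ID. Tenant A has no RBAC on the
# target, so Azure cannot auto-approve; the connection must be a manual request.
create_private_endpoint() {
    az login --tenant "$TENANT_A_ID" >/dev/null
    az network private-endpoint create \
        --resource-group "$RG_A" --name "$PE_NAME" \
        --vnet-name "$VNET_A" --subnet "$SUBNET_A" \
        --private-connection-resource-id "$(storage_resource_id "$SUB_B" "$RG_B" "$STORAGE_B")" \
        --group-id blob --connection-name "$CONNECTION_NAME" \
        --manual-request true --request-message "Private access for tenant A workloads"
}

# Step 2 (tenant B): the storage owner lists pending connections and approves the one
# from tenant A. The provider-side connection name is assigned by Azure; copy it from the list.
approve_connection() {
    az login --tenant "$TENANT_B_ID" >/dev/null
    az network private-endpoint-connection list \
        --resource-group "$RG_B" --name "$STORAGE_B" --type Microsoft.Storage/storageAccounts -o table
    az network private-endpoint-connection approve \
        --resource-group "$RG_B" --resource-name "$STORAGE_B" --type Microsoft.Storage/storageAccounts \
        --name "${PROVIDER_CONNECTION_NAME:?set from the list output}" --description "Approved for tenant A"
}

# Step 3 (tenant B): close the public endpoint. With the default action set to Deny,
# even a valid SAS or account key is rejected when the request arrives from the internet.
block_public_access() {
    az storage account update --resource-group "$RG_B" --name "$STORAGE_B" --default-action Deny
}

# Step 4 (tenant A, after approval): private DNS so the public FQDN resolves to the private
# IP inside the VNet. The zone group keeps the A record in sync with the endpoint.
configure_dns() {
    zone="$(privatelink_zone blob)"
    az login --tenant "$TENANT_A_ID" >/dev/null
    az network private-dns zone create --resource-group "$RG_A" --name "$zone" >/dev/null
    az network private-dns link vnet create --resource-group "$RG_A" --zone-name "$zone" \
        --name "link-$VNET_A" --virtual-network "$VNET_A" --registration-enabled false >/dev/null
    az network private-endpoint dns-zone-group create --resource-group "$RG_A" \
        --endpoint-name "$PE_NAME" --name default --private-dns-zone "$zone" --zone-name blob
}

# Step 5: run from a host inside the VNet and from one outside. Inside, the name resolves
# to a private address and the listing succeeds; outside, the firewall rejects the request.
validate() {
    fqdn="$STORAGE_B.blob.core.windows.net"
    nslookup "$fqdn" || true
    az storage blob list --account-name "$STORAGE_B" \
        --container-name "${CONTAINER_B:-data}" --auth-mode login -o table
}

case "${1:-}" in
    create)   create_private_endpoint ;;
    approve)  approve_connection ;;
    block)    block_public_access ;;
    dns)      configure_dns ;;
    validate) validate ;;
esac
```

Run one step at a time (`sh pe.sh create`, then `approve` while signed in to tenant B, then `block`, then `dns`, then `validate` from both sides of the network boundary). The DNS step has to come after approval, because the endpoint's private IP and custom DNS configuration are only populated once tenant B approves the connection.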


Azure PaaS private endpoints support Azure resources in the same AAD tenant or in a different tenant. With the PaaS service's networking firewall settings, we can block all access through the public endpoint.

If you need to open your Azure storage account to a third party's subscription, make sure to secure it with a private endpoint and proper authentication.

For further hardening, consider protecting the private endpoint itself through network isolation, adopting AAD-integrated authentication, and having logging, monitoring and alerting in place.

Multiple private endpoints can be created to support private access from multiple AAD tenants.


