5

I have a service principal in one tenant that needs access to an Azure Container Registry in another tenant. However, I am not sure as to how to create the azurerm_role_assignment for the same. Is there a way to configure the service principal as multi-tenant such that it can have role assignments in both the tenants accordingly?

Akash Masand

2 Answers

7

Firstly, set `available_to_other_tenants = true` for the Azure AD application and service principal in Terraform.

Now that the service principal exists in your tenant, the quickest way to get the service principal created in another tenant is to use admin consent:

https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id={client-id}

Replace {tenant-id} with the real tenant id of "another tenant". {client-id} is the application id of the Azure AD app or service principal.

Access the url in a browser. Use an admin account of "another tenant" to sign in to accept the permissions. Then the service principal will be created in "another tenant".

Now you can create the `azurerm_role_assignment` for the new service principal created in "another tenant" (it's a different service principal from the original one, and that is how multi-tenant applications work).

Allen Wu
  • Hey, the only issue with this is that the service principal will have admin consent across the entire tenant which is definitely not feasible. If this can be done without admin consent that would be perfect. – Akash Masand Jan 14 '21 at 02:40
  • @AkashMasand Please note that if you didn't assign any permissions to the original service principal, the new service principal in "another tenant" also has no permissions. You CAN control the permissions. And the most important thing is **it is how multi-tenant applications work**. See more details at https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant. – Allen Wu Jan 14 '21 at 02:45
  • @AkashMasand No. If the new service principal is used in that tenant, admin consent is inevitable. As I have mentioned, it is how multi-tenant apps work. If you don't accept it, you cannot use a multi-tenant app. – Allen Wu Jan 14 '21 at 02:50
  • @AkashMasand When we say a multi-tenant app, it doesn't mean the service principal in your tenant accesses the data in the other tenant. It in fact adds a new service principal (with the same application id) into the other tenant and uses it to access the data in that tenant. No matter what method you use to add the new service principal, when you use it for authentication, the consent process will be required. Using the admin consent endpoint is the quickest way to make it work. – Allen Wu Jan 14 '21 at 02:55
  • @AkashMasand If you have any other concerns, please let me know. – Allen Wu Jan 14 '21 at 02:57
  • Hey. I tried this out today and it complains of an invalid Redirect URI. Seems it needs a Redirect URI. – Akash Masand Feb 08 '21 at 03:51
  • @AkashMasand In general, we don't need a redirect URI. But if it requires one, just add it like this: `https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id={client-id}&redirect_uri={url}`. Make sure it is the same as the one you set in Azure AD app registration. – Allen Wu Feb 08 '21 at 04:05
  • What do I add in the value of redirect_uri? I do not have an application to redirect to. – Akash Masand Feb 08 '21 at 04:11
  • @AkashMasand It doesn't matter. Just set it as `https://localhost/` for test. – Allen Wu Feb 08 '21 at 04:12
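The three steps in this answer written out as Terraform, as an added example that is not part of the answer above. It assumes azuread provider 1.x (which still has `available_to_other_tenants`), that the admin consent URL has already been visited for the other tenant, that both providers are authenticated with credentials for their respective tenants, and the variables `home_tenant_id`, `other_tenant_id`, `other_subscription_id`, `acr_name` and `acr_resource_group` are hypothetical.

```terraform
# Home tenant: the multi-tenant app registration and its service principal
provider "azuread" {
  alias     = "home"
  tenant_id = var.home_tenant_id            # assumed variable
}

resource "azuread_application" "acr_client" {
  provider                   = azuread.home
  name                       = "acr-cross-tenant-client"
  available_to_other_tenants = true         # the setting the answer refers to
}

resource "azuread_service_principal" "home" {
  provider       = azuread.home
  application_id = azuread_application.acr_client.application_id
}

# Other tenant: look up the service principal that admin consent created there.
# Same application_id, different object id; this is the principal to assign roles to.
provider "azuread" {
  alias     = "other"
  tenant_id = var.other_tenant_id           # assumed variable
}

provider "azurerm" {
  alias           = "other"
  tenant_id       = var.other_tenant_id
  subscription_id = var.other_subscription_id   # assumed variable
  features {}
}

data "azuread_service_principal" "other" {
  provider       = azuread.other
  application_id = azuread_application.acr_client.application_id
}

data "azurerm_container_registry" "acr" {
  provider            = azurerm.other
  name                = var.acr_name             # assumed variable
  resource_group_name = var.acr_resource_group   # assumed variable
}

# Grant only AcrPull, scoped to the single registry rather than a wider scope,
# so consent in the other tenant results in a principal with minimal rights.
resource "azurerm_role_assignment" "acr_pull" {
  provider             = azurerm.other
  scope                = data.azurerm_container_registry.acr.id
  role_definition_name = "AcrPull"
  principal_id         = data.azuread_service_principal.other.object_id
}
```

Apply the home-tenant resources first, complete the admin consent URL in a browser, then apply the rest; the `azuread_service_principal` data source fails until the consented service principal exists in the other tenant.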
0

The url in the accepted answer did not work for me, but the one that was deleted did work, so I will post it here for those who have the same troubles:

https://login.microsoftonline.com/[new-tenant-id]/oauth2/authorize?client_id=[client-id]&response_type=code&redirect_uri=https://localhost

Ilya Chernomordik
  • This is not a link to the solution, it is the solution itself. I am not sure about duplicates, but the answer to this question is not working anymore (or at least not for me), so I have posted the url that works for me (it is the solution, not a url to the solution). – Ilya Chernomordik Jun 30 '22 at 11:49
  • It is just the correct url to use for this use case at Microsoft, nothing much more to it :) – Ilya Chernomordik Jul 02 '22 at 09:52