Multi tenant app RBAC for reading Blobstorage

Porsche Me 131 Reputation points
2020-10-14T04:23:43.067+00:00

We wanted to register a multi tenant app in our AAD tenancy.

Other Azure tenants consent to our app and grant read access to their ADLSv2 storage.
Is this a supported scenario?

If the answer is yes...
In the app registration, we should check 'Access tokens'; right?
What permissions do I set?


Accepted answer
  1. soumi-MSFT 11,716 Reputation points Microsoft Employee
    2020-10-19T08:07:44.127+00:00

    Hello @Porsche Me, I apologize for the delay in my response, as it took me some time to set up a repro and test this scenario out. I wanted to make myself clear on the setup and hence spent some time testing this.

    Let me share the answers to the points you listed above:

    1. The app1, a multi-tenant app was created using the Azure portal in our tenant
      Ans: Understood this and took this point into account while setting up the repro.
    2. Other tenants will consent to our app and grant permission to read the Azure Data Lake instance present in their tenant.
      Ans: This is totally possible using a multi-tenant app as you mentioned. They need to add the service principal object of this app that gets registered in their tenant to their Azure Data Lake's RBAC and also to the file ACLs.
    3. A service (Azure Data Factory pipeline) in our tenant will use the app1 service principal to read data in the other tenant's Azure Data Lake instance.
      Ans: Yes, a service (Azure Data Factory pipeline) in our tenant will use the app1 service principal (SP) to read data in the other tenant's Azure Data Lake instance (ADLS) once the necessary permissions are provided for the app1 SP on ADLS.

    Hope this helps.

    Do let us know if this helps, and if there are any more queries around this, please let us know so that we can help you further. Also, please do not forget to accept the response as an Answer if the above response helped in answering your query.


3 additional answers

  1. soumi-MSFT 11,716 Reputation points Microsoft Employee
    2020-10-14T08:24:50.13+00:00

    Hello @Porsche Me, thank you for reaching out. In case you create a multi-tenant app and that app uses an Azure resource like Azure Data Lake in the backend, then you need to understand that when any user from some other tenant accesses your multi-tenant app, after authentication, they would be connecting to the Azure Data Lake instance in your tenant that your app connects to. Azure Data Lake Service has its own set of ACLs, and hence all the users coming from the other tenants accessing your app need to be added to the Access Policies section of the Azure Data Lake service and assigned the "Storage Blob Data Contributor" role. You can find more details here: https://learn.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-access-control

    This scenario is supported; the only thing is the adding of other tenants' users to your tenant on your Azure Data Lake instance.

    For the app that you created, if it uses OpenID Connect, you would need to check the Access-Token and ID-Token options present in the app registration. Also, once you create the app registration, you need to add the Azure Data Lake REST API. There is only one delegated permission available, which you need to select.

    Hope this helps.

    Do let us know if this helps, and if there are any more queries around this, please let us know so that we can help you further. Also, please do not forget to accept the response as an Answer if the above response helped in answering your query.


  2. soumi-MSFT 11,716 Reputation points Microsoft Employee
    2020-10-15T05:50:07.41+00:00

    Hello @Porsche Me, let me share the answers to the queries posted above:

    Before going to the answers to the questions, let me state my understanding of the application setup on your end. So you have developed a multi-tenant app, let's say app1, in your tenant, and the code written in your app1 references an Azure Data Lake instance present in your tenant. Now there is another tenant that would be using your app to access the Azure Data Lake instance present in your tenant.

    With this understanding let me answer the queries:

    1. We create the app and the other tenant will consent:
      Ans: True. The other tenant would provide consent for the app, and once they provide the consent, a service principal object would get created in their tenant.
    2. Other tenants would grant the 'Storage Blob Data Contributor' role to our app on their Azure Data Lake Gen2 (hierarchical namespace enabled) resource.
      Ans: True. To access that ADLS account, your app would need to be sure to get the access token from the other tenant, i.e. Tenant B, and use the URL for the ADLS account in the other tenant, i.e. Tenant B.
    3. Our service (Azure Data Factory pipeline Copy File activity, not the user) would use our app to read data from the other tenant's Azure Data Lake Gen2 store.
      Ans: I am checking on this and will update you soon.

    Hope this helps.

    Do let us know if this helps, and if there are any more queries around this, please let us know so that we can help you further. Also, please do not forget to accept the response as an Answer if the above response helped in answering your query.
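The two soumi-MSFT answers above make one security-relevant point that is easy to get wrong in code: after Tenant B consents, a service principal for app1 exists in Tenant B, Tenant B's admin assigns the storage role to that principal, and so the access token must be requested from Tenant B's authority and sent to Tenant B's storage account URL. A token issued by Tenant A (the app's home tenant) carries Tenant A's `tid` claim, and the RBAC assignment in Tenant B does not apply to it. The script below is an added example, not code from the thread or from Microsoft. It uses plain OAuth 2.0 client credentials against the v2.0 token endpoint and the ADLS Gen2 DFS REST endpoint; tenant ids, client id, secret, account and file names are placeholders, and the `x-ms-version` value is an assumed supported service version.

```python
"""
Cross-tenant read of an ADLS Gen2 file by a multi-tenant app's service principal.
Added example; all ids and names below are placeholders, not values from the thread.
"""
import base64
import json
import urllib.parse
import urllib.request

AUTHORITY = "https://login.microsoftonline.com"
STORAGE_SCOPE = "https://storage.azure.com/.default"  # resource scope for Azure Storage
DFS_API_VERSION = "2020-10-02"  # assumed storage service version; any supported one works


def build_token_request(resource_tenant_id, client_id, client_secret):
    """Client-credentials request for app1 against the *resource* tenant's authority.

    resource_tenant_id is Tenant B (where the data lives and where the role was
    assigned), not Tenant A where app1 was registered.
    """
    url = f"{AUTHORITY}/{resource_tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": STORAGE_SCOPE,
    }
    return url, form


def build_read_request(account, filesystem, path, access_token):
    """GET of a file through the DFS endpoint of Tenant B's storage account."""
    url = f"https://{account}.dfs.core.windows.net/{filesystem}/{urllib.parse.quote(path)}"
    headers = {
        "Authorization": f"Bearer {access_token}",
        "x-ms-version": DFS_API_VERSION,
    }
    return url, headers


def decode_claims(jwt):
    """Decode the (unverified) payload of a JWT so the issuing tenant can be inspected.

    Verification is not needed here: the token is only checked locally to catch
    a misconfigured authority before the request is sent. The storage service
    validates the signature on its side.
    """
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_tenant_matches(claims, expected_tenant_id):
    """True only if the token was issued by the resource tenant.

    A token with the wrong tid is rejected by Tenant B's account with 403,
    because the RBAC assignment is bound to app1's service principal in Tenant B.
    """
    return claims.get("tid") == expected_tenant_id


def acquire_token(resource_tenant_id, client_id, client_secret):
    url, form = build_token_request(resource_tenant_id, client_id, client_secret)
    body = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def read_file(account, filesystem, path, access_token):
    url, headers = build_read_request(account, filesystem, path, access_token)
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
        return resp.read()


if __name__ == "__main__":
    # Placeholders: Tenant B's tenant id and account, app1's credential from Tenant A.
    TENANT_B = "<tenant-b-id>"
    APP1_CLIENT_ID = "<app1-client-id>"
    APP1_SECRET = "<app1-client-secret>"

    token = acquire_token(TENANT_B, APP1_CLIENT_ID, APP1_SECRET)
    if not token_tenant_matches(decode_claims(token), TENANT_B):
        raise SystemExit("token was not issued by the resource tenant; check the authority")
    data = read_file("<tenantb-storage-account>", "<filesystem>", "folder/file.csv", token)
    print(data[:200])
```

In Azure Data Factory the same requirement shows up as the linked service's tenant setting: the credential for the other tenant's ADLS Gen2 account must name Tenant B, even though the app registration itself lives in Tenant A. The local `tid` check is only a fast-fail for a misconfigured authority; authorization is still decided by the role assignment (and, for hierarchical-namespace accounts, the file ACLs) that Tenant B's admin granted to app1's service principal.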


  3. Porsche Me 131 Reputation points
    2020-10-19T20:52:41.343+00:00

    Thanks, soumi-MSFT, for confirming this.
