Is it possible to give another tenant acces rights to a private link of a storage account for an Azure Files migration?

Diederik Janson 41 Reputation points


Is it possible to have another Tenant given acces to a private endpoint of a Azure Files Storage account?

We have a lot of data (150TB) that needs to be harvested/migrated to another tenant. Now they have public access based on a security key. More safe and possibly cheaper would be to migrate the data over the internal Azure network without reaching the internet.

Is there a way to do this?

Thank you very much for any help.

Best Regards,


Azure Files
Azure Files
An Azure service that offers file shares in the cloud.
1,188 questions
Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
2,759 questions
Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,205 questions
Azure Private Link
Azure Private Link
An Azure service that provides private connectivity from a virtual network to Azure platform as a service, customer-owned, or Microsoft partner services.
472 questions
{count} votes

Accepted answer
  1. Sumarigo-MSFT 44,081 Reputation points Microsoft Employee

    @Diederik Janson Welcome to Microsoft Q&A Forum, Thank you for posting your here!

    Yes, it is possible to grant access to a private endpoint of an Azure Files storage account to another tenant.

    To do this, you will need to create a Private Endpoint connection for the storage account in the Azure portal. Once the Private Endpoint connection is created, you can grant access to the other tenant by creating a Private Link Service in your Azure subscription and then sharing the Private Endpoint with the other tenant.

    Here are the high-level steps you can follow to accomplish this:

    1. Create a Private Endpoint connection for your Azure Files storage account using the Azure portal. This will create a private IP address for the storage account that can be accessed only from within your virtual network.
    2. Create a Private Link Service in your Azure subscription that represents the Azure Files storage account.
    3. Share the Private Endpoint connection with the other tenant by providing them with the Private Link Service endpoint and authorization key.

    Once the other tenant has access to the Private Endpoint connection, they can connect to the Azure Files storage account over the private Azure network without reaching the internet. This provides a more secure and cost-effective way to migrate your data.

    Grant access from a virtual network

    You can configure storage accounts to allow access only from specific subnets. The allowed subnets can belong to a virtual network in the same subscription or a different subscription, including those that belong to a different Azure AD tenant.

    Configure Azure Storage firewalls and virtual networks

    Please let us know if you have any further queries. I’m happy to assist you further.

    Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    1 person found this answer helpful.
    0 comments No comments

2 additional answers

Sort by: Most helpful
  1. Silvia Wibowo 3,241 Reputation points Microsoft Employee

    Hi @Diederik Janson , as far as I know, there is no requirement of same tenant when creating a private endpoint. Azure Portal may not display the option of a different tenant, so you need to create the private endpoint using other method like PowerShell, Azure CLI, Bicep, or Azure ARM template.

    Please make sure that there is no policy that restricts cross-tenant private endpoint connection as described here.

    0 comments No comments

  2. Diederik Janson 41 Reputation points


    Thank you so much for helping me. When i am on point 2 (Create a Private Link Service in your Azure subscription that represents the Azure Files storage account.) I can't select my private endpoint from my storage account. I can only connect the private service to a load balancer. What am I doing wrong?

    Do I really need the private service or can I just share the resource id of the private endpoint?

    Best regards,


    0 comments No comments