AI Search to sql database and blob storage in different tenants

KT 190 Reputation points
2023-12-30T11:32:58.2+00:00

Hi,

I am trying to create a bot service using Azure AI search for customers outside of my tenant.

1. Is it possible to connect a SQL database and blob storage in my customer's tenant in a closed network? If yes, how can I do it? Could you please share a list of the options? Can private links do it?

2. I can connect a SQL database as a data source when the other tenant whitelists the IP. But when I try to create an indexer, I get an error like this. How can I solve this?

Failed to update indexer "indexer170393", error: "Login failed for user '<token-identified principal>'. The server is not currently configured to accept this token."

Tags: Azure SQL Database, Azure AI Search, Azure Blob Storage

Accepted answer
  Konstantinos Passadis 19,596 Reputation points MVP
    2023-12-30T19:56:37.4633333+00:00

    Hello @KT!

    I understand you need Cross Tenant Access for your solution.

    Yes, you can achieve this by using Azure Private Link, which provides a private endpoint in your virtual network, enabling direct access to Azure services over a private connection. You'll need to ensure that private endpoints are configured and that public network access is restricted to your logical server. For SQL databases that reside in a different tenant, you might need to use SQL authentication or a service principal in the tenant where the SQL database is located. Managed Identities (MI) are not currently supported across different tenants for Azure SQL access.

    https://learn.microsoft.com/en-us/answers/questions/1463772/cross-tenant-access-to-blobs-and-sql-using-mi-spn

    https://learn.microsoft.com/en-us/azure/azure-sql/database/private-endpoint-overview?view=azuresql

    The error message you're seeing suggests there's an issue with token-based authentication.

    If you're trying to access resources across tenants, you might need to invite a user from the other tenant as a guest and assign the necessary permissions using Azure's IAM (Identity and Access Management). This doesn't require a Shared Access Signature (SAS) or shared access keys if the user is invited as a guest. Once the user from your tenant is granted access as a guest in the customer's tenant, you should be able to create an indexer without needing to whitelist IP addresses.


    I hope this helps!

    The answer or portions of it may have been assisted by AI. Source: ChatGPT Subscription

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards

    1 person found this answer helpful.
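The login failure quoted in the question is what Azure SQL returns when the logical server has no Microsoft Entra (formerly Azure AD) admin configured, i.e. Entra authentication is not enabled on that server at all, which is why the answer above steers you to a principal that lives in the customer's tenant. Once the customer has set an Entra admin on their server, the database side of that advice, a principal in the customer's tenant with the least privilege an indexer needs, looks like this in T-SQL. This is an added example, not part of the thread or of Microsoft's documentation; the principal names `ai-search-indexer-sp` and `ai_search_reader`, the schema `sales` and the table `Orders` are hypothetical placeholders.

```sql
-- Added example, not from the original thread. Assumptions: an Entra admin is
-- already set on the customer's logical server (without it every token is
-- rejected with "The server is not currently configured to accept this token"),
-- the customer registered a service principal named 'ai-search-indexer-sp'
-- (hypothetical) in their own tenant, and the indexer reads schema [sales].
-- Run this in the target user database (not master), connected as the Entra admin.

-- Option A: service principal from the customer's tenant (token authentication).
-- The user is contained in this database; no server-level login is created.
CREATE USER [ai-search-indexer-sp] FROM EXTERNAL PROVIDER;

-- Option B: SQL authentication fallback, also as a contained database user so the
-- credential cannot be used against other databases on the same server.
-- Replace the placeholder with a generated secret stored in Key Vault.
CREATE USER [ai_search_reader] WITH PASSWORD = '<strong-password-here>';

-- Least privilege: an indexer only needs to read the rows it indexes, so grant
-- SELECT on the specific schema instead of db_datareader or db_owner.
GRANT SELECT ON SCHEMA::[sales] TO [ai-search-indexer-sp];
GRANT SELECT ON SCHEMA::[sales] TO [ai_search_reader];

-- If the indexer uses SQL Integrated Change Tracking, the principal also needs
-- VIEW CHANGE TRACKING on each tracked table (CHANGE_TRACKING must be enabled
-- on the database and table separately; not shown here).
GRANT VIEW CHANGE TRACKING ON OBJECT::[sales].[Orders] TO [ai-search-indexer-sp];
GRANT VIEW CHANGE TRACKING ON OBJECT::[sales].[Orders] TO [ai_search_reader];

-- Verify: the principals exist (EXTERNAL_USER for the Entra app, SQL_USER for the
-- contained SQL user) and carry only the grants above, nothing database-wide.
SELECT dp.name,
       dp.type_desc,
       dp.authentication_type_desc,
       p.class_desc,
       p.permission_name,
       p.state_desc,
       CASE p.class_desc
            WHEN 'SCHEMA'           THEN SCHEMA_NAME(p.major_id)
            WHEN 'OBJECT_OR_COLUMN' THEN OBJECT_SCHEMA_NAME(p.major_id) + '.' + OBJECT_NAME(p.major_id)
       END AS securable
FROM sys.database_principals AS dp
LEFT JOIN sys.database_permissions AS p
       ON p.grantee_principal_id = dp.principal_id
WHERE dp.name IN ('ai-search-indexer-sp', 'ai_search_reader')
ORDER BY dp.name, p.class_desc, securable;
```

The verification query should show exactly one CONNECT (class DATABASE), the SELECT on the schema and the VIEW CHANGE TRACKING on the table per principal; any extra row, or membership in a fixed database role, means the indexer identity has more than it needs. Keep the SQL-authentication user only as long as the service principal path is not yet working, and rotate or drop it afterwards.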

1 additional answer

  Konstantinos Passadis 19,596 Reputation points MVP
    2024-01-01T20:24:10.01+00:00

    Hello @KT!

    You can have a look at my answer; besides VPN, I suggest Network Peering.

    https://learn.microsoft.com/en-us/azure/virtual-network/create-peering-different-subscriptions?tabs=create-peering-portal#cli

    It is the best option; with a combination of Private Links you can have low-latency connectivity.

    Hit me up if you need assistance!

    I hope this helps!

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards

    1 person found this answer helpful.
