Access Storage cross Tenant

Harita Tiwari 20 Reputation points Microsoft Employee
2024-03-21T02:42:13.37+00:00

@Sumarigo-MSFT

Saw your blog post: How to share storage blobs across different tenants? - Microsoft Q&A

I have an ask to remove the connection string from my code. I implemented that by replacing it with MSI, default credentials for local scenarios, and environment credentials for the pipeline. The pipeline and CLI are happy, but MSI is failing because we have storage in one tenant and the service which accesses storage using MSI in another tenant. I came to know MSI cannot work cross-tenant. Now I am looking for an alternative which can work just fine cross-tenant.

Error on MSI:

System.AggregateException: One or more errors occurred. (Server failed to authenticate the request. Please refer to the information in the www-authenticate header.\nRequestId:5f55e135-601e-0052-07f5-65fcce000000\nTime:2024-02-23T01:13:02.0164198Z\r\nStatus: 401 (Server failed to authenticate the request. Please refer to the information in the www-authenticate header.)\r\nErrorCode: InvalidAuthenticationInfo\r\n\r\nAdditional Information:\r\nAuthenticationErrorDetail: Issuer validation failed. Issuer did not match.


Accepted answer
    Sumarigo-MSFT 47,471 Reputation points Microsoft Employee Moderator
    2024-03-25T10:00:31.5+00:00

    @Harita Tiwari Welcome to Microsoft Q&A Forum, Thank you for posting your query here!

    Updating the offline conversation to provide value to other community members who may come across this thread.

    MSI can't be used across tenants: https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identities-faq#can-i-use-a-managed-identity-to-access-a-resource-in-a-different-directorytenant

    Alternative: the simplest way to achieve this with storage is to use RBAC and SAS instead.

    Additional information:
    Utilizing Azure Storage cross-tenant functionality involves configuring Shared Access Signatures (SAS) and Role-Based Access Control (RBAC) appropriately. Here's how you can do it:

    Shared Access Signatures (SAS):

    By combining Shared Access Signatures (SAS) and Role-Based Access Control (RBAC) with appropriate configurations and security measures, you can effectively enable cross-tenant access to Azure Storage resources while ensuring security and compliance.

    Here are some more detailed steps to follow:

    1. Create a storage account in the tenant where you want to grant access to the other tenant. You can do this using the Azure portal or Azure PowerShell.
    2. Generate a Shared Access Signature (SAS) token for the storage account. You can do this using the Azure portal or Azure PowerShell. When generating the SAS token, make sure to specify the permissions that you want to grant to users in the other tenant.
    3. Create a security principal in the other tenant. This can be a user, group, or application that needs access to the storage account. You can create a security principal using the Azure portal or Azure PowerShell.
    4. Grant the security principal access to the storage account using Azure Role-Based Access Control (RBAC). RBAC allows you to assign roles to security principals, which determine the level of access they have to Azure resources. You can grant access using the Azure portal or Azure PowerShell. When granting access, make sure to specify the permissions that you want to grant to the security principal.

    5. Provide the SAS token to the security principal in the other tenant. This token will allow the security principal to access the storage account. You can provide the SAS token to the security principal using a secure method, such as email or a secure messaging platform.

    Shared Access Signatures (SAS):

    Generate a SAS token for the Azure Storage resources that need to be accessed by the service in the other tenant.

    Configure the SAS token with appropriate permissions (e.g., read, write) and expiry time.

    Share the SAS token securely with the service in the other tenant. This could involve securely storing and retrieving the SAS token as part of your application's configuration.

    Role-Based Access Control (RBAC):

    If necessary, set up RBAC roles in the tenant containing the storage account to grant specific access permissions to the service in the other tenant.

    By leveraging Shared Access Signatures (SAS) and potentially Role-Based Access Control (RBAC), you can establish a secure and efficient mechanism for accessing Azure Storage resources across different tenants without relying on Managed Service Identity (MSI). Ensure proper implementation and adherence to security best practices to maintain the integrity of your solution.

    Please let us know if you have any further queries. I’m happy to assist you further.  

    Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    1 person found this answer helpful.
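The answer's SAS steps end with handing the token to a service in another tenant, and that is the point where scope, expiry and transport restrictions matter most, because an account-key SAS is a bearer credential that the receiving tenant's RBAC does not constrain. The following example, added to this thread and not code from the original post or from the Azure SDK, shows offline how a blob-scoped service SAS is signed (string-to-sign layout as documented for version 2020-12-06), how the service would reject a token whose fields were edited, and a small review routine that flags the settings a defender would question before sharing the token: write-class permissions, lifetime beyond a day, plain HTTP, or no IP restriction. The account name, key and blob path are constructed placeholders, not real credentials; the `review_sas` thresholds are my own choice. In production, generate tokens with the SDK (for example `azure.storage.blob.generate_blob_sas`) and prefer a user delegation SAS over an account-key SAS where the workflow allows it.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

SAS_VERSION = "2020-12-06"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample values (not real credentials): a placeholder account name,
# a 32-byte dummy key and a fixed "now" so results are reproducible.
ACCOUNT = "examplestoragetenanta"
KEY_B64 = base64.b64encode(b"\x01" * 32).decode()
NOW = datetime(2024, 3, 25, 10, 0, tzinfo=timezone.utc)


def _string_to_sign(account, container, blob, p):
    """Service SAS string-to-sign for a single blob (documented layout, version 2020-12-06)."""
    canonical = f"/blob/{account}/{container}/{blob}"
    fields = [p.get("sp", ""), p.get("st", ""), p.get("se", ""), canonical,
              p.get("si", ""), p.get("sip", ""), p.get("spr", ""),
              p.get("sv", ""), p.get("sr", ""),
              "", "", "", "", "", "", ""]  # snapshot, encryption scope, rscc..rsct unused here
    return "\n".join(fields)


def _sign(key_b64, string_to_sign):
    """HMAC-SHA256 over the string-to-sign with the base64-decoded account key."""
    mac = hmac.new(base64.b64decode(key_b64), string_to_sign.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def make_blob_sas(account, key_b64, container, blob, permissions,
                  start, expiry, ip_range=None):
    """Build a blob-scoped, HTTPS-only service SAS query string."""
    p = {"sv": SAS_VERSION, "sr": "b", "sp": permissions,
         "st": start.strftime(TIME_FMT), "se": expiry.strftime(TIME_FMT), "spr": "https"}
    if ip_range:
        p["sip"] = ip_range
    p["sig"] = _sign(key_b64, _string_to_sign(account, container, blob, p))
    return urlencode(p)


def _parse(token):
    return {k: v[0] for k, v in parse_qs(token, keep_blank_values=True).items()}


def verify_blob_sas(account, key_b64, container, blob, token):
    """Recompute the signature the service would check; any edited field breaks it."""
    p = _parse(token)
    expected = _sign(key_b64, _string_to_sign(account, container, blob, p))
    return hmac.compare_digest(expected, p.get("sig", ""))


def review_sas(token, now=NOW, max_lifetime=timedelta(hours=24)):
    """Findings a reviewer would raise before handing the token to another tenant."""
    p = _parse(token)
    findings = []
    perms = set(p.get("sp", ""))
    if perms & set("acwdxy"):  # add/create/write/delete/delete-version/permanent-delete
        findings.append("write-class permissions: " + "".join(sorted(perms)))
    if p.get("sr") != "b":
        findings.append("scope wider than a single blob")
    if "se" not in p:
        findings.append("no expiry")
    else:
        expiry = datetime.strptime(p["se"], TIME_FMT).replace(tzinfo=timezone.utc)
        if expiry <= now:
            findings.append("already expired")
        elif expiry - now > max_lifetime:
            findings.append(f"lifetime exceeds {max_lifetime}")
    if p.get("spr") != "https":
        findings.append("plain HTTP allowed")
    if "sip" not in p:
        findings.append("no IP restriction (sip)")
    return findings


def build_examples():
    """A tightly scoped token beside a broad one, both over the same constructed blob."""
    good = make_blob_sas(ACCOUNT, KEY_B64, "reports", "2024/q1.csv", "r",
                         NOW, NOW + timedelta(hours=1), ip_range="203.0.113.10")
    broad = make_blob_sas(ACCOUNT, KEY_B64, "reports", "2024/q1.csv", "rwd",
                          NOW, NOW + timedelta(days=365))
    return good, broad


if __name__ == "__main__":
    good, broad = build_examples()
    print("good token verifies:", verify_blob_sas(ACCOUNT, KEY_B64, "reports", "2024/q1.csv", good))
    print("good findings:", review_sas(good))
    print("broad findings:", review_sas(broad))
```

Running the script shows the read-only, one-hour, IP-restricted token passing review with no findings, while the read/write/delete token with a one-year lifetime and no IP restriction is flagged three times. Because the signature covers every query field, widening `sp` or pointing the token at a different blob makes `verify_blob_sas` return False, which is the same check the storage service performs before honouring the request.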
