Azure multi-tenant app read/write to storage account using RBAC

Porsche Me 131 Reputation points
2020-12-19T18:50:42.97+00:00

Can two Azure tenants (with RBAC) use a storage account for data exchange? We tried and are getting a 401 error.
Any help to resolve this is much appreciated.

Below is our scenario...

Tenant 1: tenantA
Multi Tenant App: appA (daemon app type)

Tenant 2: tenantB
Storage Account: storageB
Tenant admin consented to "appA" and granted the 'Storage Blob Data Contributor' application permission on storageB. Below is how we set the permissions (we chose Microsoft Graph User.Read.All for lack of knowledge of what else to choose).
[screenshot: 49588-permission.png]

Now, can tenantA write to storageB using the Azure Storage SDK?
Well, we are getting the exception below when we tried!
Azure.RequestFailedException: Server failed to authenticate the request. Please refer to the information in the www-authenticate header.
RequestId:ab6e2992-001e-0089-16dd-d52538000000
Time:2020-12-19T08:07:07.8901668Z
Status: 401 (Server failed to authenticate the request. Please refer to the information in the www-authenticate header.)
Error Code: InvalidAuthenticationInfo

Headers:
Server: Microsoft-HTTPAPI/2.0
x-ms-request-id:

1 answer

Porsche Me 131 Reputation points
2020-12-20T22:21:16.367+00:00

This is now resolved; the issue was...

We switched from using the app host tenant ID (tenantA) to the consented tenant ID (tenantB).
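A diagnostic for the fix described in this answer, added here as an example (not code from the original thread): it shows which authority the daemon app must request its storage token from, and inspects a token's tenant claim to tell a home-tenant (tenantA) token, which storageB rejects with 401, from a resource-tenant (tenantB) token. The tenant IDs and tokens are constructed placeholders, and `jwt_claims` only reads the payload without validating the signature, so it is for troubleshooting only.

```python
import base64
import json

# Constructed placeholder IDs (not from the original post).
TENANT_A = "11111111-1111-1111-1111-111111111111"  # appA's home tenant
TENANT_B = "22222222-2222-2222-2222-222222222222"  # tenant that owns storageB
STORAGE_AUDIENCE = "https://storage.azure.com/"    # audience of a Storage token


def authority_for(tenant_id: str) -> str:
    """Token endpoint to use: the tenant that owns the storage account,
    not the tenant the app was registered in. With azure-identity this is
    the tenant_id passed to ClientSecretCredential (assumption: v2 endpoint)."""
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Read a JWT payload WITHOUT verifying it (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    return json.loads(_b64url_decode(parts[1]))


def diagnose(token: str, storage_tenant_id: str) -> str:
    """Explain why Storage RBAC would reject this token, or return 'ok'."""
    claims = jwt_claims(token)
    if claims.get("aud") != STORAGE_AUDIENCE:
        return "wrong-audience"
    # The storage account only trusts tokens issued by its own tenant; a token
    # minted by the app's home tenant yields 401 InvalidAuthenticationInfo.
    if claims.get("tid") != storage_tenant_id:
        return "wrong-tenant"
    return "ok"


def fake_token(claims: dict) -> str:
    """Build an unsigned JWT for offline testing (constructed, not real)."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"
```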