As long as the ADF and blob are in separate tenants, you can use service principal authentication as the best form of authentication. And the service principal need not be multi-tenant; it must be of the tenant in which the blob is present.
Cross-tenant connection between Azure Data Factory and Blob Storage
Luigia Costabile 65 Reputation points
The scenario is as follows: ADF belongs to tenant A and Blob Storage to tenant B.
Is the use of a multi-tenant service principal supported by the ADF connector to Blob Storage?
The use of a multi-tenant service principal is preferred because in this way the secret is not communicated to tenant B and is managed exclusively by tenant A.
Has anyone used this approach?
Azure Data Factory
An Azure service for ingesting, preparing, and transforming data at scale.
2 answers
Nandan Hegde 36,716 Reputation points MVP Volunteer Moderator 2025-09-13T11:08:03.28+00:00
Swapnesh Panchal 1,380 Reputation points Microsoft External Staff Moderator 2025-09-15T11:38:48.9966667+00:00
Hi Luigia Costabile,
Welcome to the Microsoft Q&A Platform.
As mentioned by Nandan Hegde cross-tenant access is supported using a service principal.
The approach is:
- App registration in Tenant A: Create an app registration in Tenant A. If you want credentials managed only in Tenant A, configure it as a multi-tenant app.
- Create a service principal in Tenant B: In Tenant B (where the Blob Storage lives), create a service principal (enterprise application) for that app.
- Assign RBAC roles in Tenant B: Grant the service principal in Tenant B the required roles on the storage account or container (e.g., Storage Blob Data Contributor).
- Configure ADF Linked Service in Tenant A: In ADF, configure the Linked Service to authenticate using the app registration's client ID and secret, and specify Tenant B as the authority/tenant ID.
- Validate networking: Ensure firewalls, private endpoints, and container ACLs are configured so that ADF in Tenant A can reach Blob Storage in Tenant B.
Note: Managed identities from Tenant A cannot directly be used across tenants. Cross-tenant access requires a service principal/enterprise application mapping as described above.
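The procedure described in the answers above, as an added example that is not part of either answer: a Python script that produces the admin-consent URL a Tenant B administrator opens to provision the enterprise application, builds the ADF AzureBlobStorage linked service definition for this cross-tenant setup, checks it for the two mistakes that commonly break it (the tenant property set to the ADF tenant instead of the storage tenant, and the client secret embedded inline rather than referenced from Key Vault in Tenant A), and optionally verifies that the service principal can obtain a storage token from Tenant B's authority. The tenant IDs, client ID, storage account name, Key Vault linked service and secret name are constructed placeholders (assumptions, not values from the thread); the msal token check is a live call that needs network access and the msal package.

```python
import json

# Constructed placeholders (assumptions for this example, not real tenants or resources).
TENANT_A = "11111111-1111-1111-1111-111111111111"        # ADF and the app registration live here
TENANT_B = "22222222-2222-2222-2222-222222222222"        # storage account lives here
APP_CLIENT_ID = "33333333-3333-3333-3333-333333333333"   # multi-tenant app registered in Tenant A
STORAGE_ACCOUNT = "stcrosstenantdemo"                    # hypothetical storage account in Tenant B
KV_LINKED_SERVICE = "AzureKeyVaultLinkedService"         # hypothetical ADF Key Vault linked service (Tenant A)
SECRET_NAME = "adf-blob-sp-secret"                       # hypothetical Key Vault secret holding the client secret


def admin_consent_url(resource_tenant: str, client_id: str) -> str:
    """URL a Tenant B admin opens to provision the enterprise application
    (service principal) for the multi-tenant app registered in Tenant A.
    The client secret never leaves Tenant A; Tenant B only gets the principal."""
    return (f"https://login.microsoftonline.com/{resource_tenant}"
            f"/adminconsent?client_id={client_id}")


def build_blob_linked_service(name: str, storage_account: str, client_id: str,
                              resource_tenant: str, kv_linked_service: str,
                              secret_name: str) -> dict:
    """ADF AzureBlobStorage linked service using service principal auth.
    'tenant' is the tenant that owns the storage account (Tenant B), even though
    the app registration and its secret live in Tenant A. The secret is pulled
    from Key Vault at run time instead of being stored in the factory."""
    return {
        "name": name,
        "properties": {
            "type": "AzureBlobStorage",
            "typeProperties": {
                "serviceEndpoint": f"https://{storage_account}.blob.core.windows.net/",
                "accountKind": "StorageV2",
                "servicePrincipalId": client_id,
                "servicePrincipalKey": {
                    "type": "AzureKeyVaultSecret",
                    "store": {"referenceName": kv_linked_service,
                              "type": "LinkedServiceReference"},
                    "secretName": secret_name,
                },
                "tenant": resource_tenant,
            },
        },
    }


def check_linked_service(ls: dict, resource_tenant: str) -> list:
    """Return a list of findings (empty list = definition matches the
    cross-tenant pattern). Catches the settings that make the connection fail
    with an authentication error or that keep the secret outside Key Vault."""
    findings = []
    props = ls.get("properties", {})
    tp = props.get("typeProperties", {})
    if props.get("type") != "AzureBlobStorage":
        findings.append("linked service type is not AzureBlobStorage")
    if tp.get("tenant") != resource_tenant:
        findings.append(f"tenant is {tp.get('tenant')!r}; it must be the storage "
                        f"account's tenant {resource_tenant}")
    if tp.get("servicePrincipalKey", {}).get("type") != "AzureKeyVaultSecret":
        findings.append("servicePrincipalKey is not a Key Vault reference; "
                        "keep the secret in Tenant A's Key Vault")
    if not str(tp.get("serviceEndpoint", "")).startswith("https://"):
        findings.append("serviceEndpoint must use https")
    return findings


def acquire_storage_token(client_id: str, client_secret: str, resource_tenant: str) -> str:
    """Live check (needs network and 'pip install msal'; not run offline):
    request a storage token from Tenant B's authority using the Tenant A app's
    credentials. If the enterprise application was never provisioned in Tenant B,
    Entra ID rejects the request with AADSTS700016 (application not found in
    the directory), which is the signature of a missing step 2."""
    import msal
    app = msal.ConfidentialClientApplication(
        client_id,
        authority=f"https://login.microsoftonline.com/{resource_tenant}",
        client_credential=client_secret,
    )
    result = app.acquire_token_for_client(scopes=["https://storage.azure.com/.default"])
    if "access_token" not in result:
        raise RuntimeError(result.get("error_description") or result.get("error"))
    return result["access_token"]


if __name__ == "__main__":
    print("Tenant B admin consent URL:", admin_consent_url(TENANT_B, APP_CLIENT_ID))
    ls = build_blob_linked_service("BlobStorageTenantB", STORAGE_ACCOUNT, APP_CLIENT_ID,
                                   TENANT_B, KV_LINKED_SERVICE, SECRET_NAME)
    print(json.dumps(ls, indent=2))
    print("findings:", check_linked_service(ls, TENANT_B))
```

The generated definition can be deployed from the ADF UI or with the datafactory CLI extension (`az datafactory linked-service create ... --properties @file.json`) against the factory in Tenant A. Running `acquire_storage_token` first, with the secret read from Tenant A's Key Vault, confirms both that the enterprise application exists in Tenant B and that the secret is valid before any pipeline depends on it; the RBAC assignment on the storage account is only exercised once the linked service is tested, so a token that is issued but a connection test that fails with 403 points at the role assignment rather than at identity.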