Kudu via Lighthouse delegated permissions

Phil Dye 21 Reputation points

I have delegated access to Azure resources in a third-party tenant using Lighthouse, and this works fine via the portal; users receive the roles expected (typically Contributor).

However, they are unable to access Kudu (at webappname.scm.azurewebsites.net), receiving an error:

Selected user account does not exist in tenant 'Tenant Name' and cannot access the application 'abfa0a7c-a6b6-4736-8310-5855508787cd' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account.

If the same user account is added as a guest to the third-party tenant and given the same role, they can access Kudu as expected.

It's clear that Kudu is expecting/demanding an account in the same tenant as the application, but Azure Lighthouse delegated permissions is all about not having to do that.

Is there something I'm missing, another role that needs granting, or is Kudu just not compatible with Lighthouse-delegated permissions?


Azure Lighthouse
An Azure service that provides secure managed services and access control for partners and customers.
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.

Accepted answer
  1. ajkuma 18,941 Reputation points Microsoft Employee

    @Phil Dye, thanks for the detailed description of the scenario.

    Currently, Kudu is not compatible with Lighthouse-delegated permissions.

    Our product engineering team is working on it; however, we do not have an exact ETA to share.
    We’re expecting it to be available in a few months. Please note that this timeline is just an estimate and is subject to change, depending on a myriad of factors.

    I have relayed the feedback internally to our product engineering team and it’s being tracked.

    On a side note, as mentioned in this Kudu wiki:
    Only those with Contributor / Owner access (to be exact, with microsoft.web/sites/publish/action or, for slot, microsoft.web/sites/slots/publish/action) can access to Kudu (SCM).

    Much appreciate your valuable feedback on this. Thanks for your patience!
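
Added example, not part of the original thread and not Kudu's or Azure's own code: a check of which role definitions carry the two publish actions the answer quotes, using the Azure RBAC rule that a permission is effective when it matches `Actions` and is not matched by `NotActions`. The role definitions are constructed and abbreviated, their names are hypothetical, and a passing result covers only this RBAC precondition, not the tenant-membership error described in the question.

```python
import re

# Actions quoted in the answer (from the Kudu wiki) as required for SCM access.
KUDU_SITE_ACTION = "microsoft.web/sites/publish/action"
KUDU_SLOT_ACTION = "microsoft.web/sites/slots/publish/action"


def _matches(pattern, action):
    # RBAC action strings compare case-insensitively; '*' is the only wildcard.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def role_allows(role, action):
    """Effective permission: matched by actions and not matched by notActions."""
    allowed = any(_matches(p, action) for p in role.get("actions", []))
    excluded = any(_matches(p, action) for p in role.get("notActions", []))
    return allowed and not excluded


def kudu_access_report(roles):
    """Map role name -> (site SCM allowed, slot SCM allowed)."""
    return {
        r["name"]: (role_allows(r, KUDU_SITE_ACTION), role_allows(r, KUDU_SLOT_ACTION))
        for r in roles
    }


# Constructed sample definitions (abbreviated; not copied from a real tenant).
SAMPLE_ROLES = [
    {"name": "contributor-like", "actions": ["*"],
     "notActions": ["Microsoft.Authorization/*/Write",
                    "Microsoft.Authorization/*/Delete"]},
    {"name": "reader-like", "actions": ["*/read"], "notActions": []},
    {"name": "site-only-custom",
     "actions": ["Microsoft.Web/sites/publish/Action"], "notActions": []},
    {"name": "web-no-publish-custom", "actions": ["Microsoft.Web/sites/*"],
     "notActions": [KUDU_SITE_ACTION, KUDU_SLOT_ACTION]},
]

if __name__ == "__main__":
    for name, (site, slot) in kudu_access_report(SAMPLE_ROLES).items():
        print(f"{name:24} site SCM: {site!s:5}  slot SCM: {slot}")
```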

1 additional answer

  1. Phil Dye 21 Reputation points

    Some months on, is there any update on this being available? I don't see an issue in the Kudu GitHub that I can track.