แก้ไข

แชร์ผ่าน


Share gallery VM images across Azure tenants using an app registration

With Azure Compute Galleries, you can share an image to another organization by using an app registration. For more information about other sharing options, see the Share the gallery.

But, if you want to share images outside of your Azure tenant, at scale, you should create an app registration. Using an app registration can enable more complex sharing scenarios, like:

  • Managing shared images when one company acquires another, and the Azure infrastructure is spread across separate tenants.
  • Azure Partners manage Azure infrastructure on behalf of their customers. Customization of images is done within the partners tenant, but the infrastructure deployments will happen in the customer's tenant.

Create the app registration

Create an application registration that will be used by both tenants to share the image gallery resources.

  1. Open the App registrations in the Azure portal.
  2. Select New registration from the menu at the top of the page.
  3. In Name, type myGalleryApp.
  4. In Supported account types, select Accounts in any organizational directory (Any Microsoft Entra directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox).
  5. In Redirect URI, select Web from the Select a platform dropdown and type https://www.microsoft.com, then select Register. After the app registration has been created, the overview page will open.
  6. On the overview page, copy the Application (client) ID and save for use later.
  7. Select Certificates & secrets, and then select New client secret.
  8. In Description, type Gallery cross-tenant app secret.
  9. In Expires, change from the default of 6 months (recommended) to 12 months and then select Add.
  10. Copy the value of the secret and save it to a safe place. You cannot retrieve it after you leave the page.

Give the app registration permission to use the gallery.

  1. In the Azure portal, select the Azure Compute Gallery that you want to share with another tenant.
  2. Select select Access control (IAM), and under Add role assignment select Add.
  3. Under Role, select Reader.
  4. Under Assign access to:, leave this as Microsoft Entra user, group, or service principal.
  5. Under Select members, type myGalleryApp and select it when it shows up in the list. When you are done, select Review + assign.

Give Tenant 2 access

Give Tenant 2 access to the application by requesting a sign-in using a browser. Replace <Tenant2 ID> with the tenant ID for the tenant that you would like to share your image gallery with. Users can see their tenant ID using the Azure CLI command az account show.

Replace <Application (client) ID> with the application ID of the app registration you created. When done making the replacements, paste the URL into a browser and follow the sign-in prompts to sign into Tenant 2.

https://login.microsoftonline.com/<Tenant 2 ID>/oauth2/authorize?client_id=<Application (client) ID>&response_type=code&redirect_uri=https%3A%2F%2Fwww.microsoft.com%2F 

In the Azure portal sign in as Tenant 2 and give the app registration access to the resource group where you want to create the VM.

  1. Select the resource group and then select Access control (IAM). Under Add role assignment select Add.
  2. Under Role, type Contributor.
  3. Under Assign access to:, leave this as Microsoft Entra user, group, or service principal.
  4. Under Select members type myGalleryApp then select it when it shows up in the list. When you are done, select Review + assign.

Note

You need to wait for the image version to completely finish being built and replicated before you can use the same managed image to create another image version.

Important

You cannot use the portal to deploy a VM from an image in another azure tenant. To create a VM from an image shared between tenants, you must use the Azure CLI or PowerShell.

Create the VM

You will need the following before creating a VM from an image shared to you using an app registration:

  • The tenant IDs from both the source subscription and the subscription where you want to create the VM.
  • The client ID of the app registration and the secret.
  • The image ID of the image that you want to use.

Sign in the service principal for tenant 1 using the appID, the app key, and the ID of tenant 1. You can use az account show --query "tenantId" to get the tenant IDs if needed.

In this example, we are showing how to create a VM from a generalized image. If you are using a specialized image, see Create a VM using a specialized image version.


tenant1='<ID for tenant 1>'
tenant2='<ID for tenant 2>'
appid='<client ID of the app registration>'
secret='<secret from the app registration>'

az account clear
az login --service-principal -u $appid -p $secret --tenant $tenant1
az account get-access-token 

Sign in the service principal for tenant 2 using the appID, the app key, and the ID of tenant 2:

az login --service-principal -u $appid -p $secret --tenant $tenant2
az account get-access-token

Create the VM. Replace the information in the example with your own.

imageid="<ID of the image that you want to use>"
az vm create \
  --resource-group myResourceGroup \
  --name myVM \
  --image $imageid \
  --admin-username azureuser \
  --generate-ssh-keys