How to create a multi-tenant Service Principal in Azure using Terraform

I have a service principal in one tenant that needs access to an Azure Container Registry in another tenant. However, I am not sure as to how to create the azurerm_role_assignment for the same. Is there a way to configure the service principal as multi-tenant such that it can have role assignments in both the tenants accordingly?

Monkey answered 13/1, 2021 at 6:9
You can update the service principal to multi-tenant: learn.microsoft.com/en-us/azure/active-directory/develop/… – Flail
Can this be done through Terraform? – Monkey
Sorry, I don’t know Terraform very well, is this document helpful to you? azurecitadel.com/automation/terraform/lab5 – Flail
Hi, did you have a chance to check my answer? Is it helpful? – Crone

Firstly, set available_to_other_tenants = true for the Azure AD application and service principal in Terraform.

Now that the service principal exists in your tenant, the quickest method to get the service principal created in another tenant is admin consent.

https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id={client-id}

Replace the {tenant-id} with the real tenant id of "another tenant". {client-id} is the application id of the azure ad app or service principal.

Access the url in a browser. Use an admin account of "another tenant" to sign in to accept the permissions. Then the service principal will be created in "another tenant".

Now you can create the azurerm_role_assignment for the new service principal (it's a different service principal from the original one, and that is how multi-tenant applications work) created in "another tenant".

Crone answered 13/1, 2021 at 6:28
Hey, the only issue with this is that the service principal will have admin consent across the entire tenant, which is definitely not feasible. If this can be done without admin consent that would be perfect. – Monkey
@AkashMasand Please note that if you didn't assign any permissions to the original service principal, the new service principal in "another tenant" also has no permissions. You CAN control the permissions. And the most important thing is that this is how multi-tenant applications work. See more details at learn.microsoft.com/en-us/azure/active-directory/develop/…. – Crone
@AkashMasand No. If the new service principal is used in that tenant, admin consent is inevitable. As I have mentioned, it is how multi-tenant apps work. If you don't accept it, you cannot use a multi-tenant app. – Crone
@AkashMasand When we say a multi-tenant app, it doesn't mean the service principal in your tenant accesses the data in the other tenant. It in fact adds a new service principal (with the same application id) into the other tenant and uses it to access the data in that tenant. No matter what method you use to add the new service principal, when you use it for authentication, the consent process will be required. Using the admin consent endpoint is the quickest way to make it work. – Crone
@AkashMasand If you have any other concerns, please let me know. – Crone
Hey. I tried this out today and it complains of an invalid Redirect URI. It seems it needs a Redirect URI. – Monkey
@AkashMasand In general, we don't need a redirect URI. But if it requires one, just add it like this: https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id={client-id}&redirect_uri={url}. Make sure it is the same as the one you set in the Azure AD app registration. – Crone
What do I add in the value of redirect_uri? I do not have an application to redirect to. – Monkey
@AkashMasand It doesn't matter. Just set it as https://localhost/ for test. – Crone
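As an added example (not code from the answer's author), one way to wire this up end to end in Terraform, assuming azuread provider 1.x (which still spells the setting available_to_other_tenants), placeholder tenant/subscription ids and registry name, and that the admin-consent step above has already been completed in the other tenant:

```hcl
# Placeholders in angle brackets are assumptions, not values from the thread.
provider "azuread" {
  tenant_id = "<home-tenant-id>"
}
# Second provider instances, authenticated to the other tenant (credentials
# such as client_id/client_secret or ARM_* variables are not shown).
provider "azuread" {
  alias     = "other"
  tenant_id = "<other-tenant-id>"
}

provider "azurerm" {
  alias           = "other"
  features {}
  tenant_id       = "<other-tenant-id>"
  subscription_id = "<other-subscription-id>"
}

# Home tenant: multi-tenant app registration plus its service principal.
# (azuread provider 2.x spells this sign_in_audience = "AzureADMultipleOrgs".)
resource "azuread_application" "acr_client" {
  name                       = "acr-pull-client"
  available_to_other_tenants = true
}

resource "azuread_service_principal" "home" {
  application_id = azuread_application.acr_client.application_id
}

# Other tenant: after an admin there has granted consent, it holds its own
# service principal object (different object_id, same application_id).
data "azuread_service_principal" "other" {
  provider       = azuread.other
  application_id = azuread_application.acr_client.application_id
}

data "azurerm_container_registry" "acr" {
  provider            = azurerm.other
  name                = "<acr-name>"
  resource_group_name = "<acr-resource-group>"
}

# Least privilege: AcrPull only, scoped to this registry, not the subscription.
resource "azurerm_role_assignment" "acr_pull" {
  provider             = azurerm.other
  scope                = data.azurerm_container_registry.acr.id
  role_definition_name = "AcrPull"
  principal_id         = data.azuread_service_principal.other.object_id
}
```

The data source lookup in the other tenant is the check that consent actually happened: it fails until that tenant's own service principal object for the application exists, and its object_id (not the home tenant's) is what the role assignment must reference.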

The URL in the accepted answer did not work for me, but the one that was deleted did work, so I will post it here for those who have the same trouble:

https://login.microsoftonline.com/[new-tenant-id]/oauth2/authorize?client_id=[client-id]&response_type=code&redirect_uri=https://localhost
Takara answered 30/6, 2022 at 10:9
This is not a link to the solution, it is the solution itself. I am not sure about duplicates, but the answer to this question is not working anymore (or at least not for me), so I have posted the URL that works for me (it is the solution, not a URL to the solution). – Takara
It is just the correct URL to use for this use case at Microsoft, nothing much more to it :) – Takara
