I'm trying to use the new Azure Virtual Network peering feature (currently in public preview) to join two networks I have on two different subscriptions, i.e. different tenants. Is this possible? I've not seen anything to say otherwise, but when I try to peer them in PowerShell I get the following error.
The client has permission to perform action 'Microsoft.Network/virtualNetworks/peer/action' on scope '/subscriptions/{Guid2}/resourceGroups/Default-Sydney/providers/Microsoft.Network/virtualNetworks/SYDVN/virtualNetworkPeerings/LinkToSYDVN', however the linked subscription '{Guid1}' is not in current tenant '{Guid3}'.
Full error and command:
PS C:\Windows\system32> Add-AzureRmVirtualNetworkPeering -name LinkToSYDVN -VirtualNetwork $SYDVN -RemoteVirtualNetworkId "/subscriptions/{Guid1}/resourceGroups/Default-Sydney/providers/Microsoft.Network/virtualNetworks/SYDVN1" -BlockVirtualNetworkAccess
WARNING: The output object type of this cmdlet will be modified in a future release.
Add-AzureRmVirtualNetworkPeering : The client has permission to perform action 'Microsoft.Network/virtualNetworks/peer/action' on scope '/subscriptions/{Guid2}/resourceGroups/Default-Sydney/providers/Microsoft.Network/virtualNetworks/SYDVN/virtualNetworkPeerings/LinkToSYDVN', however the linked subscription '{Guid1}' is not in current tenant '{Guid3}'.
StatusCode: 403
ReasonPhrase: Forbidden
OperationID : '{Guid4}'
At line:1 char:1
+ Add-AzureRmVirtualNetworkPeering -name LinkToSYDVN -VirtualNetwork $S ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Add-AzureRmVirtualNetworkPeering], NetworkCloudException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Network.AddAzureVirtualNetworkPeeringCommand
Any help will be much appreciated.
UPDATE
From an MS tech, Loydon:
"VNet peering relies on ARM RBAC for authorization. However, ARM RBAC does not support cross-tenant linked access checks, so both subscriptions must belong to the same Azure Active Directory tenant. Therefore VNet peering is currently limited to a customer's subscriptions in the same Azure Active Directory domain. This gives them the same tenant stamp, which allows the peering to occur. We offer no support for linking VNets across subscriptions in different AAD tenants."
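The tenant check that the peering call performs, done up front in PowerShell, as an added example that is not part of the original post or of Microsoft's tooling. It assumes the AzureRM module (the same cmdlet family as the post) is loaded and the account is already signed in; the subscription GUIDs, VNet names and the helper function names are placeholders standing in for the poster's {Guid1}/{Guid2} values. The point it demonstrates is the one in the MS reply: the remote VNet's subscription must resolve to the same TenantId as the local one, otherwise ARM will refuse the peer/action with a 403 no matter what RBAC role the caller holds.

```powershell
# Added example (not from the original post). Assumes the AzureRM module is loaded
# and Login-AzureRmAccount has been run for an account that can see both subscriptions.

function Get-SubscriptionIdFromResourceId {
    param([Parameter(Mandatory)][string]$ResourceId)
    # ARM resource IDs have the form /subscriptions/<guid>/resourceGroups/<rg>/providers/...
    if ($ResourceId -match '^/subscriptions/([0-9a-fA-F-]{36})/') { return $Matches[1] }
    throw "Not an ARM resource ID: $ResourceId"
}

function Test-SameTenant {
    param(
        [Parameter(Mandatory)][string]$LocalVnetId,
        [Parameter(Mandatory)][string]$RemoteVnetId
    )
    $localSub  = Get-SubscriptionIdFromResourceId $LocalVnetId
    $remoteSub = Get-SubscriptionIdFromResourceId $RemoteVnetId

    # Get-AzureRmSubscription only lists subscriptions visible to the signed-in account.
    # A subscription that lives in a foreign tenant simply does not come back, which is
    # the same condition the peering call rejects with "not in current tenant".
    $local  = Get-AzureRmSubscription -SubscriptionId $localSub  -ErrorAction Stop
    $remote = Get-AzureRmSubscription -SubscriptionId $remoteSub -ErrorAction SilentlyContinue
    if (-not $remote) {
        Write-Warning "Subscription $remoteSub is not visible from this sign-in; it is probably in another AAD tenant."
        return $false
    }
    if ($local.TenantId -ne $remote.TenantId) {
        Write-Warning "Tenant mismatch: $localSub is in tenant $($local.TenantId), $remoteSub is in tenant $($remote.TenantId)."
        return $false
    }
    return $true
}

# Placeholder IDs (hypothetical) in the same shape as the post's {Guid2} (local) and {Guid1} (remote).
$localVnetId  = '/subscriptions/00000000-0000-0000-0000-000000000002/resourceGroups/Default-Sydney/providers/Microsoft.Network/virtualNetworks/SYDVN'
$remoteVnetId = '/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/Default-Sydney/providers/Microsoft.Network/virtualNetworks/SYDVN1'

if (Test-SameTenant -LocalVnetId $localVnetId -RemoteVnetId $remoteVnetId) {
    # Only now is the peering attempt worth making; run it in the local VNet's subscription.
    Select-AzureRmSubscription -SubscriptionId (Get-SubscriptionIdFromResourceId $localVnetId) | Out-Null
    $vnet = Get-AzureRmVirtualNetwork -Name 'SYDVN' -ResourceGroupName 'Default-Sydney'
    Add-AzureRmVirtualNetworkPeering -Name 'LinkToSYDVN' -VirtualNetwork $vnet -RemoteVirtualNetworkId $remoteVnetId
} else {
    Write-Error 'Refusing to attempt peering: the two subscriptions are not in the same Azure AD tenant.'
}
```

Note that passing the tenant check is necessary but not sufficient: the caller still needs Microsoft.Network/virtualNetworks/peer/action on both VNets (the error in the post shows that permission being granted on the local side only), and a peering is not established until the matching link is created from the remote VNet as well.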