I have a multi-tenant application that manages Azure Resources on behalf of a customer. We have no issues managing resources using the app once the service principal is created and roles are defined.

However, we have a use case where we have a second system that works on a per customer basis and it only manages a single subscription. Is there any way I could make an account that only has access to that single subscription?

I attempted to set a password for the Service Principal that was created. Unfortunately, it appears that you cannot log in to Azure using the Service Principal account if the App associated with the service principal is not in the same tenant.

1 Answer

You need to have a service principal registered in the tenant with access to subscription resources via Azure's RBAC. With the multi-tenant app, a service principal is generated when a user consents to its permissions.

For your scenario, you'll need to create an application in their Azure AD tenant (which automatically creates a service principal for the app in the tenant). Then you need to give the service principal a role on the subscription. Then you can get access tokens with the service principal's application id and secret. You cannot log in through the normal login form. You need to do client credentials authentication against Azure AD, and you will get an access token in the response, which you can then use to authenticate requests to Azure's ARM API.

Do ask if you need details on some steps :)
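The flow the answer describes, as an added example (not code from the question or the answer): a client-credentials token request against the customer tenant's Azure AD endpoint, a check of the token response, and an ARM call listing the resource groups of the one subscription the service principal was granted a role on. It assumes the app registration already exists in the customer's tenant, that its service principal already holds a role (for example Reader) on the subscription, and that the tenant id, application (client) id, client secret and subscription id are supplied by the reader through the environment variables named below; the token JSON in `SAMPLE_TOKEN_RESPONSE` is constructed for illustration and is not a real token.

```python
"""Client-credentials flow against Azure AD, followed by one ARM API call.

Added example, not part of the original answer. Assumes the app registration
and its service principal already exist in the customer's tenant and the
service principal holds a role on the target subscription.
"""
import json
import os
import time
import urllib.parse
import urllib.request

LOGIN_BASE = "https://login.microsoftonline.com"
ARM_BASE = "https://management.azure.com"
ARM_SCOPE = "https://management.azure.com/.default"


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form_body) for the v2.0 client-credentials grant.

    The token is requested from the customer's tenant endpoint. The app must
    have a service principal in that tenant, which is why signing in with the
    service principal's password through the normal login form does not work
    across tenants.
    """
    url = f"{LOGIN_BASE}/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": ARM_SCOPE,
    }
    return url, urllib.parse.urlencode(form).encode()


def parse_token_response(body):
    """Extract the bearer token and an absolute expiry from the JSON response.

    Surfaces Azure AD's error payload instead of a KeyError, and refuses any
    token_type other than Bearer so a misconfigured endpoint cannot hand back
    something that would then be sent to ARM.
    """
    data = json.loads(body)
    if "error" in data:
        raise RuntimeError(
            f"token request failed: {data['error']}: {data.get('error_description', '')}"
        )
    if data.get("token_type", "").lower() != "bearer":
        raise RuntimeError(f"unexpected token_type {data.get('token_type')!r}")
    expires_at = time.time() + int(data["expires_in"])
    return data["access_token"], expires_at


def build_arm_request(subscription_id, access_token, api_version="2021-04-01"):
    """Return a urllib Request listing the resource groups in one subscription."""
    url = (
        f"{ARM_BASE}/subscriptions/{subscription_id}/resourceGroups"
        f"?api-version={api_version}"
    )
    headers = {"Authorization": f"Bearer {access_token}", "Accept": "application/json"}
    return urllib.request.Request(url, headers=headers)


def list_resource_groups(tenant_id, client_id, client_secret, subscription_id):
    """End to end: obtain a token, then call ARM. Needs network access."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    token_req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(token_req) as resp:
        token, _expires_at = parse_token_response(resp.read())
    with urllib.request.urlopen(build_arm_request(subscription_id, token)) as resp:
        return [rg["name"] for rg in json.load(resp)["value"]]


# Constructed sample of a successful Azure AD token response (not a real token).
SAMPLE_TOKEN_RESPONSE = json.dumps(
    {"token_type": "Bearer", "expires_in": 3599, "access_token": "eyJ0eXAi.example.sig"}
)


if __name__ == "__main__":
    # Environment variable names are this example's own convention.
    names = list_resource_groups(
        os.environ["AZURE_TENANT_ID"],
        os.environ["AZURE_CLIENT_ID"],
        os.environ["AZURE_CLIENT_SECRET"],
        os.environ["AZURE_SUBSCRIPTION_ID"],
    )
    print("\n".join(names))
```

Because the role assignment is scoped to `/subscriptions/<id>`, the token this obtains is only useful against that subscription even though it is a full ARM token; a request against any other subscription in the tenant is rejected by RBAC, which is the per-customer isolation the question asks for. Keep the client secret out of source control and rotate it on the schedule the customer's tenant expects.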