0
votes

I am trying to create a nested ARM-template to deploy resources to subscriptions in different Azure AD tenants.

For guidance I used this site: Deploy Azure resources to more than one subscription or resource group

There it says "If the specified subscription exists in a different Azure Active Directory tenant, you must add guest users from another directory." which leads me to believe that this should be possible.

I have an account in Tenant A (6f16...) which is Azure AD Global Administrator and Contributor to the CSP Subscription (04c5...) which is assigned to Tenant A.

I have added this account in Tenant B (1ffc...) as "New guest user" and assigned him as Contributor to the Pay-As-You-Go Subscription (ebda...) and also made him Global Administrator in the Azure AD from Tenant B.

To keep it simple I used the first example template on the site which should deploy two storage accounts in two different resource groups and two different subscriptions.

In the parameters file I indicated for 'secondSubscriptionID' the subscription ID (ebda...) assigned to Tenant B (1ffc...) and an existing resource group in that subscription for 'secondResourceGroup':

      ...
      "secondResourceGroup": {
        "value": "existing-resource-group-in-Ten-B"
      },
      "secondSubscriptionID": {
        "value": "ebda..."
      },
      ...

I am trying to deploy it through Azure CLI:

az login -u <emailaddress> -p <pw>
az account set --subscription 04c5...
az group deployment create --resource-group "existing-resource-group-in-Ten-A" `
--template-file stor.temp.json --parameters @stor.para.json

I receive this error message:

Azure Error: CrossTenantDeploymentNotPermitted
Message: The template deployment tries to deploy resources to subscription 'ebda...'. 
However, the current tenant '6f16...' is not authorized to 
deploy resources to that subscription. 
Please see https://aka.ms/arm-template/#resources for usage details.

I received the same error message in the Azure Portal and with PowerShell. I also tried it with other tenants/subscriptions.

Am I missing some permissions? Is this even supported?

Is there a better way to deploy resources to multiple tenants than this one?


1 Answer

0
votes

You log into tenant A and set the subscription to 0c45 in tenant A, but you reference subscription ebda in tenant B in your ARM template.

You have to login and set Tenant B / subscription ebda.

https://github.com/MicrosoftDocs/azure-docs-cli/issues/667

az login --username <myEmailAddress> -t <tenantIDofTenantB>
az account set --subscription <TenantBSubscriptionId>
az group deployment create ......