Multi-tenant Service Principal for use across Subscriptions

0
votes

I have a Terraform plan that needs to provision resources in different Azure Subscriptions that use different AzureAD instances.

Is it possible to create a single Service Principal for Terraform to use across Subscriptions? The SP shadow copied to the all AD instances? And then assign that one SP RBAC on each subscription... If possible, what are the cli commands to create the SP and copy it to each AD?

Maybe I'm mistaken but I think that's the purpose of the AvailableToOtherTenants parameter??? https://docs.microsoft.com/en-us/powershell/module/az.resources/new-azadapplication?view=azps-4.3.0#parameters

1
azure-active-directory

1 Answers

1
votes

Service Principals are specific to your tenant, it's similar in concept to a service user. The "available to other tenants" parameter is for application registrations. eg. if you are developing a multitenant app, you activate that so that other tenants can authenticate to your application. they are 2 different and separate concepts.

in terms of terraform, https://azurecitadel.com/automation/terraform/lab5/ in here it describes how to do multi tenancy, basically what you need is a service principal for each tenant and put the details in provider blocks.

as per: https://www.terraform.io/docs/providers/azurerm/index.html#argument-reference the bottom says

It's also possible to use multiple Provider blocks within a single Terraform configuration, for example to work with resources across multiple Subscriptions - more information can be found in the documentation for Providers.

This is basically what you need to do.