Can two Azure tenants (with RBAC) use a storage account for data exchange? We tried and are getting a 401 error. Any help to resolve this is much appreciated.
Below is our scenario...

Tenant 1: tenantA
Multi Tenant App: appA (daemon app type)

Tenant 2: tenantB
Storage Account: storageB
Tenant admin consented "appA" and granted the 'Storage Blob Data Contributor' application permission on storageB. Below is how we set the permissions (we chose Microsoft Graph User.Read.All for lack of knowledge of what else to choose): [screenshot of the permission setup]

Now, can tenantA write to storageB using the Azure Storage SDK?

Well, we are getting the exception below when we tried!

Azure.RequestFailedException: Server failed to authenticate the request. Please refer to the information in the www-authenticate header.
RequestId:ab6e2992-001e-0089-16dd-d52538000000
Time:2020-12-19T08:07:07.8901668Z
Status: 401 (Server failed to authenticate the request. Please refer to the information in the www-authenticate header.)
Error Code: InvalidAuthenticationInfo

Headers:
Server: Microsoft-HTTPAPI/2.0
x-ms-request-id:

Comments:

Are you able to just use the storage account keys? (Bevan)
This is now resolved; the issue was... We switched from using the app host tenant ID (tenantA) to the consented tenant ID (tenantB). (user3023949)
If your issue was solved, you can post it as an answer instead of a comment. (Joy Wang-MSFT)
@user3023949 Hey, thanks for your contribution. I posted an answer for others to refer to. Of course, I will delete it if you post the answer. (Doris Lv)

1 Answer

The answer is yes: two Azure tenants (with RBAC) can use a storage account for data exchange.

Thanks to user3023949's contribution; I post the answer here for others to refer to:

What you need is to make tenantB consent to the application's client ID, rather than tenantA. You can do it through the URL:

https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id={client-id}

where:

{client-id} is the application's client ID (also known as app ID).

{tenant-id} is your organization's tenant ID or any verified domain name.

Follow the Microsoft documentation section "Construct the URL for granting tenant-wide admin consent".
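The underlying cause of the 401 InvalidAuthenticationInfo in the question is that the daemon requested its token from the tenant that hosts the app (tenantA), so the token's `tid` claim names tenantA, while storageB only accepts tokens issued by its own tenant (tenantB), where the app was consented and the Storage Blob Data Contributor role was assigned. The following is an added example, not code from the question or the answer: it builds the admin consent URL from the answer for the resource tenant, and runs an offline diagnostic that decodes an access token's `tid` and `aud` claims to explain why a tenantA-issued token is rejected. All tenant and client IDs are constructed placeholders, and the sample tokens are unsigned stand-ins that mimic only the claim layout of a real Azure AD token. With `azure-identity` the fix corresponds to passing tenantB's ID as the `tenant_id` of `ClientSecretCredential`, so the token is minted by the consented tenant.

```python
import base64
import json
from urllib.parse import quote

AAD_LOGIN = "https://login.microsoftonline.com"
# Well-known resource identifier Azure Storage expects in the token's "aud" claim.
STORAGE_AUDIENCE = "https://storage.azure.com/"

# Constructed placeholder IDs for the demonstration (not real tenants or apps).
TENANT_A = "11111111-1111-1111-1111-111111111111"  # tenant that hosts appA
TENANT_B = "22222222-2222-2222-2222-222222222222"  # tenant that owns storageB
CLIENT_ID = "33333333-3333-3333-3333-333333333333"  # appA's application (client) ID


def admin_consent_url(tenant_id: str, client_id: str) -> str:
    """Tenant-wide admin consent URL from the answer above.

    tenant_id must be the tenant that owns the resource (tenantB here),
    not the tenant that registered the application.
    """
    return (f"{AAD_LOGIN}/{quote(tenant_id, safe='')}"
            f"/adminconsent?client_id={quote(client_id, safe='')}")


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def token_claims(access_token: str) -> dict:
    """Decode the payload of a compact JWT without verifying its signature.

    Diagnostic only, for inspecting a token you obtained yourself; the
    signature is not checked, so these claims are not trustworthy input
    for an authorization decision.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_storage_token(access_token: str, resource_tenant_id: str) -> list:
    """Return the reasons a storage account in resource_tenant_id would
    reject this token; an empty list means the claims look right."""
    claims = token_claims(access_token)
    problems = []
    tid = claims.get("tid")
    if tid != resource_tenant_id:
        problems.append(
            f"tenant mismatch: token issued by tid={tid!r}, but the storage "
            f"account belongs to {resource_tenant_id!r}; request the token "
            f"from {AAD_LOGIN}/{resource_tenant_id} after admin consent there")
    aud = claims.get("aud")
    if aud not in (STORAGE_AUDIENCE, STORAGE_AUDIENCE.rstrip("/")):
        problems.append(
            f"audience mismatch: aud={aud!r}, expected {STORAGE_AUDIENCE!r} "
            f"(request the scope 'https://storage.azure.com/.default')")
    return problems


def make_sample_token(tenant_id: str, audience: str) -> str:
    """Build an unsigned sample token so the diagnosis can run offline.

    Azure would never accept this; it only mimics the claim layout
    (tid, aud, appid, iss) of a real Azure AD access token.
    """
    header = {"alg": "none", "typ": "JWT"}
    payload = {"aud": audience, "tid": tenant_id, "appid": CLIENT_ID,
               "iss": f"https://sts.windows.net/{tenant_id}/"}
    return (_b64url_encode(json.dumps(header).encode())
            + "." + _b64url_encode(json.dumps(payload).encode()) + ".")


if __name__ == "__main__":
    print("consent URL for tenantB:", admin_consent_url(TENANT_B, CLIENT_ID))
    samples = (("token minted by tenantA", make_sample_token(TENANT_A, STORAGE_AUDIENCE)),
               ("token minted by tenantB", make_sample_token(TENANT_B, STORAGE_AUDIENCE)))
    for name, tok in samples:
        print(name, "->", diagnose_storage_token(tok, TENANT_B) or ["ok"])
```

Running the script prints the consent URL for tenantB and shows that the tenantA-minted token is flagged with a tenant mismatch while the tenantB-minted one passes; in a real deployment the same check is useful against a token obtained from the daemon's credential before blaming the RBAC role assignment, which Azure evaluates only after the token's issuing tenant has been accepted.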