give access to service principal which is in another azure tenant

Question

we deploy resources in our Azure tenant through Jenkins which uses terraform to provision infra resources. and we use service principal for authentication and infra provisioning which are in same tenant. in our infra deployment we also create VNET peering with the new Vnet which get deployed and our central VNET which has all the infra resources like monitoring and logging platform. now we have a use case where by using the same Jenkins and terraform scripts we want to provision resources on different tenant. this can be done by using the service principal of remote tenant. but now issue is service principal of TenantB do not have rights to create network resources in TenantA. to make this happen service principal of TenantB should have access on Vnet in TenantA. i am looking for documentation or guidance how we can give access to service principal of TenantB in our TenantA?

Answer 1

• Hoping that you have created a service principal a service principal using multi-tenant authentication (if single-tenant please change the authentication method to multi-tenant) , add a redirect uri https://www.microsoft.com.

• After you have created the service principal you can open the below url in a private browser for adding it on another tenant:

   https://login.microsoftonline.com/<Tenant B ID>/oauth2/authorize?client_id=<Application (client in tenant A)
  ID>&response_type=code&redirect_uri=https%3A%2F%2Fwww.microsoft.com%2F
  

  It will ask for authorization on behalf of organization , you can accept it.

• After the above is done , then you can login to portal of that tenant and go to enterprise application you will see that , provide role assignment for that subscription (owner/contributor).

• After this is done you can use something like the below terraform script:

provider "azurerm" {
    alias = "tenantA"
    subscription_id = "b83c1ed3-xxxxx-xxxxxx-xxxxxx-xxxxxx" #subid for tenant A
    tenant_id = "72f988bf-xxxxxx-xxxxx-xxxxxxx-xxxxxx"#tenantid of tenant A
    client_id = "f6a2f33d-xxxx-xxxx-xxxxx-xxxxxxxx"#client id of service principal in tenant A
    client_secret = "y5L7Q~oiMOoGCxm7fK~xxxxxxxxxxxxxxx"#client secret of service principal in tenant A
    auxiliary_tenant_ids = ["ab078f81-xxxxxx-xxxxxxxx-xxxxxx"]# tenant id of tenant B
    features {}
}

provider "azurerm"{
    alias = "tenantB"
    subscription_id = "88073b30-xxx-xxxxx-xxxxx-xxxxxxx"#sub id of tenant B
    tenant_id = "ab078f81-xxxxx-xxxxxxx-xxxxxxxxx" # tenant id of tenant B
    client_id = "f6a2f33d-xxxx-xxxxxx-xxxxxx-xxxxxx" #client id of service principal in tenant A
    client_secret = "y5L7Q~oiMOoGCxm7fK~xxxxxxxxxxxxxxxx" #client secret of service principal in tenant A
    auxiliary_tenant_ids = ["72f988bf-xxxx-xxxxx-xxxxxxxxxx-xx"] # tenant id of tenant A
    features {}
}

data "azurerm_resource_group" "tenantARG"{
    provider = azurerm.tenantA
    name = "reswourcegroup"
}

data "azurerm_resource_group" "tenantBRG"{
    provider = azurerm.tenantB
    name = "ansuman-resourcegroup"
}

data "azurerm_virtual_network" "GlobalVnet"{
    provider = azurerm.tenantA
    name = "ansuman-vnet"
    resource_group_name= data.azurerm_resource_group.tenantARG.name
}

data "azurerm_virtual_network" "tenantBVnet"{
    provider = azurerm.tenantB
    name = "test-vnet"
    resource_group_name= data.azurerm_resource_group.tenantBRG.name
}

resource "azurerm_virtual_network_peering" "example-1" {
    provider= azurerm.tenantA
  name                      = "peer1to2"
  resource_group_name       = data.azurerm_resource_group.tenantARG.name
  virtual_network_name      = data.azurerm_virtual_network.GlobalVnet.name
  remote_virtual_network_id = data.azurerm_virtual_network.tenantBVnet.id
}

resource "azurerm_virtual_network_peering" "example-2" {
    provider = azurerm.tenantB
  name                      = "peer2to1"
  resource_group_name       = data.azurerm_resource_group.tenantBRG.name
  virtual_network_name      = data.azurerm_virtual_network.tenantBVnet.name
  remote_virtual_network_id = data.azurerm_virtual_network.GlobalVnet.id
}

Output:

Note: In my test case , I have used 2 vnets present in different tenants. I created a service principal in tenant A and provided contributor permissions to it in tenant B using the above methods and then used terraform to perform the vnet peering.