What Azure account to use to run a Python script on resources in multiple Azure tenants?


I am testing a Python script that will check the tags of each resource in Azure. This script gets the list of resources from a CSV file where resources from different tenants are listed.

For testing purposes I am using my Azure account, which is present in one tenant only, so the script fails when I get to the resources in the other tenants.

What account/solution should I use to get information from different tenants from my script?

Any ideas?

I tried to connect with az login to different accounts on each tenant, but the only token that is kept is the one for the last account I logged in to, so it is impossible to log in to multiple accounts with Azure CLI.

I guess it would be the same with a service principal, as it is known in only one tenant.

Naveen Sharma On

Yes, you can make use of one multi-tenant application to access resources on multiple Azure tenants.

Create a Multi-Tenant Microsoft Entra ID application in TenantA:


Create the Enterprise application in TenantB by using the New-AzADServicePrincipal -ApplicationId <AppIdOFMultitenantappFromTenantA> command.

Assign the Reader role to the Enterprise application in TenantB:


To access TenantB resources, log in as shown below:

az login --service-principal -u ServicePrincipalID -p "ClientSecret" -t TenantBID

And I used the below sample code to fetch resources and resource tags of TenantB:

from azure.identity import DefaultAzureCredential
from azure.mgmt.resource import ResourceManagementClient

# DefaultAzureCredential can reuse the Azure CLI login made above
credential = DefaultAzureCredential()
# The second argument is the subscription ID to query
resource_client = ResourceManagementClient(credential, "b83c1ed3-c5b6-44fb-b5ba-2b83a074c23f")
resources = resource_client.resources.list()

# Print the name and tags of every resource in the subscription
for resource in resources:
    print(f"Resource name: {resource.name}")
    print(f"Resource tags: {resource.tags}")


Reference:

Azure Authentication with Multi-Tenant Application | by Cloud Journey | Medium
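
Added example (not part of the original answer): the answer's approach applied to the CSV scenario from the question, building one ClientSecretCredential per tenant for the same multi-tenant app instead of switching az login sessions. The CSV column names, the sample IDs, the function names and reading the app's ID and secret from AZURE_CLIENT_ID / AZURE_CLIENT_SECRET are assumptions of this example.

```python
import csv
import io
import os
from collections import defaultdict

# Constructed sample input; column names and IDs are assumptions of this example.
SAMPLE_CSV = """tenant_id,resource_id
aaaaaaaa-0000-0000-0000-000000000000,/subscriptions/11111111-0000-0000-0000-000000000000/resourceGroups/rg-a/providers/Microsoft.Storage/storageAccounts/sta
aaaaaaaa-0000-0000-0000-000000000000,/subscriptions/11111111-0000-0000-0000-000000000000/resourceGroups/rg-a/providers/Microsoft.Compute/virtualMachines/vm1
bbbbbbbb-0000-0000-0000-000000000000,/subscriptions/22222222-0000-0000-0000-000000000000/resourceGroups/rg-b/providers/Microsoft.KeyVault/vaults/kvb
"""

def group_by_tenant_and_subscription(csv_text):
    """Map (tenant_id, subscription_id) -> set of lower-cased resource IDs."""
    groups = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        rid = row["resource_id"].strip()
        parts = rid.split("/")
        if len(parts) < 3 or parts[1].lower() != "subscriptions":
            raise ValueError(f"not an ARM resource ID: {rid!r}")
        groups[(row["tenant_id"].strip(), parts[2].lower())].add(rid.lower())
    return groups

def azure_client_factory(tenant_id, subscription_id):
    """Client for one subscription, authenticated against that subscription's tenant."""
    from azure.identity import ClientSecretCredential
    from azure.mgmt.resource import ResourceManagementClient
    # Same app ID and secret everywhere; only the tenant the token is requested from changes.
    credential = ClientSecretCredential(
        tenant_id, os.environ["AZURE_CLIENT_ID"], os.environ["AZURE_CLIENT_SECRET"])
    return ResourceManagementClient(credential, subscription_id)

def collect_tags(csv_text, client_factory=azure_client_factory):
    """Return {resource_id: tags}; None means the resource was not visible to the app."""
    result = {}
    for (tenant, sub), wanted in group_by_tenant_and_subscription(csv_text).items():
        client = client_factory(tenant, sub)
        # One list call per subscription; ARM IDs are compared case-insensitively.
        seen = {r.id.lower(): (r.tags or {}) for r in client.resources.list()}
        for rid in wanted:
            result[rid] = seen.get(rid)
    return result

if __name__ == "__main__":
    for rid, tags in collect_tags(SAMPLE_CSV).items():
        print(rid, tags)
```

Running it against real tenants requires the Enterprise application and Reader role assignment from the answer to exist in every tenant listed in the CSV.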