[英]Azure AD share Managed Service Identities across tenants/subscriptions
Azure AD have B2B collaboration for inviting external users. Azure AD具有B2B协作以邀请外部用户。
But what if i wan't to invite an external Azure service that have a MSI. 但是,如果我不想邀请具有MSI的外部Azure服务怎么办?
Is it possible to create an Azure AD group and add a external(another subscription/tenant in Azure) MSI which i can then use to grant access to resources? 是否可以创建一个Azure AD组并添加一个外部(Azure中的另一个订阅/租户)MSI,然后我可以使用它来授予对资源的访问权限?
Say I wan't to allow a B2B partners Data Factory access to SQL database of ours and I do not wan't to give them a SQL Login. 假设我不允许B2B合作伙伴数据工厂访问我们的SQL数据库,也不想给予他们SQL登录名。
MSIs are service principals which cannot be invited to other tenants. MSI是不能邀请其他租户使用的服务主体。 They are always tenant-specific. 它们始终是特定于租户的。
The scenario sounds like you need to give access to something connected to your tenant. 该场景听起来像您需要允许访问与您的租户相关的某些东西。 I would suggest creating an App registration (Application), adding a key, and giving those credentials to the other service. 我建议创建一个应用程序注册(应用程序),添加一个密钥,并将这些凭据提供给其他服务。 You can then give the application access to your Azure subscription etc. 然后,您可以授予应用程序对Azure订阅等的访问权限。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.