
How to create a multi-tenant Service Principal in Azure using Terraform

I have a service principal in one tenant that needs access to an Azure Container Registry in another tenant. However, I am not sure as to how to create the azurerm_role_assignment for the same. Is there a way to configure the service principal as multi-tenant such that it can have role assignments in both the tenants accordingly?

First, set available_to_other_tenants = true for the Azure AD application and service principal in Terraform.

Now that the service principal exists in your tenant, the quickest way to get the service principal created in another tenant is admin consent.

https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id={client-id}

Replace {tenant-id} with the real tenant ID of "another tenant". {client-id} is the application ID of the Azure AD app or service principal.

Open the URL in a browser. Sign in with an admin account of "another tenant" to accept the permissions. The service principal will then be created in "another tenant".

Now you can create the azurerm_role_assignment for the new service principal (it is a different service principal from the original one; that is how multi-tenant applications work) created in "another tenant".
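The procedure above, put together as one Terraform configuration. This is an added example, not the answerer's code: it assumes the azuread provider 3.x (where the multi-tenant switch is sign_in_audience = "AzureADMultipleOrgs", the replacement for the older available_to_other_tenants = true, and the application's ID attribute is client_id) and a 3.x/4.x azurerm provider. The variable names, the acr-puller display name and the registry name and resource group are placeholders.

```hcl
# Added example (not from the original answer). Assumes azuread provider 3.x
# and azurerm provider 3.x/4.x; var.* values and the registry names are placeholders.

terraform {
  required_providers {
    azuread = { source = "hashicorp/azuread" }
    azurerm = { source = "hashicorp/azurerm" }
  }
}

variable "home_tenant_id"        { type = string }
variable "other_tenant_id"       { type = string }
variable "other_subscription_id" { type = string }

# Home tenant: the application and its original service principal live here.
provider "azuread" {
  tenant_id = var.home_tenant_id
}

# Other tenant: only the directory lookup and the role assignment happen here.
# The credentials used must be able to read service principals and write
# role assignments in that tenant.
provider "azuread" {
  alias     = "other"
  tenant_id = var.other_tenant_id
}

provider "azurerm" {
  alias           = "other"
  features {}
  tenant_id       = var.other_tenant_id
  subscription_id = var.other_subscription_id
}

resource "azuread_application" "acr_puller" {
  display_name = "acr-puller"
  # Multi-tenant: equivalent of the older available_to_other_tenants = true.
  sign_in_audience = "AzureADMultipleOrgs"
}

resource "azuread_service_principal" "home" {
  client_id = azuread_application.acr_puller.client_id
}

# Manual step that Terraform cannot perform: open this URL as an administrator
# of the other tenant. Granting consent creates a second, distinct service
# principal object for the same application in that tenant.
output "admin_consent_url" {
  value = "https://login.microsoftonline.com/${var.other_tenant_id}/adminconsent?client_id=${azuread_application.acr_puller.client_id}"
}

# After consent: look up the OTHER tenant's copy of the service principal.
# Its object_id is not azuread_service_principal.home.object_id, so the role
# assignment must reference this data source, not the home-tenant resource.
data "azuread_service_principal" "other" {
  provider  = azuread.other
  client_id = azuread_application.acr_puller.client_id
}

data "azurerm_container_registry" "acr" {
  provider            = azurerm.other
  name                = "exampleacr"  # placeholder
  resource_group_name = "example-rg"  # placeholder
}

# Least privilege: AcrPull is enough to pull images; do not grant Contributor
# or Owner on the registry for a pull-only identity.
resource "azurerm_role_assignment" "pull" {
  provider             = azurerm.other
  scope                = data.azurerm_container_registry.acr.id
  role_definition_name = "AcrPull"
  principal_id         = data.azuread_service_principal.other.object_id
}
```

Because the consent step sits between creating the application and looking it up in the other tenant, a single terraform apply fails on the data source until consent has been granted. Apply in two stages (for example, first with -target=azuread_service_principal.home and -target=output.admin_consent_url, then the full configuration after consent), or keep the other-tenant role assignment in a separate root module.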

The URL in the accepted answer did not work for me, but the one that was deleted did work, so I will post it here for those who have the same trouble:

https://login.microsoftonline.com/[new-tenant-id]/oauth2/authorize?client_id=[client-id]&response_type=code&redirect_uri=https://localhost
