I want to access a storage account residing in an Azure AD tenant (say tenant id T1) from a subnet (say S1) residing in another Azure AD tenant (say tenant id T2). Using the Azure CLI I was able to add this existing VNet/subnet in the Firewalls and virtual networks tab of the storage account.
AZ CLI : az storage account network-rule add -g myRG --account myAccount --subnet mySubnetId
But the Endpoint Status of this subnet says Insufficient permissions instead of Enabled. Hence I am not able to access this storage account from the added subnet S1.
Error :
Unable retrieve endpoint status for one or more subnets. Status 'insufficient permissions' indicates lack of subnet read permissions ('Microsoft.Network/virtualNetworks/subnets/read').
Detailed Error :
You do not have authorization to access this resource.
Resource ID: /subscriptions/****/resourceGroups/my-network-rg/providers/Microsoft.Network/virtualNetworks/my-vnet
Status Code: 401
Status Message: The access token is from the wrong issuer 'https://sts.windows.net/T1/'. It must match the tenant 'https://sts.windows.net/T2/' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/T2' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later.
What necessary cross-tenant permissions am I missing? How do I provide them? Any help is appreciated. Although this might be trivial, as I am new to Azure I am not sure what I am missing here. Thanks.
You have performed all steps correctly; it's just the message which is confusing: you are logged into the Azure Portal with a user who got a token from tenant 1, but the VNet resides in tenant 2 and you don't have a token which can be used to read the subnet data in tenant 2.
To confirm that the network rule was actually set correctly you can run
az storage account network-rule list --account-name myAccount
and you should see a "state": "Succeeded".
The only thing left to do is to make sure that the user account which accesses the storage account from the subnet has an eligible role assignment to access the storage account. So, for example, if the user should be able to read and write blob data, add the Storage Blob Data Contributor role for your user.
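The three steps in this answer (add the rule, confirm it from the API rather than the portal, grant the data-plane role), as an added example written for this page rather than code from the question or answer. It drives the Azure CLI from Python and keeps the two checks a practitioner wants as pure functions: one that reads the rule state out of `az storage account network-rule list` output, and one that recognises the "wrong issuer" 401 from the question as a cross-tenant token mismatch rather than a missing role. The resource group, account, subnet id, tenant ids and user object id are assumptions; the sample JSON and error text in the test are constructed from the shapes shown on this page.

```python
"""Cross-tenant storage network rule: verify the rule, explain the portal's
'insufficient permissions' status, and grant the data-plane role.

Added example for this answer; not code from the original post. Every
identifier below is an assumption, not a real resource."""
import json
import re
import subprocess

# Hypothetical identifiers (assumptions, not from the original post).
STORAGE_RG = "myRG"
STORAGE_ACCOUNT = "myAccount"
SUBNET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000"
             "/resourceGroups/my-network-rg/providers/Microsoft.Network"
             "/virtualNetworks/my-vnet/subnets/my-subnet")
USER_OBJECT_ID = "11111111-1111-1111-1111-111111111111"  # user in the storage account's tenant

# Matches the 401 body the portal shows when the token was issued by the wrong tenant.
_WRONG_ISSUER = re.compile(
    r"wrong issuer 'https://sts\.windows\.net/([^/']+)/'.*?"
    r"must match the tenant 'https://sts\.windows\.net/([^/']+)/'", re.S)


def diagnose_wrong_issuer(error_text):
    """Return (token_tenant, required_tenant) when a 401 is a cross-tenant
    token mismatch rather than a missing role assignment, else None."""
    m = _WRONG_ISSUER.search(error_text)
    return (m.group(1), m.group(2)) if m else None


def rule_states(network_rule_list_json):
    """Map subnet resource id -> state from `az storage account network-rule list`.
    ARM resource ids are case-insensitive, so keys are lower-cased."""
    doc = json.loads(network_rule_list_json)
    return {r["virtualNetworkResourceId"].lower(): r.get("state")
            for r in doc.get("virtualNetworkRules", [])}


def subnet_rule_ok(network_rule_list_json, subnet_id):
    """True when a rule for subnet_id exists and was applied ('Succeeded')."""
    return rule_states(network_rule_list_json).get(subnet_id.lower()) == "Succeeded"


def role_assignment_args(principal_object_id, scope,
                         role="Storage Blob Data Contributor"):
    """az arguments for the data-plane role the answer recommends. Passing the
    object id and principal type avoids the directory lookup that --assignee does."""
    return ["role", "assignment", "create", "--role", role,
            "--assignee-object-id", principal_object_id,
            "--assignee-principal-type", "User", "--scope", scope]


def az(*args):
    """Run one az CLI command and return its JSON output; raise with stderr on failure."""
    p = subprocess.run(["az", *args, "-o", "json"], capture_output=True, text=True)
    if p.returncode != 0:
        raise RuntimeError(p.stderr)
    return json.loads(p.stdout) if p.stdout.strip() else None


def main():
    # 1. Add the rule while logged in to the storage account's tenant (T1),
    #    then confirm it from the API instead of trusting the portal status.
    az("storage", "account", "network-rule", "add", "-g", STORAGE_RG,
       "--account-name", STORAGE_ACCOUNT, "--subnet", SUBNET_ID)
    rules = az("storage", "account", "network-rule", "list",
               "-g", STORAGE_RG, "--account-name", STORAGE_ACCOUNT)
    if not subnet_rule_ok(json.dumps(rules), SUBNET_ID):
        raise SystemExit("network rule for the subnet was not applied")

    # 2. 'Insufficient permissions' only means the T1 token cannot read the
    #    subnet in T2; reading the subnet needs a session in the VNet's tenant.
    try:
        az("network", "vnet", "subnet", "show", "--ids", SUBNET_ID)
    except RuntimeError as err:
        mismatch = diagnose_wrong_issuer(str(err))
        if mismatch is None:
            raise
        print("token from tenant %s, subnet is in tenant %s: "
              "run `az login --tenant %s` to read it" % (mismatch[0], mismatch[1], mismatch[1]))

    # 3. Grant the data-plane role at the storage account scope (in T1).
    scope = az("storage", "account", "show", "-g", STORAGE_RG, "-n", STORAGE_ACCOUNT)["id"]
    az(*role_assignment_args(USER_OBJECT_ID, scope))


if __name__ == "__main__":
    main()
```

The role assignment in step 3 only matters for Azure AD (bearer token) access to the blob data plane; a client that authenticates with the account key or a SAS is gated by the network rule alone, not by RBAC. The portal status stays at Insufficient permissions for as long as the signed-in user holds no token for the VNet's tenant; it does not affect whether the rule is enforced.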