Cross tenant support for managed identity
Please add support for cross tenant use of managed identities. Reference: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/known-issues#can-i-use-a-managed-identity-to-access-a-resource-in-a-different-directorytenant
Thank you for reaching out to the feedback suggestion forum. Please share more information around your scenario/use-case, end goal, what type of tenants/directories, etc. This will help us to understand the need and design this integration.
Merkx, S.J. (Stanley) commented
We're using a centralized Azure Automation account from our CCoE subscription to run various runbooks in different subscriptions, some of which are in a different Tenant.
To improve security, we recently converted runbooks to use a User Assigned Managed Identity assigned at the VM level of a Hybrid Worker. Runbooks that need access to resources in subscriptions in a different Tenant cannot be converted.
Felix Müller commented
Our subscriptions are tied to our enterprise tenant, whereas we would like to allow a service to access the B2C directory in our "solution tenant" via Managed Identity / Graph API.
We have a DEV, QUA, PRD setup, with an AKS in each environment. Our DEV environment is coupled with a DEV AAD tenant, and our QUA/PRD environments with a PRD AAD tenant.
We however have a single ACR to pull the images from as we want to have 1 'version of the truth' and promote a single image through the different environments.
This all works perfectly as today we can use service principals for this. But AKS is moving towards using managed identities instead of service principals for pulling images from the ACR. And given that cross tenant managed identities are not possible, this would break our current setup.
Managed Identity cross tenant would be a huge help. We have Azure Kubernetes Service clusters that need to pull container images from Azure Container Registry. The built-in aks attach-acr capability simply does not work if the ACR happens to not be in the same AAD tenant. There is nothing in the documentation for ACR or AKS that indicates this, so it takes a lot of troubleshooting to even realize that this doesn't work. This couples the publishing and deployment of applications in an unfortunate way.
One of our use cases would be the execution of scripts on an Azure VM, where the script retrieves the necessary credentials from key vaults in other tenants via the managed identity.
My use case is I have an Azure Data Factory (ADF) instance in AME directory. The ADF produces data to Azure Data Lake Storage (ADLS). The security group of ADLS is in Microsoft directory. I need to make ADF's managed identity authorized by ADLS. Crossing AME and Microsoft is not supported according to the reference in the description.
Is there a plan to support this and what would be the ETA?
This would be very beneficial for security, allowing secret-less configuration (e.g. a managed identity being granted an appRole on an app registration and no client secrets being required) along with the flexibility of projects being able to be in different tenants.