Cross tenant support for managed identity
Please add support for cross tenant use of managed identities. Reference: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/known-issues#can-i-use-a-managed-identity-to-access-a-resource-in-a-different-directorytenant
Thank you for reaching out to the feedback suggestion forum. Please share more information around your scenario/use-case, end goal, what type of tenants/directories, etc. This will help us understand the need and design this integration.
Managed Identity cross tenant would be a huge help. We have Azure Kubernetes Service clusters that need to pull container images from Azure Container Registry. The built-in aks attach-acr capability simply does not work if the ACR happens to not be in the same AAD tenant. There is nothing in the documentation for ACR or AKS that indicates this, so it takes a lot of troubleshooting to even realize that this doesn't work. This couples the publishing and deployment of applications in an unfortunate way.
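The troubleshooting described in the comment above boils down to one fact: a managed identity token is always issued by the identity's home tenant, so its `tid` claim never matches a resource that lives in another directory. The following check, added here as an illustration and not part of this thread or of any Microsoft tooling, decodes the payload of an access token and compares `tid` against the tenant the target resource belongs to, so the mismatch is spotted before any RBAC or firewall troubleshooting starts. The token below is constructed and unsigned purely for the example; in practice the caller would pass the token it obtained from the instance metadata endpoint, and the tenant IDs are placeholders.

```python
import base64
import json

# Constructed placeholder tenant IDs (not real directories).
IDENTITY_HOME_TENANT = "11111111-1111-1111-1111-111111111111"
OTHER_TENANT = "22222222-2222-2222-2222-222222222222"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def make_constructed_token(claims: dict) -> str:
    """Build an unsigned compact JWT for the example only.

    Real managed identity tokens are signed by the identity platform; this
    helper exists so the example runs offline without contacting Azure.
    """
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        "",  # empty signature segment
    ])


def token_tenant(access_token: str) -> str:
    """Return the issuing tenant (tid claim) of a compact JWT.

    This is inspection only: the signature is not verified here, because the
    resource server is the party that validates it. We only need the claim
    to explain an access denial.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    claims = json.loads(_b64url_decode(parts[1]))
    if "tid" not in claims:
        raise ValueError("token carries no tid claim")
    return claims["tid"]


def check_tenant_match(access_token: str, resource_tenant_id: str) -> bool:
    """True when the token was issued by the tenant that owns the resource.

    A False result means the call will fail for reasons that no role
    assignment on the resource can fix: the identity lives elsewhere.
    """
    return token_tenant(access_token).lower() == resource_tenant_id.lower()


def explain(access_token: str, resource_tenant_id: str) -> str:
    """Human-readable diagnosis for the common cross-tenant confusion."""
    issued_by = token_tenant(access_token)
    if issued_by.lower() == resource_tenant_id.lower():
        return f"OK: token issued by {issued_by}, matching the resource tenant."
    return (
        f"MISMATCH: token issued by {issued_by}, but the resource is in "
        f"{resource_tenant_id}. Managed identities cannot be used across "
        f"tenants, so fix the topology rather than the role assignments."
    )


if __name__ == "__main__":
    token = make_constructed_token({
        "aud": "https://management.azure.com/",
        "tid": IDENTITY_HOME_TENANT,
        "oid": "00000000-0000-0000-0000-000000000000",  # placeholder
    })
    print(explain(token, IDENTITY_HOME_TENANT))
    print(explain(token, OTHER_TENANT))
```

The same check is useful as an admission-time guard in deployment pipelines: if the registry, vault or storage account a workload will call is known to sit in a different tenant than the identity's `tid`, the pipeline can fail early with a clear message instead of surfacing as an opaque pull or access error at runtime.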
One of our use cases would be the execution of scripts on an Azure VM, where the script retrieves the necessary credentials from key vaults in other tenants via the managed identity.
My use case is I have an Azure Data Factory (ADF) instance in the AME directory. The ADF produces data to Azure Data Lake Storage (ADLS). The security group of ADLS is in the Microsoft directory. I need to make ADF's managed identity authorized by ADLS. Crossing AME and Microsoft is not supported according to the reference in the description.
Is there a plan to support this and what would be the ETA?
This would be very beneficial for security, allowing secret-less configuration (e.g. a managed identity being granted an appRole on an app registration and no client secrets being required) along with the flexibility of projects being able to be in different tenants.