Multi tenant App using RBAC for storage access

Multi tenant App using storage account RBAC access #

The purpose of this text is to describe a scenario where a multitenant app registration is created in tenant A, and the service principal it gets in tenant B (created when the app is consented to there) is granted RBAC access to a storage account in tenant B. Azure Data Factory running in tenant A can use this to access a storage account in tenant B. There are operational and security advantages: the app's client secret lives in, and is renewed only in, tenant A, and there is no need to manage storage account access keys, SAS tokens or similar shared secrets. Note that the role assignment in tenant B is made on the enterprise application (service principal) object in tenant B, not on the app registration in tenant A, and should use a data-plane role such as Storage Blob Data Reader or Storage Blob Data Contributor scoped to the storage account or container. Please consult the MS documentation for multitenant app setup details.

Please refer to the picture below for a description of the scenario.


Setup of Azure Data Factory in tenant A #

Azure Data Factory connects to data stores through linked services. A linked service holds the connection information a pipeline uses, e.g. the storage endpoint and, for service principal authentication, the tenant id, the client (application) id and the client secret. For this scenario, use the client id and client secret of the app registration in tenant A, but set the tenant id to tenant B: the token must be issued by tenant B's authority for the service principal that holds the role assignment on the storage account. If the tenant A id is used instead, the token is issued for tenant A and the storage account in tenant B rejects it.
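The following is an added example, not code from the original post or from Azure Data Factory itself. It builds the AzureBlobStorage linked service definition described above (client id and secret from tenant A, `tenant` set to tenant B, secret referenced from Key Vault rather than stored inline), shows the client-credentials token request ADF performs against tenant B's authority, and adds the check a practitioner would want: decode the issued token and confirm its `tid` is tenant B, its `appid` is the app's client id and its audience is storage. All GUIDs, the storage account name, the Key Vault linked service name and the secret name are constructed placeholders; the sample tokens are unsigned and constructed for offline testing.

```python
"""Cross-tenant storage access: app registration in tenant A, storage account in tenant B.

Added example (not from the original post). All identifiers below are constructed placeholders.
"""
import base64
import json
import urllib.parse
import urllib.request

# Constructed placeholder identifiers (assumptions, not real tenants or apps).
TENANT_A = "11111111-1111-1111-1111-111111111111"   # home tenant of the app registration
TENANT_B = "22222222-2222-2222-2222-222222222222"   # tenant that owns the storage account
CLIENT_ID = "33333333-3333-3333-3333-333333333333"  # application (client) id; same value in both tenants
STORAGE_ACCOUNT = "tenantbstorage"                  # hypothetical storage account in tenant B
STORAGE_AUDIENCE = "https://storage.azure.com"


def linked_service_definition(client_id, tenant_b, storage_account, secret_name, keyvault_ls="AzureKeyVault1"):
    """Return the ADF AzureBlobStorage linked service (JSON form) for this scenario.

    servicePrincipalId/servicePrincipalKey belong to the app registration in tenant A;
    `tenant` is tenant B, so the token is issued by tenant B's authority for the
    service principal that holds the RBAC role on the storage account.
    """
    return {
        "name": f"{storage_account}_tenantB",
        "properties": {
            "type": "AzureBlobStorage",
            "typeProperties": {
                "serviceEndpoint": f"https://{storage_account}.blob.core.windows.net/",
                "accountKind": "StorageV2",
                "servicePrincipalId": client_id,
                "servicePrincipalKey": {  # keep the secret in Key Vault, not in the definition
                    "type": "AzureKeyVaultSecret",
                    "store": {"referenceName": keyvault_ls, "type": "LinkedServiceReference"},
                    "secretName": secret_name,
                },
                "tenant": tenant_b,
                "azureCloudType": "AzurePublic",
            },
        },
    }


def token_request(client_id, client_secret, tenant):
    """Build the client-credentials request the linked service performs. Authority = tenant B."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{STORAGE_AUDIENCE}/.default",
    }).encode()
    return urllib.request.Request(url, data=body, method="POST")


def acquire_token(client_id, client_secret, tenant):
    """Send the request (needs network) and return the access token string."""
    with urllib.request.urlopen(token_request(client_id, client_secret, tenant)) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def token_claims(jwt):
    """Decode a JWT payload WITHOUT verifying the signature: only for inspecting
    a token we just received ourselves, never for making authorization decisions."""
    return json.loads(_b64url_decode(jwt.split(".")[1]))


def check_token(jwt, client_id, tenant_b):
    """Return a list of problems; empty means the token is issued by tenant B, for this app,
    with a storage audience, which is what the RBAC assignment in tenant B requires."""
    c = token_claims(jwt)
    problems = []
    if c.get("tid") != tenant_b:
        problems.append(f"token issued by tenant {c.get('tid')}, but the storage account lives in {tenant_b}")
    if (c.get("appid") or c.get("azp")) != client_id:  # v1 tokens carry appid, v2 tokens azp
        problems.append(f"token appid {c.get('appid') or c.get('azp')} is not the expected client id")
    if (c.get("aud") or "").rstrip("/") != STORAGE_AUDIENCE:
        problems.append(f"token audience {c.get('aud')} is not {STORAGE_AUDIENCE}")
    return problems


def _constructed_jwt(claims):
    """Build an UNSIGNED sample token (constructed test data, not a real token)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed tokens: the correct one, and the common mistake of pointing the
# linked service at tenant A, which yields a token tenant B's storage rejects.
GOOD_TOKEN = _constructed_jwt({"aud": STORAGE_AUDIENCE, "tid": TENANT_B, "appid": CLIENT_ID})
WRONG_TENANT_TOKEN = _constructed_jwt({"aud": STORAGE_AUDIENCE, "tid": TENANT_A, "appid": CLIENT_ID})

if __name__ == "__main__":
    print(json.dumps(linked_service_definition(CLIENT_ID, TENANT_B, STORAGE_ACCOUNT, "adf-tenant-a-app-secret"), indent=2))
    print("good token:", check_token(GOOD_TOKEN, CLIENT_ID, TENANT_B) or "ok")
    print("tenant A authority:", check_token(WRONG_TENANT_TOKEN, CLIENT_ID, TENANT_B))
```

To run the check against a real token, call `acquire_token(CLIENT_ID, secret, TENANT_B)` with the tenant A client secret and pass the result to `check_token`; a `tid` of tenant A in the output means the linked service's tenant field points at the wrong directory.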

The credit for suggesting this scenario goes to Robert Carlsson (Azure architect at a Swedish insurance company). We have tested this and it works.