1

I want to access a storage account residing in an Azure AD tenant (say tenant id T1) from a subnet (say S1) residing in another Azure AD tenant (say tenant id T2). Using the Azure CLI I was able to add this existing vnet/subnet in the Firewalls and virtual networks tab of the storage account.

AZ CLI:

```shell
az storage account network-rule add -g myRG --account-name myAccount --subnet mySubnetId
```

But the Endpoint Status of this subnet says "Insufficient permissions" instead of "Enabled". Hence I am not able to access this storage account from the added subnet S1.

Error : Unable retrieve endpoint status for one or more subnets. Status 'insufficient permissions' indicates lack of subnet read permissions ('Microsoft.Network/virtualNetworks/subnets/read').

Detailed Error:

You do not have authorization to access this resource.

Resource ID: /subscriptions/****/resourceGroups/my-network-rg/providers/Microsoft.Network/virtualNetworks/my-vnet

Status Code: 401

Status Message: The access token is from the wrong issuer 'https://sts.windows.net/T1/'. It must match the tenant 'https://sts.windows.net/T2/' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/T2' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later.

What necessary cross-tenant permissions am I missing? How do I provide them? Any help is appreciated. Although this might be trivial, as I am new to Azure I am not sure what I am missing here. Thanks.

abhi195
  • Does the subscription you are using match tenant 2? – Carl Zhao Apr 05 '21 at 09:45
  • You are using the token issued by tenant 1 to call tenant 2's subscription resources. – Carl Zhao Apr 05 '21 at 09:58
  • Could you elaborate more on what you mean by "subscription you are using match tenant 2"? Both resources (storage account and vnet) are in different subscriptions of different tenants. – abhi195 Apr 05 '21 at 10:14
  • And regarding "using the token issued by tenant 1 to call tenant 2's subscription resources": explicitly I am not making any API calls, it's the default storage account backend. Is there any way I could tell the storage account service that this particular vnet/subnet is from a different tenant so that it authenticates with the STS token of that tenant? – abhi195 Apr 05 '21 at 10:14
  • The subscription id you are using is in tenant 2, right? – Carl Zhao Apr 05 '21 at 10:36
  • Yes, in tenant 2. – abhi195 Apr 05 '21 at 11:05
  • But your token was issued by tenant 1, right? – Carl Zhao Apr 05 '21 at 11:29
  • So, try to use tenant 2 to get the token and see what the result will be. `https://login.microsoftonline.com/{tenant 2 id}/oauth2/v2.0/token`. – Carl Zhao Apr 05 '21 at 11:33

1 Answer

4

You have performed all steps correctly; it's just the message which is confusing: you are logged into the Azure Portal with a user who got a token from tenant 1, but the VNet resides in tenant 2 and you don't have a token which can be used to read the subnet data in tenant 2.

To confirm that the network rule was actually set correctly you can run

```shell
az storage account network-rule list --account-name myAccount
```

and you should see a "state": "Succeeded".

The only thing left to do is to make sure that the user account which accesses the storage account coming from the subnet has an eligible role assignment to access the storage account. So for example, if the user should be able to read and write blob data, add a Storage Blob Data Contributor role for your user.

Christian Vorhemus
  • Hey, thank you! Due to the misleading error message from the Azure Portal I never really tried accessing the storage account via the subnet. The Azure CLI is showing `"state": "Succeeded"` and I am able to access the storage account. – abhi195 Apr 07 '21 at 10:47
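The two checks the answer relies on, as an added Python example that is not part of the original question or answer: first, decoding the issuer (`iss`/`tid`) claims of an access token to see why ARM answers 401 "wrong issuer" when a tenant-T1 token is used against a tenant-T2 subscription; second, reading the `az storage account network-rule list` JSON and confirming the subnet rule's `state` is `Succeeded`. The tenant ids T1/T2, the unsigned token and the CLI output are constructed placeholders; the JSON shape follows the CLI's `virtualNetworkRules` entries (`virtualNetworkResourceId`, `action`, `state`) and the second entry's `NetworkSourceDeleted` state is included only to show a non-ready rule.

```python
"""Added example (not from the original post): inspect which tenant an Azure
access token was issued by, and confirm from `az storage account network-rule
list` output that a cross-tenant subnet rule was actually provisioned.
Tenant ids, the token and the CLI output below are constructed placeholders."""
import base64
import json

# Constructed tenant ids, following the T1/T2 naming of the question.
STORAGE_TENANT = "T1"   # tenant the user signed in to (token issuer)
VNET_TENANT = "T2"      # tenant that owns the subscription holding the VNet


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def token_claims(jwt: str) -> dict:
    """Return the payload claims of a JWT *without* verifying its signature.
    Only for inspecting iss/tid locally; never use this for authorization."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def issuer_mismatch(jwt: str, subscription_tenant: str):
    """Return None if the token's issuer matches the subscription's tenant,
    otherwise a message of the kind ARM returns in its 401. For AAD v1 access
    tokens the issuer URL is https://sts.windows.net/{tid}/."""
    claims = token_claims(jwt)
    expected_iss = f"https://sts.windows.net/{subscription_tenant}/"
    if claims.get("iss") == expected_iss and claims.get("tid") == subscription_tenant:
        return None
    return (f"token issuer {claims.get('iss')!r} does not match tenant "
            f"{expected_iss!r}; acquire a token from "
            f"https://login.microsoftonline.com/{subscription_tenant}")


def make_unsigned_token(tid: str) -> str:
    """Build a constructed, UNSIGNED token shaped like an AAD v1 access token
    so the checks above can be exercised offline. Real tokens are RS256
    signed; an alg=none token must never be accepted by a resource server."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {"iss": f"https://sts.windows.net/{tid}/", "tid": tid,
               "aud": "https://management.core.windows.net/"}
    segments = [_b64url_encode(json.dumps(p).encode()) for p in (header, payload)]
    return ".".join(segments) + "."   # empty signature segment


# Constructed output shaped like `az storage account network-rule list`.
SUBNET_S1 = ("/subscriptions/sub-T2/resourceGroups/my-network-rg/providers/"
             "Microsoft.Network/virtualNetworks/my-vnet/subnets/S1")
SUBNET_GONE = ("/subscriptions/sub-T2/resourceGroups/my-network-rg/providers/"
               "Microsoft.Network/virtualNetworks/old-vnet/subnets/gone")
NETWORK_RULE_LIST = json.dumps({
    "bypass": "AzureServices",
    "defaultAction": "Deny",
    "ipRules": [],
    "virtualNetworkRules": [
        {"action": "Allow", "state": "Succeeded",
         "virtualNetworkResourceId": SUBNET_S1},
        {"action": "Allow", "state": "NetworkSourceDeleted",
         "virtualNetworkResourceId": SUBNET_GONE},
    ],
})


def subnet_rule_states(rule_list_json: str) -> dict:
    """Map each subnet resource id in the rule set to its provisioning state."""
    rules = json.loads(rule_list_json)
    return {r["virtualNetworkResourceId"]: r["state"] for r in rules["virtualNetworkRules"]}


def subnet_rule_ready(rule_list_json: str, subnet_id: str) -> bool:
    """True only when a rule for subnet_id exists and its state is 'Succeeded'."""
    return subnet_rule_states(rule_list_json).get(subnet_id) == "Succeeded"


if __name__ == "__main__":
    tok = make_unsigned_token(STORAGE_TENANT)
    print(issuer_mismatch(tok, VNET_TENANT))        # explains the portal's 401
    print(subnet_rule_states(NETWORK_RULE_LIST))    # S1 -> Succeeded
```

The portal's "Insufficient permissions" status comes from the first check failing in the browser session, not from the rule itself; the second check is the one that tells you whether traffic from S1 will be admitted, and it only needs rights on the storage account's own subscription.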