What I'm trying to do is use a foreign/outside AAD Security Group in a Role Assignment. I tried with az cli (because the portal does not give me the option to choose Groups from another Directory):

So, I have a resource in Directory #1 and a Security Group in Directory #2

az role assignment create --role <role_name> --assignee-object-id <securityGroup_objectId(from Directory#2)> --assignee-principal-type Group --scope <ressource(from Directory#1)>

The error that I get is:

Principal '' does not exist in the directory ''.

I have also tried using --assignee-principal-type ForeignGroup instead of --assignee-principal-type Group

My problem is that I do not understand how I should specify the AAD when I'm using ForeignGroup; this is the doc I've found

andrei0809
  • This seems to be used for giving access to CSP partners, is that your use case? https://learn.microsoft.com/en-us/partner-center/reinstate-csp?tabs=workspaces-view – juunas Oct 20 '21 at 11:47
  • Nope, just trying to give access to a Security Group from another AAD. – andrei0809 Oct 20 '21 at 12:02

1 Answer

Looks like that can be used for assigning access to a CSP partner: https://learn.microsoft.com/en-us/partner-center/reinstate-csp?tabs=workspaces-view.

I'm pretty sure that you can't just grant a security group from another tenant access in your subscription.

juunas