I was recently asked about allowing cross-tenant permissions to an Azure subscription for an SPN through a multi-tenant app. After scratching my head for a while I remembered that app registrations only support API permissions in the delegated context, not for the app itself (application permissions).

Solution – Azure Lighthouse
Luckily we can use Azure Lighthouse to achieve this.

Managing tenant
- Create Azure AD Group
- Create Azure AD SPN
- Add the SPN to the Group

- Create Certificate for the SPN (As MSP it’s important you are not doing SPN delegated access based on Secret, but rather use SPN
- More about the subject here (Mostly about the MS recommendations)

Tenant that is being managed
- Create Delegation

The Service providers listing in Azure will now show the Lighthouse delegation in the managed tenant.

Managing tenant
- Test the delegation (I am using the previous sample to access the managed tenant)
- SPN requesting a resource change: setting allowSharedKeyAccess to false (was true)
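The managing-tenant steps and the delegation test above as one script, added here as an example and not the author's own samples. It assumes the Az PowerShell modules (Az.Accounts, Az.Resources, Az.Storage); the values in angle brackets are placeholders for your tenant, subscription, resource group and storage account.

```powershell
# Run in the MANAGING tenant. Placeholders in <...> are assumptions, not values from the post.
$managingTenantId = "<managing-tenant-id>"

# 1) Group that the Lighthouse authorization will target (delegate the group, not the SPN itself)
$group = New-AzADGroup -DisplayName "lighthouse-msp-operators" -MailNickname "lighthouse-msp-operators"

# 2) Certificate for the SPN instead of a client secret. Only the public part is registered on the
#    app; the private key stays non-exportable in the operator's certificate store.
$cert = New-SelfSignedCertificate -Subject "CN=lighthouse-msp-spn" `
    -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy NonExportable `
    -KeySpec Signature -KeyLength 2048 -NotAfter (Get-Date).AddMonths(12)
$certValue = [System.Convert]::ToBase64String($cert.GetRawCertData())

# 3) SPN whose only credential is that certificate
$spn = New-AzADServicePrincipal -DisplayName "lighthouse-msp-spn" -CertValue $certValue `
    -StartDate $cert.NotBefore -EndDate $cert.NotAfter

# 4) Add the SPN to the group
Add-AzADGroupMember -TargetGroupObjectId $group.Id -MemberObjectId $spn.Id

# Values the managed tenant needs in the registrationDefinition authorizations block
"managedByTenantId : $managingTenantId"
"principalId       : $($group.Id)  (the group, not the SPN)"
"roleDefinitionId  : b24988ac-6180-42a0-ab88-20f7382dd24c  (built-in Contributor)"

# 5) After the delegation exists: sign in as the SPN with the client credentials + certificate flow
Connect-AzAccount -ServicePrincipal -TenantId $managingTenantId `
    -ApplicationId $spn.AppId -CertificateThumbprint $cert.Thumbprint

# Delegated subscriptions show up with the managed tenant's TenantId
Get-AzSubscription | Where-Object { $_.TenantId -ne $managingTenantId } | Format-Table Name, Id, TenantId

# Same change as in the post: disable shared key access on a storage account in the managed tenant.
# The managed tenant's audit log will record this as the cross-tenant SPN.
Set-AzContext -Subscription "<managed-subscription-id>"
Set-AzStorageAccount -ResourceGroupName "<resource-group>" -Name "<storageaccount>" -AllowSharedKeyAccess $false
```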

Tenant that is being managed
Audit log
- Shows the SPN from the other tenant

- Audit log shows that the SPN is using the client credentials with certificate flow


Ending words
Due to testing this in just about 30 minutes' time, I did not sanitize the samples for publishing, so if there is any interest in this solution just ping me and I shall set up samples in a GitHub repo.