
Allowing Azure management access from cross-tenant SPN via Azure Lighthouse

I was recently asked about allowing cross-tenant permission for an Azure subscription through a multi-tenant app for an SPN. After scratching my head for a while, I remembered that app registrations only support API permissions for the delegated context, not for the app itself (app permissions).

Solution – Azure Lighthouse

Luckily we can use Azure Lighthouse to achieve this.

Managing tenant

  1. Create Azure AD Group
  2. Create Azure AD SPN
  3. Add the SPN to the Group

Tenant that is being managed

  1. Create Delegation

The Azure Service providers listing in the managed tenant will now show the Lighthouse delegation.

Managing tenant

  • Test the delegation

(I am using the previous sample to access the managed tenant.)

2. SPN requesting resource change for setting allowSharedKeyAccess to false (was true)

Tenant that is being managed

Audit log

  • Shows the SPN from other tenant
  • Audit log shows that SPN is using Client Credentials with Certificate flow
Storage Account being updated
AppIdAcr shows that certificate credential is being used
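
The audit-log check described above can be scripted. The following is an added example, not code from the original post: it scans Activity Log events exported as JSON for operations made with an app-only token issued by a tenant other than your own, and reports how the client authenticated. It assumes the token claims appear under a `claims` object as in Activity Log exports; the function name, the sample records and all GUIDs are constructed placeholders.

```python
# Claim names as they appear in the "claims" object of an Activity Log event.
TENANT_CLAIM = "http://schemas.microsoft.com/identity/claims/tenantid"
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
# appidacr values used in v1.0 access tokens.
APPIDACR = {"0": "public client", "1": "client secret", "2": "certificate"}


def cross_tenant_spn_events(events, home_tenant_id):
    """Summarise events whose app-only token came from another tenant."""
    findings = []
    for ev in events:
        claims = ev.get("claims") or {}
        issuer = (claims.get(TENANT_CLAIM) or "").lower()
        app_id = claims.get("appid")
        # Skip user tokens (they carry a UPN) and events without app claims.
        if not app_id or not issuer or claims.get(UPN_CLAIM):
            continue
        if issuer == home_tenant_id.lower():
            continue
        acr = str(claims.get("appidacr", ""))
        findings.append({
            "operation": (ev.get("operationName") or {}).get("value"),
            "resource": ev.get("resourceId"),
            "app_id": app_id,
            "caller_tenant": issuer,
            "client_auth": APPIDACR.get(acr, "unknown (%s)" % acr),
        })
    return findings


# Constructed sample records; every identifier below is a placeholder.
MANAGED_TENANT = "11111111-1111-1111-1111-111111111111"
MANAGING_TENANT = "22222222-2222-2222-2222-222222222222"
STORAGE_WRITE = {"value": "Microsoft.Storage/storageAccounts/write"}
SAMPLE_EVENTS = [
    {"operationName": STORAGE_WRITE, "resourceId": "/subscriptions/<sub>/sa1",
     "claims": {"appid": "aaaaaaaa-0000-0000-0000-000000000001",
                "appidacr": "2", TENANT_CLAIM: MANAGING_TENANT}},
    {"operationName": STORAGE_WRITE, "resourceId": "/subscriptions/<sub>/sa2",
     "claims": {"appid": "aaaaaaaa-0000-0000-0000-000000000002",
                "appidacr": "1", TENANT_CLAIM: MANAGED_TENANT}},
    {"operationName": STORAGE_WRITE, "resourceId": "/subscriptions/<sub>/sa3",
     "claims": {"appid": "aaaaaaaa-0000-0000-0000-000000000003",
                "appidacr": "0", TENANT_CLAIM: MANAGING_TENANT,
                UPN_CLAIM: "admin@example.com"}},
]

if __name__ == "__main__":
    for finding in cross_tenant_spn_events(SAMPLE_EVENTS, MANAGED_TENANT):
        print(finding)
```

A `client_auth` of `client secret` on a cross-tenant finding is worth a follow-up with the managing tenant, since the setup in this post relies on the certificate flow.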

Ending words

Because I tested this in just about 30 minutes, I did not sanitize the samples for publishing, so if there is any interest in this solution, just ping me and I will set up samples in a GitHub repo.
