Unable to Complete Cross Tenant Peering with ARM #17407

Open
nazakathussain opened this issue Mar 8, 2022 · 13 comments
Labels
ARM - Templates bug This issue requires a change to an existing behavior in the product in order to be resolved. customer-reported Service Attention This issue is responsible by Azure service team. Tracking We will track status and follow internally

Comments

@nazakathussain

nazakathussain commented Mar 8, 2022

Description

Similar to issues reported in Azure CLI, however with a different way to reproduce.

Scenario
Attempting to deploy an ARM template, as described in the article, which will complete a peering between two virtual networks in different tenants, returns an error message. The same happens in CLI when using group deployment.

The ARM Template:

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {},
  "variables": {},
  "resources": [
    {
      "apiVersion": "2017-10-01",
      "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
      "name": "<PeeringName>",
      "location": "<VnetA RG>",
      "properties": {
        "allowVirtualNetworkAccess": true,
        "allowForwardedTraffic": true,
        "allowGatewayTransit": false,
        "useRemoteGateways": true,
        "remoteVirtualNetwork": {
          "id": "/subscriptions/<Destination Subscription>/resourceGroups/<VNet RG>/providers/Microsoft.Network/virtualNetworks/<Vnet>"
        }
      }
    }
  ],
  "outputs": {}
}
```

Command being used to deploy:

```powershell
New-AzResourceGroupDeployment -Name "VirtualNetworkDeployment" -ResourceGroupName "<VNetA RG>" -TemplateFile .\virtualNetworkPeer.json -Verbose
```

Issue script & Debug output

New-AzResourceGroupDeployment : 11:34:21 - The deployment 'VirtualNetworkDeployment' failed with error(s). Showing 1 out of 1 error(s).
Status Message: The client has permission to perform action 'Microsoft.Network/virtualNetworks/peer/action' on scope 
'/subscriptions/<VnetASubID>/resourcegroups/<RgName>/providers/Microsoft.Network/virtualNetworks/<VnetName>/virtualNetworkPeerings/<PeeringName>', however the current tenant '<Source Tenant ID>' is not authorized to access linked subscription '<Destination Subscription ID>'.

Environment data

Name                           Value                                                                                                                                                          
----                           -----                                                                                                                                                          
PSVersion                      5.1.19041.1320                                                                                                                                                 
PSEdition                      Desktop                                                                                                                                                        
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}                                                                                                                                        
BuildVersion                   10.0.19041.1320                                                                                                                                                
CLRVersion                     4.0.30319.42000                                                                                                                                                
WSManStackVersion              3.0                                                                                                                                                            
PSRemotingProtocolVersion      2.3                                                                                                                                                            
SerializationVersion           1.1.0.1

Module versions

4.2.0

Error output

New-AzResourceGroupDeployment : 11:34:21 - The deployment 'VirtualNetworkDeployment' failed with error(s). Showing 1 out of 1 error(s).
Status Message: The client has permission to perform action 'Microsoft.Network/virtualNetworks/peer/action' on scope 
'/subscriptions/<VnetASubID>/resourcegroups/<RgName>/providers/Microsoft.Network/virtualNetworks/<VnetName>/virtualNetworkPeerings/<PeeringName>', however the current tenant '<Source Tenant ID>' is not authorized to access linked subscription '<Destination Subscription ID>'.
@nazakathussain nazakathussain added bug This issue requires a change to an existing behavior in the product in order to be resolved. needs-triage This is a new issue that needs to be triaged to the appropriate team. labels Mar 8, 2022
@ghost ghost added customer-reported and removed needs-triage This is a new issue that needs to be triaged to the appropriate team. labels Mar 8, 2022
@dingmeng-xue dingmeng-xue added ARM - Templates CXP Attention [Deprecated] The Azure CXP Support Team is responsible for this issue. labels Mar 9, 2022
@ghost

ghost commented Mar 9, 2022

Thank you for your feedback. This has been routed to the support team for assistance.

@nazakathussain
Author

nazakathussain commented Mar 9, 2022

This was raised after a support session with Microsoft, in which they were unable to provide a solution (only a workaround) and suggested that it does need to be tracked as a bug.

@SaurabhSharma-MSFT SaurabhSharma-MSFT added Service Attention This issue is responsible by Azure service team. and removed CXP Attention [Deprecated] The Azure CXP Support Team is responsible for this issue. labels Mar 9, 2022
@ghost

ghost commented Mar 9, 2022

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @armleads-azure.


@SaurabhSharma-MSFT
Member

@nazakathussain Thanks for sharing details. Could you please provide your support case number as well? I am redirecting this to services team to look into. Thanks

@nazakathussain
Author

> @nazakathussain Thanks for sharing details. Could you please provide your support case number as well? I am redirecting this to services team to look into. Thanks

2203030050002475

@gsrx

gsrx commented Apr 5, 2023

Is there any update on this issue? I am also unable to complete cross-tenant peering with ARM.

@angryconsultant

This also holds true for Bicep templates. The cause appears to be the requirement for separate authentication. Is there a method to address this without manual intervention in the portal?

@voigtsv

voigtsv commented Dec 18, 2023

Any update on this issue would be appreciated.

@isra-fel
Member

Apart from the template file and parameters, this cmdlet should ask for the ID of the extra tenants, then get extra tokens and put them in the header. The design will look like New-AzResourceGroupDeployment [-AuxTenant <string[]>] .......

We are planning to support this soon.

@isra-fel isra-fel added this to the Az 11.3.0 (2024-02-06) milestone Dec 20, 2023
@isra-fel isra-fel added the Tracking We will track status and follow internally label Dec 20, 2023
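
The mechanism described in the comment above (acquire a token per extra tenant and send them in a header), sketched as an added example that is not code from this issue or from the Az module: the template is submitted through the ARM deployments REST endpoint with the `x-ms-authorization-auxiliary` header. It assumes the signed-in account can obtain tokens in both tenants with only the peering rights it needs in the remote one; the `<Destination Tenant ID>` placeholder, the `Get-ArmToken` helper and the `2021-04-01` API version are choices made for this sketch.

```powershell
# Added example. Placeholder values are constructed; replace them before use.
$primaryTenant = '<Source Tenant ID>'
$auxTenants    = @('<Destination Tenant ID>')   # tenant that owns the remote VNet
$subscription  = '<VnetASubID>'
$resourceGroup = '<VNetA RG>'
$deployment    = 'VirtualNetworkDeployment'
$arm           = 'https://management.azure.com/'

# Hypothetical helper: returns a plain-text ARM token for one tenant.
function Get-ArmToken([string]$TenantId) {
    $t = (Get-AzAccessToken -TenantId $TenantId -ResourceUrl $arm).Token
    # Newer Az.Accounts releases return a SecureString, older ones a string.
    if ($t -is [securestring]) { $t = [System.Net.NetworkCredential]::new('', $t).Password }
    return $t
}

# ARM accepts at most three auxiliary tokens per request.
if ($auxTenants.Count -gt 3) { throw 'No more than three auxiliary tenants are allowed.' }

$headers = @{
    # Token for the tenant that owns the subscription being deployed to.
    'Authorization'                = "Bearer $(Get-ArmToken $primaryTenant)"
    # One token per extra tenant, comma-separated, each prefixed with "Bearer".
    'x-ms-authorization-auxiliary' = ($auxTenants | ForEach-Object { "Bearer $(Get-ArmToken $_)" }) -join ', '
}

# Wrap the template file from the issue in a deployment request body.
$body = @{
    properties = @{
        mode     = 'Incremental'
        template = (Get-Content .\virtualNetworkPeer.json -Raw | ConvertFrom-Json)
    }
} | ConvertTo-Json -Depth 20

$uri = "${arm}subscriptions/$subscription/resourcegroups/$resourceGroup/providers/" +
       "Microsoft.Resources/deployments/${deployment}?api-version=2021-04-01"

$result = Invoke-RestMethod -Method Put -Uri $uri -Headers $headers `
                            -Body $body -ContentType 'application/json'
$result.properties.provisioningState
```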
@msJinLei msJinLei added ARM - Templates Service Attention This issue is responsible by Azure service team. and removed Service Attention This issue is responsible by Azure service team. ARM - Templates labels Jan 9, 2024
Contributor

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @Azure/deployments-owners.

msJinLei added a commit to msJinLei/azure-powershell-common that referenced this issue Jan 11, 2024
@ArmaanMcleod
Contributor

When will this be released? Any enterprise organisation with a multi tenant setup using ARM/Bicep will find this incredibly frustrating. Basically need to stop using templates for any cross tenant deployments and go back to powershell or CLI.

@isra-fel
Member

Let me reopen this issue - fundamental changes were made to support cross-tenant token-acquiring. Now the engineering work left is to utilize it in deployment cmdlets - we are working with ARM team to get an ETA for that.

@isra-fel isra-fel reopened this Jan 24, 2024
@mortenlerudjordet

Any movement on this issue?
