Hello Rhonda S,
Greetings! Welcome to Microsoft Q&A Platform.
To connect an Azure Cognitive data source to Azure Blob Storage across different tenants, you can try using the SAS service.
A shared access signature (SAS) enables you to securely provide your client applications with access to objects in Azure Storage.
Shared access signatures can be used to restrict the scope of operations that a client can perform, and the objects that they can perform operations against. For example, if you have a shared storage account for all of your tenants, and you store all of tenant A's data in a blob container named tenanta, you can create an SAS that only permits tenant A's users to access that container. For more information, see Isolation models to explore the approaches you can use to isolate your tenants' data in a storage account.
If you want to access Azure Blob storage in a different tenant, you can use Managed Identity (MI) to authenticate to Azure Cognitive services. MI is a feature of Azure Active Directory that enables you to authenticate to services that support Azure AD authentication without the need for credentials in your code.
Refer to the following for more details: Multitenancy and Azure Storage, Managed identities for Azure resources, https://video2.skills-academy.com/en-us/azure/search/search-howto-managed-identities-storage, https://video2.skills-academy.com/en-us/azure/search/search-howto-managed-identities-data-sources?tabs=portal-sys%2Cportal-user.
To access blobs cross-tenant, SAS would be the best option and could be kept on both sides to upload and download (Read, Write, Delete and List). If so, delegate access with a shared access signature. Using SAS you can set an expiry date and time for the storage account and also specify the IP address.
Additionally, it is also possible to get cross-tenant access without using the shared access keys: https://video2.skills-academy.com/en-us/azure/active-directory-b2c/tutorial-customize-ui
Note: The user should have access to the Guest account.
If the user and you are in different tenants, you need to invite them as a Guest and add permission to the storage account.
1. Once you are invited into the account (as a Guest), you don't need Shared Signature permission.
2. You can provide different levels of access using IAM in the Azure portal without the storage account key. Additional information: Refer to this MSDN thread, which provides detailed information on how RBAC works with AAD and more.
Hope this answer helps! Please let us know if you have any further queries. I’m happy to assist you further.
Please "Accept the answer" and "up-vote" wherever the information provided helps you, as this can be beneficial to other community members.
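As an added example that is not part of the answer above, the following Python script checks a SAS URL for the constraints the answer mentions (limited permissions, an expiry date, an IP restriction) before it is handed to the other tenant. The read/list-only policy, the 30-day maximum lifetime, and the account, container and signature values in the sample URLs are assumptions constructed for this example.

```python
# Audit a SAS URL for scope, expiry, IP and protocol constraints (added example).
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

ALLOWED_PERMS = set("rl")          # an indexer needs Read + List only (assumption)
MAX_LIFETIME = timedelta(days=30)  # longest acceptable validity window (assumption)


def parse_sas_time(value):
    """SAS times are ISO 8601 UTC, e.g. 2024-01-31T23:59:59Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_sas_url(url, now=None):
    """Return a list of findings; an empty list means the token meets the policy."""
    now = now or datetime.now(timezone.utc)
    # Standard SAS query parameters: sp (permissions), se (expiry), sip (IP range),
    # spr (allowed protocols), sig (signature).
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    findings = []
    extra = set(params.get("sp", "")) - ALLOWED_PERMS
    if extra:
        findings.append("permissions beyond read/list: " + "".join(sorted(extra)))
    if "se" not in params:
        findings.append("no expiry (se) set")
    else:
        expiry = parse_sas_time(params["se"])
        if expiry <= now:
            findings.append("token already expired")
        elif expiry - now > MAX_LIFETIME:
            findings.append("expiry more than %d days out" % MAX_LIFETIME.days)
    if "sip" not in params:
        findings.append("no IP restriction (sip) set")
    if params.get("spr", "https,http") != "https":  # absent spr permits both protocols
        findings.append("HTTP allowed (spr should be https)")
    if "sig" not in params:
        findings.append("no signature (sig) present")
    return findings


# Constructed sample URLs; account, container and signature are placeholders.
WEAK_SAS = ("https://examplestorage.blob.core.windows.net/tenanta"
            "?sv=2022-11-02&sr=c&sp=racwdl&se=2030-01-01T00:00:00Z&sig=CONSTRUCTED_SIG")
TIGHT_SAS = ("https://examplestorage.blob.core.windows.net/tenanta"
             "?sv=2022-11-02&sr=c&sp=rl&st=2024-01-01T00:00:00Z&se=2024-01-08T00:00:00Z"
             "&sip=203.0.113.10&spr=https&sig=CONSTRUCTED_SIG")

if __name__ == "__main__":
    for label, url in (("weak", WEAK_SAS), ("tight", TIGHT_SAS)):
        print(label, audit_sas_url(url) or ["ok"])
```

Run it against a real SAS URL (the signature is not verified, only the policy fields) to see which of the answer's recommended restrictions are missing.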