How do I connect my Azure Cognitive data source to Azure Blob storage in a different tenant? I can't use account keys.

Rhonda S 6 Reputation points Microsoft Employee
2024-06-13T18:43:50.5333333+00:00

My Azure Cognitive Search instance is in a different tenant than my Azure Blob Storage instance. How do I connect cross-tenant if I don't want to use Account Keys to authenticate? I'm assuming I need to use a multi-tenant service principal or something like that but I can't find any documentation on the issue.

Azure Blob Storage

2 answers

  1. Miguel Gonçalves 961 Reputation points
    2024-06-13T20:00:57.3866667+00:00

    Hi Rhonda S,

    How do I configure Azure Cognitive Search datasource to connect using service principal?

    https://video2.skills-academy.com/en-us/answers/questions/1194890/how-do-i-configure-azure-cognitive-search-datasour

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".


  2. Nehruji R 7,801 Reputation points Microsoft Vendor
    2024-06-14T10:53:03.0933333+00:00

    Hello Rhonda S,

    Greetings! Welcome to Microsoft Q&A Platform.

    To connect an Azure Cognitive Search data source to Azure Blob Storage across different tenants, you can try using a SAS (shared access signature).

    A shared access signature (SAS) enables you to securely provide your client applications with access to objects in Azure Storage.

    Shared access signatures can be used to restrict the scope of operations that a client can perform, and the objects that they can perform operations against. For example, if you have a shared storage account for all of your tenants, and you store all of tenant A's data in a blob container named tenanta, you can create an SAS that only permits tenant A's users to access that container. For more information, see Isolation models to explore the approaches you can use to isolate your tenants' data in a storage account. If you want to access Azure Blob storage in a different tenant, you can use Managed Identity (MI) to authenticate to Azure Cognitive services. MI is a feature of Azure Active Directory that enables you to authenticate to services that support Azure AD authentication without the need for credentials in your code.

    Refer to the following for more details: Multitenancy and Azure Storage, Managed identities for Azure resources, https://video2.skills-academy.com/en-us/azure/search/search-howto-managed-identities-storage, https://video2.skills-academy.com/en-us/azure/search/search-howto-managed-identities-data-sources?tabs=portal-sys%2Cportal-user.

    To access blobs cross-tenant, SAS would be the best option and could be kept on both sides to upload and download (Read, Write, Delete and List). If so, delegate access with a shared access signature. Using SAS you can set an expiry date and time for the storage account and also specify the IP address.

    Additionally, cross-tenant access is also possible without using the shared access keys: https://video2.skills-academy.com/en-us/azure/active-directory-b2c/tutorial-customize-ui

    Note: The user should have access to the Guest account.

    If the user and you are in different tenants, you need to invite them as a Guest and add permission to the storage account.

    1. Once you are invited into the account (as a Guest), you don't need a shared access signature permission.

    2. You can provide different levels of access using IAM in the Azure portal without the storage account key. Additional information: refer to this MSDN thread, which provides detailed information on how RBAC works with AAD and more.

    Hope this answer helps! Please let us know if you have any further queries. I’m happy to assist you further.


    Please "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.

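The answer above recommends a container-scoped SAS with an expiry and an IP restriction, and the question rules out account keys. The following is an added example, not code from the thread or from Microsoft: a small policy check that parses a Blob SAS URL and reports anything that would let the token do more than a cross-tenant indexer needs (account-level scope, write/delete permissions, long or missing expiry, no HTTPS restriction, no IP range, or a signature made with an account key rather than a user delegation key). The SAS query-parameter names (`sr`, `ss`, `sp`, `se`, `spr`, `sip`, `skoid`, `sktid`) are the documented ones; the storage account name, container name, IP range, object/tenant IDs and `sig` values in the sample URLs are constructed placeholders.

```python
"""Policy check for a Blob SAS URL before it is handed to a consumer in another tenant.

Added example (not from the Q&A thread). The sample URLs at the bottom are
constructed; their signatures are placeholders and would not validate.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Permissions an indexer that only reads blobs needs: read + list.
READ_ONLY = {"r", "l"}


def parse_sas_url(url):
    """Return (host, path, params) with each SAS query parameter as a single string."""
    u = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    return u.hostname, u.path, params


def check_sas(url, now=None, max_hours=24):
    """Return a list of policy violations; an empty list means the SAS passes."""
    now = now or datetime.now(timezone.utc)
    _host, _path, p = parse_sas_url(url)
    problems = []

    # 1. Scope: a service SAS carries 'sr' (signed resource); an account SAS carries 'ss'.
    if "ss" in p:
        problems.append("account-level SAS: scope it to one container instead")
    elif p.get("sr") not in ("c", "b"):
        problems.append(f"unexpected or missing signed resource sr={p.get('sr')!r}")

    # 2. Permissions: nothing beyond read and list.
    perms = set(p.get("sp", ""))
    extra = perms - READ_ONLY
    if not perms:
        problems.append("no permissions (sp) set")
    elif extra:
        problems.append(f"permissions beyond read/list: {''.join(sorted(extra))}")

    # 3. Expiry: present, in the future, and not far away.
    se = p.get("se")
    if not se:
        problems.append("no expiry (se)")
    else:
        expiry = datetime.strptime(se, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if expiry <= now:
            problems.append("SAS already expired")
        elif expiry - now > timedelta(hours=max_hours):
            problems.append(f"expiry more than {max_hours}h away")

    # 4. Transport and source restrictions.
    if p.get("spr") != "https":
        problems.append("not restricted to HTTPS (spr)")
    if "sip" not in p:
        problems.append("no IP range (sip)")

    # 5. A user delegation SAS carries the delegating identity (skoid/sktid);
    #    without it the token was signed with a storage account key.
    if "skoid" not in p:
        problems.append("signed with account key, not a user delegation key")

    return problems


# Constructed samples: placeholder account, container, IPs, IDs and signatures.
NOW = datetime(2024, 6, 14, 12, 0, tzinfo=timezone.utc)
GOOD_SAS = (
    "https://examplestorage.blob.core.windows.net/tenanta"
    "?sv=2022-11-02&sr=c&sp=rl&se=2024-06-14T20:00:00Z&spr=https"
    "&sip=203.0.113.10-203.0.113.20"
    "&skoid=00000000-0000-0000-0000-000000000000"
    "&sktid=11111111-1111-1111-1111-111111111111&sig=PLACEHOLDER"
)
BAD_SAS = (
    "https://examplestorage.blob.core.windows.net/"
    "?sv=2022-11-02&ss=b&srt=sco&sp=rwdl&se=2025-01-01T00:00:00Z&sig=PLACEHOLDER"
)

if __name__ == "__main__":
    for label, url in (("good", GOOD_SAS), ("bad", BAD_SAS)):
        print(label, check_sas(url, NOW) or "OK")
```

A token that passes this check is the kind the Azure CLI issues with `az storage container generate-sas --auth-mode login --as-user` (a user delegation SAS signed by the caller's Entra ID identity rather than by an account key); that identity must hold a data-plane role such as Storage Blob Data Reader on the storage account in the other tenant, which is the IAM step the answer describes.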
