Using an access token to access a multi-tenant storage account using RBAC (without any credentials from the multi-tenant storage account)

Alex, Alexon 71 Reputation points
2020-06-17T11:01:25.667+00:00

Looking for a solution using an access token to access a multi-tenant storage account using RBAC, without any credentials from the multi-tenant storage account (programmatic access to a tenant's storage account for CRUD operations).

Based on the following code samples: https://github.com/Azure-Samples/ms-identity-java-desktop/tree/master/ (Username-Password Flow)

I have created a service principal, and using "username + password + client id", I generated a token. With this token + RBAC permission for my user (as Storage Blob Contributor), I am able to do blob CRUD operations within MY account.

I want to extend this solution to a multi-tenant storage account. The user I created above has been granted RBAC permissions (Storage Account Contributor, Storage Blob Contributor) on another tenant's storage account (assume Tenant-2).

My assumption was that, using the same token generated in the first step, I should be able to do CRUD operations on the Tenant-2 storage account (since Tenant-2 has granted RBAC permissions to my user). But this didn't work. It reports an authentication error: "Issuer validation failed. Issuer did not match".

In the JWT token, the token issuer/signer was my tenant-id. I am still not sure why RBAC doesn't work.

Any suggestions?


Accepted answer
  1. soumi-MSFT 11,761 Reputation points Microsoft Employee
    2020-06-20T06:47:17.347+00:00

    @AlexAlexon-4788, The app registration is just an entry in AAD, to say that I have an actual application running somewhere, and for that actual application I am creating this registration, and whenever my actual application sends a request with this app id (generated by the app registration), please treat it as a trusted application. In other words, just like a user has a username and password in AAD to authenticate itself, the app would also have an app id and app secret (created through app registration) to authenticate itself when it reaches AAD for a token.

    Now coming to the second part, where you mentioned that you want to access storage accounts of other tenants (let's say tenant B) from an app that is registered in tenant A. If we compare this scenario by replacing the app with a user, the steps would be like:
    Add the user of tenant A to the RBAC of tenant B, either at the subscription level, at the resource group level, or directly at the resource level, to provide access to the storage.

    In the same way, the application of tenant A would also have to be added first to tenant B somehow so that the application can interact with the resources in tenant B. For this very reason, I request you to convert your app registration to a multi-tenant app. Once you convert your app registration in Tenant A to a multi-tenant app, the service principal of your app can be registered in Tenant B by simply accessing that app and logging into it with a user of tenant B. Once the user of tenant B accesses that application, the service principal would get registered in tenant B for your actual application. Then you can add that service principal to the RBAC of tenant B at the subscription level, at the resource group level, or directly at the resource level to provide access to the storage.

    This would be the only way to extend your application to other tenants. You can read more about multi-tenant application architecture, how the sign-ins happen for these apps, and how these are different from normal apps here:

    Hope this helps.

    Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.
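To make the "Issuer validation failed. Issuer did not match" error from the question concrete, here is an added Python example (not from the original post, the sample repository, or Microsoft). It builds a constructed, unsigned demo token with the claim layout of an Azure AD v1 access token, reads its claims, and checks whether the issuer tenant matches the tenant that owns the storage account. The tenant ids, object ids and audience string are constructed placeholders; a real resource additionally verifies the signature against the issuing tenant's published signing keys, which this example does not do.

```python
import base64
import json

# Constructed placeholder tenant ids (not real tenants).
TENANT_A = "11111111-1111-1111-1111-111111111111"  # tenant that issued the token
TENANT_B = "22222222-2222-2222-2222-222222222222"  # tenant that owns the storage account

# Assumed audience value for Azure Storage tokens (constructed for this example).
STORAGE_AUDIENCE = "https://storage.azure.com/"


def _b64url_encode(data: bytes) -> str:
    """Base64url without padding, as used in compact JWS segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Re-add the padding that compact JWS strips before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_demo_token(issuing_tenant: str, oid: str) -> str:
    """Build an UNSIGNED demo JWT (alg 'none', empty signature) purely to
    illustrate the claim layout; no real service would accept it."""
    header = {"typ": "JWT", "alg": "none"}
    payload = {
        "aud": STORAGE_AUDIENCE,
        # v1 access tokens carry the issuing tenant in 'iss' and 'tid'.
        "iss": f"https://sts.windows.net/{issuing_tenant}/",
        "tid": issuing_tenant,
        "oid": oid,
        "scp": "user_impersonation",
    }
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        "",
    ])


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def check_token_for_tenant(token: str, resource_tenant: str) -> dict:
    """Mimic the issuer check a resource in 'resource_tenant' performs:
    the token must be meant for storage and issued by that same tenant."""
    claims = decode_claims(token)
    expected_issuers = {
        f"https://sts.windows.net/{resource_tenant}/",               # v1 format
        f"https://login.microsoftonline.com/{resource_tenant}/v2.0",  # v2 format
    }
    if claims.get("aud") != STORAGE_AUDIENCE:
        return {"ok": False, "reason": "audience mismatch"}
    if claims.get("iss") not in expected_issuers:
        return {"ok": False, "reason": "Issuer validation failed. Issuer did not match"}
    return {"ok": True, "reason": "issuer matches resource tenant"}


if __name__ == "__main__":
    # Token obtained from tenant A (the questioner's tenant).
    token_a = make_demo_token(TENANT_A, "user-in-tenant-a")
    print("tenant A storage:", check_token_for_tenant(token_a, TENANT_A))
    print("tenant B storage:", check_token_for_tenant(token_a, TENANT_B))
    # Token obtained for the app's service principal provisioned in tenant B,
    # which is what the multi-tenant app approach in the answer yields.
    token_b = make_demo_token(TENANT_B, "sp-of-app-in-tenant-b")
    print("tenant B storage:", check_token_for_tenant(token_b, TENANT_B))
```

Running it shows why the RBAC assignment alone is not enough: the role assignment in tenant B is evaluated only after the token passes validation, and a token whose `iss`/`tid` point at tenant A never reaches that step. The token that does pass is one issued by tenant B, which is exactly what you get once the service principal exists in tenant B and the client requests the token from tenant B's authority.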


2 additional answers

Sort by: Most helpful
  1. Alex, Alexon 71 Reputation points
    2020-06-18T11:43:45.987+00:00

    Thanks for your reply @soumi-MSFT

    I will make my application scenario clearer:

    1. By multi-tenant, I mean/want that my app (service principal) can access the storage accounts of other tenants (I am not expecting other tenants to access my app).
    2. My server (on-premises) --> get token (user name (AD user) + password + client id). My server (on-premises) --> do operations on the multi-tenant storage account using tokens.
    3. The app registration done in my Azure account is just to support RBAC (no real server running in Azure).
    4. Based on the sample code you provided (username password flow), I can generate a token and do operations on the storage account belonging to my tenant. I was under the assumption that I could use the same token to do operations on another tenant's storage account (by generating the token with the scope as the other tenant's storage account), where that tenant has granted RBAC permission to my user (AD user) - but this did not work, as mentioned in my initial question (token signature verification failed, as it is signed by my tenant).
    5. My basic expectation is that I want to do this programmatically with the support of RBAC (avoiding any type of credentials of other tenants).

    FYI:
    1. Regarding authority - in the username password flow, it is given as "https://login.microsoftonline.com/organizations/".
    2. I changed it to "https://login.microsoftonline.com/common/", but it gives this error: Caused by: com.microsoft.aad.msal4j.MsalServiceException: AADSTS9001023: The grant type is not supported over the /common or /consumers endpoints. Please use the /organizations or tenant-specific endpoint.
    3. The scope I am using is -- SCOPE = Collections.singleton("https://storage.azure.com/user_impersonation")

    1 person found this answer helpful.

  2. soumi-MSFT 11,761 Reputation points Microsoft Employee
    2020-06-18T09:09:21.493+00:00

    @AlexAlexon-4788, Apologies for the delay in my response. In case you want to extend the current application to other tenants, you would have to turn the app registration for this app from a single-tenant app into a multitenant app.

    [Screenshot: 10361-multitenantoption.png]

    Once this app is configured as multitenant, users from other tenants would be able to access this app and authenticate to it using their tenant user IDs. Once the users from the other tenant sign into this app, a service principal for this app would get created in their tenant, and then on that service principal you can apply the RBAC roles. For the user authentication, it would reach out to that other tenant and fetch a token from that other tenant when the user of that tenant puts in the creds.

    Points to note:

    In your current application's code, where you have mentioned the authority like "https://login.microsoftonline.com/{tenant-id}", you need to modify that and put in the following: "https://login.microsoft.com/common". If you are following the same sample that I have shared with you above, you would see that that sample has the following variable defined: " private final static String AUTHORITY = "https://login.microsoftonline.com/common/"; " in UsernamePasswordFlow.java. This is required for the application code to behave as multitenant.

    Hope this helps.

    Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.