
fix: pass auxiliary_tenant_ids to ARM client options for cross-tenant authentication #1046

Merged
ms-henglu merged 2 commits into Azure:main from teowa:cross-tenant on Feb 3, 2026

fix: pass auxiliary_tenant_ids to ARM client options for cross-tenant authentication#1046
ms-henglu merged 2 commits intoAzure:mainfrom
teowa:cross-tenant

Conversation

@teowa (Contributor) commented Feb 2, 2026

Fixes #419

Both AdditionallyAllowedTenants and AuxiliaryTenants need to be set for cross-tenant auth, ref: Azure/azure-sdk-for-go#17159 (comment)

@teowa teowa requested review from magodo and ms-henglu February 2, 2026 04:52
@magodo (Contributor) left a comment

LGTM as long as the manual test passes.

@teowa (Contributor, Author) commented Feb 3, 2026

Test:
auth: Multi-tenant application with Service Principal and a Client Secret
test config (following the case in the Azure doc):

terraform {
  required_providers {
    azapi = {
      source = "Azure/azapi"
    }
  }
}

# Primary tenant/subscription variables
variable "primary_tenant_id" {
  type        = string
  description = "The tenant ID for the primary Azure provider"
  default     = ""
}

variable "primary_subscription_id" {
  type        = string
  description = "The subscription ID for the primary Azure provider"
  default     = ""
}

# Cross-tenant variables
variable "cross_tenant_id" {
  type        = string
  description = "The tenant ID for the cross-tenant Azure provider"
  default     = ""
}

variable "cross_subscription_id" {
  type        = string
  description = "The subscription ID for the cross-tenant Azure provider"
  default     = ""
}

variable "resource_name" {
  type    = string
  default = "acctest0001"
}

variable "location" {
  type    = string
  default = "westeurope"
}

provider "azapi" {
  subscription_id = var.primary_subscription_id
  tenant_id       = var.primary_tenant_id
}

provider "azapi" {
  alias                = "cross"
  subscription_id      = var.cross_subscription_id
  tenant_id            = var.cross_tenant_id
  auxiliary_tenant_ids = [var.primary_tenant_id]
}

resource "azapi_resource" "resourceGroup" {
  type     = "Microsoft.Resources/resourceGroups@2020-06-01"
  name     = var.resource_name
  location = var.location
}

resource "azapi_resource" "networkManager" {
  type      = "Microsoft.Network/networkManagers@2022-09-01"
  parent_id = azapi_resource.resourceGroup.id
  name      = var.resource_name
  location  = var.location
  body = {
    properties = {
      description = ""
      networkManagerScopeAccesses = [
        "Routing",
      ]
      networkManagerScopes = {
        managementGroups = [
        ]
        subscriptions = [
          "/subscriptions/${var.primary_subscription_id}"
        ]
      }
    }
  }
  schema_validation_enabled = false
  response_export_values    = ["*"]
}

resource "azapi_resource" "networkManagerConnection" {
  provider  = azapi.cross
  type      = "Microsoft.Network/networkManagerConnections@2022-09-01"
  parent_id = "/subscriptions/${var.cross_subscription_id}"
  name      = var.resource_name
  body = {
    properties = {
      networkManagerId = azapi_resource.networkManager.id
    }
  }
  schema_validation_enabled = false
  response_export_values    = ["*"]
}

log

@ms-henglu ms-henglu merged commit cb25bea into Azure:main Feb 3, 2026
10 checks passed
@teowa teowa deleted the cross-tenant branch February 3, 2026 05:06
matt-FFFFFF pushed a commit to matt-FFFFFF/terraform-provider-azapi that referenced this pull request Mar 4, 2026
…nt authentication (Azure#1046)

* fix auxiliary_tenant_ids

* redact x-ms-authorization-auxiliary in log
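An added example (not the provider's code) covering, from the operator's side, the two things the commits above touch: a check that an ARM request actually carries one auxiliary bearer token per configured auxiliary tenant (the missing header is the symptom behind the linked issue), and redaction of Authorization and x-ms-authorization-auxiliary before a request is logged. It assumes ARM's documented header format "Bearer <t1>, Bearer <t2>" for the auxiliary header; all header values below are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Headers carrying bearer tokens on an ARM request: the primary tenant's token in
// Authorization, one token per auxiliary_tenant_ids entry in x-ms-authorization-auxiliary.
var sensitiveHeaders = map[string]bool{
	"authorization":                true,
	"x-ms-authorization-auxiliary": true,
}

// bearerTokens extracts the tokens from a value like "Bearer t1, Bearer t2" (assumed ARM format).
func bearerTokens(value string) []string {
	var toks []string
	for _, part := range strings.Split(value, ",") {
		scheme, tok, ok := strings.Cut(strings.TrimSpace(part), " ")
		if ok && strings.EqualFold(scheme, "Bearer") && tok != "" {
			toks = append(toks, tok)
		}
	}
	return toks
}

// CheckAuxiliaryTokens fails unless the request carries exactly one auxiliary
// bearer token per configured auxiliary tenant; a missing or short header means
// the auxiliary tenants never reached the ARM client options.
func CheckAuxiliaryTokens(h http.Header, auxTenantIDs []string) error {
	got := len(bearerTokens(h.Get("x-ms-authorization-auxiliary")))
	if got != len(auxTenantIDs) {
		return fmt.Errorf("x-ms-authorization-auxiliary has %d token(s), want %d", got, len(auxTenantIDs))
	}
	return nil
}

// RedactHeaders returns a copy of h with every bearer token in the sensitive headers
// masked, keeping the token count so a log line still shows how many were sent.
func RedactHeaders(h http.Header) http.Header {
	out := h.Clone() // Clone copies the value slices, so h is left untouched
	for name, values := range h {
		if !sensitiveHeaders[strings.ToLower(name)] {
			continue
		}
		for i, v := range values {
			n := len(bearerTokens(v)) // a value with no Bearer tokens is blanked entirely
			out[name][i] = strings.TrimSuffix(strings.Repeat("Bearer [REDACTED], ", n), ", ")
		}
	}
	return out
}
```

Run CheckAuxiliaryTokens against the outgoing request of a resource that uses the aliased provider (the networkManagerConnection above) to confirm the auxiliary token is present, and pass every header set through RedactHeaders before it reaches debug logs.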

Development

Successfully merging this pull request may close these issues.

Provider parameter auxiliary_tenant_ids not working when authenticating with Secret Value or Az CLI
