Apps on Azure Blog

Configuring Azure Container App to Pull Images from Different Tenants' Azure Container Registry

Joe_Chen
Microsoft
Dec 03, 2024

Introduction

In many enterprise environments, it's common for organizations to have multiple Azure tenants, each serving different teams, projects, or departments. While this segregation adds a layer of security and control, it can also introduce challenges, especially when resources need to interact across these tenants.

One common scenario is when developers need their Azure Container App in one tenant to pull container images from an Azure Container Registry (ACR) located in another tenant. This is particularly useful for organizations that centralize their container images in a shared registry, perhaps managed by a DevOps team, while allowing individual teams from different tenants to deploy applications using those images. So let’s dive into how you can set this up.

Instructions

Step 1: Create Multitenant App Registration

1. Create a new App Registration:

  • Name: Provide a name that you can easily recognize for your app registration
  • Supported Account Types: Select the "Multitenant" option. Decide if you want to allow personal Microsoft accounts based on your requirements
  • Redirect URI: Choose "Web" and enter "https://www.microsoft.com"

2. Navigate to the App Registration section. In the "Overview" blade, locate and note down the Application (client) ID:


3. Navigate to the "Certificates & secrets" blade. Create a new client secret and write down the value of the client secret immediately. Once you leave this page, you won't be able to retrieve or copy the value again:

Step 2: Provision the Service Principal in the Azure Container Registry tenant

1. Go to the Azure Container Registry tenant and sign in with your admin account. Then open the following link, replacing <ACR-Tenant-ID> and <Multitenant-application-ID> with your own values:

https://login.microsoftonline.com/<ACR-Tenant-ID>/oauth2/authorize?client_id=<Multitenant-application-ID>&response_type=code&redirect_uri=https://www.microsoft.com

2. When the popup window appears, check the box for "Consent on behalf of your organization" and click "Accept":

Step 3: Grant service principal "AcrPull" permission to pull from Azure Container Registry

1. Navigate to the "Access Control (IAM)" blade in the Azure Container Registry and click on "Add role assignment":

2. Choose "AcrPull" permission:

3. Select the enterprise application in the Azure Container Registry's tenant. You can search by name or object ID:


Step 4: Create a new Azure Container App that pulls an image from the other tenant's Azure Container Registry using the service principal

1. Run the following Azure CLI command (note: the Azure portal does not support this configuration yet):

  • <application-id>: Use the value from Step 1-2
  • <client-secret-value>: Use the value from Step 1-3

az containerapp create -n <name-of-container-app> -g <resource-group-of-container-app> --image <acr-name>.azurecr.io/<image-name>:<image-tag> --environment <container-app-environment-name> --ingress external --target-port <your-container-expose-port> --registry-server <acr-name>.azurecr.io --registry-username <application-id> --registry-password <client-secret-value> --query properties.configuration.ingress.fqdn

2. After the command runs, the console output confirms that a secret has been created to store the client secret value and that the container app has been set up successfully:

Congratulations! All steps are complete. You can now visit the Container App Application URL to verify that everything is working correctly.

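The procedure from Step 2 onward, as an added Azure CLI script that is not part of the original post (all environment variable names and resource names are assumed placeholders): it builds the consent URL after validating both IDs, assigns AcrPull at registry scope, creates the container app with the client secret read from the environment, and checks what was actually stored.

```shell
# Added example, not code from the original post: drives Steps 2-4 with the Azure CLI.
# Assumed environment variables (all placeholders): ACR_TENANT_ID, APP_ID (Application
# (client) ID from Step 1-2), CLIENT_SECRET (value from Step 1-3), ACR_NAME, ACR_RG,
# APP_NAME, APP_RG, APP_ENV (Container Apps environment), IMAGE (name:tag), PORT.
set -eu

# Tenant and application IDs are GUIDs; reject typos here instead of letting the
# consent URL or the role assignment fail with an opaque error later.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Step 2: the admin-consent URL from the post. Opening it while signed in as an admin
# of the ACR tenant provisions the multitenant app's service principal there.
build_consent_url() {
  is_guid "$1" && is_guid "$2" || return 1
  printf 'https://login.microsoftonline.com/%s/oauth2/authorize?client_id=%s&response_type=code&redirect_uri=https://www.microsoft.com\n' "$1" "$2"
}

# Step 3 (run while logged in to the ACR tenant): AcrPull scoped to this one registry,
# assigned to the service principal's object ID in the ACR tenant, then listed back.
grant_acrpull() {
  local sp_oid acr_id
  sp_oid=$(az ad sp show --id "$APP_ID" --query id -o tsv)
  acr_id=$(az acr show -n "$ACR_NAME" -g "$ACR_RG" --query id -o tsv)
  az role assignment create --assignee-object-id "$sp_oid" \
    --assignee-principal-type ServicePrincipal --role AcrPull --scope "$acr_id" -o none
  az role assignment list --assignee "$sp_oid" --scope "$acr_id" --role AcrPull -o table
}

# Step 4 (run while logged in to the Container App tenant): the post's command, but the
# secret is read from the environment so the literal value never enters shell history.
create_app() {
  az containerapp create -n "$APP_NAME" -g "$APP_RG" --environment "$APP_ENV" \
    --image "$ACR_NAME.azurecr.io/$IMAGE" --ingress external --target-port "$PORT" \
    --registry-server "$ACR_NAME.azurecr.io" --registry-username "$APP_ID" \
    --registry-password "$CLIENT_SECRET" --query properties.configuration.ingress.fqdn -o tsv
}

# Post-checks: the registry binding should reference a stored secret (passwordSecretRef),
# and the client secret's expiry date is what you must track to rotate it in time.
verify() {
  az containerapp show -n "$APP_NAME" -g "$APP_RG" -o table \
    --query 'properties.configuration.registries[].{server:server,user:username,secretRef:passwordSecretRef}'
  az ad app credential list --id "$APP_ID" -o table --query '[].{keyId:keyId,expires:endDateTime}'
}
# Usage: export the variables, then build_consent_url "$ACR_TENANT_ID" "$APP_ID" (open it,
# accept consent); grant_acrpull in the ACR tenant; create_app and verify in the app tenant.
```
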
Additional Notes

  • To update the container app to a new image, run the following Azure CLI command:

az containerapp update -n <name-of-container-app> -g <resource-group-of-container-app> --image <acr-name>.azurecr.io/<image-name>:<image-tag>

  • Since the portal does not support using a service principal to pull images from another tenant's Azure Container Registry, you will need to type the new image reference manually, as follows, to change to the new image:

Reference

Updated Oct 25, 2024