Azure Private Link enables private and secure connectivity to Azure PaaS services across different tenants by leveraging private endpoints. This architecture ensures that traffic remains on the Microsoft backbone network, completely bypassing the public internet. This blog will walk you through the steps to set up cross-tenant connectivity between Azure Databricks and Azure Storage account using Private Link.
High Level Architecture
Cross-Tenant Architecture Overview
- The setup involves two separate Azure tenants:
- Tenant A: Hosts the Storage Account.
- Tenant B: Hosts Azure Databricks.
- Databricks in Tenant B accesses the Hierarchical Namespace (HNS) enabled Storage Account in Tenant A using a Private Endpoint.
- The Storage Account in Tenant A is HNS enabled (i.e., suitable for Azure Data Lake Storage Gen2).
- A Private DNS Zone must be configured to resolve the NIC of the private endpoint created for the storage account.
- A multi-tenant Service Principal (SPN) is required to:
- Allow secure, managed access for Databricks in Tenant B to the storage account in Tenant A.
- Provide role-based access control (RBAC) access to the storage account.
Steps to Configure Cross-Tenant Private Endpoint
- Create an HNS-enabled Storage Account in Tenant A.
- Capture the Resource ID and Subresource name (blob).
- In Tenant B, create a Private Endpoint:
- Use the Resource ID and Subresource name of the storage account from Tenant A.
- After creating the Private Endpoint:
- An approval request will be triggered in Tenant A.
- Approval is found under:
Storage Account > Networking > Private endpoint connections
- In Tenant A, approve the private endpoint request:
- Minimum roles required:
- Private Link Service Owner
- OR Network Contributor
- Minimum roles required:
- Update the DNS configuration:
- Ensure the Private DNS Zone resolves the NIC of the private endpoint to allow successful name resolution for the storage account from Tenant B.
Multi-Tenant SPN Configuration and Access
- In Tenant B, create a Multi-Tenant App Registration (SPN).
- In Tenant A, grant admin consent using the following URL: https://login.microsoftonline.com/{organization}/adminconsent?client_id={client-id}
- Replace:
- {organization} = Tenant A's Directory (Tenant) ID
- {client-id} = Application (Client) ID of the SPN
- Replace:
- Minimum Entra ID Role required to approve admin consent:
- Application Administrator
- After consent is granted, assign RBAC to the SPN in Tenant A:
- Role: Storage Blob Data Contributor
- Scope: On the target Storage Account
Azure documentation references
- Multi-Tenant SPNs: https://learn.microsoft.com/en-us/entra/identity-platform/howto-convert-app-to-be-multi-tenant
- Tenant wide Admin Consent: Grant tenant-wide admin consent to an application - Microsoft Entra ID | Microsoft Learn
Updated May 19, 2025
Version 1.0
umairakhtar19
Microsoft
Microsoft