I have an Azure SQL Server residing in tenant A and I need to add a Virtual network rule for a subnet residing in tenant B.
For this, I have created a service principal and given it multi-tenant access. I am also able to see the SP in both tenants. The SP is given access to both the subscriptions and resources (SQL Server and VNet) in both the tenants.
When I try to add the VNet rule using the SP credentials/login, I encounter the following error:
New-AzSqlServerVirtualNetworkRule:
The client has permission to perform action 'Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/Action'
on scope '/subscriptions/{subscription ID}/resourceGroups/{resource group name}/providers/Microsoft.Sql/servers/{SQL Server name}/virtualNetworkRules/{rule name}',
however the current tenant 'xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' is not authorized to access linked subscription 'xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'.
2 Answers
To encounter the following error
Go to Azure Portal -> Resource group -> Access Control (IAM) -> Add role assignment -> Select Network Contributor -> Add
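As an added example (not part of the answer above and not the poster's code), this script lists the roles effective for the service principal on the subnet and reports whether any of them grants the action named in the error message, so that a broad Network Contributor assignment on the whole resource group can be compared with what is actually needed. It checks RBAC only. The parameters `$SpObjectId` and `$SubnetId` and the helper `Test-ActionAllowed` are hypothetical names, and the script assumes the Az module with a signed-in context in the subscription that owns the VNet.

```powershell
# Added example, not from the original thread. Assumes the Az module and a
# signed-in context (Connect-AzAccount) in the subscription that owns the VNet.
param(
    [Parameter(Mandatory)] [string] $SpObjectId,  # assumption: SP object ID in the VNet's tenant
    [Parameter(Mandatory)] [string] $SubnetId     # assumption: full resource ID of the subnet
)

# Action named in the error message of the question.
$needed = 'Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action'

# Hypothetical helper: Azure role actions use '*' wildcards, which -like also
# understands; a NotActions match removes what Actions granted.
function Test-ActionAllowed {
    param([string] $Action, [string[]] $Actions, [string[]] $NotActions)
    $hit  = @($Actions    | Where-Object { $Action -like $_ }).Count -gt 0
    $deny = @($NotActions | Where-Object { $Action -like $_ }).Count -gt 0
    return ($hit -and -not $deny)
}

# Assignments effective at the subnet: made on it or inherited from above.
$report = foreach ($a in Get-AzRoleAssignment -ObjectId $SpObjectId -Scope $SubnetId) {
    $def = Get-AzRoleDefinition -Id $a.RoleDefinitionId
    [pscustomobject]@{
        Role            = $a.RoleDefinitionName
        AssignedAt      = $a.Scope
        GrantsJoin      = Test-ActionAllowed $needed $def.Actions $def.NotActions
        WiderThanSubnet = ($a.Scope -ne $SubnetId)   # inherited from RG or subscription
    }
}
$report | Format-Table -AutoSize

if (-not ($report | Where-Object GrantsJoin)) {
    Write-Warning "No role effective on the subnet grants '$needed'."
}
```

Rows with `GrantsJoin` true and `WiderThanSubnet` true are candidates for replacing with an assignment scoped to the subnet itself.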
If I understand you correctly you want to connect resources that reside in two separate VNETs.
Have you set up any VNET peering between the two networks (tutorial)?