I haven't had success with vnet peering between the two tenants and subscriptions.
When trying to make the peering (via PowerShell) I get the error _"message": "The client has permission to perform action 'Microsoft.Network/virtualNetworks/peer/action' on scope '...', however the current tenant '...' is not authorized to access linked subscription '...' "_
Documentation used
https://docs.microsoft.com/en-us/azure/virtual-network/create-peering-different-subscriptions#cli
The account I'm using is a Global Admin in both Azure AD Tenants
For clarity:
Two different Azure AD Tenants
Tenant A is a PAYG subscription
Tenant B is a CSP subscription
Is the issue that the Tenants have different subscription types?
Thanks for the question. We are currently investigating and will update you shortly.
I ran the same test and experienced it from a PAYG to CSP.
A bit of an update: I received the same error when attempting a peer between different Azure Tenants with CSP subscriptions (different subscriptions, just both are CSP).
@jfuller05 This error typically occurs when trying to peer 2 VNETS in different tenants while permissions are not properly set. If you have followed the document and properly added all of the permissions between the tenants, your best bet is to open a support request. If you do not have a support plan, please let me know.
Thank you for the feedback. In my original post I was using the Resource Manager Template to accomplish the vnet peering. I found that using PowerShell I'm able to create the peering between the 2 Azure AD Tenants with 2 different subscriptions following the instructions here https://docs.microsoft.com/en-us/azure/virtual-network/create-peering-different-subscriptions#powershell
@jfuller05 I am glad you were able to successfully peer your VNETs. We will now proceed to close this thread. If there are further questions regarding this matter, please tag me in your reply. We will gladly continue the discussion and we will reopen the issue.
I was able to set up peering using Azure CLI and user authentication.
However, if trying ServicePrincipal authentication, it doesn't work and returns an error:
Failure sending request: StatusCode=403 -- Original Error: Code="LinkedAuthorizationFailed" Message="The client has permission to perform action 'Microsoft.Network/virtualNetworks/peer/action' on scope '/subscriptions/
/resourceGroups/dev-rg/providers/Microsoft.Network/virtualNetworks/dev-vnet/virtualNetworkPeerings/dev-vnet-to-dev-vnet-uw2', however the current tenant ' ' is not authorized to access linked subscription 'tenant#2'."
What's the reason for this?
I can see AppId#1 in AAD of tenant#2.
The only difference I can see is that User is added as a guest in other AAD, however ServicePrincipal can't be added as a guest, but it can be seen as Enterprise Application in Portal (AAD section). Any information on how to make ServicePrincipal working between 2 tenants/AADs - much appreciated.
Hello there
I have the same issue as @ivasilyev-servicetitan-com
@duckie Have you tried using PowerShell to create the peerings?
@duckie Finally I made it work using the following set of commands:
az account clear
az login --service-principal -u "appId" -p "secret" --tenant "tenant#1"
az login --service-principal -u "appId" -p "secret" --tenant "tenant#2"
az network vnet peering create --name dev-vnet-to-dev-vnet-uw2 --resource-group dev-rg --vnet-name dev-vnet --remote-vnet "/subscriptions/subscr#2/resourceGroups/dev-rg-uw2/providers/Microsoft.Network/VirtualNetworks/dev-vnet-uw2" --allow-vnet-access
The order of the az login commands makes a difference. If you're creating the peering in the subscr#2 vnet, then you need to log in to tenant#1 first, then to tenant#2.
@ivasilyev-servicetitan-com Thanks, it worked for me!
Do you know how to translate the az login commands into SDK instructions?
The peering instruction requires access to both tenants:
NetworkPeering peeringAB = networkA.peerings().define(peeringABName)
.withRemoteNetwork(networkB)
.create();
networkA is accessed with tenantA.
networkB is accessed with tenantB.
then I get the following error:
The client has permission to perform action 'Microsoft.Network/virtualNetworks/peer/action' on scope '/subscriptions/subscriptionA/resourceGroups/rg-dev/providers/Microsoft.Network/virtualNetworks/vnet-dev/virtualNetworkPeerings/peer-dev', however the current tenant '(tenantA)' is not authorized to access linked subscription '(subscriptionB)'
@fabaliga I'm not sure what it will be with the SDK. But I believe you need to make 2 authentication actions as well (in the correct order). Actually I will need to achieve the same with Terraform somehow - not sure of the actual steps for now.
Meanwhile, did you see this video? It shows AzureCLI, PowerShell and REST API (using Postman) actions to make the peering. You can try to use --debug option to investigate what AzureCLI is doing under the hood.
@ivasilyev-servicetitan-com Many thanks for the video! I don't think the SDK handles the auxiliary token, so using the REST request might be the only solution.
(Also, regarding Terraform, it seems that you can authenticate using the Azure CLI)
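The REST path mentioned above, as an added example that is not from anyone in this thread: Azure Resource Manager accepts a second bearer token for the other tenant in the `x-ms-authorization-auxiliary` header, and the `LinkedAuthorizationFailed` error quoted in this thread is what ARM returns when that token is missing or comes from the wrong tenant. The code below builds the peering `PUT` with a primary token for the tenant that owns the local VNet and an auxiliary token for the tenant that owns the remote VNet, and parses the ARM error body when the call is rejected. The subscription, resource group, VNet and tenant names are placeholders I made up; the service principal is assumed to be registered (multi-tenant app) in both tenants with peer rights on each VNet, and `get_token` uses the standard client-credentials flow against `login.microsoftonline.com`.

```python
"""Cross-tenant VNet peering over the ARM REST API using an auxiliary token.

Added example (not code from the thread or from Microsoft). All IDs are
placeholders. Assumes one service principal present in both tenants with
'Microsoft.Network/virtualNetworks/peer/action' on both VNets.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

ARM = "https://management.azure.com"
API_VERSION = "2020-05-01"  # a published Microsoft.Network API version


def get_token(tenant_id, client_id, client_secret, opener=urllib.request.urlopen):
    """Client-credentials token for ARM issued by one tenant (OAuth 2.0 v2 endpoint)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{ARM}/.default",
    }).encode()
    with opener(urllib.request.Request(url, data=form, method="POST")) as resp:
        return json.load(resp)["access_token"]


def peering_request(local_sub, local_rg, local_vnet, peering_name,
                    remote_vnet_id, primary_token, auxiliary_token,
                    allow_vnet_access=True):
    """Build (url, headers, body) for the PUT that creates one side of the peering.

    primary_token must be issued by the tenant that owns the local VNet;
    auxiliary_token by the tenant that owns remote_vnet_id. Swapping them, or
    omitting the auxiliary header, yields LinkedAuthorizationFailed from ARM.
    """
    path = (f"/subscriptions/{local_sub}/resourceGroups/{local_rg}"
            f"/providers/Microsoft.Network/virtualNetworks/{local_vnet}"
            f"/virtualNetworkPeerings/{peering_name}")
    url = f"{ARM}{path}?api-version={API_VERSION}"
    headers = {
        "Authorization": f"Bearer {primary_token}",
        "x-ms-authorization-auxiliary": f"Bearer {auxiliary_token}",
        "Content-Type": "application/json",
    }
    body = {"properties": {
        "remoteVirtualNetwork": {"id": remote_vnet_id},
        "allowVirtualNetworkAccess": allow_vnet_access,
    }}
    return url, headers, body


def parse_arm_error(response_text):
    """Return (code, message) from an ARM error body such as LinkedAuthorizationFailed."""
    err = json.loads(response_text).get("error", {})
    return err.get("code"), err.get("message")


def create_peering(url, headers, body, opener=urllib.request.urlopen):
    """Send the PUT; returns (status, parsed JSON) or (status, (code, message)) on error."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers=headers, method="PUT")
    try:
        with opener(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as e:
        return e.code, parse_arm_error(e.read().decode())


if __name__ == "__main__":
    # Placeholder values; replace with your own before running against Azure.
    tok_a = get_token("<tenant-a-id>", "<app-id>", "<secret>")   # owns subscription A
    tok_b = get_token("<tenant-b-id>", "<app-id>", "<secret>")   # owns subscription B
    remote = ("/subscriptions/<sub-b>/resourceGroups/rg-dev-b"
              "/providers/Microsoft.Network/virtualNetworks/vnet-dev-b")
    url, hdrs, body = peering_request("<sub-a>", "rg-dev", "vnet-dev", "peer-dev",
                                      remote, tok_a, tok_b)
    print(create_peering(url, hdrs, body))
```

The auxiliary header is the mechanism behind the login-order observation earlier in the thread: the CLI uses the account you logged in to last as the primary context and the other tenant's token as the auxiliary one, so the primary must be the tenant owning the VNet in which the peering resource is created. A peering is only established once the mirror `PUT` has been issued from the other side with the roles of the two tokens reversed.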
I'm having the same issue using ARM deployments using an account with MFA.
We need it to work via ARM using a service principal.
BTW it works via PowerShell but we need it working via ARM.
Any help would be appreciated.