Unable to Complete Cross Tenant Peering with ARM

[nazakathussain]

Description

Similar to issues reported in Azure CLI however different way to reproduce.

Scenario
Attempting to deploy an ARM Template as described in Article which will complete a peering between two Virtual Networks in different tenants which returns an error message. The same happens in CLI when using group deployment.

The ARM Template:

{ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": {}, "variables": {}, "resources": [ { "apiVersion": "2017-10-01", "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings", "name": "<PeeringName>", "location": "<VnetA RG>", "properties": { "allowVirtualNetworkAccess": true, "allowForwardedTraffic": true, "allowGatewayTransit": false, "useRemoteGateways": true, "remoteVirtualNetwork": { "id": "/subscriptions/<Destination Subscription>/resourceGroups/<VNet RG>/providers/Microsoft.Network/virtualNetworks/<Vnet>" } } } ], "outputs": {} }

Command being used to deploy:

New-AzResourceGroupDeployment -Name "VirtualNetworkDeployment" -ResourceGroupName "<VNetA RG>" -TemplateFile .\virtualNetworkPeer.json -Verbose`

Issue script & Debug output

New-AzResourceGroupDeployment : 11:34:21 - The deployment 'VirtualNetworkDeployment' failed with error(s). Showing 1 out of 1 error(s).
Status Message: The client has permission to perform action 'Microsoft.Network/virtualNetworks/peer/action' on scope 
'/subscriptions/<VnetASubID>/resourcegroups/<RgName>/providers/Microsoft.Network/virtualNetworks/<VnetName>/virtualNetworkPeerings/<PeeringName>', however the current tenant '<Source Tenant ID>' is not authorized to access linked subscription '<Destination Subscription ID>'.

Environment data

Name                           Value                                                                                                                                                          
----                           -----                                                                                                                                                          
PSVersion                      5.1.19041.1320                                                                                                                                                 
PSEdition                      Desktop                                                                                                                                                        
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}                                                                                                                                        
BuildVersion                   10.0.19041.1320                                                                                                                                                
CLRVersion                     4.0.30319.42000                                                                                                                                                
WSManStackVersion              3.0                                                                                                                                                            
PSRemotingProtocolVersion      2.3                                                                                                                                                            
SerializationVersion           1.1.0.1

Module versions

4.2.0

Error output

New-AzResourceGroupDeployment : 11:34:21 - The deployment 'VirtualNetworkDeployment' failed with error(s). Showing 1 out of 1 error(s).
Status Message: The client has permission to perform action 'Microsoft.Network/virtualNetworks/peer/action' on scope 
'/subscriptions/<VnetASubID>/resourcegroups/<RgName>/providers/Microsoft.Network/virtualNetworks/<VnetName>/virtualNetworkPeerings/<PeeringName>', however the current tenant '<Source Tenant ID>' is not authorized to access linked subscription '<Destination Subscription ID>'.

Thank you for your feedback. This has been routed to the support team for assistance.

[nazakathussain]

This was raised after a support session with Microsoft, in which they were unable to provide a solution (only a workaround) and suggested that it does need to be tracked as a bug.

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @armleads-azure.

Issue Details

---

Description

Similar to issues reported in Azure CLI however different way to reproduce.

Scenario
Attempting to deploy an ARM Template as described in Article which will complete a peering between two Virtual Networks in different tenants which returns an error message. The same happens in CLI when using group deployment.

The ARM Template:

{ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": {}, "variables": {}, "resources": [ { "apiVersion": "2017-10-01", "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings", "name": "<PeeringName>", "location": "<VnetA RG>", "properties": { "allowVirtualNetworkAccess": true, "allowForwardedTraffic": true, "allowGatewayTransit": false, "useRemoteGateways": true, "remoteVirtualNetwork": { "id": "/subscriptions/<Destination Subscription>/resourceGroups/<VNet RG>/providers/Microsoft.Network/virtualNetworks/<Vnet>" } } } ], "outputs": {} }

Command being used to deploy:

New-AzResourceGroupDeployment -Name "VirtualNetworkDeployment" -ResourceGroupName "<VNetA RG>" -TemplateFile .\virtualNetworkPeer.json -Verbose`

Issue script & Debug output

New-AzResourceGroupDeployment : 11:34:21 - The deployment 'VirtualNetworkDeployment' failed with error(s). Showing 1 out of 1 error(s).
Status Message: The client has permission to perform action 'Microsoft.Network/virtualNetworks/peer/action' on scope 
'/subscriptions/<VnetASubID>/resourcegroups/<RgName>/providers/Microsoft.Network/virtualNetworks/<VnetName>/virtualNetworkPeerings/<PeeringName>', however the current tenant '<Source Tenant ID>' is not authorized to access linked subscription '<Destination Subscription ID>'.

Environment data

Name                           Value                                                                                                                                                          
----                           -----                                                                                                                                                          
PSVersion                      5.1.19041.1320                                                                                                                                                 
PSEdition                      Desktop                                                                                                                                                        
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}                                                                                                                                        
BuildVersion                   10.0.19041.1320                                                                                                                                                
CLRVersion                     4.0.30319.42000                                                                                                                                                
WSManStackVersion              3.0                                                                                                                                                            
PSRemotingProtocolVersion      2.3                                                                                                                                                            
SerializationVersion           1.1.0.1

Module versions

4.2.0

Error output

New-AzResourceGroupDeployment : 11:34:21 - The deployment 'VirtualNetworkDeployment' failed with error(s). Showing 1 out of 1 error(s).
Status Message: The client has permission to perform action 'Microsoft.Network/virtualNetworks/peer/action' on scope 
'/subscriptions/<VnetASubID>/resourcegroups/<RgName>/providers/Microsoft.Network/virtualNetworks/<VnetName>/virtualNetworkPeerings/<PeeringName>', however the current tenant '<Source Tenant ID>' is not authorized to access linked subscription '<Destination Subscription ID>'.

Author:	nazakathussain
Assignees:	-
Labels:	Service Attention, bug, ARM - Templates, customer-reported
Milestone:	-

[SaurabhSharma-MSFT]

@nazakathussain Thanks for sharing details. Could you please provide your support case number as well? I am redirecting this to services team to look into. Thanks

[nazakathussain]

@nazakathussain Thanks for sharing details. Could you please provide your support case number as well? I am redirecting this to services team to look into. Thanks

2203030050002475