Posted in : Azure, Uncategorized By Tobias Vuorenmaa Translate with Google ⟶

2 years ago

If you have been working with Azure you might have stumbled across the reality that what can be done in the portal GUI and CLI / Powershell differs.  Especially when it comes to cross tenant functions.  I had a case where we wanted to allow access to a storage account from a specific subnet in a other tenant. This is simply not a easy task to do using the portal (read not possible).

The reason behind this is that far form all functions when working with cross tenant are supported in the portal, take virtual network peering, up until recently you had to use CLI / Powershell to establish peering cross-tenant. This is now possible to do using the portal.

Back to the Storage account and its settings.


In the picture you can see that only the current tenants subscriptions is showing even though i have access to multiple tenants with guest access.

This leaves us now choice to allow access for another tenant network using the portal instead we can use az cli or powershell.

Its fairly straight forward and you have to specify the whole resource id in this format


And to actually add the network to our specific storage account i used az cli:

az storage account network-rule add -g RG_NAME –account-name SA_NAME –subnet SUBNET_ID

After that we simply verify that our rule have been added with:

az storage account network-rule list -g RG_NAME –account-name SA_NAME


Note – If service endpoints for the specific subnet and storage service is enabled you might face a error message simular to:

(NetworkAclsValidationFailure) Validation of network acls failure: SubnetsHaveNoServiceEndpointsConfigured:Subnets coresubnet of virtual network /subscriptions/XXXXXXXX-XXXX-XXXX-XXXXXXXXXXX/resourceGroups/azr-lab-VNet-rg/providers/Microsoft.Network/virtualNetworks/azr-lab-vNET do not have ServiceEndpoints for Microsoft.Storage resources configured. Add Microsoft.Storage to subnet’s ServiceEndpoints collection before trying to ACL Microsoft.Storage resources to these subnets..

More examples can be found here:

Thats it, the CLI is a life saver sometimes.

Tags : Azure, AzureStorage, Network, Security, Storage

Personlig rådgivning

Vi erbjuder personlig rådgivning med författaren för 1400 SEK per timme. Anmäl ditt intresse i här så återkommer vi så snart vi kan.

Add comment

Your comment will be revised by the site if needed.