Private link service multi tenant and best practice

Question

Hi guys,

I have a tenant with a storage service that is accessible via private endpoint, an external vendor (who also have a tenant on Azure) needs to be able to access my storage account (just this one) without going through the Internet, so I was thinking of using a private link service but I see these requirements:

1. Needs to have Contributor (or similar) permissions to configure network resources in both tenants.
2. RBAC : To allow access to the Private Link, the user who manages the Private Endpoint (and creates the Private Link) must have the appropriate permissions on both subscriptions

I wonder if this may be the “safest” solution, what should be the best practices in this case?

thanks!

Answer 1

@Andrea ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I see you mentioned the approach of a single user creating the Private EndPoint in Vendor's tenant and also approving the request in your tenant

• If that's the case, then yes
• Your observations are correct
• This user should have the appropriate level of permissions on both the tenants.

However, you do not have to invite an external user into your Tenant.

• Instead, userA from the Vendor's tenant can create a Private EndPoint in their tenant with the "Resource ID or alias" alone
  • They should have the permissions listed in : Private endpoint
• Post which, an userB from your tenant can approve the Private EndPoint connection request.
  • This user should have the permissions listed in : Approval RBAC for private endpoint

This way, neither party is required to invite guest users into their tenant and grant them any permission.

Kindly let us know if this helps or you need further assistance on this issue.

Thanks,

Kapil

---

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.