Cross-Tenant subscription deployments

[itpropro]

Is your feature request related to a problem? Please describe.
We have multiple customer cases, where we need to deploy VMs based on ARM/Bicep templates with image references. These images are located in a Azure Compute Library in another tenant and have a specific, second service principal they use to authenticate.
The docs doesn't mention this scenario, only using CLI and PowerShell to realize cross-tenant access. Also, the parameters aux-tenants and aux-subs from az deployment group are not available in az deployment sub.

Describe the solution you'd like
We need a solution where we can specify a second service principal and tenant to authenticate against the compute gallery. The reference to the image is already in resource id format. This has to be provided either as a parameter in Bicep(maybe with scopes) or as a azure cli parameter.

Describe alternatives you've considered
Afaik there are no alternatives available, if you want to use IaC with ARM or Bicep

[yonzhan]

ARM

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @armleads-azure.

Issue Details

---

Is your feature request related to a problem? Please describe.
We have multiple customer cases, where we need to deploy VMs based on ARM/Bicep templates with image references. These images are located in a Azure Compute Library in another tenant and have a specific, second service principal they use to authenticate.
The docs doesn't mention this scenario, only using CLI and PowerShell to realize cross-tenant access. Also, the parameters aux-tenants and aux-subs from az deployment group are not available in az deployment sub.

Describe the solution you'd like
We need a solution where we can specify a second service principal and tenant to authenticate against the compute gallery. The reference to the image is already in resource id format. This has to be provided either as a parameter in Bicep(maybe with scopes) or as a azure cli parameter.

Describe alternatives you've considered
Afaik there are no alternatives available, if you want to use IaC with ARM or Bicep

Author:	itpropro
Assignees:	zhoxing-ms
Labels:	Service Attention, ARM, customer-reported, feature-request, Auto-Assign
Milestone:	Backlog

[zhoxing-ms]

This feature request requires the ARM service team to confirm whether the REST create-or-update-at-subscription-scope can support the deployment across tenant by using x-ms-authorization-auxiliary like the REST create-or-update-at-group-scope
@alex-frankel Could you please answer this question?

[alex-frankel]

It looks like we do not support this header and we do not have any work scheduled at the moment to start supporting it.

[zhoxing-ms]

@alex-frankel Just curiosity, why only create-or-update-at-group-scope supports x-ms-authorization-auxiliary , but create-or-update-at-subscription-scope does not support x-ms-authorization-auxiliary , is this just because there is no such requirement and plan before?