|
| 1 | +--- |
| 2 | +title: 'Cross-tenant support in Azure Virtual Network Manager (Preview)' |
| 3 | +description: Learn about how cross-tenant connections are supported in Azure Virtual Network Manager. |
| 4 | +author: mbender-ms |
| 5 | +ms.author: mbender |
| 6 | +ms.service: virtual-network-manager |
| 7 | +ms.topic: conceptual |
| 8 | +ms.date: 09/12/2022 |
| 9 | +ms.custom: template-concept, ignite-fall-2022 |
| 10 | +--- |
| 11 | + |
| 12 | + |
| 13 | +# Cross-tenant support in Azure Virtual Network Manager (Preview) |
| 14 | +In this article, you’ll learn about cross-tenant support in Azure Virtual Network Manager. Cross-tenant supports allows organizations to use a central Network Manager instance for managing virtual networks across different tenants and subscriptions. |
| 15 | + |
| 16 | +> [!IMPORTANT] |
| 17 | +> Azure Virtual Network Manager is currently in public preview. |
| 18 | +> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. |
| 19 | +> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). |
| 20 | +
|
| 21 | + ## Overview of Cross-Tenant |
| 22 | + |
| 23 | +Cross-tenant support in Azure Virtual Network Manager allows you to add subscriptions or management groups from other tenants to your network manager. This is done by establishing a two-way connection between the network manager and target tenants. Once connected, the central manager can deploy connectivity and/or security admin rules to virtual networks across those connected subscriptions or management groups. This support will assist organizations that fit the following scenarios: |
| 24 | + |
| 25 | +- Acquisitions – In instances where organizations merge through acquisition and have multiple tenants, cross tenant support allows a central network manager to manage virtual networks across the tenants. |
| 26 | + |
| 27 | +- Manage service provider – In managed service provider scenarios, an organization may manage the resources of other organizations. Cross-tenant support will allow central management of virtual networks by a central service provider for multiple clients. |
| 28 | + |
| 29 | +## Cross-tenant connection |
| 30 | + |
| 31 | +Establishing cross-tenant support begins with creating a cross tenant connection between two tenants. Cross-tenant support requires two-way consent from both your network manager and from the tenant, in the form of cross-tenant connection objects. A cross-tenant connection can only be established and maintained when both objects from each party exist. |
| 32 | + |
| 33 | +Next, you create a cross-tenant connection from your network manager. The connection includes the exact scope of the tenant’s subscriptions and/or management groups to manage in your network manager. Then, the tenant creates a cross-tenant connection from their virtual network manager hub. This connection includes the scope of subscriptions and/or management groups to be managed by the central network manager. |
| 34 | + |
| 35 | +Once a cross-tenant connection is established, administrators can use their network manager to manage virtual networks included in the connection scope. This may involve the deployment of connectivity and/or security admin rules, either new or existing. |
| 36 | + |
| 37 | +## Required Permissions |
| 38 | + |
| 39 | +To use cross-tenant connection in Azure Virtual Network Manager, users need the following permissions: |
| 40 | + |
| 41 | +- Administrator of central management tenant has guest account in target managed tenant. |
| 42 | + |
| 43 | +- Administrator guest account has *Network Contributor* permissions applied at appropriate scope level(Management group, subscription, or virtual network). |
| 44 | + |
| 45 | +Need help with setting up permissions? Check out how to [add guest users in the Azure portal](../active-directory/external-identities/b2b-quickstart-add-guest-users-portal.md), and how to [assign user roles to resources in Azure portal](../role-based-access-control/role-assignments-portal.md) |
| 46 | + |
| 47 | +## Known limitations |
| 48 | + |
| 49 | +Currently, cross-tenant virtual networks can only be [added to network groups manually](concept-network-groups.md#group-membership). Adding cross-tenant virtual networks to network groups dynamically through Azure Policy is a future capability. |
| 50 | + |
| 51 | + |
| 52 | +Deleting a cross-tenant connections has the follow impact: |
| 53 | + |
| 54 | +## Helpful Tips |
| 55 | + |
| 56 | + |
| 57 | +## Next Steps |
| 58 | + |
| 59 | +- Learn how to [create a mesh network topology with Azure Virtual Network Manager using the Azure portal](how-to-create-mesh-network.md) |
| 60 | + |
| 61 | +- Check out the [Azure Virtual Network Manager FAQ](faq.md) |
0 commit comments