Merge pull request #299355 from mbender-ms/avnm-cross-tenant-ipam-us427369

virtual network manager | New Article | deploy-cross-tenant-ip-address-management.md

Author: denrea

articles/virtual-network-manager/TOC.yml

@@ -36,9 +36,9 @@
     items:
     - name: Cross-tenant connection support
       href: concept-cross-tenant.md
-    - name: Configure cross-tenant connection - Portal
+    - name: Configure cross-tenant connections - Portal
       href: how-to-configure-cross-tenant-portal.md
-    - name: Configure cross-tenant connection - CLI
+    - name: Configure cross-tenant connections - CLI
       href: how-to-configure-cross-tenant-cli.md
   - name: Create a network topology
     items:
@@ -114,6 +114,8 @@
       href: Prevent-overlapping-ip-address-space-policy-ipam.md
     - Name: Create IP address pools with IPAM
       href: how-to-manage-ip-addresses-network-manager.md
+    - name: Deploy cross-tenant IP address pools
+      href: deploy-cross-tenant-ip-address-management.md
 - name: Troubleshoot
   items:
     - name: Common issues 

articles/virtual-network-manager/deploy-cross-tenant-ip-address-management.md

@@ -0,0 +1,95 @@
+---
+title: Configure Cross-Tenant IPAM with Azure Virtual Network Manager
+description: Manage IP addresses across tenants with IPAM pools. Follow this guide to deploy and verify cross-tenant allocations.
+author: mbender-ms
+ms.author: mbender
+ms.service: azure-virtual-network-manager
+ms.topic: tutorial
+ms.date: 05/21/2025
+ms.custom:
+  - ai-gen-docs-bap
+  - ai-gen-title
+  - ai-seo-date:05/21/2025
+#customer intent: As an IT operator, I want to set up cross-tenant IPAM using Azure Virtual Network Manager so that I can simplify IP address management for multiple tenants.
+---
+
+# Configure cross-tenant IPAM with Azure Virtual Network Manager
+
+Managing IP addresses across multiple Azure tenants can be complex, especially in large or distributed organizations. Azure Virtual Network Manager simplifies this process by enabling centralized IP address management (IPAM) across tenants. This article shows you how to deploy a virtual network in a managed tenant using an IP address allocation from an IPAM pool in a management tenant, all through the Azure portal. You'll learn about prerequisites, step-by-step configuration, and how to remove IPAM allocations when they're no longer needed.
+
+## Prerequisites
+
+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+
+- Two Azure tenants: a management tenant (Tenant A) and a managed tenant (Tenant B)
+    - Management tenant (Tenant A) must have:
+        - An Azure Virtual Network Manager instance. If you don't have a network manager instance, see [Create a network manager instance](create-virtual-network-manager-portal.md).
+        - An IPAM pool created in the network manager instance. If you don't have an IPAM pool, see [Create an IPAM pool](how-to-manage-ip-addresses-network-manager.md#create-an-ip-address-pool).
+        - Network manager configured with cross-tenant connection to Tenant B. For more information, see [Add remote tenant scope in Azure Virtual Network Manager](how-to-configure-cross-tenant-portal.md).
+        - *IPAM Pool User* role assigned to your user or service principal.
+    - Managed tenant (Tenant B) must have:
+        - *Network Contributor* role assigned at the subscription or virtual network level.
+
+## Deploy cross-tenant IPAM using the Azure portal
+
+### Create an IPAM allocation in the management tenant
+
+1. Sign in to the [Azure portal](https://portal.azure.com/) using credentials with access to Tenant A.
+
+1. Navigate to **Azure Virtual Network Manager** and locate your network manager instance.
+
+1. Select **IP address pools** under **IP address management**.
+
+1. Select the IPAM pool where you want to create an allocation.
+
+1. Select **+ Create** > **Allocate resources**.
+
+1. In the **Allocate resources** pane, select the **Tenant :** dropdown and choose the managed tenant (Tenant B) where you want to allocate IP addresses.
+
+1. Select **Apply** and then select **Authenticate**.
+
+    > [!NOTE]
+    > The authentication process requires you to sign in with a user or service principal that has the *Network Contributor* role in Tenant B at the subscription or resource level.
+
+1. After authentication, select the virtual network, you want to associate with the IP address pool and select **Associate**.
+
+### Verify the cross-tenant association
+
+1. In Tenant A's portal view, navigate to your IP address pool and select **Allocations** under **Settings**.
+
+1. Select **Resources** and verify that the virtual network from Tenant B is listed as an allocated resource.
+
+1. Switch to Tenant B's portal view and navigate to the virtual network that received the allocation.
+
+1. Select **Subnets** under **Settings** and verify the name listed under **IPAM pool** matches the name of the IPAM pool in the management tenant (Tenant A).
+
+    :::image type="content" source="media/deploy-cross-tenant-ip-address-management/managed-tenant-virtual-network-subnets-settings-thumb.png" alt-text="Screenshot of virtual network subnet settings to verify IPAM pool matches management tenant pool." lightbox="media/deploy-cross-tenant-ip-address-management/managed-tenant-virtual-network-subnets-settings.png":::
+
+## Remove IPAM allocation
+
+To remove an IP allocation from a cross-tenant resource:
+
+1. Sign in to the [Azure portal](https://portal.azure.com/) with credentials for Tenant A.
+
+1. Navigate to **Azure Virtual Network Manager** and locate your network manager instance.
+
+1. Select **IP address pools** under **IP address management**.
+
+1. On the **IP address pools** page, select **Allocations** under **Settings**.
+
+1. Select the virtual network that you want to remove the IPAM allocation from.
+
+1. Select **X Remove**.
+
+1. Authenticate to Tenant B and complete authentication.
+
+1. Once authenticated, select **Yes** to remove the IPAM allocation.
+
+1. Refresh the page to verify that the IPAM allocation is removed.
+
+
+## Next steps
+
+- [Learn about IP address management in Azure Virtual Network Manager](./concept-ip-address-management.md)
+
+- [Add remote tenant scope in Azure Virtual Network Manager](./how-to-configure-cross-tenant-portal.md)

articles/virtual-network-manager/how-to-configure-cross-tenant-portal.md

@@ -1,45 +1,54 @@
 ---
-title: Configure a cross-tenant connection in Azure Virtual Network Manager - Portal
-description: Learn how to create cross-tenant connections in Azure Virtual Network Manager to support virtual networks across subscriptions and management groups in different tenants.
+title: Configure Cross-Tenant Connections in Azure Virtual Network Manager
+description: Learn how to create cross-tenant connections in Azure Virtual Network Manager to manage virtual networks across tenants. Centralize network management and get started today.
 author: mbender-ms
 ms.author: mbender
 ms.service: azure-virtual-network-manager
-ms.topic: how-to 
-ms.date: 05/07/2024
-ms.custom: template-how-to 
-# Customer intent: As a cloud admin, I need to manage multiple tenants from a single network manager so that I can easily manage all network resources governed by Azure Virtual Network Manager.
+ms.topic: how-to
+ms.date: 05/21/2025
+ms.custom:
+  - template-how-to
+  - ai-gen-docs-bap
+  - ai-gen-title
+  - ai-seo-date:05/21/2025
+#customer intent: As a network engineer, I want to connect virtual networks in different Azure tenants so that I can centralize network management and policies.
 ---
 
-# Configure a cross-tenant connection in Azure Virtual Network Manager - portal
+# Configure cross-tenant connections in Azure Virtual Network Manager
 
-In this article, you'll learn how to create [cross-tenant connections](concept-cross-tenant.md) in Azure Virtual Network Manager by using the Azure portal. Cross-tenant support allows organizations to use a central network manager for managing virtual networks across tenants and subscriptions.
+This article explains how to create [cross-tenant connections](concept-cross-tenant.md) in Azure Virtual Network Manager using the Azure portal. Cross-tenant connections let you centrally manage virtual networks across different tenants and subscriptions, streamlining network management and policy enforcement.
 
-First, you'll create the scope connection on the central network manager. Then, you'll create the network manager connection on the connecting tenant and verify the connection. Last, you'll add virtual networks from different tenants to your network group and verify. After you complete all the tasks, you can centrally manage the resources of other tenants from a single network manager.
+First, you create the scope connection on the central network manager. Then, you create the network manager connection on the connecting tenant and verify the connection. Last, you add virtual networks from different tenants to your network group and verify. After you complete all the tasks, you can centrally manage the resources of other tenants from a single network manager.
 
 ## Prerequisites
 
 - Two Azure tenants with virtual networks that you want to manage through Azure Virtual Network Manager. This article refers to the tenants as follows:
   - **Central management tenant**: The tenant where an Azure Virtual Network Manager instance is installed, and where you'll centrally manage network groups from cross-tenant connections.
-  - **Target managed tenant**: The tenant that contains virtual networks to be managed. This tenant will be connected to the central management tenant.
+  - **Target managed tenant**: The tenant that contains virtual networks to be managed. This tenant is connected to the central management tenant.
+
 - Azure Virtual Network Manager deployed in the central management tenant.
 - These permissions:
+
   - The administrator of the central management tenant has a guest account in the target managed tenant.
   - The administrator guest account has *Network Contributor* permissions applied at the appropriate scope level (management group, subscription, or virtual network).  
 
-Need help with setting up permissions? Check out how to [add guest users in the Azure portal](../active-directory/external-identities/b2b-quickstart-add-guest-users-portal.md) and how to [assign user roles to resources in the Azure portal](../role-based-access-control/role-assignments-portal.yml).
+Need help with setting up permissions? Check out how to [Add guest users in the Azure portal](/entra/external-id/b2b-quickstart-add-guest-users-portal) and how to [assign user roles to resources in the Azure portal](../role-based-access-control/role-assignments-portal.yml).
 
 ## Create a scope connection within a network manager
 
 Creation of the scope connection begins on the central management tenant with a network manager deployed. This is the network manager where you plan to manage all of your resources across tenants. 
 
 In this task, you set up a scope connection to add a subscription from a target tenant:
 
-1. Log in to the Azure portal on the central management tenant.
+1. Sign in to the Azure portal on the central management tenant.
+
 1. Search for **Virtual network managers** and select your network manager from the list.
+
 1. Under **Settings**, select **Cross-tenant connections**, and then select **Create cross-tenant connection**.
+
 1. On the **Create a connection** page, enter the connection name and target tenant information, and then select **Create**.
 
-   :::image type="content" source="media/how-to-configure-cross-tenant-portal/create-connection-settings.png" alt-text="Screenshot of settings entered to create a connection.":::
+   :::image type="content" source="media/how-to-configure-cross-tenant-portal/create-connection-settings.png" alt-text="Screenshot of settings entered to create a cross-tenant connection in Azure Virtual Network Manager.":::
 
 1. Verify that the scope connection is listed under **Cross-tenant connections** and the status is **Pending**.
 
@@ -48,32 +57,40 @@ In this task, you set up a scope connection to add a subscription from a target
 After you create the scope connection, switch to the target managed tenant. Connect to the target managed tenant by creating another cross-tenant connection in the **Virtual Network Manager** hub:
 
 1. In the target tenant, search for **Virtual network manager** and select **Virtual Network Managers**.
+
 1. Under **Virtual Network Manager**, select **Cross-tenant connections**.
+
 1. Select **+ Create** or **Create a connection**.
+
 1. On the **Create a connection** page, enter the information for your central management tenant, and then select **Create**.
 
-   :::image type="content" source="media/how-to-configure-cross-tenant-portal/create-connection-settings-target.png" alt-text="Screenshot of settings for creating a cross-tenant connection.":::
+   :::image type="content" source="media/how-to-configure-cross-tenant-portal/create-connection-settings-target.png" alt-text="Screenshot of settings for creating a cross-tenant connection in Azure Virtual Network Manager.":::
 
 ## Verify the connection status
 
 After you create both connections, it's time to verify the connection on the central management tenant:
 
 1. On your central management tenant, select your network manager.
+
 1. Select **Cross-tenant connections** under **Settings**, and verify that your cross-tenant connection is listed as **Connected**.
 
-   :::image type="content" source="media/how-to-configure-cross-tenant-portal/verify-status.png" alt-text="Screenshot that shows a cross-connection status of Connected.":::
+   :::image type="content" source="media/how-to-configure-cross-tenant-portal/verify-status.png" alt-text="Screenshot of cross-tenant connection status showing Connected in Azure Virtual Network Manager.":::
 
 ## Add static members to a network group
 
 Now, add virtual networks from both tenants into a network group for static members. 
 
 > [!NOTE]
-> Currently, cross-tenant connections support only static memberships within a network group. Dynamic membership with Azure Policy is not supported.
+> Currently, cross-tenant connections support only static memberships within a network group. Dynamic membership with Azure Policy isn't supported.
 
 1. From your network manager, add a network group if needed.
+
 1. Select your network group, and then select **Add virtual networks** under **Manually add members**.
+
 1. On the **Manually add members** page, select **Tenant:...** next to the search box, select the linked tenant from the list, and then select **Apply**.
+
 1. To view the available virtual networks from the target managed tenant, select **Authenticate** and proceed through the authentication process. If you have multiple Azure accounts, select the one you're currently signed in with that has permissions to the target managed tenant.
+
 1. Select the virtual networks to include in the network group, and then select **Add**.
 
 ## Verify group members
@@ -82,11 +99,12 @@ In the final step, you verify the virtual networks that are now members of the n
 
 On the **Overview** page of the network group, select **View group members**. Verify that the virtual networks that you added manually are listed.
 
-:::image type="content" source="media/how-to-configure-cross-tenant-portal/network-group-membership.png" alt-text="Screenshot of network group membership." lightbox="media/how-to-configure-cross-tenant-portal/network-group-membership-thumb.png":::
+:::image type="content" source="media/how-to-configure-cross-tenant-portal/network-group-membership.png" alt-text="Screenshot of network group membership in Azure Virtual Network Manager." lightbox="media/how-to-configure-cross-tenant-portal/network-group-membership-thumb.png":::
 
 ## Next steps
 
 In this article, you deployed a cross-tenant connection between two Azure subscriptions. To learn more about using Azure Virtual Network Manager, see:
+
 - [Common uses cases for Azure Virtual Network Manager](concept-use-cases.md)
 - [Learn to build a secure hub-and-spoke network](tutorial-create-secured-hub-and-spoke.md)
 - [FAQ](faq.md)