Share via

Is Using a Multi-Tenant Service Principal and ARM APIs the Standard Approach for Cross-Tenant Resource Deployment?

Sree Aravind M 40 Reputation points
2026-03-10T07:03:36.23+00:00

We are currently evaluating an approach to deploy Azure resources in a customer's subscription from our application.

The approach we are considering involves using a multi-tenant App Registration (Service Principal) for authentication and then using Azure Resource Manager (ARM) APIs to deploy the required resources in the customer’s Azure subscription (cross-tenant scenario).

Before proceeding with this implementation, we would like to confirm whether this is the recommended or standard approach for handling such deployments.

If there are any alternative approaches, best practices, or recommended architectures for deploying resources across tenants in this scenario, please let us know.

Thank you for your guidance.

Azure Managed Applications
Azure Managed Applications

An Azure service that enables managed service providers, independent software vendors, and enterprise IT teams to deliver turnkey solutions through the Azure Marketplace or service catalog.

0 comments

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Naveena Patlolla 9,660 Reputation points Microsoft External Staff Moderator
    2026-03-16T08:57:08.2633333+00:00

    Hi Sree Aravind M
    Please try to use below options:
    Option 1: Using a multi-tenant service principal with ARM APIs is a standard architecture for cross-tenant resource deployment, especially automation platforms.

    Note: Use least privilege RBAC for SPN

    Option 2: using Azure Lighthouse generally makes it much easier to use Azure Resource Manager (ARM) APIs across two tenants compared to managing multi-tenant service principals.

    https://learn.microsoft.com/en-us/azure/lighthouse/concepts/architecture#how-azure-lighthouse-works

    Single identity can manage multiple tenants

    Works seamlessly with Azure CLI, Terraform, and ARM APIs

    No need to maintain multiple service principals

    Please let me know if you face any challenge here, I can help you to resolve this issue further

    0 comments
  2. Siva shunmugam Nadessin 9,625 Reputation points Microsoft External Staff Moderator
    2026-03-10T09:31:33.5566667+00:00

    Hello Sree Aravind M,

    Thank you for reaching out to the Microsoft Q&A forum.

    Yes, your proposed approach is valid and commonly used.

    Using a multi-tenant App Registration in Microsoft Entra ID and authenticating to deploy resources through Azure Resource Manager APIs in a customer’s subscription is a standard pattern for SaaS applications that provision resources across tenants.

    Best practices:

    • Have the customer grant admin consent so a service principal is created in their tenant.
    • Assign RBAC permissions (preferably at Resource Group scope) to the service principal.
    • Use certificate-based authentication instead of client secrets.
    • Deploy resources using ARM/Bicep templates or APIs.

    Alternatives (depending on scenario):

    • Azure Managed Applications – recommended for Marketplace or managed SaaS deployments.
    • Azure Lighthouse – recommended for cross-tenant management by MSPs.

    Conclusion: Your approach is a supported and recommended architecture for cross-tenant automated deployments.

     

  3. Q&A Assist
    2026-03-10T07:03:52.5333333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    Using a multitenant application registration and calling Azure Resource Manager (ARM) APIs is a valid and commonly used pattern for cross-tenant deployments, especially for managed service provider (MSP) and SaaS scenarios. However, it is not the only pattern and is best viewed as one of several supported approaches rather than the single “standard” for all cases.

    Key points from the guidance:

    1. Multitenant vs. single-tenant Entra design
      • Guidance explicitly advises against creating multiple Microsoft Entra tenants for most multitenant solutions. Instead, it recommends using a single Microsoft Entra tenant with management groups and subscriptions to organize resources where possible.
      • Multiple Entra tenants are typically used only by MSPs operating Azure environments on behalf of customers, or when customers require resources to live in their own tenants.
      • When resources must be deployed into subscriptions tied to multiple Entra tenants, Azure Lighthouse is recommended to help manage resources across tenants.
    2. Approaches for automation across multiple tenants The Cloud Adoption Framework describes two main approaches for automating Azure landing zones across multiple Entra tenants:
      • Approach 1 – Complete isolation
        • Each Microsoft Entra tenant has its own isolated automation components: separate Git repos, CI/CD (GitHub Actions/Azure Pipelines), and identities (service principals, managed identities, etc.).
        • This is used when strong isolation and regulatory requirements demand strict separation between tenants.
      • Approach 2 – Shared application registration (multitenant) with multiple service principals
        • A shared multitenant app registration is used, with a service principal created in each customer tenant.
        • Often combined with the deployment stamps pattern to deploy an almost identical architecture across many tenants at scale.
        • This pattern aligns closely with the approach being evaluated: a multitenant app registration authenticating to ARM to deploy resources in customer subscriptions.
      These approaches are presented as examples that can be mixed and matched based on organizational requirements, not as a single mandated standard.
    3. ARM, IaC, and deployment patterns
      • Azure Resource Manager is the core service for creating, managing, and deleting Azure resources. For multitenant solutions, it is recommended to use infrastructure as code (IaC) and deployment pipelines rather than manual operations.
      • Recommended tools and patterns include:
        • Bicep or ARM templates, Terraform, or other IaC tools that call ARM.
        • Template specs to centrally store and reuse parameterized templates for tenant-specific deployments.
        • Deployment stacks to manage sets of tenant resources as a single logical unit, even across resource groups or subscriptions, and to simplify offboarding.
      • Automation is strongly recommended for multitenant deployments to achieve scale, repeatability, and reduced outage risk.
    4. Recommended practices for cross-tenant deployments For a scenario where an application deploys resources into customer subscriptions:
      • Use a multitenant app registration with per-tenant service principals (Approach 2) when:
        • Operating in an MSP or SaaS model where customers keep their own Entra tenants/subscriptions.
        • A consistent, stamp-based architecture is deployed per customer.
      • Consider Azure Lighthouse when:
        • Ongoing management and operations across many customer tenants are required, not just initial deployment.
      • Use IaC and deployment pipelines:
        • Define all customer resources via Bicep/ARM/Terraform.
        • Optionally use template specs and deployment stacks to standardize and manage tenant environments.
      • Avoid antipatterns:
        • Manual deployment and testing.
        • One-off, tenant-specific customizations that complicate deployments; instead, use a common codebase and configuration (feature flags, pricing tiers, etc.).

    Summary:

    Using a multitenant app registration (service principal) plus ARM APIs to deploy resources into customer subscriptions is a recommended and common approach for cross-tenant deployments, particularly in MSP-style and multitenant SaaS scenarios. It aligns with the documented “shared application registration (multitenant) with multiple service principals” pattern and should be combined with IaC, deployment pipelines, and, where appropriate, Azure Lighthouse and deployment stamps/stacks for scale and manageability.

    References:

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.