Support cross-tenant ARG queries for hubs recommendations #2004
Description
Summary
FinOps hubs recommendations currently query Azure Resource Graph at tenant scope using the Data Factory managed identity. While Azure Lighthouse delegated resources are automatically included in tenant-scope queries, there is no support for explicit cross-tenant queries to tenants not configured via Lighthouse.
Current behavior
- Queries run at tenant scope (no
subscriptionsormanagementGroupsin the ARG API request body) - The Data Factory managed identity authenticates against the home tenant only
- Azure Lighthouse delegated resources are automatically included (no changes needed)
- Cross-tenant queries to non-Lighthouse tenants are not supported
Desired behavior
Support querying resources across multiple tenants that are not configured via Azure Lighthouse, enabling multi-tenant FinOps scenarios such as MSPs managing resources across customer tenants.
Technical considerations
- The ARG REST API does not have a
tenantIdparameter; tenant scope is determined by the authentication token - Azure Resource Manager supports
x-ms-authorization-auxiliaryheader with up to 3 auxiliary bearer tokens for cross-tenant access - Supporting non-Lighthouse cross-tenant queries would require:
- A multi-tenant app registration consented in each target tenant
- Credentials stored in Key Vault
- Token acquisition via Web activities in the ADF pipeline
- Pipeline refactoring to loop over external tenants or pass auxiliary tokens
- Alternative approach: ForEach loop over external tenants, acquiring a token per tenant and running queries independently (avoids the 3-tenant limit of auxiliary tokens)
Workaround
Configure Azure Lighthouse delegations from target tenants. Lighthouse-delegated resources automatically appear in tenant-scope ARG queries without any code changes.