2
  1. What is the relationship between Azure RBAC roles and service principals?

    Are they the same thing, or are Azure RBAC roles a property of the account that can create different service principals with different RBAC roles?

  2. What is the relationship between Azure RBAC roles and the roles in role assignment?

    (for example, the Azure RBAC Owner role can create Virtual Machine Administrator Login roles; why are they all called roles?!!! very confusing)

Sandra Rossi
SLN

2 Answers

2

Some information I summarized myself to help you understand.

1. RBAC roles are assigned to a user/service principal; the user/service principal will then be able to access the Azure resources in the scope where you assigned the role to them. If you are not familiar with service principals, see this doc.

There are built-in roles, or you can create a custom role; they are all RBAC roles. Every role has permissions, e.g. the Owner has the Microsoft.Authorization/*/Write permission, which allows it to create roles, role assignments, policy assignments, policy definitions and policy set definitions. Once the user/service principal has been assigned the RBAC role, it will get the corresponding permissions.

2. Azure RBAC roles and the roles in role assignment are the same thing.

for example, the Azure RBAC Owner role can create Virtual Machine Administrator Login roles; why are they all called roles?!!! very confusing

You should note that it is not called "create": the Virtual Machine Administrator Login is an RBAC built-in role, which is defined by Azure; the Owner just assigns the user/service principal the Virtual Machine Administrator Login role at some scope (e.g. your resource group/subscription/a VM).

Another point: the Owner is the role that has the most permissions of all RBAC roles. Among the built-in roles, only Owner and User Access Administrator can assign a user/service principal an RBAC role (only Owner and User Access Administrator have the Microsoft.Authorization/*/Write permission, which I mentioned above; it is used to assign roles. If you create a custom role which also has this permission, it will also be able to assign roles). So the "you" I said in 1 must be an Owner.

Joy Wang
  • Hey Joy, thanks a lot for your help. Here is my understanding, please correct me if I'm wrong: the Owner role has the highest privilege for resource access and manipulation. Any user/application that has been assigned the Owner role can assign the lower privileged roles to other applications/users. – SLN Nov 13 '19 at 09:38
  • 1
    @SLN Basically correct, but you should note: 1. When the Owner assigns roles to someone else, it needs to be within his scope, e.g. an Owner in resource group A cannot give a role to others in group B. 2. Not only the `lower privileged roles`; an Owner can also assign the Owner role to others. 3. Roles can be inherited, e.g. if the user is an Owner at subscription scope, he can assign roles to others in any group in this subscription. – Joy Wang Nov 13 '19 at 09:45
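The scope and permission rules described in this answer and its comments (who may create a role assignment, and how assignments inherit down from subscription to resource group to resource), as an added illustration that is not code from the page or from Azure. It is a simplified model: role definitions are abridged to their Actions (NotActions, DataActions and deny assignments are ignored), and the subscription id and principal names are constructed.

```python
from fnmatch import fnmatchcase
# Abridged built-in role definitions (Actions only; the real roles carry more).
# Owner and User Access Administrator both cover Microsoft.Authorization/*/Write.
ROLE_DEFINITIONS = {
    "Owner": ["*"],
    "User Access Administrator": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
    "Virtual Machine Administrator Login": ["Microsoft.Compute/virtualMachines/loginAsAdmin/action"],
}
ASSIGN_ACTION = "Microsoft.Authorization/roleAssignments/write"
VM_LOGIN_ACTION = "Microsoft.Compute/virtualMachines/loginAsAdmin/action"

def action_matches(pattern, action):
    # Azure compares actions case-insensitively; '*' spans path segments.
    return fnmatchcase(action.lower(), pattern.lower())

def scope_covers(assigned, target):
    # Assignments inherit downward: subscription -> resource group -> resource.
    a, t = assigned.lower().rstrip("/"), target.lower().rstrip("/")
    return t == a or t.startswith(a + "/")

def is_allowed(assignments, principal, action, scope):
    # assignments: list of (principal, role, scope) tuples, the role-assignment model used here.
    return any(
        scope_covers(s, scope) and any(action_matches(p, action) for p in ROLE_DEFINITIONS[r])
        for who, r, s in assignments if who == principal
    )

def assign_role(assignments, assigner, principal, role, scope):
    # Creating a role assignment is itself an action the assigner must hold at that scope.
    if not is_allowed(assignments, assigner, ASSIGN_ACTION, scope):
        raise PermissionError(f"{assigner} cannot assign roles at {scope}")
    assignments.append((principal, role, scope))

# Constructed scopes: a subscription, two resource groups, one VM inside rg-a.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_A, RG_B = SUB + "/resourceGroups/rg-a", SUB + "/resourceGroups/rg-b"
VM_A = RG_A + "/providers/Microsoft.Compute/virtualMachines/vm-a"

def demo():
    assignments = [("alice", "Owner", RG_A)]  # principals are constructed names, not object ids
    # The Owner of rg-a hands the built-in VM login role to a service principal on vm-a only.
    assign_role(assignments, "alice", "sp-deploy", "Virtual Machine Administrator Login", VM_A)
    sp_can_login = is_allowed(assignments, "sp-deploy", VM_LOGIN_ACTION, VM_A)
    sp_can_assign = is_allowed(assignments, "sp-deploy", ASSIGN_ACTION, VM_A)
    try:  # the same Owner has no rights in rg-b, so this assignment is refused
        assign_role(assignments, "alice", "bob", "Owner", RG_B)
        cross_rg = True
    except PermissionError:
        cross_rg = False
    return sp_can_login, sp_can_assign, cross_rg
```

Running `demo()` returns `(True, False, False)`: the service principal can log in to vm-a but cannot hand out roles, and the resource-group Owner is refused outside its own scope.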
1
  1. No relationship. Or rather, you assign RBAC roles to users/identities. A service principal is an identity. You use Azure RBAC to assign roles to it.
  2. The Owner role (or any other built-in role) is one of the many Azure RBAC predefined roles. You can have custom roles as well. Azure RBAC is not called "Azure RBAC roles"; not sure where you got that from.
4c74356b41
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles#azure-rbac-roles I got the Azure RBAC roles from here – SLN Nov 11 '19 at 13:07
  • Well, it talks about roles that are part of Azure RBAC. Did you read the article you are linking? `Azure RBAC includes over 70 built-in roles. There are four fundamental RBAC roles.` – 4c74356b41 Nov 11 '19 at 13:13