What is the relationship between Azure RBAC roles and a service principal?
Are they the same thing, or are Azure RBAC roles a property of the account, which can create different service principals with different RBAC roles?
What is the relationship between Azure RBAC roles and the roles in role assignment?
(For example, the Azure RBAC Owner role can create Virtual Machine Administrator Login roles; why are they all called roles!!!!!! Very confusing.)

2 Answers
Some information summarized by myself to help you understand.
1. The RBAC roles are assigned to a user/service principal; the user/service principal will then be able to access the Azure resources in the scope where you assigned the role to them. If you are not familiar with service principals, see this doc.
There are built-in roles, or you can create a custom role; they are all RBAC roles. Every role has permissions, e.g. the Owner has the `Microsoft.Authorization/*/Write` permission, which allows it to create roles, role assignments, policy assignments, policy definitions and policy set definitions. Once the user/service principal has been assigned the RBAC role, it will get the corresponding permissions.
2. Azure RBAC roles and the roles in role assignment are the same thing.
"for example, Azure RBAC owner role can create Virtual Machine Administrator Login roles, why they are all call roles!!!!!! very confusing"
You should note that it is not called "create": Virtual Machine Administrator Login is an RBAC built-in role, defined by Azure; the Owner just assigns the user/service principal the Virtual Machine Administrator Login role at some scope (e.g. your resource group/subscription/a VM).
Another point: the Owner is the role that has the most permissions of all RBAC roles. Among the built-in roles, only Owner and User Access Administrator can assign a user/service principal an RBAC role (only Owner and User Access Administrator have the `Microsoft.Authorization/*/Write` permission, which I mentioned above; it is used to assign roles. If you create a custom role which also has this permission, it will also be able to assign roles). So the "you" I said in 1 must be an Owner.

Hey Joy, thanks a lot for your help. Here is my understanding, please correct me if I'm wrong: the Owner role has the highest-privilege permission for resource access and manipulation. Any user/application that has been assigned the Owner role can assign lower-privileged roles to other applications/users. – SLN Nov 13 '19 at 09:38
@SLN Basically correct, but you should note: 1. When the Owner assigns roles to someone else, it needs to be within his scope, e.g. an Owner of resource group A cannot give a role to others in group B. 2. Not only the `lower privileged roles`; the Owner can also assign the Owner role to others. 3. Roles can be inherited, e.g. if the user is an Owner at subscription scope, he can assign roles to others in any group in this subscription. – Joy Wang Nov 13 '19 at 09:45
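A small model of the assignment rules described in the answer and comments above (assignments live at a scope, are inherited by child scopes, and only a role carrying `Microsoft.Authorization/*/Write` can assign roles), as an added example that is not part of the original thread. The role definitions are simplified approximations of the built-ins, the "Custom Role Granter" role is hypothetical, and every principal id and scope is a constructed sample value.

```python
from fnmatch import fnmatchcase
# Constructed, simplified role definitions approximating the Azure built-ins (Actions only; DataActions,
# deny assignments and conditions are not modeled). Check the real ones with `az role definition list`.
ROLE_DEFINITIONS = {
    "Owner": {"actions": ["*"], "notActions": []},
    "Contributor": {"actions": ["*"],
                    "notActions": ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"]},
    "User Access Administrator": {"actions": ["*/read", "Microsoft.Authorization/*"], "notActions": []},
    "Virtual Machine Administrator Login": {"actions": ["Microsoft.Compute/virtualMachines/*/read"], "notActions": []},
    # Hypothetical custom role: the answer's point that any role carrying this permission can assign roles.
    "Custom Role Granter": {"actions": ["Microsoft.Authorization/*/Write"], "notActions": []},
}
# Role assignments as (principal id, role, scope); a service principal is just another principal id.
# All ids and scopes are constructed sample values.
ASSIGNMENTS = [
    ("user-alice", "Owner", "/subscriptions/sub1"),
    ("user-bob", "Owner", "/subscriptions/sub1/resourceGroups/rgA"),
    ("sp-build-agent", "Contributor", "/subscriptions/sub1/resourceGroups/rgA"),
    ("sp-deployer", "Custom Role Granter", "/subscriptions/sub1/resourceGroups/rgB"),
]

def scope_covers(assigned: str, target: str) -> bool:
    """An assignment is inherited by its own scope and every descendant scope."""
    a, t = assigned.lower().rstrip("/"), target.lower().rstrip("/")
    return t == a or t.startswith(a + "/")

def matches(patterns, action: str) -> bool:
    """Azure action strings are case-insensitive and '*' matches any run of characters."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def is_allowed(principal: str, action: str, scope: str, assignments=ASSIGNMENTS) -> bool:
    """Allowed if an inherited assignment's role lists the action in Actions and not in NotActions."""
    for pid, role, assigned_scope in assignments:
        if pid == principal and scope_covers(assigned_scope, scope):
            d = ROLE_DEFINITIONS[role]
            if matches(d["actions"], action) and not matches(d["notActions"], action):
                return True
    return False

def can_assign_roles(principal: str, scope: str, assignments=ASSIGNMENTS) -> bool:
    """Assigning a role is a write under Microsoft.Authorization, so Microsoft.Authorization/*/Write covers it."""
    return is_allowed(principal, "Microsoft.Authorization/roleAssignments/write", scope, assignments)

def assign_role(granter: str, principal: str, role: str, scope: str, assignments=ASSIGNMENTS):
    """The Owner does not create the role; it records a new assignment, allowed only at scopes it covers."""
    if not can_assign_roles(granter, scope, assignments):
        raise PermissionError(f"{granter} cannot assign roles at {scope}")
    assignments.append((principal, role, scope))
    return (principal, role, scope)
```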
- No relationship. Or rather, you assign RBAC roles to users/identities. A service principal is an identity; you use Azure RBAC to assign roles to it.
- The Owner role (or any other built-in role) is one of the many Azure RBAC predefined roles. You can have custom roles as well. Azure RBAC is not called "Azure RBAC roles", not sure where you got that from.

https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles#azure-rbac-roles I got "Azure RBAC roles" from here. – SLN Nov 11 '19 at 13:07
Well, it talks about roles that are part of Azure RBAC. Did you read the article you are linking? `Azure RBAC includes over 70 built-in roles. There are four fundamental RBAC roles.` – 4c74356b41 Nov 11 '19 at 13:13