0
votes

The npm package (https://www.npmjs.com/package/@azure/ms-rest-nodeauth) describes various authentication mechanisms for Azure:

  1. username/password based login
  2. service-principal/secret based login
  3. interactive/device-code flow login
  4. service-principal authentication from auth file on disk
  5. MSI (Managed Service Identity) based login from a virtual machine created in Azure
  6. MSI (Managed Service Identity) based login from an AppService or Azure Function created in Azure.

I would like to know which of these mechanisms can be used by which roles (like Owner, Contributor, etc.) to perform the permissions they have. For example, a contributor cannot use the service-principal/secret login (I might be wrong on this one) and username/password can only be used by organizational IDs.

1 Answer

1
votes

It seems they are not related to the roles, e.g. even if your user account is not a role of the subscription, you can also log in to the portal. Also, even if your service principal does not have the role of the subscription, you can also log in to PowerShell, but when you access the Azure resource, you will get a 401 error.

If you want to access the Azure resources via user account or service principal, you need to add your account or service principal in the Access control (IAM) of the service you want in the portal; see Tutorial: Grant access for a user using RBAC and the Azure portal.
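
The separation the answer describes, between logging in and being allowed to act on a resource, as an added example that is not part of the original answer and not Azure's implementation: a simplified model of how a role assignment at a scope decides access, with the login mechanism never consulted. The role definitions are a subset of the built-in ones, and all IDs, names and the `authorize` helper are constructed for illustration.

```javascript
// Simplified model of Azure RBAC evaluation (illustration only, not Azure's code).
// Subset of the built-in role definitions; real Contributor has more notActions.
const ROLES = {
  Owner: { actions: ["*"], notActions: [] },
  Contributor: { actions: ["*"], notActions: [
    "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/*/Delete",
    "Microsoft.Authorization/elevateAccess/Action" ] },
  Reader: { actions: ["*/read"], notActions: [] },
};

// Match an action against a pattern with '*' wildcards, case-insensitively.
function matches(pattern, action) {
  const re = pattern.split("*")
    .map((s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")).join(".*");
  return new RegExp(`^${re}$`, "i").test(action);
}

// An assignment applies at its own scope and at every child scope beneath it.
function inScope(assignmentScope, resourceId) {
  const a = assignmentScope.toLowerCase().replace(/\/+$/, "");
  const r = resourceId.toLowerCase();
  return r === a || r.startsWith(a + "/");
}

// Decide access from role assignments alone; principal.loginMethod is never read.
function authorize(principal, action, resourceId, assignments) {
  return assignments.some((as) => {
    if (as.principalId !== principal.objectId) return false;
    if (!inScope(as.scope, resourceId)) return false;
    const role = ROLES[as.role];
    return role.actions.some((p) => matches(p, action)) &&
      !role.notActions.some((p) => matches(p, action));
  });
}

// Constructed sample data: placeholder subscription ID and object IDs.
const SUB = "/subscriptions/00000000-0000-0000-0000-000000000000";
const RG = `${SUB}/resourceGroups/rg-demo`;
const VM = `${RG}/providers/Microsoft.Compute/virtualMachines/vm1`;
const OTHER_VM = `${SUB}/resourceGroups/rg-demo2/providers/Microsoft.Compute/virtualMachines/vm2`;
const assignments = [
  { principalId: "sp-1", role: "Contributor", scope: RG },
  { principalId: "user-1", role: "Reader", scope: SUB },
];
const sp = { objectId: "sp-1", loginMethod: "service-principal/secret" };
const user = { objectId: "user-1", loginMethod: "device-code" };
const msi = { objectId: "msi-1", loginMethod: "MSI" }; // logged in, no assignment
```

Here `msi` authenticates like the other two principals but is denied every action until an assignment for it is added, which is the step the answer performs in Access control (IAM).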