1
votes
  1. What is the relationship between Azure RBAC roles and service principal?

    Are they the same thing, or are Azure RBAC roles a property of the account that can create different service principals with different RBAC roles?

  2. What is the relationship between Azure RBAC roles and the roles in role assign?

    (for example, the Azure RBAC Owner role can create Virtual Machine Administrator Login roles; why are they all called roles!!!!!! very confusing)


2 Answers

2
votes

Some information summarized by myself to help you understand.

1. RBAC roles are assigned to a user/service principal; the user/service principal will then be able to access the Azure resources in the scope where you assigned the role to them. If you are not familiar with service principals, see this doc.

There are built-in roles, or you can create a custom role; they are all RBAC roles. Every role has permissions, e.g. the Owner has the Microsoft.Authorization/*/Write permission, which allows it to create roles, role assignments, policy assignments, policy definitions and policy set definitions. Once the user/service principal is assigned the RBAC role, they will get the corresponding permissions.

2. Azure RBAC roles and the roles in role assignment are the same thing.

for example, the Azure RBAC Owner role can create Virtual Machine Administrator Login roles; why are they all called roles!!!!!! very confusing

You should note that it is not called create: the Virtual Machine Administrator Login is an RBAC built-in role, which is defined by Azure; the Owner just assigns the user/service principal the Virtual Machine Administrator Login role at some scope (e.g. your resource group/subscription/a VM).

Another point: the Owner is the role that has the most permissions of all RBAC roles. Among the built-in roles, only Owner and User Access Administrator can assign a user/service principal an RBAC role (only Owner and User Access Administrator have the Microsoft.Authorization/*/Write permission, which I mentioned above; it is used to assign roles. If you create a custom role which also has this permission, it will also be able to assign roles). So the "you" I mentioned in 1 must be an Owner.

1
votes
  1. No relationship. Or rather, you assign RBAC roles to users/identities. A service principal is an identity. You use Azure RBAC to assign roles to it.
  2. The Owner role (or any other built-in role) is one of the many Azure RBAC predefined roles. You can have custom roles as well. Azure RBAC is not called "Azure RBAC roles"; not sure where you got that from.
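Both answers describe the same three-part model: a role definition is a named set of permitted operations, a role assignment binds a principal (user or service principal) to a role at a scope, and the assignment is inherited by everything nested under that scope. The toy evaluator below is an added example written for this page, not code from Azure or from either answer. It models that evaluation (per-role Actions minus NotActions, wildcard operation matching, scope inheritance) and shows why only a principal holding Microsoft.Authorization/roleAssignments/write at a scope can grant roles there. The role definitions are abridged, Actions-only approximations of the built-in roles, and the subscription ID, resource names and principal names are constructed placeholders.

```python
"""Toy model of Azure RBAC: role definitions, role assignments and scopes.

Constructed example. The role definitions are abridged approximations of the
built-in roles (Actions only, no DataActions); IDs and names are placeholders.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleDefinition:
    """A role: a named bundle of permitted operations and excluded operations."""
    name: str
    actions: tuple
    not_actions: tuple = ()


@dataclass(frozen=True)
class RoleAssignment:
    """Binds one principal (user or service principal) to one role at one scope."""
    principal_id: str
    role: RoleDefinition
    scope: str


# Abridged built-in roles (constructed approximation, not the full definitions).
OWNER = RoleDefinition("Owner", actions=("*",))
USER_ACCESS_ADMINISTRATOR = RoleDefinition(
    "User Access Administrator", actions=("*/read", "Microsoft.Authorization/*"))
CONTRIBUTOR = RoleDefinition(
    "Contributor", actions=("*",),
    not_actions=("Microsoft.Authorization/*/Write",
                 "Microsoft.Authorization/*/Delete",
                 "Microsoft.Authorization/elevateAccess/Action"))
VM_ADMIN_LOGIN = RoleDefinition(
    "Virtual Machine Administrator Login",
    actions=("Microsoft.Network/networkInterfaces/read",
             "Microsoft.Compute/virtualMachines/*/read"))

# The operation an actor needs in order to create a role assignment.
ROLE_ASSIGNMENTS_WRITE = "Microsoft.Authorization/roleAssignments/write"


def operation_matches(pattern: str, operation: str) -> bool:
    """Wildcard match: '*' matches any run of characters; names are case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, flags=re.IGNORECASE) is not None


def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """An assignment applies at its own scope and at every scope nested under it."""
    a = assignment_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


def is_permitted(principal_id: str, operation: str, scope: str, assignments) -> bool:
    """Effective permission: union over applicable roles of (Actions minus NotActions)."""
    for ra in assignments:
        if ra.principal_id != principal_id or not scope_covers(ra.scope, scope):
            continue
        allowed = any(operation_matches(p, operation) for p in ra.role.actions)
        denied = any(operation_matches(p, operation) for p in ra.role.not_actions)
        if allowed and not denied:
            return True
    return False


def assign_role(actor_id: str, principal_id: str, role: RoleDefinition,
                scope: str, assignments) -> RoleAssignment:
    """Create an assignment; the actor must hold roleAssignments/write at that scope."""
    if not is_permitted(actor_id, ROLE_ASSIGNMENTS_WRITE, scope, assignments):
        raise PermissionError(f"{actor_id} cannot assign roles at {scope}")
    ra = RoleAssignment(principal_id, role, scope)
    assignments.append(ra)
    return ra


# Constructed scenario with placeholder IDs.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-demo"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm-demo"
OTHER_VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm-other"


def build_scenario():
    """Owner at the subscription, Contributor at the resource group, and a service
    principal 'sp-ci' that is granted VM login on a single VM. Returns the
    assignment list and whether the Contributor was able to grant Owner."""
    assignments = [RoleAssignment("alice", OWNER, SUB),
                   RoleAssignment("bob", CONTRIBUTOR, RG)]
    assign_role("alice", "sp-ci", VM_ADMIN_LOGIN, VM, assignments)  # Owner may assign
    try:
        assign_role("bob", "sp-ci", OWNER, RG, assignments)        # Contributor may not
        bob_could_grant = True
    except PermissionError:
        bob_could_grant = False
    return assignments, bob_could_grant


if __name__ == "__main__":
    ras, granted = build_scenario()
    print("Contributor could grant Owner:", granted)
    print("sp-ci may read vm-demo:", is_permitted(
        "sp-ci", "Microsoft.Compute/virtualMachines/instanceView/read", VM, ras))
    print("sp-ci may read vm-other:", is_permitted(
        "sp-ci", "Microsoft.Compute/virtualMachines/instanceView/read", OTHER_VM, ras))
```

The scenario is the situation the first answer describes: alice (Owner) can assign the Virtual Machine Administrator Login role to the service principal because her Owner assignment at the subscription is inherited by the VM, while bob (Contributor) cannot grant roles because Contributor's NotActions exclude Microsoft.Authorization/*/Write. The service principal's assignment is scoped to one VM, so the same operation on a sibling VM is refused, which is the least-privilege point of assigning at the narrowest scope that works.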