没有角色分配的服务主体有什么用 [英] What's the use of a service principal without role assignment
问题描述
服务原理可以通过 az ad sp create-for-rbac --skip-assignment
Q1.没有角色的服务主体有什么用?
Q1. What's the use of a service principal without a role?
Q2.服务原则可以不附加任何范围/资源而退出吗?如果可以的话,这种独立的服务原则有什么用?
Q2. Can a service principle exit without attaching to any scope/resource? If so what's the use of such independent service principle?
推荐答案
Q1.没有角色的服务主体有什么用?
Q1. What's the use of a service principal without a role?
参数-skip-assignment 跳过将服务主体分配给订阅.确切地说,您的问题应该是没有RBAC角色,因为还有一个名为 Administrator角色的角色,下面将对此进行介绍.
The parameter --skip-assignment skip assigning the service principal to the subscription. So to be precise, your question should be without an RBAC role, because there is another role named Administrator role, it will be mentioned below.
这里有一些用法供您参考,AD App中混合了许多用法,此处不再赘述.如果您想了解它们,可以查看 Azure AD官方文档.
Some usages here for you to refer to, there are many usages mixed with the AD App, will not go into details here. If you want to learn about them, you can look into the Azure AD official doc.
1.服务主体可以分配为 Azure AD中的管理员角色 ,则它可以根据角色权限执行操作,例如创建一个用户,删除一个组.通过 Azure ADpowershell , Az powershell模块的AAD部分 .
1.The service principal can be assigned as an Administrator role in Azure AD, then it can do the things depend on the role permissions, e.g. create a user, delete a group. Via Azure AD powershell, Microsoft Graph API, Azure AD Graph API, or the AAD part of the Az powershell module.
2.服务主体还可以调用API并使用上面的Powershell而没有管理员角色,但是您需要给
2.The service principal can also calls the APIs and use the powershell above without Administrator role, but you need to give the application permission to it. The az ad sp create-for-rbac will create an AD App along with a service principal, in the AD App in the portal -> API permissions, you can add the permission and consent. Note, when we add permissions and consent in AD App, actually the permissions will be given to the service principal in your tenant, the service principal is an instance of the AD Application in a specific tenant.
Q2.服务原则可以不附加任何范围/资源而退出吗?如果可以的话,这种独立的服务原则有什么用?
Q2. Can a service principle exit without attaching to any scope/resource? If so what's the use of such independent service principle?
是的,如上所述,它可以执行许多与Azure AD,Graph API有关的事情.这是有关应用程序的文档和Azure Active Directory中的服务主体对象,对您理解服务主体确实很有帮助.
Yes, as mentioned above, it can do many things related to Azure AD, Graph API. Here is a doc about Application and service principal objects in Azure Active Directory, it will be really helpful for you to understand the service principal.
这篇关于没有角色分配的服务主体有什么用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
