Role Assignments - razmipatel/Random GitHub Wiki

🔍 Background Clarification: In Azure, when you create an App Registration, an associated service principal (SP) is created in the directory. This service principal is what actually receives RBAC assignments. The Enterprise Application view in Azure AD is simply another representation of this SP.

So, when assigning roles for resource access, you always assign them to the service principal’s object ID.

🛠️ Using Azure CLI to Check RBAC Assignments

To list RBAC role assignments for a given service principal:

```
az role assignment list --assignee <service-principal-object-id> --output table
```

Example:

```
az role assignment list --assignee a54bb309-d837-4276-b022-1871cb7284d6 --output table
```

This lists all the roles assigned to the SP (regardless of whether you're viewing it from the App Registration blade or the Enterprise Apps blade in the portal).

🛠️ Assigning RBAC Roles via Azure CLI

To assign a role to the service principal (not the Enterprise Application object), you can use:

```
az role assignment create --assignee <service-principal-object-id> --role "<role-name>" --scope <scope>
```

Example:

```
az role assignment create \
  --assignee a54bb309-d837-4276-b022-1871cb7284d6 \
  --role "AcrPull" \
  --scope /subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ContainerRegistry/registries/<registry-name>
```

⚠️ Key Points to Note:

- ✅ Direct Assignment: The service principal's object ID is always used for role assignments – there is no separate "Enterprise App object ID" for RBAC.
- ✅ Search Consistency: When you search in the portal for the name of the App Registration in RBAC assignments, it is actually returning the SP object.
- ✅ Same for Azure CLI: All `az role assignment` commands target the SP object.
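The check-then-assign flow above, as an added example that is not part of the original wiki page: a small Python wrapper around the same `az ad sp show`, `az role assignment list` and `az role assignment create` commands. It resolves an App Registration's application (client) ID to the SP object ID that RBAC actually targets, checks whether the role is already granted at the scope or inherited from a parent scope, flags privileged roles that sit above the target resource, and only then creates the assignment. The function names, the `rbac_check.py` usage line and the subscription, resource group and registry IDs are assumptions for illustration; the live functions require a logged-in `az` CLI, while the constructed sample assignment list lets the pure checks run offline.

```python
"""Check and assign Azure RBAC roles for a service principal via the az CLI.

Added example (not from the original wiki page). It wraps the `az ad sp show`,
`az role assignment list` and `az role assignment create` commands; the sample
assignment list at the bottom is constructed so the pure functions run offline.
"""
from __future__ import annotations

import json
import subprocess

# Roles that grant broad control; flag them when they sit above the target resource.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}


def run_az(args: list[str]) -> list | dict:
    """Run an az CLI command and parse its JSON output (requires a logged-in az)."""
    proc = subprocess.run(["az", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def resolve_sp_object_id(app_id: str) -> str:
    """Map an App Registration's application (client) ID to the object ID of its
    service principal, which is the identity that RBAC assignments actually target."""
    return run_az(["ad", "sp", "show", "--id", app_id])["id"]


def list_assignments(sp_object_id: str) -> list[dict]:
    """All role assignments for the SP at every scope in the current subscription."""
    return run_az(["role", "assignment", "list", "--assignee", sp_object_id, "--all"])


def _is_same_or_parent(candidate: str, scope: str) -> bool:
    """True if `candidate` equals `scope` or is one of its ancestor scopes."""
    c, s = candidate.lower().rstrip("/"), scope.lower().rstrip("/")
    return s == c or s.startswith(c + "/")


def has_role(assignments: list[dict], role: str, scope: str) -> bool:
    """True if an existing assignment grants `role` at `scope` or at a parent scope
    (Azure RBAC is inherited downwards, never upwards)."""
    return any(a.get("roleDefinitionName") == role
               and _is_same_or_parent(a.get("scope", ""), scope)
               for a in assignments)


def overly_broad(assignments: list[dict], target_scope: str) -> list[dict]:
    """Privileged roles assigned strictly above `target_scope`: these give the SP
    far more than the single resource it needs and are worth reviewing."""
    t = target_scope.lower().rstrip("/")
    return [a for a in assignments
            if a.get("roleDefinitionName") in PRIVILEGED_ROLES
            and t.startswith(a.get("scope", "").lower().rstrip("/") + "/")]


def ensure_role(sp_object_id: str, role: str, scope: str) -> bool:
    """Idempotently grant `role` at `scope`. Returns True if a new assignment was
    created, False if an equivalent one already existed."""
    if has_role(list_assignments(sp_object_id), role, scope):
        return False
    # Passing the object ID plus principal type skips the directory lookup, so the
    # call also works before a freshly created SP has replicated in the directory.
    run_az(["role", "assignment", "create",
            "--assignee-object-id", sp_object_id,
            "--assignee-principal-type", "ServicePrincipal",
            "--role", role, "--scope", scope])
    return True


# Constructed sample data (placeholder IDs, not a real tenant).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-demo"
ACR = RG + "/providers/Microsoft.ContainerRegistry/registries/acrdemo"
SAMPLE_ASSIGNMENTS = [
    {"roleDefinitionName": "AcrPull", "scope": ACR, "principalType": "ServicePrincipal"},
    {"roleDefinitionName": "Contributor", "scope": SUB, "principalType": "ServicePrincipal"},
]

if __name__ == "__main__":
    import sys
    # Usage (hypothetical file name): python rbac_check.py <app-id> <role> <scope>
    app_id, role, scope = sys.argv[1:4]
    sp_id = resolve_sp_object_id(app_id)
    current = list_assignments(sp_id)
    print("overly broad:", [a["roleDefinitionName"] for a in overly_broad(current, scope)])
    print("created:", ensure_role(sp_id, role, scope))
```

The scope comparison is deliberately prefix-based: a Contributor assignment at the subscription already covers the registry, so `has_role` treats it as granted, while `overly_broad` surfaces exactly that case so the SP can be trimmed to `AcrPull` at the registry scope instead.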

📘 References:

- az role assignment CLI documentation
- Azure RBAC concepts
