问题
Service principle can be created without role via az ad sp create-for-rbac --skip-assignment
Q1. What's the use of a service principal without a role?
Q2. Can a service principle exit without attaching to any scope/resource? If so what's the use of such independent service principle?
回答1:
Q1. What's the use of a service principal without a role?
The parameter --skip-assignment skip assigning the service principal to the subscription. So to be precise, your question should be without an RBAC role, because there is another role named Administrator role, it will be mentioned below.
Some usages here for you to refer to, there are many usages mixed with the AD App, will not go into details here. If you want to learn about them, you can look into the Azure AD official doc.
1.The service principal can be assigned as an Administrator role in Azure AD, then it can do the things depend on the role permissions, e.g. create a user, delete a group. Via Azure AD powershell, Microsoft Graph API, Azure AD Graph API, or the AAD part of the Az powershell module.
2.The service principal can also calls the APIs and use the powershell above without Administrator role, but you need to give the application permission to it. The az ad sp create-for-rbac will create an AD App along with a service principal, in the AD App in the portal -> API permissions, you can add the permission and consent. Note, when we add permissions and consent in AD App, actually the permissions will be given to the service principal in your tenant, the service principal is an instance of the AD Application in a specific tenant.
Q2. Can a service principle exit without attaching to any scope/resource? If so what's the use of such independent service principle?
Yes, as mentioned above, it can do many things related to Azure AD, Graph API. Here is a doc about Application and service principal objects in Azure Active Directory, it will be really helpful for you to understand the service principal.
回答2:
A1- you can use it to remove the need of secret keys in your apps. For example, rather than storing the Azure Storage access key, you can grant an identity (your app) to store / access data on Azure Storage.
A2-I think so, it will be a system-assigned managed identity which is a special kind of managed identity (service principal)
来源:https://stackoverflow.com/questions/58846095/whats-the-use-of-a-service-principal-without-role-assignment