Forum Discussion
needleStack
Dec 07, 2023 | Copper Contributor
Azure App Infra App permissions vs Role Assignment under subscription
While testing a few app integrations with Azure, I have noticed we have two ways of giving permissions to applications: 1) Using API permissions under the app registration where we define with Micr...
Jagan_AzureCloud
Feb 13, 2024 | Copper Contributor
App Permissions:
These are configured under the App Registration in Azure.
App Permissions are concerned with the permissions that an application needs to operate within the Azure ecosystem, specifically for accessing various Microsoft APIs.
They are typically set to define the level of access the application has, such as read, write, etc., based on the roles present in the access token.
These permissions are applied when the application acts under its own context (service principal context) or under a user's context (delegated permissions).
Example: If a web application needs to read data from Azure AD, you can configure it with the appropriate API permissions, and access control is done based on these permissions.
Role Assignments:
Role Assignments are used to assign permissions to users or service principals directly on Azure Resources.
This form of authorization is managed by Azure itself, not by the end application.
Role Assignments are more about controlling access to Azure resources, not specifically tied to an application's functionality.
Example: Assigning a user or an application the role of 'Contributor' or 'Owner' on a specific Azure resource like a storage account or a virtual machine.
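The distinction drawn in the answer above, as an added example that is not part of the original thread: API permissions travel inside the access token (`roles` for application permissions, `scp` for delegated ones), while role assignments are looked up by Azure per resource scope and inherit downward from subscription to resource. All IDs, tokens, assignments and helper names below are constructed for illustration, and the token is decoded without signature validation purely to inspect its claims.

```python
import base64
import json

def make_token(claims):
    """Build an unsigned, JWT-shaped string (constructed sample, not a real token)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

def decode_claims(token):
    """Decode the payload for inspection only; the signature is NOT verified here."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def api_permissions(claims):
    """Return (kind, permissions) as carried in the token itself."""
    if "roles" in claims:                         # app-only: application permissions
        return "application", sorted(claims["roles"])
    if "scp" in claims:                           # user context: delegated permissions
        return "delegated", sorted(claims["scp"].split())
    return "none", []

def rbac_roles(assignments, principal_id, resource_id):
    """Roles that apply to resource_id, including ones inherited from parent scopes."""
    target = resource_id.lower().rstrip("/") + "/"
    return sorted(
        a["role"] for a in assignments
        if a["principalId"] == principal_id
        and target.startswith(a["scope"].lower().rstrip("/") + "/")
    )

# Constructed sample data
SP = "11111111-1111-1111-1111-111111111111"       # service principal object id
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
STORAGE = SUB + "/resourceGroups/rg-demo/providers/Microsoft.Storage/storageAccounts/stdemo"

GRAPH_TOKEN = make_token({"aud": "https://graph.microsoft.com", "oid": SP,
                          "roles": ["User.Read.All"]})
ARM_TOKEN = make_token({"aud": "https://management.azure.com", "oid": SP})

ASSIGNMENTS = [
    {"principalId": SP, "role": "Reader", "scope": SUB},
    {"principalId": SP, "role": "Storage Blob Data Contributor", "scope": STORAGE},
    {"principalId": SP, "role": "Contributor", "scope": SUB + "/resourceGroups/rg-other"},
]

if __name__ == "__main__":
    print(api_permissions(decode_claims(GRAPH_TOKEN)))   # permission is in the token
    print(api_permissions(decode_claims(ARM_TOKEN)))     # nothing in the token ...
    print(rbac_roles(ASSIGNMENTS, SP, STORAGE))          # ... access comes from assignments
```

When reviewing what a service principal can reach, both sides need checking: the permissions granted on the app registration and every role assignment at or above the resource's scope.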