Mapping Google Cloud IAM concepts to similar ones in Azure
Published Sep 06 2022 06:54 AM 2,476 Views

If you see things that are wrong or incomplete, please leave a comment with what I should fix.

Google Cloud Identity (or Google Workspace)

  • Similar to Azure Active Directory (Azure AD).
  • Provides identity management as a service.
  • Google Cloud Cloud Identity super admin user account is similar to Azure AD Global Administrator, which shouldn’t be used for day-to-day operations.


Google Cloud Organization


Google Cloud Folder

  • Similar to Azure Management Group.
  • Provides a way to organize Google Cloud Projects and other Folders similar to how Azure Management Groups organize Azure Subscriptions.


Google Cloud Project

  • Similar to Azure Subscription.
  • All cloud resources (VMs, storage, databases) are deployed within specific Azure Subscriptions and Google Cloud Projects.
  • Resource quotas (e.g., total number of VM cores) and billing are managed at the level of Azure Subscription or Google Cloud Project.
  • Azure Subscriptions provide an additional level of resource organization within a subscription called Azure Resource Groups.


Google Cloud IAM User

  • Similar to Azure AD User.
  • Identity used by people who login using username, password, and ideally also multi-factor authentication (MFA).


Google Cloud IAM Group

  • Similar to Azure AD Group.
  • Grouping of multiple identities like users, service accounts / service principals.


Google Cloud IAM Service Account

  • Similar to Azure AD Service Principal and Azure Managed Identity.
  • Identity used by application code and services/resources.
  • Google Cloud Service Accounts can have multiple “key” credentials.
  • Azure AD Service Principals can have multiple “secrets/keys” or certificates.
  • Azure Managed Identity can be assigned to VMs and other Azure resources similar to how Service Accounts are assigned to Google Cloud instances and can be used from those resources without needing to use keys.


Google Cloud IAM Role


Google Cloud IAM Policy

  • Similar to Azure RBAC Role Assignment.
  • Defines who, can do what, on which resource.
  • In Azure, role assignment defines which principal (user, group, or service principal), gets specific role (set of allowed actions), starting at which scope in the hierarchy (management group, subscription, resource group, or specific resource) and inherited downward.


Google Cloud Organization Policies

  • Similar to Azure Policy.
  • Not the same as IAM Policy or RBAC.
  • Provides centralized governance and guardrails for cloud resource usage (e.g., which resource types can be created, in which regions).

Thank you!

Originally published at on March 23, 2022.

Version history
Last update:
‎Aug 29 2022 03:20 PM
Updated by: