| 1 | +--- |
| 2 | +title: Microsoft Entra roles assigned by Service Connector |
| 3 | +description: Understand RBAC roles assigned by Service Connector when using a managed identity in Microsoft Azure. |
| 4 | +#customer intent: As a developer, I want to understand RBAC roles assigned by Service Connector when using a managed identity, so that I can understand access permissions. |
| 5 | +author: maud-lv |
| 6 | +ms.author: malev |
| 7 | +ms.service: service-connector |
| 8 | +ms.topic: concept-article |
| 9 | +ms.date: 06/25/2024 |
| 10 | +--- |
| 11 | +# Microsoft Entra roles assigned by Service Connector |
| 12 | + |
| 13 | +Service Connector's purpose is to simplify the process of connecting various Azure services together. When a connection is created using Service Connector, Service Connector configures the authentication between these Azure services. |
| 14 | + |
| 15 | +To do this, Service Connector uses Azure's [role-based access control (RBAC)](../role-based-access-control/overview.md) authorization system that provides access management to Azure resources. |
| 16 | + |
| 17 | +This article provides a summary of the roles assigned by Service Connector by default, and explains how to choose a different role. |
| 18 | + |
| 19 | +## Built-in roles |
| 20 | + |
| 21 | +By default, when a user selects one of the authentication types listed below, Service Connector assigns the managed identity the roles listed in the table that follows. |
| 22 | + |
| 23 | +* System-assigned managed identity |
| 24 | +* User-assigned managed identity |
| 25 | +* Workload identity |
| 26 | +* Service principal |
| 27 | + |
| 28 | +| Target services | Built-in roles | Description | ID | |
| 29 | +|-------------------------|---------------------------------------|-----------------------------------------------------------------------------------------------------------------------|--------------------------------------| |
| 30 | +| Azure Cosmos DB | DocumentDB Account Contributor | Can manage Azure Cosmos DB accounts. Azure Cosmos DB is formerly known as DocumentDB. | 5bd9cd88-fe45-4216-938b-f97437e15450 | |
| 31 | +| Azure Key Vault | Key Vault Secrets User | Read secret contents. Only works for key vaults that use the 'Azure role-based access control' permission model. | 4633458b-17de-408a-b874-0445c86b69e6 | |
| 32 | +| | Key Vault Certificate User | Read certificate contents. Only works for key vaults that use the 'Azure role-based access control' permission model. | db79e9a7-68ee-4b58-9aeb-b90e7c24fcba | |
| 33 | +| Azure Blob Storage | Storage Blob Data Contributor | Read, write, and delete Azure Storage containers and blobs. | ba92f5b4-2d11-453d-a403-e96b0029c9fe | |
| 34 | +| Azure Storage Queue | Storage Queue Data Contributor | Read, write, and delete Azure Storage queues and queue messages. | 974c5e8b-45b9-4653-ba55-5f855dd0fb88 | |
| 35 | +| Azure Storage Table | Storage Table Data Contributor | Read, write, and delete access to Azure Storage tables and entities. | 0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3 | |
| 36 | +| Azure Event Hubs | Azure Event Hubs Data Receiver | Allows receive access to Azure Event Hubs resources. | a638d3c7-ab3a-418d-83e6-5f17a39d4fde | |
| 37 | +| | Azure Event Hubs Data Sender | Allows send access to Azure Event Hubs resources. | 2b629674-e913-4c01-ae53-ef4638d8f975 | |
| 38 | +| Azure App Configuration | App Configuration Data Reader | Allows read access to App Configuration data. | 516239f1-63e1-4d78-a4de-a74fb236a071 | |
| 39 | +| Azure Service Bus | Service Bus Data Receiver | Allows for receive access to Azure Service Bus resources. | 4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0 | |
| 40 | +| | Service Bus Data Sender | Allows for send access to Azure Service Bus resources. | 69a216fc-b8fb-44d8-bc22-1f3c2cd27a39 | |
| 41 | +| Azure SignalR | SignalR Service Owner | Full access to Azure SignalR Service REST APIs. | 7e4f1700-ea5a-4f59-8f37-079cfe29dce3 | |
| 42 | +| Azure WebPubSub | SignalR/Web PubSub Contributor | Create, Read, Update, and Delete SignalR service resources. | 8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761 | |
| 43 | +| Azure OpenAI Service | Cognitive Services OpenAI Contributor | Full access including the ability to fine-tune, deploy, and generate text. | a001fd3d-188f-4b5d-821b-7da978bf7442 | |
| 44 | +| Azure Cognitive Service | Cognitive Services User | Lets you read and list keys of Cognitive Services. | a97b65f3-24c7-4388-baec-2e87135dc908 | |
| 45 | + |
| 46 | +For more information about these roles, go to [Azure built-in roles](../role-based-access-control/built-in-roles.md) |
| 47 | + |
| 48 | +## Role customization |
| 49 | + |
| 50 | +When creating a new connection in Service connector, users can choose other roles than the default ones. This is done in the Azure portal in the Service Connector menu, in the **Authentication** tab, under **Advanced** > **Role**. |
| 51 | + |
| 52 | +:::image type="content" source="./media/microsoft-entra-roles/customize-role.png" alt-text="Screenshot of the Azure portal, showing how to edit a connection's role."::: |
| 53 | + |
| 54 | +## Related content |
| 55 | + |
| 56 | +* [Service Connector internals](./concept-service-connector-internals.md) |
| 57 | +* [Permission requirement for Service Connector](./concept-permission.md) |
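Review bot: Several of the default roles in the table are management-plane or key-reading roles, and the article presents them without any least-privilege caveat. The Azure Cosmos DB row assigns a role whose own description is "Can manage Azure Cosmos DB accounts", the Azure SignalR and Azure WebPubSub rows assign "Full access to Azure SignalR Service REST APIs" and "Create, Read, Update, and Delete SignalR service resources", the Azure OpenAI Service row assigns "Full access including the ability to fine-tune, deploy", and the Azure Cognitive Service row assigns a role that "Lets you read and list keys", which lets the identity retrieve the long-lived shared keys and so undercuts the reason for connecting with a managed identity in the first place. Consider adding a sentence directly under the table that says these defaults grant more than data access on the target resource and that a narrower role should be selected under **Advanced** > **Role**, as the Role customization section describes, rather than leaving the reader to infer it. Smaller points: the sentence introducing the list says Service Connector "assigns the managed identity the roles", but the list that follows also contains "Workload identity" and "Service principal", so "assigns the selected identity" would be accurate; the two Key Vault rows state that the roles only work for vaults on the "Azure role-based access control" permission model, but the article does not say what Service Connector does for a vault that still uses access policies; the sentence "For more information about these roles, go to [Azure built-in roles](...)" has no closing period; and "Service connector" in the Role customization paragraph should be "Service Connector" to match the rest of the article.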