I happened to notice that a data factory (ADFv2) is the owner of one of our Azure subscriptions. This is a typical ADF and is not doing anything out of the ordinary. I am guessing this was done by mistake, but I just want to ask here in the forum whether there can be a genuine scenario where a data factory needs to be the owner of a given subscription?
-
Also, the data factory exists in the same subscription. – Dhiraj Feb 16 '21 at 20:38
-
We are not clear about your question. Can you show us some screenshots? – Joseph Xu Feb 17 '21 at 02:14
-
Do you have any other concerns about this issue? – Joy Wang Feb 19 '21 at 02:17
2 Answers
Is the Azure Data Factory used for any automation purposes using REST APIs, etc.? Like scaling resources or pausing/resuming resources across RGs?
If that is the case, then the ADF might have been given Owner access on the subscription so that its MSI can work with all the objects within the RGs present in the subscription.
If this ADF is specific to data ingestion use cases, then there is no need to give the ADF Owner access on the entire subscription.

Yes, what @Nandan said is basically correct. More specifically, the Owner role is assigned to the MSI of your ADFv2. When you need to use the MSI (managed identity) of your ADFv2 to authenticate to Azure resources or call Azure REST APIs, an RBAC role (in your case, Owner) is needed. For most things, other roles are enough, e.g. Contributor; to do something like create a role assignment, you need a role with higher privilege, e.g. Owner.
Three specific cases I answered to help you understand:

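Both answers come down to the same check: which role the ADF's managed identity actually holds, at which scope, and whether a narrower assignment (e.g. Contributor on the resource group the pipelines touch) would do. The script below is an added example, not code from either answer or from Microsoft; it runs offline against a constructed sample shaped like the JSON that `az role assignment list --all -o json` returns, flags service principals (managed identities appear as `principalType: ServicePrincipal`) holding Owner or User Access Administrator at subscription or management-group scope, and prints suggested `az` commands for scoping down. The subscription ID, principal IDs, names and resource group in the sample are made up.

```python
"""Audit Azure RBAC role assignments for over-privileged managed identities.

Added example, not from the original thread. The input format mirrors
`az role assignment list --all -o json`; the sample data below is constructed.
"""
import json
import re

# Roles that let a principal hand out more access (to itself or others).
HIGH_PRIVILEGE_ROLES = {"Owner", "User Access Administrator"}

SUBSCRIPTION_SCOPE = re.compile(r"^/subscriptions/[^/]+$")
RESOURCE_GROUP_SCOPE = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+$")
MANAGEMENT_GROUP_SCOPE = re.compile(
    r"^/providers/Microsoft\.Management/managementGroups/[^/]+$")

# Constructed sample: one ADF managed identity with Owner on the whole
# subscription, the same identity with Contributor on one RG, and a human
# user with Owner (ignored here: this audit targets non-human identities).
SAMPLE_ASSIGNMENTS = json.loads("""[
  {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/aaaaaaaa-0000-0000-0000-000000000001",
   "principalId": "11111111-1111-1111-1111-111111111111", "principalName": "adf-ingest-prod",
   "principalType": "ServicePrincipal", "roleDefinitionName": "Owner",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
  {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-data-prod/providers/Microsoft.Authorization/roleAssignments/aaaaaaaa-0000-0000-0000-000000000002",
   "principalId": "11111111-1111-1111-1111-111111111111", "principalName": "adf-ingest-prod",
   "principalType": "ServicePrincipal", "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-data-prod"},
  {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/aaaaaaaa-0000-0000-0000-000000000003",
   "principalId": "22222222-2222-2222-2222-222222222222", "principalName": "alice@example.com",
   "principalType": "User", "roleDefinitionName": "Owner",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"}
]""")


def scope_kind(scope):
    """Classify an ARM scope string as managementGroup/subscription/resourceGroup/resource."""
    if MANAGEMENT_GROUP_SCOPE.match(scope):
        return "managementGroup"
    if SUBSCRIPTION_SCOPE.match(scope):
        return "subscription"
    if RESOURCE_GROUP_SCOPE.match(scope):
        return "resourceGroup"
    return "resource"


def find_overprivileged(assignments):
    """Return findings for service principals (managed identities included) that
    hold a high-privilege role at subscription or management-group scope."""
    findings = []
    for a in assignments:
        if a.get("principalType") != "ServicePrincipal":
            continue
        role = a.get("roleDefinitionName")
        kind = scope_kind(a.get("scope", ""))
        if role in HIGH_PRIVILEGE_ROLES and kind in ("subscription", "managementGroup"):
            findings.append({
                "principalName": a.get("principalName"),
                "principalId": a.get("principalId"),
                "role": role,
                "scope": a["scope"],
                "scopeKind": kind,
                "assignmentId": a.get("id"),
            })
    return findings


def remediation_commands(finding, target_rg, replacement_role="Contributor"):
    """Suggested az CLI commands, returned as strings for human review (never run here):
    first add the narrower assignment, then delete the broad one so nothing breaks
    in between. Only subscription-scoped findings can be narrowed to an RG this way."""
    if finding["scopeKind"] != "subscription":
        raise ValueError("narrowing to a resource group only applies to subscription-scoped findings")
    rg_scope = f"{finding['scope']}/resourceGroups/{target_rg}"
    return [
        f"az role assignment create --assignee-object-id {finding['principalId']} "
        f"--assignee-principal-type ServicePrincipal --role \"{replacement_role}\" --scope {rg_scope}",
        f"az role assignment delete --assignee {finding['principalId']} "
        f"--role \"{finding['role']}\" --scope {finding['scope']}",
    ]


if __name__ == "__main__":
    for f in find_overprivileged(SAMPLE_ASSIGNMENTS):
        print(f"{f['principalName']} has {f['role']} at {f['scopeKind']} scope {f['scope']}")
        for cmd in remediation_commands(f, "rg-data-prod"):
            print("  ", cmd)
```

Before running the delete, check whether any pipeline in the factory (Web/WebHook activities, or linked services hitting ARM) actually creates role assignments or touches resources outside the target RG; if it does, Contributor on that RG is enough for everything except the role-assignment calls, which is the one operation the second answer says needs Owner.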