Give Access without User Access Administrator permission required
I'm currently automating the provisioning of Azure Maps + Client App. The client authenticates using a Managed Identity for Azure.
However, in order to give the Managed Identity access to Azure Maps, I need to have permission to this action:
This action is not normally given to Service Principals, and it's not great from a security perspective. The required role is User Access Administrator.
So I would like to be able to give Maps reader permission to a managed identity, WITHOUT needing the User Access Administrator role on my Service Principal.
A good example is KeyVault. With KeyVault, access can be given to read KeyVault secrets etc. using only a Contributor on the subscription (i.e. the default for SPs).
The approach Azure Maps uses is common across Azure. Many teams such as Storage, Service Bus and Event Hubs use this approach, and this interface is not unique to Azure Maps.
What are your concerns with using User Access Administrator role?
Have you considered granting the role at a Resource Group Scope instead of full Azure Subscription scope?
Also, you can use JIT policies to restrict access to this role to just when you need to deploy: https://docs.microsoft.com/en-us/azure/role-based-access-control/pim-azure-resource
How would you feel if there was a separate role and action for only data actions role assignments?
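The narrow-scope approach suggested above (grant the data-plane role on the resource itself rather than at subscription scope) looks like the following in a Bicep deployment. This is an added example, not code from the original thread or from the Azure Maps team; the resource names, the `location`, the SKU/kind and the API versions are assumptions, and the role definition ID is that of the built-in "Azure Maps Data Reader" role. The principal running the deployment only needs `Microsoft.Authorization/roleAssignments/write` at the resource-group scope it deploys into, which is what a resource-group-scoped User Access Administrator (or a PIM-activated one) provides.

```bicep
// Added example: provisions an Azure Maps account, a user-assigned managed
// identity for the client app, and a role assignment that grants that identity
// "Azure Maps Data Reader" scoped to the Maps account only (not the subscription).
// Deploy at resource-group scope, e.g.:
//   az deployment group create -g <resource-group> -f main.bicep
targetScope = 'resourceGroup'

// Assumed parameter defaults; override at deployment time as needed.
param location string = 'eastus'
param mapsAccountName string = 'maps-${uniqueString(resourceGroup().id)}'
param identityName string = 'id-maps-client'

// Built-in role "Azure Maps Data Reader" (read-only data-plane access).
var mapsDataReaderRoleId = '423170ca-a8f6-4b0f-8487-9e4eb8f49bfa'

// Identity the client app will run as; no secrets to store or rotate.
resource clientIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: identityName
  location: location
}

// Maps account with shared-key (local) auth disabled, so Azure AD / RBAC is
// the only way to reach the data plane (assumed SKU and kind).
resource mapsAccount 'Microsoft.Maps/accounts@2023-06-01' = {
  name: mapsAccountName
  location: location
  sku: {
    name: 'G2'
  }
  kind: 'Gen2'
  properties: {
    disableLocalAuth: true
  }
}

// Role assignment scoped to the Maps account: the deploying principal needs
// roleAssignments/write here (resource group / resource), nowhere broader.
// The name is deterministic so redeployments are idempotent.
resource mapsReaderAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(mapsAccount.id, clientIdentity.id, mapsDataReaderRoleId)
  scope: mapsAccount
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', mapsDataReaderRoleId)
    principalId: clientIdentity.properties.principalId
    // Declaring the type avoids replication-lag failures for freshly created identities.
    principalType: 'ServicePrincipal'
  }
}

// Client ID the app passes to its credential library when selecting this identity.
output clientIdentityClientId string = clientIdentity.properties.clientId
output mapsAccountId string = mapsAccount.id
```

Because the assignment's `scope` is the Maps account, a compromise of the deployment principal's role-assignment rights is bounded to that resource group, and the client identity itself holds only read-only data-plane access; `disableLocalAuth` additionally removes the shared keys that would otherwise bypass RBAC entirely.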