
1 Vote
PatrickSciortino-0157 asked SamaraSoucy-MSFT commented

Synapse Analytics: What is the default service principal used for?

When creating a new Azure Synapse Analytics workspace, a service principal with the same name as the resource is automatically created with Synapse Administrator role on the workspace granted to it. This brings the following questions:
- What is this service principal used for?
- What would be the consequences of deleting this service principal?
- Can we prevent its creation?



azure-synapse-analytics

0 Votes
PatrickSciortino-0157 answered SamaraSoucy-MSFT commented

Hi @SamaraSoucy-MSFT ,

Thank you for the quick answer.

It is still not very clear to me though. In Data Factory, a service principal is one possible option to authenticate to linked services. If other authentication methods are used (e.g. managed identity), then no service principal is needed to have pipelines work. Do you mean that in the case of Synapse, the Pipeline functionality wouldn't work at all if one decides to delete this service principal, even if it is not used in any linked service?


I did some checking. It is not currently possible to remove the managed identity from the admin role via the portal in order to protect against the possible consequences I mentioned. I will need to reach out to the product team to see if there are more details I can share about how the identity is used internally. While Synapse Pipelines and Data Factory are very similar services, they aren't identical and don't function the same way in some areas.

Do you have any specific concerns about the resource being granted permissions to itself that I can share with the product team when I speak to them? If you aren't comfortable doing so publicly I can set up a private conversation about it. Managed identities are deleted when a resource is deleted, so you do not need to manage their lifecycle and the credentials are never exposed, so they offer stronger security than a user created service principal where you must create and secure credentials yourself.

0 Votes

Hi @SamaraSoucy-MSFT ,
No specific question, but I would indeed like to learn a bit more about how this service principal is used internally and what makes it indispensable for pipelines. Thank you in advance!

0 Votes

Sure thing. I've sent a request to the product team to see if there is anything more we can share publicly about how it is used. I will share any information I can with you when they respond.

0 Votes
0 Votes
SamaraSoucy-MSFT answered SamaraSoucy-MSFT edited

Currently the identity is always created with the workspace. It is used for Synapse Pipelines, and without the identity this feature will not work. It is also an option when creating linked services and is often given permissions to SQL Pools, though neither is required.

Even if you are not planning on using the Pipelines feature, an alternative to deleting the user would be to limit its permissions, as there is no guarantee that the scope of its use won't expand in the future. The thing you will need to remember if you choose to limit or remove it is that you could run into unexpected errors in the future that may require expanding the scope of its permissions or turning the managed identity back on.


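The question asks what the auto-created identity is for and whether it can be removed, and the accepted answer recommends limiting its permissions instead of deleting it. An editor's added example, not code from the thread or from Microsoft: the Python below audits who holds Synapse Administrator on a workspace, tells you whether the workspace's own system-assigned identity is among them, and then emits the CLI commands that swap that identity's admin assignment for a narrower role. It is written against the JSON shapes returned by `az synapse workspace show`, `az synapse role definition list` and `az synapse role assignment list`; the documents embedded in it are constructed for this example and every GUID is made up. The `--ids`, `--assignee-object-id` and `--assignee-principal-type` flags are the ones on `az synapse role assignment delete` / `create` as I know them; confirm with `-h` on your CLI version before running the printed commands. The guard against downgrading the identity when it is the only administrator is my addition, a lockout check the answer's caveat about "unexpected errors" implies but does not spell out.

```python
import json

ADMIN_ROLE = "Synapse Administrator"

# ---- constructed sample input (not captured from a real workspace) ----
# Field names follow the Azure CLI output of:
#   az synapse workspace show -n <ws> -g <rg>
#   az synapse role definition list --workspace-name <ws>
#   az synapse role assignment list --workspace-name <ws>
# Every GUID is made up. No role id is hardcoded: the admin role is
# resolved by name through the role definition list.
MSI_PRINCIPAL = "11111111-1111-1111-1111-111111111111"
ADMIN_ROLE_ID = "aaaaaaaa-0000-0000-0000-000000000001"
CONTRIB_ROLE_ID = "aaaaaaaa-0000-0000-0000-000000000002"

WORKSPACE_JSON = json.dumps({
    "name": "contoso-synapse",
    "identity": {"type": "SystemAssigned", "principalId": MSI_PRINCIPAL,
                 "tenantId": "22222222-2222-2222-2222-222222222222"},
})
ROLE_DEFS_JSON = json.dumps([
    {"id": ADMIN_ROLE_ID, "name": "Synapse Administrator"},
    {"id": CONTRIB_ROLE_ID, "name": "Synapse Contributor"},
])


def _assignment(ra_id, principal_id, principal_type, role_id):
    """Build one item in the shape of `az synapse role assignment list`."""
    return {"id": ra_id, "principalId": principal_id, "principalType": principal_type,
            "roleDefinitionId": role_id, "scope": "workspaces/contoso-synapse"}


MSI_ADMIN = _assignment("ra-0001", MSI_PRINCIPAL, "ServicePrincipal", ADMIN_ROLE_ID)  # granted at creation
HUMAN_ADMIN = _assignment("ra-0002", "33333333-3333-3333-3333-333333333333", "User", ADMIN_ROLE_ID)
GROUP_CONTRIB = _assignment("ra-0003", "44444444-4444-4444-4444-444444444444", "Group", CONTRIB_ROLE_ID)
ASSIGNMENTS_JSON = json.dumps([MSI_ADMIN, HUMAN_ADMIN, GROUP_CONTRIB])
# Failure mode: the workspace identity is the only administrator.
SOLE_ADMIN_ASSIGNMENTS_JSON = json.dumps([MSI_ADMIN, GROUP_CONTRIB])


def audit_admins(workspace_json, role_defs_json, assignments_json):
    """Report who holds Synapse Administrator on the workspace and whether
    the workspace's own system-assigned identity is among them."""
    ws = json.loads(workspace_json)
    role_names = {r["id"]: r["name"] for r in json.loads(role_defs_json)}
    admin_role_ids = {rid for rid, name in role_names.items() if name == ADMIN_ROLE}
    admins = [a for a in json.loads(assignments_json)
              if a["roleDefinitionId"] in admin_role_ids]
    identity = ws.get("identity") or {}
    # Only the system-assigned identity is the one created with the workspace
    # (type may read "SystemAssigned" or "SystemAssigned,UserAssigned").
    msi = identity.get("principalId") if "SystemAssigned" in identity.get("type", "") else None
    admin_principals = {a["principalId"] for a in admins}
    return {
        "workspace": ws["name"],
        "workspace_identity": msi,
        "admins": admins,
        "identity_is_admin": msi is not None and msi in admin_principals,
        "identity_is_sole_admin": msi is not None and admin_principals == {msi},
    }


def downgrade_identity_plan(audit, new_role="Synapse Contributor"):
    """Return the CLI commands that replace the workspace identity's admin
    assignment with a narrower role. Returns [] if it is not an admin.
    Raises if it is the only admin: deleting that assignment would leave
    nobody able to manage workspace RBAC. Flag names are those of
    `az synapse role assignment delete/create`; confirm with `-h`."""
    if not audit["identity_is_admin"]:
        return []
    if audit["identity_is_sole_admin"]:
        raise ValueError("workspace identity is the only Synapse Administrator; "
                         "grant another principal the role before downgrading it")
    ws, msi = audit["workspace"], audit["workspace_identity"]
    cmds = [f"az synapse role assignment delete --workspace-name {ws} --ids {a['id']}"
            for a in audit["admins"] if a["principalId"] == msi]
    cmds.append(f'az synapse role assignment create --workspace-name {ws} --role "{new_role}" '
                f"--assignee-object-id {msi} --assignee-principal-type ServicePrincipal")
    return cmds


if __name__ == "__main__":
    report = audit_admins(WORKSPACE_JSON, ROLE_DEFS_JSON, ASSIGNMENTS_JSON)
    print(f"{report['workspace']}: identity {report['workspace_identity']} "
          f"is admin={report['identity_is_admin']}")
    for a in report["admins"]:
        print(f"  {a['principalType']:<16} {a['principalId']}  scope={a['scope']}")
    for cmd in downgrade_identity_plan(report):
        print(cmd)
```

Run it against real output by replacing the three constants with the files your CLI writes (`az ... -o json > file`). The plan deliberately keeps the identity and only narrows it, which is the option the answer recommends; if you do go further and remove every assignment for the identity, the answer's warning stands: Synapse Pipelines stop working until the role is granted again.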