Mapping Google Cloud IAM concepts to similar ones in Azure
In this article, I try to create a short mapping of key Google Cloud IAM (Identity and Access Management) concepts to similar ones in Microsoft Azure.
If you see things that are wrong or incomplete, please leave a comment with what I should fix.
For a more general Google Cloud to Azure comparison, you can refer to the Azure for Google Cloud Professionals document.
Looking for AWS IAM to Azure mapping? Take a look here.
Google Cloud Identity (or Google Workspace)
- Similar to Azure Active Directory (Azure AD).
- Provides identity management as a service.
- The Google Cloud Identity super admin account is similar to the Azure AD Global Administrator; neither should be used for day-to-day operations.
Google Cloud Organization / Google Cloud Folder
- Similar to Azure Management Group.
- The Organization is the root of the Google Cloud resource hierarchy; Folders below it organize Google Cloud Projects and other Folders, similar to how Azure Management Groups organize Azure Subscriptions and other Management Groups.
Google Cloud Project
- Similar to Azure Subscription.
- All cloud resources (VMs, storage, databases) are deployed within specific Azure Subscriptions and Google Cloud Projects.
- Resource quotas (e.g., total number of VM cores) and billing are managed at the level of Azure Subscription or Google Cloud Project.
- Azure Subscriptions provide an additional level of resource organization within a subscription called Azure Resource Groups.
Google Cloud IAM User
- Similar to Azure AD User.
- Identity used by people who log in with a username, password, and ideally also multi-factor authentication (MFA).
Google Cloud IAM Group
- Similar to Azure AD Group.
- Grouping of multiple identities, such as users and service accounts / service principals.
Google Cloud IAM Service Account
- Similar to Azure AD Service Principal and Azure Managed Identity.
- Identity used by application code and services/resources.
- Google Cloud Service Accounts can have multiple “key” credentials.
- Azure AD Service Principals can have multiple “secrets/keys” or certificates.
- Azure Managed Identity can be assigned to VMs and other Azure resources, similar to how Service Accounts are attached to Google Cloud instances, and can be used from those resources without handling keys.
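Because every user-managed service account key is a long-lived credential that can be downloaded and leaked, a practical first step toward the keyless model described above is to inventory them. The check below is an added example, not code from the article: `SAMPLE_KEYS` is a constructed list in the shape of `gcloud iam service-accounts keys list --format=json` output (`name`, `keyType`, `validAfterTime`, `validBeforeTime`), `NOW` is a fixed evaluation time, and `MAX_AGE_DAYS` is an assumed rotation limit.

```python
"""Flag long-lived or non-expiring user-managed service account keys.

Added example (not code from the article). SAMPLE_KEYS is constructed in the
shape of `gcloud iam service-accounts keys list --format=json` output.
Google-rotated SYSTEM_MANAGED keys are skipped; USER_MANAGED keys older than
MAX_AGE_DAYS or with no effective expiry are reported, which is the population
to migrate to attached service accounts / Managed Identity first.
"""
from datetime import datetime, timedelta, timezone

MAX_AGE_DAYS = 90  # assumed rotation limit
SA = "projects/demo-proj/serviceAccounts/deploy@demo-proj.iam.gserviceaccount.com"

# Constructed sample; timestamps use the RFC 3339 "Z" form gcloud prints.
SAMPLE_KEYS = [
    {"name": f"{SA}/keys/aaa111", "keyType": "USER_MANAGED",
     "validAfterTime": "2021-01-10T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
    {"name": f"{SA}/keys/bbb222", "keyType": "SYSTEM_MANAGED",
     "validAfterTime": "2022-12-20T00:00:00Z", "validBeforeTime": "2023-01-05T00:00:00Z"},
    {"name": f"{SA}/keys/ccc333", "keyType": "USER_MANAGED",
     "validAfterTime": "2022-05-01T00:00:00Z", "validBeforeTime": "2022-06-01T00:00:00Z"},
    {"name": f"{SA}/keys/ddd444", "keyType": "USER_MANAGED",
     "validAfterTime": "2022-12-01T00:00:00Z", "validBeforeTime": "2023-03-01T00:00:00Z"},
]

# Fixed evaluation time so the example is deterministic.
NOW = datetime(2023, 1, 1, tzinfo=timezone.utc)


def parse_ts(value: str) -> datetime:
    """Parse the RFC 3339 UTC timestamps used in the key listing."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stale_keys(keys, now=NOW, max_age_days=MAX_AGE_DAYS):
    """Return one finding per risky user-managed key: {"key": name, "reasons": [...]}."""
    findings = []
    for key in keys:
        if key["keyType"] != "USER_MANAGED":
            continue  # Google rotates these; there is no downloadable private key
        created = parse_ts(key["validAfterTime"])
        expires = parse_ts(key["validBeforeTime"])
        if expires <= now:
            continue  # already unusable for authentication
        reasons = []
        age = (now - created).days
        if age > max_age_days:
            reasons.append(f"user-managed key is {age} days old (limit {max_age_days})")
        if expires - now > timedelta(days=365 * 10):
            reasons.append("key has no effective expiry")
        if reasons:
            findings.append({"key": key["name"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in stale_keys(SAMPLE_KEYS):
        print(finding["key"], "->", "; ".join(finding["reasons"]))
```

In the sample, only `aaa111` is reported (old and never expiring); the system-managed key is skipped, the expired key is ignored, and the recent key with a real expiry passes. The same shape of check applies to Azure AD service principal secrets and certificates, where the equivalent field is the credential's end date.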
Google Cloud IAM Role
- Similar to Azure Role Based Access Control (RBAC) Role Definition.
- Collection of permissions: a set of allowed actions and, in Azure, an optional set of excluded actions (NotActions) carved out of that role.
- Azure provides many built-in role definitions, including Owner/Contributor/Reader, and the ability to define custom roles.
Google Cloud IAM Policy
- Similar to Azure RBAC Role Assignment.
- Defines who can do what on which resource.
- In Azure, a role assignment specifies which principal (user, group, or service principal) gets which role (set of allowed actions) at which scope in the hierarchy (management group, subscription, resource group, or individual resource); the assignment is inherited by everything below that scope.
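The role definition, the assignment and the downward inheritance described in the last two sections combine into one question a reviewer keeps asking: can this principal perform this action on this resource? The evaluator below is an added example, not code from the article or from either cloud's SDK. It models the Azure side (role definitions with Actions/NotActions, assignments at a scope, inheritance down the hierarchy) and translates a GCP IAM policy document into the same model, so the one check serves both clouds. The scope paths, principals, group membership, the `GCP_ROLE_MAP` table and the policy document are constructed; the Azure role names and NotActions values are real but reduced to a small subset.

```python
"""Effective-access check across a cloud resource hierarchy.

Added example (not code from the article). A role definition lists allowed
action patterns (Azure Actions) and, optionally, patterns carved out of that
role (Azure NotActions). An assignment binds a principal to a role at a scope,
and the grant is inherited by every child scope. A GCP IAM policy binding is
translated into the same assignment model.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: tuple           # allowed action patterns, e.g. "*/read"
    not_actions: tuple = ()  # excluded from this role only, never from other roles

    def permits(self, action: str) -> bool:
        # Azure action names are case-insensitive; fnmatch handles the "*" wildcards.
        act = action.lower()
        allowed = any(fnmatchcase(act, p.lower()) for p in self.actions)
        excluded = any(fnmatchcase(act, p.lower()) for p in self.not_actions)
        return allowed and not excluded


@dataclass(frozen=True)
class RoleAssignment:
    principal: str  # user, group, service principal or service account
    role: str
    scope: str      # "/"-separated path from the root, e.g. "/root/prod/web/web-01"


# Simplified subset of Azure built-in roles (real names, abbreviated NotActions).
ROLES = {
    "Reader": RoleDefinition("Reader", ("*/read",)),
    "Contributor": RoleDefinition("Contributor", ("*",), (
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/elevateAccess/Action",
    )),
    "Owner": RoleDefinition("Owner", ("*",)),
}

# Constructed mapping of GCP basic roles onto the same model for the example.
GCP_ROLE_MAP = {"roles/viewer": "Reader", "roles/editor": "Contributor", "roles/owner": "Owner"}

# Constructed group membership: principal -> groups it belongs to.
GROUPS = {"alice@example.com": {"platform-team@example.com"}}


def is_ancestor_or_self(assignment_scope: str, resource_scope: str) -> bool:
    """True if the assignment scope is the resource scope or one of its parents."""
    return (resource_scope == assignment_scope
            or resource_scope.startswith(assignment_scope.rstrip("/") + "/"))


def effective_roles(principal, assignments, scope):
    """Roles reaching `scope` for the principal directly or through its groups."""
    identities = {principal} | GROUPS.get(principal, set())
    return sorted({a.role for a in assignments
                   if a.principal in identities and is_ancestor_or_self(a.scope, scope)})


def is_allowed(principal, action, scope, assignments) -> bool:
    """Union of (Actions minus NotActions) over every inherited role."""
    return any(ROLES[r].permits(action) for r in effective_roles(principal, assignments, scope))


def assignments_from_gcp_policy(policy: dict, scope: str):
    """Translate a GCP IAM policy ({"bindings": [{"role", "members"}]}) into assignments.
    Member strings carry a type prefix (user:, group:, serviceAccount:) that is dropped."""
    return [RoleAssignment(member.split(":", 1)[1], GCP_ROLE_MAP[b["role"]], scope)
            for b in policy.get("bindings", []) for member in b["members"]]


# Constructed Azure hierarchy: /root (management group) -> /root/prod (subscription)
# -> /root/prod/web (resource group) -> /root/prod/web/web-01 (VM).
AZURE_ASSIGNMENTS = [
    RoleAssignment("platform-team@example.com", "Reader", "/root"),
    RoleAssignment("alice@example.com", "Contributor", "/root/prod/web"),
    RoleAssignment("svc-deploy", "Owner", "/root/prod/web/web-01"),
]

# Constructed GCP project-level policy, translated at scope /org/proj-a.
GCP_POLICY = {"bindings": [
    {"role": "roles/viewer", "members": ["group:platform-team@example.com"]},
    {"role": "roles/editor", "members": ["serviceAccount:ci@proj-a.iam.gserviceaccount.com"]},
]}
GCP_ASSIGNMENTS = assignments_from_gcp_policy(GCP_POLICY, "/org/proj-a")

if __name__ == "__main__":
    vm = "/root/prod/web/web-01"
    print(is_allowed("alice@example.com", "Microsoft.Compute/virtualMachines/write", vm,
                     AZURE_ASSIGNMENTS))  # True: Contributor inherited from the resource group
    print(is_allowed("alice@example.com", "Microsoft.Authorization/roleAssignments/write", vm,
                     AZURE_ASSIGNMENTS))  # False: carved out by Contributor's NotActions
```

Two points the evaluator makes concrete: NotActions only subtract within their own role, so an Owner assignment anywhere above a resource re-grants what Contributor excludes; and an assignment on a single resource gives nothing on its parent, which is why the service principal assigned Owner on the VM cannot even read the resource group.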
Google Cloud Organization Policies
- Similar to Azure Policy.
- Not the same as IAM Policy or RBAC.
- Provides centralized governance and guardrails for cloud resource usage (e.g., which resource types can be created, in which regions).
Please leave feedback and questions below or on Twitter https://twitter.com/ArsenVlad