
Configure Azure Role Permissions for Management Groups, Subscriptions, Resource Groups, and Resources
Key Concepts

Here’s a comparison table between Microsoft Entra ID roles (formerly Azure AD roles) and Azure roles (RBAC). These operate in different scopes: Entra roles manage identity and directory-level features, while Azure roles control access to Azure resources.
Category | Microsoft Entra ID Role | Azure Role (RBAC) | Purpose/Scope |
---|---|---|---|
Global Admin / Owner | Global Administrator | Owner | Full access to Entra services / Azure resources |
User Management | User Administrator | — | Create and manage users and groups in Entra |
Group Management | Groups Administrator | — | Manage group memberships and settings |
Application Management | Application Administrator | Contributor (to specific app resource) | Manage app registrations and configurations |
Authentication / Identity | Authentication Administrator | — | Manage password reset, MFA, and authentication methods |
Security Operations | Security Administrator / Security Reader | Security Reader / Security Admin | View or manage security-related settings and alerts |
Access Management | Privileged Role Administrator | User Access Administrator | Assign roles in Entra / manage RBAC permissions |
Monitoring / Reporting | Reports Reader | Reader | Read reports / monitor resource usage |
Device Management | Intune Administrator / Cloud Device Admin | — | Manage devices registered in Entra / Intune |
Billing | Billing Administrator | Billing Reader / Owner | Manage billing info in Entra or Azure subscription |
Custom Roles | Custom Directory Role | Custom Azure Role | Create least-privilege roles in Entra / Azure |
PIM Control | Privileged Authentication Administrator | — | Manage PIM and authentication flows |
Support | Helpdesk Administrator | — | Reset passwords and monitor support tickets |
Network / Infra Roles | — | Network Contributor / Virtual Machine Contributor | Specific access to Azure infra components (VMs, VNETs, NSGs) |
Key Differences
- Microsoft Entra ID Roles
  - Directory-level scope (users, groups, authentication, apps)
  - Managed from Microsoft Entra admin center
  - Mostly identity governance focused
- Azure RBAC Roles
  - Resource-level scope (VMs, storage, networking, etc.)
  - Managed from Azure Portal > Access Control (IAM)
  - Focused on infrastructure and platform resources
- Azure RBAC: Role-based access control for managing who has access to Azure resources
- Security Principal: Entity that can be assigned permissions (user, group, service principal, managed identity)
- Role Definition: Collection of permissions defining allowed operations
- Scope: Boundary where access applies (management group, subscription, resource group, resource)
- Role Assignment: Attachment of a role definition to a security principal at a particular scope
Implementation Steps
- Identify the appropriate scope level for permission assignment
- Select the security principal requiring access
- Determine the least-privileged role needed
- Create the role assignment using Azure Portal, Azure CLI, PowerShell, or ARM templates
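The four steps above, carried out with the Azure CLI. This is an added example rather than code from the original page: the subscription id, group object ids and resource names are placeholders, and with the default DRY_RUN=1 the script prints each az command instead of running it. It shows how the scope string differs at each level (management group, subscription, resource group, resource) and how inheritance lets one subscription-level Reader assignment replace many per-resource ones.

```shell
#!/bin/sh
# Added example (not part of the original page): compose the scope string for
# each Azure RBAC scope level and create a role assignment there with the Azure
# CLI. Subscription id, group object ids and resource names are placeholders.
# Nothing is sent to Azure unless DRY_RUN=0; by default the az command is printed.
set -eu

DRY_RUN="${DRY_RUN:-1}"

# Build the resource-id style scope Azure RBAC expects.
# Usage: rbac_scope mg <mgName> | sub <subId> | rg <subId> <rgName>
#        rbac_scope res <subId> <rgName> <Provider/type> <resourceName>
rbac_scope() {
  level="$1"; shift
  case "$level" in
    mg)  printf '/providers/Microsoft.Management/managementGroups/%s' "$1" ;;
    sub) printf '/subscriptions/%s' "$1" ;;
    rg)  printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2" ;;
    res) printf '/subscriptions/%s/resourceGroups/%s/providers/%s/%s' "$1" "$2" "$3" "$4" ;;
    *)   echo "rbac_scope: unknown level '$level' (use mg|sub|rg|res)" >&2; return 1 ;;
  esac
}

# Create a role assignment for a principal at a scope.
# Usage: assign_role <principalObjectId> <User|Group|ServicePrincipal> <roleName> <scope>
# Passing the object id and principal type lets az skip the Graph lookup it
# would otherwise need to resolve a UPN or display name.
assign_role() {
  principal="$1"; ptype="$2"; role="$3"; scope="$4"
  if [ "$DRY_RUN" = "1" ]; then
    printf 'az role assignment create --assignee-object-id %s --assignee-principal-type %s --role "%s" --scope %s\n' \
      "$principal" "$ptype" "$role" "$scope"
  else
    az role assignment create --assignee-object-id "$principal" \
      --assignee-principal-type "$ptype" --role "$role" --scope "$scope"
  fi
}

SUB="00000000-0000-0000-0000-000000000000"         # placeholder subscription id
MON_GROUP="11111111-1111-1111-1111-111111111111"   # placeholder: Entra group for monitoring staff
APP_GROUP="22222222-2222-2222-2222-222222222222"   # placeholder: Entra group for the payments team

# Widest: Reader on the whole subscription, inherited by every resource group and resource.
assign_role "$MON_GROUP" Group Reader "$(rbac_scope sub "$SUB")"

# Narrower: Contributor only inside the team's resource group, so it cannot touch other projects.
assign_role "$APP_GROUP" Group Contributor "$(rbac_scope rg "$SUB" rg-payments-prod)"

# Narrowest: a data-plane role on a single storage account.
assign_role "$APP_GROUP" Group "Storage Blob Data Reader" \
  "$(rbac_scope res "$SUB" rg-payments-prod Microsoft.Storage/storageAccounts stpaymentsprod)"
```

Assigning to groups rather than individual users keeps the number of assignments small and makes the later audit step a matter of reviewing group membership; the management-group form of the scope is the one to use when the same Reader assignment should cover every subscription in the hierarchy.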
Best Practices
- Use management groups for enterprise-wide permissions
- Apply the principle of least privilege
- Use resource groups for project or application-based access control
- Leverage inheritance to simplify permission management
- Regularly audit role assignments
Assign Microsoft Entra Built-in Roles
Key Concepts
- Microsoft Entra ID: Azure’s cloud identity service (formerly Azure AD)
- Directory Roles: Permissions for managing Entra resources and services
- Administrative Units: Containers for delegating administrative responsibilities
Common Built-in Roles
- Global Administrator: Complete access to all Entra features
- User Administrator: Create/manage users and groups
- Authentication Administrator: Set authentication methods and password policies
- Application Administrator: Manage enterprise applications
- Security Administrator: Read security information and manage security settings
Implementation Steps
- Navigate to Microsoft Entra admin center
- Access Roles and administrators
- Select the appropriate role
- Add assignment to desired user or group
- Define scope if applicable (directory-wide or limited to administrative unit)
Assign Azure Built-in Roles
Key Concepts
- Azure RBAC Built-in Roles: Predefined sets of permissions for common scenarios
Common Built-in Roles
- Owner: Full access to all resources
- Contributor: Create and manage resources but cannot grant access
- Reader: View existing resources
- User Access Administrator: Manage access but not resources
- Service-specific roles: Network Contributor, Storage Account Contributor, etc.
Implementation Steps
- Navigate to the desired scope in Azure Portal
- Select Access control (IAM)
- Click Add role assignment
- Select the appropriate role
- Assign to the security principal
Best Practices
- Use the Reader role for monitoring personnel
- Assign Contributor to team members who need to manage resources
- Limit Owner assignments
- Consider custom roles when built-in roles don’t meet requirements
Create and Assign Custom Roles
Azure Custom Roles
Key Components
- Actions: Operations allowed
- NotActions: Operations excluded from allowed actions
- DataActions: Operations on data within objects
- NotDataActions: Data operations excluded
- AssignableScopes: Where the role can be assigned
Implementation Steps
- Identify required permissions
- Create JSON definition file with necessary operations
- Create custom role using PowerShell, CLI, or REST API
- Assign the custom role like any built-in role
Comparison: Azure Custom Role Creation (CLI/JSON vs. GUI)
Aspect | Azure CLI / JSON Method | Azure Portal (GUI) Method |
---|---|---|
Interface | Command-line tool + JSON file | Point-and-click in the Azure Portal |
Skill Level | Intermediate to advanced (requires CLI knowledge) | Beginner to intermediate |
Best For | Automation, version control, repeatability | Quick manual role creation or experimentation |
Steps Involved | 1. Write JSON 2. Run az role definition create | 1. Go to IAM → Roles 2. Click “Add custom role” |
Customization | Full flexibility over permissions and structure | Limited to UI-supported options |
Assignable Scopes | Precisely defined in JSON (/subscriptions/... ) | Selected using GUI (subscriptions, resource groups, etc.) |
Cloning Built-in Roles | Manual via copying and editing a role definition | Built-in option to clone existing roles |
Permission Search | Manual in docs or scripts | Built-in search tool for actions in the UI |
Error Checking | Limited; errors shown in terminal | Built-in validation in portal |
Repeatable Deployment | ✅ Easily reusable in pipelines or scripts | ❌ Manual only; not easily repeatable |
Auditing / Version Control | ✅ Store JSON in source control | ❌ Not easily auditable unless documented separately |
Visual Preview | ❌ None (text-based only) | ✅ UI displays actions and scope nicely |
Typical Use Case | DevOps, IaC, automation, role versioning | Admins creating roles ad hoc or exploring configurations |
Summary
- Use CLI + JSON when:
  - You need automation, version control, or repeatable deployments
  - You’re working in enterprise environments or CI/CD pipelines
- Use Portal GUI when:
  - You want a quick, visual, one-off creation
  - You’re still experimenting or learning role definitions
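The JSON-plus-CLI path from the implementation steps and the comparison above, as an added example (not code from the original page). It writes a role that lets operators start, stop and restart VMs without being able to create or delete them, lints the file for two mistakes the Portal's validation would otherwise catch for you (a provider-wide wildcard action, and a missing subscription or management-group assignable scope), and only then calls az role definition create. The subscription id is a placeholder; DRY_RUN=1 (the default) prints the command instead of running it.

```shell
#!/bin/sh
# Added example (not part of the original page): write a least-privilege Azure
# custom role definition as JSON, lint it for common mistakes, then create it
# with the Azure CLI. The role name and subscription id are placeholders; the
# action strings are real Microsoft.Compute / Microsoft.Resources operations.
# Nothing is sent to Azure unless DRY_RUN=0.
set -eu

DRY_RUN="${DRY_RUN:-1}"
SUB="${SUB:-00000000-0000-0000-0000-000000000000}"   # placeholder subscription id

# Emit a role that lets an operator view, start, stop and restart VMs, but not
# create, delete or resize them. Usage: write_role_json <outputPath>
write_role_json() {
  cat > "$1" <<EOF
{
  "Name": "Virtual Machine Operator (custom)",
  "IsCustom": true,
  "Description": "Start, deallocate and restart virtual machines; read-only otherwise.",
  "Actions": [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/instanceView/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Compute/virtualMachines/deallocate/action",
    "Microsoft.Resources/subscriptions/resourceGroups/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/${SUB}"
  ]
}
EOF
}

# Check a definition before creating it. Exit status 1 and a message on stderr
# for each problem found. Usage: lint_role_json <path>
lint_role_json() {
  f="$1"; rc=0
  # "*" or a whole-provider wildcard such as "Microsoft.Compute/*" grants far
  # more than the role's stated purpose; narrower wildcards are left alone.
  if grep -Eq '"(\*|[A-Za-z.]+/\*)"' "$f"; then
    echo "lint: provider-wide wildcard in Actions/DataActions: $f" >&2; rc=1
  fi
  # Custom roles must list at least one assignable scope at subscription or
  # management-group level (the tenant root "/" is not accepted).
  if ! grep -Eq '"/(subscriptions|providers/Microsoft\.Management/managementGroups)/[^"]+"' "$f"; then
    echo "lint: no subscription or management-group AssignableScopes entry: $f" >&2; rc=1
  fi
  return $rc
}

# Create the role (use "az role definition update" to change an existing one).
# Usage: create_role <path>
create_role() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "az role definition create --role-definition @$1"
  else
    az role definition create --role-definition "@$1"
  fi
}

ROLE_FILE="${TMPDIR:-/tmp}/vm-operator-role.json"
write_role_json "$ROLE_FILE"
if lint_role_json "$ROLE_FILE"; then
  create_role "$ROLE_FILE"
  # Once created, the role is assigned exactly like a built-in one, e.g.
  # az role assignment create --role "Virtual Machine Operator (custom)" \
  #   --assignee-object-id <groupObjectId> --assignee-principal-type Group \
  #   --scope /subscriptions/$SUB/resourceGroups/<rg>
fi
```

Keeping the JSON in source control, as the comparison table suggests, gives each permission change a reviewable diff; the lint step is what turns that into a gate, so a pull request that widens an action to a wildcard fails before anything reaches Azure.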
Microsoft Entra Custom Roles
Key Components
- RolePermissions: App and directory permissions
- ResourceScopes: Resources where the role applies
Implementation Steps
- Navigate to Microsoft Entra admin center
- Go to Roles and administrators
- Create new custom role
- Define permissions by selecting from available options
- Assign custom role to security principals
Best Practices
- Start by cloning a built-in role
- Follow principle of least privilege
- Document custom role purposes
- Review and update custom roles regularly
- Test custom roles before broad deployment
Implement and Manage Microsoft Entra Permissions Management (deprecated)
Key Concepts
- Microsoft Entra Permissions Management (EPM): Cloud Infrastructure Entitlement Management (CIEM) solution to discover, remediate, and monitor permissions across multi-cloud environments
- Permission Creep Index: Metric that measures the gap between granted and used permissions
- Least Privilege Recommendations: Suggestions for rightsizing permissions
- Multi-cloud Visibility: Monitor identities and access across Azure, AWS, and GCP
Implementation Steps
- Onboard cloud environments (Azure, AWS, GCP) into EPM
- Assess permission usage with analytics and insights
- Apply least privilege recommendations to rightsize access
- Use reports to monitor risky permissions and privileged access
- Set up alerts and automation for ongoing monitoring
Transition Guidance
- Retirement Announcement: Microsoft has announced EPM will be retired on October 1, 2025
- Recommended Action: Transition to Microsoft Defender for Cloud for continued CIEM capabilities and multi-cloud security posture management
- Resource: The Future of CIEM in Microsoft Defender for Cloud | Microsoft Community Hub
Best Practices
- Begin transition planning early
- Export current CIEM insights and audit trails from EPM
- Evaluate Defender for Cloud features for equivalent or improved functionality
- Communicate changes to stakeholders and identity governance teams
Configure Microsoft Entra Privileged Identity Management
Key Concepts
- Privileged Identity Management (PIM): Service for managing, controlling, and monitoring access
- Just-in-Time Access: Temporary elevation of privileges
- Eligible Assignments: Pre-approved role assignments that require activation
- Active Assignments: Currently activated privileges
- Approval Workflow: Process for requesting and authorizing role activation
Implementation Steps
- License requirements: Microsoft Entra ID P2 or E5
- Enable PIM for your organization
- Configure role settings:
  - Activation maximum duration
  - Approval requirements
  - Notification settings
  - MFA requirements
- Make eligible role assignments
- Set up approval workflows
Best Practices
- Require justification for activation
- Enable time-bound role activations
- Implement MFA for critical roles
- Set up alerting for suspicious activities
- Regularly review permanent role assignments
Use Case Examples
Use Case | Scenario Description | Azure Portal (GUI) Steps |
---|---|---|
1. Just-in-Time (JIT) Access for Azure Subscription Owner | Temporarily elevate a user to the “Owner” role in a subscription for administrative tasks | – Go to Microsoft Entra admin center → PIM – Select Azure resources → your subscription – Click Activate next to the “Owner” role under My roles |
2. Approval Workflow for Privileged Roles | Require manager approval before users can activate the “Global Administrator” role | – Go to Microsoft Entra admin center → PIM – Select Microsoft Entra roles → Roles – Click Global Administrator → Settings – Enable Approval required and assign Approvers |
3. Quarterly Access Reviews for Admin Roles | Review users assigned to “Application Administrator” role every 3 months | – Go to Microsoft Entra admin center → PIM – Select Access reviews → + New access review – Choose Microsoft Entra role → select Application Administrator – Set Reviewers and Recurrence to Quarterly |
Configure Role Management and Access Reviews in Microsoft Entra
Role Management
Key Components
- Role Catalog: Collection of all roles available for assignment
- Role Settings: Configuration options for roles
- Role Activation Settings: Requirements for activating eligible roles
Implementation Steps
- Navigate to PIM in Microsoft Entra admin center
- Configure role settings for each role:
  - Activation requirements
  - Assignment durations
  - Notification settings
- Implement approval workflows
Access Reviews
Key Concepts
- Access Reviews: Process to regularly validate access needs
- Review Scope: Resources covered by a review
- Reviewers: Individuals responsible for approving/denying continued access
- Recurrence: Frequency of review cycles
Implementation Steps
- Navigate to Access reviews in Microsoft Entra admin center
- Create new access review
- Define scope (directory roles, apps, groups)
- Select reviewers
- Set review frequency and duration
- Configure automated actions for non-reviewed items
- Enable review and monitor progress
Use Case Examples for Access Reviews
Use Case | Description | Review Target | Reviewer Type | Goal |
---|---|---|---|---|
1. Group Membership Clean-up | Regularly validate if users still need to be part of specific security or M365 groups | Microsoft 365 or security groups | Group owners or managers | Ensure users don’t retain access to sensitive resources unnecessarily |
2. Directory Role Reviews | Audit users assigned to privileged roles like “Global Administrator” or “User Administrator” | Microsoft Entra roles | Security admin, self-review, or designated reviewer | Reduce standing privilege and enforce least privilege |
3. Application Access Review | Revalidate user access to enterprise applications like Salesforce, ServiceNow, etc. | Enterprise applications integrated with Entra ID | App owners, managers, or the users themselves | Avoid unnecessary license consumption and potential data exposure |
4. Guest User Review | Periodic checks to remove stale B2B/guest accounts that no longer need access | External users in specific groups or tenant | Group owners or tenant admins | Clean up external access and improve tenant hygiene |
5. Project-Based Access Review | Review access for temporary project teams after project completion | Teams, groups, or SharePoint sites | Project manager or team owner | Decommission temporary access once no longer needed |
6. Departmental Access Alignment | Quarterly review for access to departmental resources (e.g., Finance, HR) | Department-based groups or SharePoint access | Department heads or resource owners | Ensure only active department members retain access |
7. Self-Attestation Reviews | Let users confirm if they still need access to specific apps or groups | Groups or apps with high user count | Users themselves (self-review) | Promote accountability and reduce admin overhead |
8. Compliance and Audit Support | Meet regulatory requirements like ISO, NIST, SOX by validating access to sensitive data or roles | Roles, apps, and high-privilege groups | Compliance officer or internal auditors | Provide documentation for external audits and improve governance posture |
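The review steps above, scripted against Microsoft Graph for use case 1 (group membership clean-up). This is an added example, not code from the original page: the group and fallback-reviewer ids are placeholders, the request body follows Graph's accessReviewScheduleDefinition resource, and DRY_RUN=1 (the default) prints the az rest command instead of sending it. The settings map the best practices onto fields: reminders on, a Deny default for unanswered reviews, and automatic application of decisions so stale access is removed without a second manual step.

```shell
#!/bin/sh
# Added example (not part of the original page): create a recurring quarterly
# access review of a security group's members with Microsoft Graph via "az rest".
# Group and fallback-reviewer ids are placeholders. Calling Graph needs the
# AccessReview.ReadWrite.All permission; nothing is sent unless DRY_RUN=0.
set -eu

DRY_RUN="${DRY_RUN:-1}"
GRAPH="https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions"
GROUP_ID="${GROUP_ID:-44444444-4444-4444-4444-444444444444}"                    # placeholder: group under review
FALLBACK_REVIEWER="${FALLBACK_REVIEWER:-55555555-5555-5555-5555-555555555555}"  # placeholder: user if the group has no owners

# Usage: write_review_json <outputPath> <startDate YYYY-MM-DD> <durationDays>
write_review_json() {
  cat > "$1" <<EOF
{
  "displayName": "Quarterly review - finance-sensitive-data members",
  "descriptionForReviewers": "Confirm each member still needs access to finance data.",
  "scope": {
    "@odata.type": "#microsoft.graph.accessReviewQueryScope",
    "query": "/groups/${GROUP_ID}/transitiveMembers",
    "queryType": "MicrosoftGraph"
  },
  "reviewers": [
    { "query": "/groups/${GROUP_ID}/owners", "queryType": "MicrosoftGraph" }
  ],
  "fallbackReviewers": [
    { "query": "/users/${FALLBACK_REVIEWER}", "queryType": "MicrosoftGraph" }
  ],
  "settings": {
    "mailNotificationsEnabled": true,
    "reminderNotificationsEnabled": true,
    "justificationRequiredOnApproval": true,
    "recommendationsEnabled": true,
    "instanceDurationInDays": $3,
    "defaultDecisionEnabled": true,
    "defaultDecision": "Deny",
    "autoApplyDecisionsEnabled": true,
    "recurrence": {
      "pattern": { "type": "absoluteMonthly", "interval": 3, "dayOfMonth": 1 },
      "range": { "type": "noEnd", "startDate": "$2" }
    }
  }
}
EOF
}

# Sanity checks matching the best-practices list. Usage: check_review_json <path>
check_review_json() {
  f="$1"; rc=0
  # Automatic removal only makes sense if "no response" resolves to Deny.
  if grep -qF '"autoApplyDecisionsEnabled": true' "$f" && ! grep -qF '"defaultDecision": "Deny"' "$f"; then
    echo "check: auto-apply is on but unanswered reviews would not remove access" >&2; rc=1
  fi
  if ! grep -qF '"reminderNotificationsEnabled": true' "$f"; then
    echo "check: reminders disabled; reviews tend to lapse without them" >&2; rc=1
  fi
  # The review window must fit inside the quarterly cycle (interval 3 months).
  days=$(sed -n 's/.*"instanceDurationInDays": \([0-9]*\).*/\1/p' "$f")
  if [ -z "$days" ] || [ "$days" -lt 1 ] || [ "$days" -gt 90 ]; then
    echo "check: instanceDurationInDays must be 1..90 for a quarterly review" >&2; rc=1
  fi
  return $rc
}

# POST the definition to Microsoft Graph. Usage: create_review <path>
create_review() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "az rest --method post --url $GRAPH --headers Content-Type=application/json --body @$1"
  else
    az rest --method post --url "$GRAPH" --headers "Content-Type=application/json" --body "@$1"
  fi
}

REVIEW_FILE="${TMPDIR:-/tmp}/quarterly-group-review.json"
write_review_json "$REVIEW_FILE" 2025-01-01 14
check_review_json "$REVIEW_FILE" && create_review "$REVIEW_FILE"
```

Using the group's owners as reviewers matches the "Group owners or managers" column of the table; the fallback reviewer is what keeps the review from stalling when a group has no owner, which is exactly the kind of stale group the review is meant to find.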
Best Practices
- Schedule quarterly reviews for critical roles
- Use a mix of self-review and manager review
- Set up reminders for pending reviews
- Document review decisions
- Configure automatic removal for non-approved access
- Enable notifications and reminders to ensure timely completion
Implement Conditional Access Policies
Key Concepts
- Conditional Access: Tool for controlling access based on signals
- Signal: Factor used in access decisions (user, location, device, application, risk)
- Decision: Grant or block access based on signals
- Session Controls: Restrictions applied during access
Common Policy Components
- Assignments: Who and what the policy applies to
  - Users and groups
  - Applications
  - Conditions (platforms, locations, client apps, device state)
- Access Controls: Requirements and restrictions
  - Grant controls (MFA, compliant device, etc.)
  - Session controls (app enforcement, sign-in frequency)
Implementation Steps
- Navigate to Conditional Access in Microsoft Entra admin center
- Create new policy
- Name the policy descriptively
- Configure assignments:
  - Select users and groups to include, and exclude specific ones (such as break-glass accounts)
  - Choose cloud apps
  - Define conditions
- Set access controls:
  - Require MFA, device compliance, or hybrid join
  - Block access when conditions aren’t met
  - Apply session controls
- Enable the policy in report-only mode first, then switch it on once the sign-in logs show the expected outcome
Use Cases for Conditional Access Policies
Use Case | Description | Condition | Goal |
---|---|---|---|
1. MFA for Admin Accounts | Enforce Multi-Factor Authentication (MFA) for all privileged admin accounts | – User type: Admins – Device: Any – Location: Any | Add an extra layer of security to sensitive accounts, reducing the risk of credential theft |
2. Block Legacy Authentication | Block outdated and insecure authentication methods (like Basic Authentication) for enhanced security | – Application: All apps – Client app: Legacy authentication methods (e.g., IMAP, POP, SMTP) | Prevent attacks that exploit legacy authentication protocols |
3. Require Device Compliance for Access | Allow access only from compliant devices managed by Intune | – Device: Compliant devices only – User type: All – Location: Any | Ensure that only secure, compliant devices (e.g., patched, encrypted) can access corporate resources |
4. Geo-Location-based Access Control | Restrict access to resources based on user’s geographic location or IP address | – Location: Trusted named locations (office IP, known regions) – User type: All | Block risky login attempts from unfamiliar or untrusted geographic regions |
5. Block Access from Unmanaged Devices | Prevent access to sensitive data from devices not enrolled in your organization’s management system (Intune) | – Device: Non-managed devices – User type: Any | Reduce the risk of data leakage by limiting access to unmanaged devices |
6. Time-Based Access | Allow access to corporate resources only during certain hours or business hours | – Time: 9 AM – 6 PM – User type: All – Location: Any | Restrict access to sensitive resources outside of working hours, reducing risk after hours |
7. Risk-Based Access Control (User Risk) | Block or require MFA when a user’s login is deemed risky (e.g., unfamiliar device, location, or behavior) | – Risk level: High – User: Any – Device: Any – Location: Any | Protect accounts and data by dynamically adapting access based on detected risk levels |
8. Require MFA for External Sharing | Ensure MFA is enabled for any user sharing content externally (e.g., OneDrive, SharePoint) | – User type: External sharing users – Authentication method: MFA required | Add an extra layer of security when sharing resources with external users |
9. Require Hybrid Azure AD Join for VPN | Enforce that users must be authenticated via Hybrid Azure AD Join to access VPN resources | – Device: Hybrid Azure AD joined – User: All – Location: Any | Ensure that only domain-joined, trusted machines can connect to the VPN |
10. Block Access on Jailbroken/Rooted Devices | Prevent access from jailbroken or rooted devices to reduce the likelihood of compromised devices accessing sensitive data | – Device: Jailbroken/rooted devices – User: All – Location: Any | Protect corporate data by blocking risky devices that may be compromised |
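The implementation steps above are written for the Portal; the same policies can be expressed as Microsoft Graph JSON and created with az rest, which is how they end up in source control. This added example (not code from the original page) builds use cases 1 and 2 from the table, MFA for administrators and blocking legacy authentication, and checks each against two of the best practices before creating it: the policy starts in report-only mode and the break-glass account is excluded. The break-glass object id is a placeholder; the role template id is Global Administrator's well-known id; DRY_RUN=1 (the default) prints the commands instead of calling Graph.

```shell
#!/bin/sh
# Added example (not part of the original page): define two Conditional Access
# policies as Microsoft Graph JSON, check them against the best practices, and
# create them with "az rest". The break-glass account object id is a placeholder.
# Calling Graph needs Policy.ReadWrite.ConditionalAccess; nothing is sent unless DRY_RUN=0.
set -eu

DRY_RUN="${DRY_RUN:-1}"
GRAPH="https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
BREAK_GLASS="${BREAK_GLASS:-33333333-3333-3333-3333-333333333333}"  # placeholder: emergency-access account object id
GLOBAL_ADMIN_ROLE="62e90394-69f5-4237-9190-012177145e10"          # Global Administrator role template id

# Policy 1: require MFA for holders of Global Administrator, on every app.
# Usage: write_mfa_admins_policy <outputPath> <state>
write_mfa_admins_policy() {
  cat > "$1" <<EOF
{
  "displayName": "CA001 - Require MFA for administrators",
  "state": "$2",
  "conditions": {
    "users": {
      "includeRoles": ["${GLOBAL_ADMIN_ROLE}"],
      "excludeUsers": ["${BREAK_GLASS}"]
    },
    "applications": { "includeApplications": ["All"] },
    "clientAppTypes": ["all"]
  },
  "grantControls": { "operator": "OR", "builtInControls": ["mfa"] }
}
EOF
}

# Policy 2: block clients that cannot do modern authentication (Exchange
# ActiveSync and the "other" bucket that covers IMAP/POP/SMTP basic auth).
# Usage: write_block_legacy_policy <outputPath> <state>
write_block_legacy_policy() {
  cat > "$1" <<EOF
{
  "displayName": "CA002 - Block legacy authentication",
  "state": "$2",
  "conditions": {
    "users": { "includeUsers": ["All"], "excludeUsers": ["${BREAK_GLASS}"] },
    "applications": { "includeApplications": ["All"] },
    "clientAppTypes": ["exchangeActiveSync", "other"]
  },
  "grantControls": { "operator": "OR", "builtInControls": ["block"] }
}
EOF
}

# Guard rails from the best-practices list: a new policy ships in report-only
# mode, and the break-glass account is always excluded. Usage: check_policy <path>
check_policy() {
  f="$1"; rc=0
  if ! grep -qF '"state": "enabledForReportingButNotEnforced"' "$f"; then
    echo "check: $f is not report-only; review sign-in logs before enforcing" >&2; rc=1
  fi
  if ! grep -qF "\"excludeUsers\": [\"${BREAK_GLASS}\"]" "$f"; then
    echo "check: $f does not exclude the break-glass account" >&2; rc=1
  fi
  return $rc
}

# POST one policy to Microsoft Graph. Usage: create_policy <path>
create_policy() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "az rest --method post --url $GRAPH --headers Content-Type=application/json --body @$1"
  else
    az rest --method post --url "$GRAPH" --headers "Content-Type=application/json" --body "@$1"
  fi
}

for p in mfa_admins block_legacy; do
  f="${TMPDIR:-/tmp}/ca-$p.json"
  "write_${p}_policy" "$f" enabledForReportingButNotEnforced
  check_policy "$f" && create_policy "$f"
done
```

Moving a policy from report-only to enforced is a one-field change (state to "enabled"), which is why the check refuses anything else at creation time: the report-only period is where the sign-in logs reveal a service account still using IMAP or an admin without a registered MFA method before either is locked out.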
Best Practices
- Use named locations for network boundaries
- Implement MFA for all administrative accounts
- Create break-glass emergency access accounts
- Test policies in report-only mode before enforcement
- Monitor policy outcomes regularly
- Document policy purposes and exceptions
- Avoid conflicting policies
- Apply least privilege principle
Closure
In Microsoft Entra and Azure, role-based access control (RBAC) helps manage permissions across identities and resources. Below are the key points for role assignments and best practices.
Key Concepts
Microsoft Entra ID Roles | Azure RBAC Roles |
---|---|
Manage identities, users, groups, apps | Control access to Azure resources (VMs, storage) |
Operate at directory level | Operate at resource level |
Focus on identity governance and security | Focus on infrastructure and platform resources |
Role Management Best Practices
Best Practice | Description |
---|---|
Least Privilege | Assign the minimum required permissions |
Regular Audits | Review and monitor role assignments |
Use Management Groups | Simplify access control with centralized roles |
Custom Roles | Create roles when built-in roles don’t fit needs |
Privileged Identity Management (PIM) and Access Reviews
Use Case | Description |
---|---|
Just-in-Time (JIT) Access | Temporarily elevate privileges for specific tasks |
Approval Workflow | Require approval before role activation |
Access Reviews | Regularly review role assignments and access |
Conditional Access Policies
Use Case | Description |
---|---|
MFA for Admin Accounts | Enforce MFA for all privileged admin accounts |
Block Legacy Authentication | Block insecure, legacy authentication methods |
Device Compliance | Restrict access to compliant devices only |
- Microsoft Entra ID Roles focus on identity management, while Azure RBAC Roles control resource access.
- Use PIM and Access Reviews to manage privileged access and ensure compliance.
- Implement Conditional Access policies for additional security controls.
Always follow the principle of least privilege, document your identity strategy, and perform periodic audits to maintain a secure and compliant cloud environment.

