Entra ID Roles

AZURE RBAC ENTRA

Different from azure roles (they apply to Azure resources)

Overview

Permissions applied for Entra ID
Always think least privilege

Security Principal

Who or what is being assigned access?
Entra user
entra group (requires p1) /
- needs to be setup as such at creation time (Entra ID roles can be assigned to the group)
- isAssignableToRole property
- immutable so only at setup
app

Role Definition

What are the permissions being given?
types: built-in or custom - Entra custom roles

Built-in Entra roles

Global Administrator
User Administrator
Billing Administrator

Scope

Where will the permissions apply?
Hierarchy
Traditionally used to be global
Can be:
1. tenant
2. Entra Administrative Units
3. Entra resource
  1. Microsoft Entra groups
  2. Enterprise applications
  3. Application registrations
If role is assigned on container level role is applied to items contained in it
If role is applied at resource level it applies to the resource
1. In particular does not extend to members of the groups

references

Entra RBAC Use groups to manage Entra roles Builtin Roles

Subscribe to NordLetter

A weekly newsletter on living in Finland.

← Back to Til

UPDATED January 7, 2024 at 17:01

Thoughts? Email sajal@sajalchoudhary.net

2 Backlinks

Azure Roles

TIL

Microsoft Entra

TIL