
Authentication & Access

Authentication

Control | Description
Conditional access policies
  • Along with MFA, ensure that additional requirements are met before granting access:
    • Block logins from suspicious IP addresses
    • Deny access from devices without malware protection
    • etc.
  • Azure Active Directory provides Conditional Access policies, which support access decisions based on group membership, sign-in location, or device state
Azure Application Proxy (for legacy apps)
  • Composed of two components:
    1. A connector agent that sits on a Windows server within your corporate network and makes only outbound connections to the proxy service (no inbound firewall ports need to be opened)
    2. An external endpoint
  • When a user navigates to the endpoint, they authenticate with Azure AD and are routed to the on-premises application via the connector agent
Azure AD Privileged Identity Management (PIM)
  • Additional paid-for offering (requires an Azure AD Premium P2 license) that provides oversight of role assignments, self-service and just-in-time role activation, and access reviews for both Azure AD roles and Azure resource roles
  • With the PIM service, you can manage, control, and monitor access to important resources in your organization
  • Organizations can give users just-in-time (JIT) privileged access to Azure resources and Azure AD

RBAC

  • Access management for Azure resources is organized around the Azure subscription: resource groups and resources sit beneath it, and management groups sit above it
  • Identities are mapped to roles directly or through group membership
  • Roles can be granted at the individual service instance level, but they also flow down the Azure Resource Manager hierarchy
  • Roles assigned at a higher scope, like an entire subscription, are inherited by child scopes, like service instances
  • Resource groups are also a scope for applying RBAC permissions
  • [Diagram: how the classic subscription administrator roles, Azure RBAC roles, and Azure AD administrator roles relate at a high level]
  • The access granted by a role, its effective permissions, is computed by subtracting the NotActions operations from the Actions operations. NotActions only narrows that one role; it is not a deny rule and does not override access granted by another role assignment
  • Restrictions:
    • A subscription is associated with only one Azure AD tenant
    • A resource group is associated with only one subscription
    • A resource can be bound to only one resource group

Components

Component | Description
Security Principal (who)
  • User, group, service principal, or managed identity
Role Definition (what)
    Built-in roles:
    • Owner: Has full access to all resources, including the right to delegate access to others
    • Contributor: Can create and manage all types of Azure resources, but can't grant access to others
    • Reader: Can view existing Azure resources
    • User Access Administrator: Lets you manage user access to Azure resources
Scope (where)
  • Where the access applies to
  • Scope can be specified at multiple levels: management group, subscription, resource group, or resource
  • Structured in a parent-child relationship (when you grant access at a parent scope, those permissions are inherited by the child scopes)
Role Assignment
  • A role assignment is the process of binding a role to a security principal at a particular scope, for the purpose of granting access
    • To grant access, you create a role assignment
    • To revoke access, you remove a role assignment
  • A custom role definition lists, under AssignableScopes, the scopes at which that role may be assigned; an assignment whose scope falls outside them is rejected

Custom Roles

Permissions needed to manage custom roles
To manage custom roles, you need to be assigned a role whose definition includes the relevant Actions (below) and whose AssignableScopes cover the scope you are working in
Task | Action | Description
Create/Delete | Microsoft.Authorization/roleDefinitions/write | Users can create or delete custom roles for use in scopes
Update | Microsoft.Authorization/roleDefinitions/write | Users can update custom roles in scopes
View | Microsoft.Authorization/roleDefinitions/read | Users can view the custom roles available for assignment at a scope. All built-in roles allow custom roles to be available for assignment

Role Structure

{
  "Name": "",
  "IsCustom": true,
  "Description": "",
  "Actions": [],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscriptionId1}"
  ]
}
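The following Python script is added here as an illustration and is not Azure's own code. It models the rules from the RBAC and Components sections above: the `*` wildcard in action strings, effective permissions as Actions minus NotActions, scope inheritance down the subscription / resource group / resource hierarchy, and the AssignableScopes check on a custom role written in the JSON structure just shown. The built-in role definitions are abbreviated sketches (the real Contributor role has a few more NotActions), the subscription ids, resource names and principals are constructed, and Azure deny assignments are not modelled.

```python
"""Model of Azure RBAC decisions: wildcard matching, Actions minus NotActions,
scope inheritance and AssignableScopes. Illustrative only, not Azure's code."""
import json
import re
from dataclasses import dataclass

SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"        # constructed
OTHER_SUB = "/subscriptions/00000000-0000-0000-0000-000000000002"  # constructed
RG = SUB + "/resourceGroups/rg-web"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/web01"

# Abbreviated sketches of built-in roles (not the complete definitions).
ROLES = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {"Actions": ["*"],
                    "NotActions": ["Microsoft.Authorization/*/Delete",
                                   "Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/elevateAccess/Action"]},
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "User Access Administrator": {"Actions": ["*/read", "Microsoft.Authorization/*"],
                                  "NotActions": []},
}

# A custom role in the JSON structure shown on the page (content constructed).
CUSTOM_ROLE_JSON = json.dumps({
    "Name": "VM Operator",
    "IsCustom": True,
    "Description": "Read Compute resources; start and restart VMs",
    "Actions": ["Microsoft.Compute/*/read",
                "Microsoft.Compute/virtualMachines/start/action",
                "Microsoft.Compute/virtualMachines/restart/action"],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": [SUB],
})
_custom = json.loads(CUSTOM_ROLE_JSON)
ROLES[_custom["Name"]] = _custom


def op_matches(pattern: str, operation: str) -> bool:
    """Azure-style wildcard: '*' spans any characters, '/' included; case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def role_permits(role: dict, operation: str, data_plane: bool = False) -> bool:
    """Effective permissions = Actions minus NotActions (or the DataActions pair)."""
    allow, deny = ("DataActions", "NotDataActions") if data_plane else ("Actions", "NotActions")
    return (any(op_matches(p, operation) for p in role.get(allow, []))
            and not any(op_matches(p, operation) for p in role.get(deny, [])))


def scope_covers(assigned_scope: str, target: str) -> bool:
    """A scope covers itself and every child scope; the root scope '/' covers everything."""
    a, t = assigned_scope.rstrip("/").lower(), target.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


def assignable_at(role_name: str, scope: str) -> bool:
    """Built-in roles are assignable anywhere; a custom role only inside its AssignableScopes."""
    role = ROLES[role_name]
    if not role.get("IsCustom"):
        return True
    return any(scope_covers(s, scope) for s in role["AssignableScopes"])


@dataclass
class Assignment:
    principal: str
    role: str
    scope: str


def assign(assignments: list, principal: str, role_name: str, scope: str) -> None:
    """Create a role assignment (binding principal + role + scope), enforcing AssignableScopes."""
    if not assignable_at(role_name, scope):
        raise ValueError(f"{role_name!r} is not assignable at {scope}")
    assignments.append(Assignment(principal, role_name, scope))


def is_permitted(assignments: list, principal: str, operation: str,
                 target_scope: str, data_plane: bool = False) -> bool:
    """Union over every assignment whose scope covers the target. A NotAction only
    narrows its own role; another assignment can still grant the operation."""
    return any(scope_covers(a.scope, target_scope)
               and role_permits(ROLES[a.role], operation, data_plane)
               for a in assignments if a.principal == principal)


def build_demo() -> list:
    """Constructed assignments: Reader at the subscription, custom role and Contributor at a resource group."""
    assignments = []
    assign(assignments, "alice", "Reader", SUB)
    assign(assignments, "bob", "VM Operator", RG)
    assign(assignments, "carol", "Contributor", RG)
    return assignments


if __name__ == "__main__":
    demo = build_demo()
    for who, op, where in [("alice", "Microsoft.Compute/virtualMachines/read", VM),
                           ("alice", "Microsoft.Compute/virtualMachines/start/action", VM),
                           ("bob", "Microsoft.Compute/virtualMachines/start/action", VM),
                           ("carol", "Microsoft.Authorization/roleAssignments/write", RG)]:
        print(f"{who:6} {op:50} {'ALLOW' if is_permitted(demo, who, op, where) else 'DENY'}")
```

Run it directly to see that alice's subscription-level Reader assignment is inherited by the VM, that bob's custom role stops working outside the resource group it was assigned at, and that carol's Contributor role cannot write role assignments even though its Actions list is `*`.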

Azure RBAC Roles vs Azure AD Roles

Role | Description
Azure RBAC roles
  • Used to manage access to Azure resources
  • Multiple scope levels (management group, subscription, resource group, resource)
Azure AD roles
  • Used to manage access to Azure AD resources (user accounts, passwords, domains)
  • Scope only at tenant level
  • Examples:
    • Global Administrator:
      • Can manage access to administrative features in Azure AD
      • A person in this role can grant administrator roles to other users, and they can reset a password for any user or administrator
      • By default, whoever signs up for the directory is automatically assigned this role
    • User Administrator: Can manage all aspects of users and groups, including support tickets, monitoring service health, and resetting passwords for certain types of users
    • Billing Administrator: Can make purchases, manage subscriptions and support tickets, and monitor service health. Azure has detailed billing permissions in addition to RBAC permissions
Overlap
  An Azure AD Global Administrator can elevate their access to manage all Azure subscriptions and management groups:
  • The elevation grants them the Azure RBAC User Access Administrator role at the root scope ("/"), which covers every management group and subscription in the directory
  • Through the User Access Administrator role, the Global Administrator can give other users (or themselves) access to any Azure resource
  • This is a high-impact event: it is recorded in the Azure Activity Log as the operation Microsoft.Authorization/elevateAccess/action, should be alerted on, and the root-scope assignment should be removed once the task that required it is done
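As an added example (not from the page), the script below runs simple detection logic over Azure Activity Log entries for the overlap just described: a successful or attempted elevateAccess action, and role assignments written at the root scope or at a management group. The events are constructed and reduced to the fields the logic reads; the field names (eventTimestamp, caller, operationName.value, status.value, resourceId) follow the Activity Log schema, while the severity labels are this example's own choice.

```python
"""Flag Global Administrator elevation and tenant-wide role assignments in
Azure Activity Log entries. Added example; the events are constructed."""
import re

# A role assignment's resource id is <scope>/providers/Microsoft.Authorization/roleAssignments/<id>;
# an empty <scope> means the assignment was written at the root scope "/".
ROLE_ASSIGNMENT_ID = re.compile(
    r"^(?P<scope>.*?)/providers/Microsoft\.Authorization/roleAssignments/[^/]+$", re.IGNORECASE)
MG_PREFIX = "/providers/microsoft.management/managementgroups/"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"  # constructed

SAMPLE_EVENTS = [  # constructed; only the fields the detection needs
    {"eventTimestamp": "2024-05-01T09:12:03Z", "caller": "ga@contoso.example",
     "operationName": {"value": "Microsoft.Authorization/elevateAccess/action"},
     "status": {"value": "Succeeded"}},
    {"eventTimestamp": "2024-05-01T09:13:40Z", "caller": "ga@contoso.example",
     "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
     "status": {"value": "Succeeded"},
     "resourceId": "/providers/Microsoft.Authorization/roleAssignments/aaaaaaaa-0000-0000-0000-000000000001"},
    {"eventTimestamp": "2024-05-01T10:02:11Z", "caller": "ops@contoso.example",
     "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
     "status": {"value": "Succeeded"},
     "resourceId": SUB + "/providers/Microsoft.Authorization/roleAssignments/aaaaaaaa-0000-0000-0000-000000000002"},
    {"eventTimestamp": "2024-05-01T10:30:00Z", "caller": "ops@contoso.example",
     "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
     "status": {"value": "Succeeded"},
     "resourceId": "/providers/Microsoft.Management/managementGroups/mg-root"
                   "/providers/Microsoft.Authorization/roleAssignments/aaaaaaaa-0000-0000-0000-000000000003"},
    {"eventTimestamp": "2024-05-01T11:45:19Z", "caller": "intern@contoso.example",
     "operationName": {"value": "Microsoft.Authorization/elevateAccess/action"},
     "status": {"value": "Failed"}},
    {"eventTimestamp": "2024-05-01T12:00:00Z", "caller": "ops@contoso.example",
     "operationName": {"value": "Microsoft.Compute/virtualMachines/start/action"},
     "status": {"value": "Succeeded"},
     "resourceId": SUB + "/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/web01"},
]


def role_assignment_scope(resource_id):
    """Scope a role assignment was written at, '/' for root, None if not a role assignment id."""
    m = ROLE_ASSIGNMENT_ID.match(resource_id or "")
    if not m:
        return None
    return m.group("scope") or "/"


def classify(event: dict):
    """Return (severity, reason) for an event worth alerting on, otherwise None."""
    op = event["operationName"]["value"].lower()
    succeeded = event.get("status", {}).get("value", "").lower() == "succeeded"
    if op == "microsoft.authorization/elevateaccess/action":
        if succeeded:
            return ("HIGH", "Global Administrator elevated access: User Access Administrator at root scope")
        return ("MEDIUM", "failed attempt to elevate access")
    if op == "microsoft.authorization/roleassignments/write" and succeeded:
        scope = role_assignment_scope(event.get("resourceId"))
        if scope == "/":
            return ("HIGH", "role assignment written at root scope '/'")
        if scope and scope.lower().startswith(MG_PREFIX):
            return ("MEDIUM", f"role assignment written at management group {scope}")
    return None


def find_privilege_escalation(events: list) -> list:
    """Run classify() over a batch of Activity Log entries and collect the findings."""
    findings = []
    for e in events:
        hit = classify(e)
        if hit:
            findings.append({"time": e["eventTimestamp"], "caller": e["caller"],
                             "severity": hit[0], "reason": hit[1]})
    return findings


if __name__ == "__main__":
    for f in find_privilege_escalation(SAMPLE_EVENTS):
        print(f"{f['time']} {f['severity']:6} {f['caller']:22} {f['reason']}")
```

Subscription-scoped role assignments are deliberately left out of the findings (they are routine); the point of the scope parsing is that a root-scope assignment id carries no subscription prefix at all, which is easy to miss if you only filter on the operation name.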