Role-based access control (RBAC): Azure roles vs. Microsoft Entra ID roles

In the intricate world of Azure, understanding roles is pivotal to manage resources and identity objects efficiently and securely. But there are two concepts that are often confused in terms of what they are and what they can do: Azure roles and Microsoft Entra ID roles. 

In this article, I provide a better understanding of these roles and offer clarity on their distinct functionalities and scopes.

• What is role-based access control (RBAC)?
• Understanding Azure role-based access control (RBAC)
  • Diving into key Azure roles    
• How Azure subscriptions and Entra ID tenants work together
  • What is an Entra ID tenant?
  • How are Azure subscriptions and Entra ID tenants related?
• Understanding role-based access control in Microsoft Entra ID
  • Exploring key Microsoft Entra ID roles
• The difference between Azure roles and Microsoft Entra ID roles
• Effective RBAC implementation in Azure: Bringing it all together

Before we dive into Azure roles, let’s first understand role-based access control and its benefits. Role-based access control (RBAC) is a security methodology that assigns different levels of access to users based on their roles or functions within an organization.

RBAC can help protect resources, such as data, applications, and systems, from unauthorized or improper access, modification, addition, or deletion.

There are several benefits of RBAC:

• It simplifies the management of user permissions. You only need to assign users a role, rather than multiple individual permissions.

• It reduces the risk of human error. Users have access only to the resources they need to perform their tasks—nothing more.

• It enhances security and compliance. Because users can’t access sensitive or confidential information that isn’t relevant to their roles, you can easily maintain audit trails.

Azure role-based access control (Azure RBAC) is an authorization system built on Azure Resource Manager. It aims to provide fine-grained access management to Azure resources. 

Here’s how it works: A user assigns a role definition to an identity object. This role determines the actions the identity object can perform at a specified scope. This creates a waterfall effect in which permissions trickle down from the assigned level to all underlying levels. 

Another way of putting it is that Azure RBAC operates on a fundamental equation—who can do what where?

• Who: Identity objects or security principles

• What: Role definitions and assignments 

• Where: The scope within which these roles are applicable

There are over 100 built-in Azure roles, each designed to provide specific permissions for managing Azure resources. There are a few roles that apply to all resource types that are worth highlighting.

• Owner: Grants full access to resources with delegation rights

• Reader: Allows viewing of resources without modification rights

• Contributor: Permits resource management excluding user access management

• User Access Administrator: Enables user access management without resource management capabilities

Even though there is a large and growing selection of built-in roles, there’s also an option to create custom roles to meet specific criteria.

Now we have an understanding of Azure roles. But before we can understand Microsoft Entra ID roles, we need to take a step back and understand the relationship between Microsoft Entra ID and Azure subscriptions.

Entra ID is a cloud-based identity and access management (IAM) service that provides authentication and authorization for users and devices that access Azure resources. An Entra ID tenant is an instance of Entra ID that represents an organization. A tenant has a unique ID and a domain name, such as awesomecorp.onmicrosoft.com.

Every Azure subscription has a trust relationship with an Entra ID tenant. This means the subscription relies on the tenant to authenticate and authorize users and devices that access Azure resources. 

A subscription can only trust one tenant at a time, but a tenant can be trusted by multiple subscriptions. This allows an organization to manage access to different Azure resources using a single Entra ID.

As opposed to Azure RBAC, Microsoft Entra ID RBAC focuses only on managing identity objects within the Entra ID tenant itself. It does not extend to resources inside of the Azure subscriptions. Those identity objects would be things like users, groups, and applications. The same equation of who can do what where is used to implement Microsoft Entra ID RBAC.

There are about 60 built-in Microsoft Entra roles. These are some principal Microsoft Entra ID roles. 

• Global Admin: Offers comprehensive control over all Entra ID resources

• Billing Administrator: Specializes in executing billing tasks

• User Administrator: Manages users and groups within the tenant

• Helpdesk Administrator: Handles helpdesk functions including password resets

Like Azure RBAC, Microsoft Entra ID also supports custom roles.

The primary difference between Azure roles and Microsoft Entra ID roles lies in the resources they manage. 

Azure roles primarily govern access to resources deployed inside the cloud, including virtual networks, machines, and resource groups, with role assignments possible at various scopes. 

On the other hand, Microsoft Entra ID roles operate on identity objects at the tenant level and impact users’ abilities within that specific tenant. Although Microsoft Entra ID roles are typically set at a tenant level, you can make scope adjustments using administrative units. These are used as logical containers that give you more refined control over access permissions.

Understanding the difference between Azure roles and Microsoft Entra ID roles is crucial for effective RBAC implementation in Azure environments. While both roles play a vital role in access management, they serve different purposes and manage different types of resources. 

By leveraging both types of roles appropriately, you provide the right level of access to users and enhance security and operational efficiency. To learn more, check out my course Microsoft Azure Administrator (AZ-104): Manage Azure Identities and Governance.