Entra ID Roles

Last updated:

Tags: azure, rbac, entra
  • Different from [[202404061316 Azure Roles|azure roles]] (they apply to [[202312231415 Azure Master|Azure]] [[202404061212 Azure Resources|resources]])

Overview

  1. Permissions applied for [[202404011327 Entra ID|Entra ID]]
  2. Always think least privilege

Security Principal

  • Who or what is being assigned access?
  • [[202401101139 Entra ID users|Entra user]]
  • [[202312242245 Entra ID Groups|entra group]] (requires Entra ID P1)
    • must be set up as role-assignable at creation time; only then can Entra ID roles be assigned to the group
    • controlled by the isAssignableToRole property
    • immutable, so it can only be set when the group is created
  • application

Role Definition

  • What are the permissions being given?
  • types: built-in or custom - [[202401072111 Entra ID custom roles|Entra custom roles]]

Built-in Entra roles

  1. Global Administrator
  2. User Administrator
  3. Billing Administrator

Scope

  1. Where will the permissions apply?
  2. Hierarchy
  3. Traditionally the scope was always the whole tenant (global)
  4. Can be:
    1. [[202408281918 Entra ID tenant|tenant]]
    2. [[202401061515 Entra ID Administrative Units|Entra Administrative Units]]
    3. Entra resource
      1. Microsoft Entra groups
      2. Enterprise applications
      3. Application registrations
  5. If a role is assigned at container level (tenant, administrative unit), it applies to every item contained in that container
  6. If a role is assigned at resource level, it applies to that resource only
    1. In particular, a role scoped to a group does not extend to the members of that [[202312242245 Entra ID Groups|group]]
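Putting principal, role definition and scope together, as an added example that is not from this note or from Microsoft: a small Python model of how an Entra role assignment resolves, using the Microsoft Graph directoryScopeId convention for scopes. The tenant data, object ids and the "Groups Administrator" role used for the resource-scoped case are constructed for illustration.

```python
# Constructed toy model of Entra ID role-assignment evaluation, not Microsoft code.
# directory_scope_id follows the Microsoft Graph unifiedRoleAssignment convention:
# "/" = whole tenant, "/administrativeUnits/<id>" = one AU, "/<objectId>" = one resource.
from dataclasses import dataclass

@dataclass(frozen=True)
class Assignment:
    principal_id: str        # user, role-assignable group, or application
    role: str                # built-in role name, e.g. "User Administrator"
    directory_scope_id: str  # "/", "/administrativeUnits/<id>" or "/<objectId>"

# Constructed sample tenant: object ids are placeholders, not real GUIDs.
OBJECTS = {"alice": "user", "bob": "user", "carol": "user", "dave": "user", "erin": "user",
           "helpdesk": "group", "finance": "group", "all-staff": "group"}
MEMBERS = {"helpdesk": {"alice"}, "finance": {"erin"}, "all-staff": {"alice", "bob", "carol"}}
AU_MEMBERS = {"au-sales": {"bob"}}          # objects placed in the administrative unit
ROLE_ASSIGNABLE = {"helpdesk"}              # created with isAssignableToRole=True

def is_valid(a):
    """Entra refuses an Entra role on a group that was not created as role-assignable."""
    return OBJECTS.get(a.principal_id) != "group" or a.principal_id in ROLE_ASSIGNABLE

def holders(principal_id):
    """The principal itself plus, for a role-assignable group, its members."""
    return {principal_id} | set(MEMBERS.get(principal_id, ()))

def objects_in_scope(scope):
    """Container scopes (tenant, AU) cover what they contain; a resource scope
    covers only that object, never the members of a scoped group."""
    if scope == "/":
        return set(OBJECTS)
    if scope.startswith("/administrativeUnits/"):
        return set(AU_MEMBERS.get(scope.rsplit("/", 1)[1], ()))
    return {scope.lstrip("/")}

def has_role(assignments, actor, role, target):
    """True if actor holds role over target through at least one valid assignment."""
    for a in assignments:
        if not is_valid(a):
            raise ValueError(f"{a.principal_id} was not created with isAssignableToRole")
        if (a.role == role and actor in holders(a.principal_id)
                and target in objects_in_scope(a.directory_scope_id)):
            return True
    return False

ASSIGNMENTS = [
    Assignment("helpdesk", "User Administrator", "/administrativeUnits/au-sales"),
    Assignment("dave", "Groups Administrator", "/finance"),   # resource-scoped on a group
]
```

With this data alice (via the helpdesk group) administers bob inside au-sales but not carol, and dave administers the finance group object itself but not its member erin.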

References

  • Entra RBAC
  • Use groups to manage Entra roles
  • Builtin Roles