

Modern cloud environments require a structured and secure approach to managing identities, controlling access, and enforcing governance. Microsoft Azure achieves this through a layered architecture that separates identity management from resource management while ensuring both operate together seamlessly. This architecture is built around two primary control planes: Microsoft Entra ID, which handles identity and authentication, and Azure Resource Manager, which governs access to resources.
At the highest level, Azure follows a clear separation of responsibilities. Microsoft Entra ID is responsible for validating identities and issuing tokens, while Azure Resource Manager is responsible for evaluating permissions and enforcing access decisions. This separation ensures scalability, security, and centralized control.
Microsoft Entra ID serves as the identity control plane. All access to Azure begins with an identity stored within Entra ID. These identities include users, groups, service principals, and managed identities. Users represent human actors such as administrators and engineers. Groups simplify access management by allowing permissions to be assigned collectively. Service principals represent applications and automation processes, while managed identities provide secure, Azure-managed identities for services without requiring credential management.
When an identity attempts to access Azure, it must first be authenticated. Authentication is handled entirely by Microsoft Entra ID. This process involves validating credentials and evaluating conditions such as device compliance, location, and risk signals. Multi-factor authentication may be required to strengthen verification, and Identity Protection mechanisms continuously analyze sign-in behavior to detect anomalies.
Once authentication succeeds, Microsoft Entra ID issues a security token. This token represents proof of identity and contains claims about the user or service. It is important to understand that Azure Resource Manager does not authenticate identities directly. Instead, it trusts the token issued by Entra ID. This creates a clear trust boundary between identity validation and resource access.
Within the identity control plane, administrative permissions are governed through Entra ID roles. These roles define what actions can be performed within the directory itself, such as managing users, configuring authentication methods, or defining security policies. Examples include Global Administrator, Privileged Role Administrator, and Security Administrator. These roles do not grant access to Azure resources; they are used strictly for managing identity and directory configuration.
In addition to roles, Entra ID policies provide dynamic control over authentication behavior. Conditional Access policies determine how and when users can sign in based on contextual signals. Identity Protection introduces risk-based decisions, such as blocking sign-ins or requiring additional verification for suspicious activity. Privileged Identity Management enables just-in-time elevation of administrative roles, reducing standing privileges. Access reviews ensure that permissions remain appropriate over time. Together, these policies control how identities authenticate, when access is allowed, and how risk is mitigated.
After a token is issued, it is presented to Azure Resource Manager, which represents the resource control plane. Azure Resource Manager is responsible for orchestrating all resource operations and enforcing access decisions. It operates on a hierarchical structure that organizes resources into management groups, subscriptions, resource groups, and individual resources. This hierarchy allows permissions and policies to be applied consistently and inherited across the environment.
Authorization within Azure Resource Manager is handled through Azure role-based access control (RBAC). RBAC determines whether an identity is allowed to perform a specific action on a resource. Roles such as Owner, Contributor, Reader, and User Access Administrator define sets of permissions. These roles are assigned to identities and scoped at different levels of the resource hierarchy. This allows precise control over who can perform actions, what actions they can perform, and where those actions apply.
RBAC focuses exclusively on authorization. It answers the question of what an identity is allowed to do. However, it does not enforce whether a resource configuration is compliant with organizational standards. That responsibility belongs to Azure Policy.
Azure Policy provides governance and compliance enforcement across the environment. It evaluates resources against defined rules and applies effects such as denying non-compliant deployments, auditing existing resources, modifying configurations, or automatically deploying required settings. Policies can be applied at the management group, subscription, resource group, or resource level, ensuring consistent enforcement across all scopes.
The interaction between RBAC and Azure Policy is critical. RBAC determines whether an action is allowed, while Azure Policy determines whether the result of that action is compliant. Even if RBAC allows a user to create a resource, Azure Policy can still deny the deployment if it violates defined standards.
The complete flow of access in Azure begins when an identity attempts to interact with a resource. Microsoft Entra ID authenticates the identity and evaluates applicable policies. A security token is issued and presented to Azure Resource Manager. RBAC evaluates whether the requested action is permitted, and Azure Policy evaluates whether the action complies with governance rules. Only when all conditions are satisfied is access granted.
This architecture is built on several key principles. Authentication is centralized within Microsoft Entra ID, ensuring consistent identity validation. Authorization is handled separately through RBAC, allowing precise control over actions and scope. Governance is enforced through Azure Policy, ensuring compliance across the environment. The hierarchical structure of Azure Resource Manager enables scalable and consistent application of permissions and policies.
Understanding this architecture is essential for designing secure and well-governed Azure environments. Microsoft Entra ID verifies identity, Azure RBAC controls access, and Azure Policy enforces compliance. Together, they form a comprehensive, layered control plane that governs every interaction with Azure resources.
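The RBAC-then-Policy decision and scope inheritance described above, modelled as a small added example (not Microsoft's code or a real Azure API). Role action sets, the `allowed_locations` rule, the principal names and the `/mg/.../sub/.../rg/...` scope strings are constructed for illustration; a Contributor assigned at the subscription inherits rights over the resource group below it, yet a Deny policy assigned at the management group still blocks a deployment outside the permitted regions.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Simplified action sets for the built-in roles named in the text (the real
# Contributor excludes Microsoft.Authorization writes via NotActions; omitted here)
ROLE_ACTIONS = {"Reader": {"*/read"}, "Contributor": {"*"}, "Owner": {"*"}}

@dataclass(frozen=True)
class RoleAssignment:
    principal: str
    role: str
    scope: str

@dataclass(frozen=True)
class PolicyAssignment:
    name: str
    scope: str
    effect: str               # "deny" or "audit"
    allowed_locations: tuple  # the rule: the resource location must be one of these

def in_scope(assigned_at, target):
    """An assignment applies at its own scope and is inherited by every descendant."""
    return target == assigned_at or target.startswith(assigned_at + "/")

def rbac_allows(assignments, principal, action, scope):
    """RBAC: may this identity perform this action at this scope?"""
    return any(in_scope(a.scope, scope)
               and any(fnmatchcase(action, p) for p in ROLE_ACTIONS[a.role])
               for a in assignments if a.principal == principal)

def policy_violations(policies, scope, resource):
    """Azure Policy: which in-scope assignments does the resulting resource violate?"""
    return [p for p in policies
            if in_scope(p.scope, scope) and resource["location"] not in p.allowed_locations]

def authorize(assignments, policies, principal, action, scope, resource):
    """Order from the text: the token is already trusted; RBAC runs first, then Policy."""
    if not rbac_allows(assignments, principal, action, scope):
        return ("denied", "no RBAC permission for " + action)
    hits = policy_violations(policies, scope, resource)
    denies = [p.name for p in hits if p.effect == "deny"]
    if denies:
        return ("denied", "blocked by policy: " + ", ".join(denies))
    audits = [p.name for p in hits if p.effect == "audit"]
    return ("allowed", ("audit findings: " + ", ".join(audits)) if audits else "compliant")

# Constructed sample data; scope strings mimic the ARM hierarchy, not real resource IDs
ASSIGNMENTS = [RoleAssignment("alice", "Contributor", "/mg/contoso/sub/prod"),
               RoleAssignment("bob", "Reader", "/mg/contoso")]
POLICIES = [PolicyAssignment("allowed-locations", "/mg/contoso", "deny", ("westeurope", "northeurope"))]
```

Calling `authorize(ASSIGNMENTS, POLICIES, "alice", "Microsoft.Compute/virtualMachines/write", "/mg/contoso/sub/prod/rg/web", {"location": "eastus"})` returns a denial from policy even though RBAC permitted the write.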