
MICROSOFT ENTRA ID IS RESPONSIBLE FOR IDENTITY, GOVERNANCE, AND AUTHENTICATION
Identities
v Users
v Groups
v Service Principals
v Managed Identities
Identity Roles (Authorization for Identity)
v Global Administrator
v Privileged Role Administrator
v Security Administrator
v Conditional Access Administrator
Identity Policies
v Conditional Access
v Identity Protection
v Privileged Identity Management (PIM)
v Access Reviews
Purpose
v Control who can authenticate
v Control how authentication happens
v Control under what conditions access is allowed
After Authentication, an Authentication Token is issued.
Section 2 — Azure Resource Manager (Resource Control Plane)
Azure Resource Manager (ARM) governs resources inside Azure subscriptions.
ARM Hierarchy
v Management Groups
v Subscriptions
v Resource Groups
v Resources
Azure RBAC (Authorization for Resources)
Roles:
v Owner
v Contributor
v Reader
v User Access Administrator
Important Principle
RBAC roles are assigned to identities — never to Entra roles.
Scoped At
v Management Group
v Subscription
v Resource Group
v Resource
Purpose
v Control what actions are allowed
v Control where actions are allowed
Section 3 — Azure Policy (Resource Governance)
Azure Policy enforces compliance at the resource level.
Effects
v Deny
v Audit
v Append
v Modify
v DeployIfNotExists
Purpose
· Control what is allowed to exist
· Enforce configuration standards
· Maintain compliance
Critical Architectural Concept
Entra ID authenticates identities.
ARM authorizes actions on resources.
Azure Policy enforces governance and compliance.
This separation is fundamental to enterprise Azure security design.
0 comments