Microsoft Entra ID vs Azure ARM – Identity and Resource Control Explained

MICROSOFT ENTRA ID IS RESPONSIBLE FOR IDENTITY, GOVERNANCE, AND AUTHENTICATION

Identities

v Users

v Groups

v Service Principals

v Managed Identities

Identity Roles (Authorization for Identity)

v Global Administrator

v Privileged Role Administrator

v Security Administrator

v Conditional Access Administrator

Identity Policies

v Conditional Access

v Identity Protection

v Privileged Identity Management (PIM)

v Access Reviews

Purpose

v Control who can authenticate

v Control how authentication happens

v Control under what conditions access is allowed

After Authentication, an Authentication Token is issued.

Section 2 — Azure Resource Manager (Resource Control Plane)

Azure Resource Manager (ARM) governs resources inside Azure subscriptions.

ARM Hierarchy

v Management Groups

v Subscriptions

v Resource Groups

v Resources

Azure RBAC (Authorization for Resources)

Roles:

v  Owner

v  Contributor

v  Reader

v  User Access Administrator

Important Principle

RBAC roles are assigned to identities — never to Entra roles.

Scoped At

v Management Group

v Subscription

v Resource Group

v Resource

Purpose

v Control what actions are allowed

v Control where actions are allowed

Section 3 — Azure Policy (Resource Governance)

Azure Policy enforces compliance at the resource level.

Effects

v Deny

v Audit

v Append

v Modify

v DeployIfNotExists

Purpose

·        Control what is allowed to exist

·        Enforce configuration standards

·        Maintain compliance

Critical Architectural Concept

Entra ID authenticates identities.
ARM authorizes actions on resources.
Azure Policy enforces governance and compliance.

This separation is fundamental to enterprise Azure security design.

0 comments

Leave a comment

Please note, comments need to be approved before they are published.