SC-900 | Chapter 7 of 103 | Objective 2.4

Entra ID Roles and RBAC

This chapter covers Entra ID Roles and Azure RBAC, two distinct but complementary authorization systems in Microsoft's identity and access management framework. For the SC-900 exam, approximately 15-20% of questions touch on identity roles, role-based access control, and the differences between Entra ID roles and Azure RBAC. Understanding these concepts is critical because the exam tests your ability to distinguish when to use each system and how they interact.

25 min read
Intermediate
Updated May 31, 2026

Entra ID Roles as Building Security

Imagine a large office building with multiple floors and departments. The building's security system has two distinct layers: a master key system and a badge access system. The master key system (like Entra ID built-in roles) defines who can unlock specific doors—such as the server room, HR filing cabinets, or the CEO's office. These keys are pre-cut by the building's security company and cannot be modified; you can only assign them to people. The badge access system (like RBAC for Azure resources) controls who can enter specific rooms or use certain elevators within a floor. Each badge is programmed with a set of permissions that an administrator can create from scratch, specifying exactly which doors open and at what times. The key distinction: the master key system controls access to the building's identity infrastructure (like managing users, resetting passwords, or assigning licenses), while the badge system controls access to resources within the building (like virtual machines, databases, or storage accounts). A person can have both a master key and a badge, and their combined access determines what they can do. In Entra ID, built-in roles (like Global Administrator) grant broad access to the directory itself, whereas Azure RBAC roles (like Contributor) grant access to Azure resources. They are separate but complementary: you might need both to fully administer a hybrid environment.

How It Actually Works

What are Entra ID Roles?

Entra ID roles (formerly Azure AD roles) are a set of built-in and custom roles that control permissions to manage the Entra ID directory itself. They are part of the identity plane, meaning they govern what administrators can do within the directory service—such as creating users, resetting passwords, managing groups, configuring conditional access policies, or assigning licenses. These roles do NOT grant access to Azure resources like virtual machines or storage accounts.

Built-in vs Custom Roles

Microsoft provides approximately 60 built-in roles in Entra ID. Each built-in role is a predefined collection of permissions that cannot be modified. For example, the Global Administrator role has the broadest set of permissions, including the ability to reset passwords for all users, manage all directory settings, and assign roles to others. The User Administrator role can create and manage users and groups but cannot delete a Global Administrator or manage enterprise applications. The Privileged Role Administrator can manage role assignments in Entra ID and Azure AD PIM.

Custom roles allow you to define your own set of permissions from a list of over 1,500 individual permissions. These permissions are granular—for example, you can create a role that can only read user sign-in logs but not modify users. Custom roles are useful when built-in roles are too broad or too narrow.

How Entra ID Roles Work Internally

When a user performs an action in the Entra ID portal, Microsoft Graph, or PowerShell, the system evaluates whether the user has a role assignment that includes the required permission. Role assignments are made at the directory level (tenant-wide) by default, but you can also assign roles to specific administrative units (AUs) to scope permissions. For example, you can assign the Helpdesk Administrator role scoped to only users in the 'US' administrative unit, so that helpdesk staff can only reset passwords for US-based users.

The role assignment process involves three components:

- Principal: The user or group receiving the role.
- Role definition: The set of permissions.
- Scope: Where the role applies (tenant, administrative unit, or application).

When a request is made, Entra ID checks if the principal has a role assignment that includes the required permission at the appropriate scope. If yes, access is granted; if no, access is denied.

What is Azure RBAC?

Azure RBAC (Role-Based Access Control) is an authorization system built on Azure Resource Manager that provides fine-grained access management for Azure resources. It controls who can perform actions on resources such as virtual machines, storage accounts, databases, and virtual networks. Azure RBAC does NOT control access to Entra ID directory settings.

Built-in Roles vs Custom Roles in Azure RBAC

Azure has over 70 built-in roles. The most common are:

- Owner: Full access to all resources, including the ability to delegate access to others.
- Contributor: Can create and manage resources but cannot grant access to others.
- Reader: Can view existing resources but cannot make changes.
- User Access Administrator: Can manage user access to Azure resources.

Custom roles allow you to define a set of actions (e.g., Microsoft.Compute/virtualMachines/start/action) that can be performed on a specific resource type. You can also define NotActions to exclude specific actions.

How Azure RBAC Works Internally

Azure RBAC is evaluated at the Azure Resource Manager level. Every request to create, read, update, or delete a resource goes through ARM, which checks the user's role assignments at the relevant scope. Scopes are hierarchical:

Management group

Subscription

Resource group

Resource

Permissions are inherited from higher scopes. For example, if a user is assigned Contributor at the subscription scope, they automatically have Contributor permissions on all resource groups and resources within that subscription.

When a user makes a request, ARM evaluates all role assignments that apply to the user (either directly or via group membership) at the effective scope. It then checks if any of those role assignments include the required action. If multiple role assignments apply, the union of permissions is granted (except Deny assignments, which take precedence).

Key Differences Between Entra ID Roles and Azure RBAC

| Aspect | Entra ID Roles | Azure RBAC |
|--------|----------------|------------|
| Controls access to | Entra ID directory (users, groups, apps, tenant settings) | Azure resources (VMs, storage, SQL, etc.) |
| Scope | Tenant, administrative unit, application | Management group, subscription, resource group, resource |
| Built-in roles | ~60 | ~70 |
| Custom roles | Yes, from a list of permissions | Yes, from a list of actions |
| Inheritance | Not inherited by default; scoping via AUs | Inherited from higher scopes |
| Primary API | Microsoft Graph | Azure Resource Manager |

Common Misconfiguration: Overlapping Roles

A common mistake is assigning a user a broad Entra ID role (like Global Administrator) in the belief that it also grants Azure resource access. It does not. Conversely, assigning a user Owner at the subscription scope does not give them any Entra ID permissions. To manage both, you need separate role assignments.

Privileged Identity Management (PIM)

PIM is a feature of Entra ID that provides time-based and approval-based role activation for both Entra ID roles and Azure RBAC roles. It reduces standing access by requiring users to activate their role for a limited time (e.g., 1 hour) before they can perform privileged actions. PIM also provides audit logs and alerts. For the exam, remember that PIM can manage both Entra ID roles and Azure RBAC roles, but it is an Entra ID feature.

Role Assignment Conditions in Azure RBAC

Azure RBAC supports conditions (via Azure Attribute-Based Access Control, ABAC) that further restrict permissions based on attributes of the resource or request. For example, you can allow a user to read blobs only if the blob index tag equals 'Project=Blue'. This is beyond SC-900 but good to know.

Verification Commands

To view role assignments for a user in Entra ID:

Get-AzureADUser -ObjectId user@domain.com | Get-AzureADUserMembership

Or using Microsoft Graph:

GET https://graph.microsoft.com/v1.0/users/{id}/memberOf

To view Azure RBAC role assignments:

Get-AzRoleAssignment -SignInName user@domain.com

Exam Tip: The 'Roles and administrators' blade

In the Azure portal, the 'Roles and administrators' blade under Entra ID shows only Entra ID roles. The 'Access control (IAM)' blade on a resource or subscription shows Azure RBAC roles. This is a common exam hint.

Walk-Through

1. Identify the Access Need

Determine whether the user needs to manage the Entra ID directory (e.g., reset passwords, manage groups) or manage Azure resources (e.g., start VMs, read storage). This determines which system to use: Entra ID roles for directory management, Azure RBAC for resource management. If both, separate assignments are needed.

2. Select Appropriate Role Type

Choose between built-in and custom roles. For Entra ID, built-in roles cover common scenarios; custom roles are for granular permissions. For Azure RBAC, built-in roles like Contributor or Reader are typical; custom roles are for specific actions not covered by built-in roles. Always start with the least-privilege built-in role that meets the need.

3. Define Scope

For Entra ID roles, scope can be tenant-wide, administrative unit, or application. For Azure RBAC, scope is a management group, subscription, resource group, or resource. Scoping limits the blast radius. For example, assign a User Administrator role scoped to an administrative unit containing only HR users.

4. Assign the Role

Use the Azure portal, PowerShell, CLI, or Microsoft Graph to assign the role to a user or group. For Entra ID roles, you can assign roles to groups (preferred for manageability). For Azure RBAC, assign the role at the chosen scope. The assignment is stored in the directory or ARM metadata.

5. Verify and Audit

After assignment, verify the role is effective by checking the role assignments blade or using PowerShell. Use Entra ID audit logs and Azure Activity Log to monitor role assignments and usage. For privileged roles, consider using PIM to require activation and generate alerts.

What This Looks Like on the Job

Enterprise Scenario 1: Managing a Multi-Tenant Environment

A large enterprise has multiple subsidiaries, each with its own Entra ID tenant. The central IT team needs to manage user accounts in each tenant. They cannot use a single set of Entra ID roles across tenants. Instead, they create guest user accounts in each tenant and assign them Global Administrator or User Administrator roles as needed. However, best practice is to use Microsoft 365 Lighthouse (for Managed Service Providers) or cross-tenant synchronization to manage role assignments centrally. Misconfiguration: if a guest user is assigned Global Administrator, they can modify the tenant's directory, which is a security risk. The solution is to use PIM with approval workflows for cross-tenant admin access.

Enterprise Scenario 2: Developer Access to Azure Resources

A development team needs to create and manage VMs in a sandbox subscription but should not be able to delete resource groups or modify network security groups. The team is assigned Contributor at the subscription scope, but this allows them to delete resource groups. To limit this, the administrator creates a custom Azure RBAC role that includes only the actions Microsoft.Compute/virtualMachines/* and Microsoft.Network/networkSecurityGroups/read, and assigns it at the subscription scope. This gives developers the ability to create VMs and read NSGs but not delete resource groups. Common pitfall: forgetting to assign the role at the correct scope (e.g., assigning at resource group level instead of subscription) can break access to create resources in other resource groups.
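The evaluation described under 'How Azure RBAC Works Internally' and the developer scenario above, as an added teaching model that is not Microsoft's code: scope inheritance is a prefix test on ARM resource IDs, a role permits Actions minus NotActions, all applicable assignments are unioned, and a Deny assignment wins. The principal names, the placeholder subscription id and the custom 'VM Developer' role are constructed, and Contributor's NotActions are abbreviated.

```python
"""Simplified model of how Azure Resource Manager (ARM) evaluates Azure RBAC.
Constructed teaching example, not Microsoft's implementation: scopes are ARM
resource IDs (so inheritance is a path-prefix test), actions use the trailing
'*' wildcard of role definitions, NotActions are subtracted from Actions, and
a Deny assignment wins over every role assignment."""
from dataclasses import dataclass
from fnmatch import fnmatchcase


def _matches(action: str, patterns) -> bool:
    # Action names are case-insensitive; '*' may span several path segments.
    act = action.lower()
    return any(fnmatchcase(act, p.lower()) for p in patterns)


def in_scope(assignment_scope: str, target_scope: str) -> bool:
    # Inherited downwards only: an assignment covers its own scope and every
    # child scope, while a resource-group assignment grants nothing above it.
    a, t = assignment_scope.rstrip("/").lower(), target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: tuple
    not_actions: tuple = ()

    def permits(self, action: str) -> bool:
        return _matches(action, self.actions) and not _matches(action, self.not_actions)


@dataclass(frozen=True)
class Assignment:  # role assignment = principal + role definition + scope
    principal: str
    role: RoleDefinition
    scope: str


@dataclass(frozen=True)
class DenyAssignment:  # explicit deny = principal + action patterns + scope
    principal: str
    actions: tuple
    scope: str


def is_authorized(principal, action, scope, assignments, denies=()) -> bool:
    """ARM-style decision: a matching Deny wins; otherwise the union of the
    principal's role assignments at the effective scope must permit the action."""
    for d in denies:
        if d.principal == principal and in_scope(d.scope, scope) and _matches(action, d.actions):
            return False
    return any(a.principal == principal and in_scope(a.scope, scope) and a.role.permits(action)
               for a in assignments)


# Built-in roles (Contributor's NotActions abbreviated) and the custom role from
# the developer scenario: all VM actions plus NSG read, nothing else.
CONTRIBUTOR = RoleDefinition("Contributor", ("*",),
                             ("Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"))
READER = RoleDefinition("Reader", ("*/read",))
VM_DEVELOPER = RoleDefinition("VM Developer (custom)", ("Microsoft.Compute/virtualMachines/*",
                                                         "Microsoft.Network/networkSecurityGroups/read"))

# Constructed scope hierarchy with a placeholder subscription id.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/sandbox-rg"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm01"
NSG = RG + "/providers/Microsoft.Network/networkSecurityGroups/nsg01"

ASSIGNMENTS = (Assignment("alice", VM_DEVELOPER, SUB), Assignment("bob", CONTRIBUTOR, SUB),
               Assignment("carol", READER, RG))
# A Deny on the resource group overrides bob's inherited Contributor rights for one action.
DENIES = (DenyAssignment("bob", ("Microsoft.Compute/virtualMachines/delete",), RG),)
```

Moving alice's assignment from SUB to RG reproduces the scope pitfall above: the same VM action in any other resource group is then denied.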

Enterprise Scenario 3: Helpdesk with Limited Scope

A helpdesk team supports only users in the North America region. The administrator creates an administrative unit called 'North America' and adds all US and Canada users to it. Then they assign the Helpdesk Administrator role to the helpdesk group, scoped to that administrative unit. Now helpdesk can reset passwords only for North American users. If the administrative unit is not created correctly or users are not added, helpdesk may inadvertently gain tenant-wide access (if scoped incorrectly) or have no access. Performance considerations: administrative units can hold up to 100,000 users; beyond that, consider splitting into multiple AUs.
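The scoped check from 'How Entra ID Roles Work Internally' and the helpdesk scenario above, as an added teaching model that is not Microsoft's code: an assignment is (principal, role definition, scope), a tenant scope covers every object, an AU scope covers only that AU's members, nothing is inherited, and a role can be held through a group. The user, group and AU ids are constructed and the permission sets are trimmed to what the example needs.

```python
"""Simplified model of an Entra ID role check with administrative-unit (AU) scoping.
Constructed teaching example, not Microsoft's implementation. A role assignment is
(principal, role definition, scope); scope is the whole tenant or one AU. Unlike
Azure RBAC nothing is inherited: an AU-scoped assignment covers only that AU's
members, and a role may be held through membership of a role-assignable group."""
from dataclasses import dataclass

TENANT = "/"  # tenant-wide scope


@dataclass(frozen=True)
class DirectoryRole:
    name: str
    permissions: frozenset  # directory permissions, e.g. 'microsoft.directory/users/create'


@dataclass(frozen=True)
class RoleAssignment:
    principal: str      # a user id or a role-assignable group id
    role: DirectoryRole
    scope: str          # TENANT or an AU id such as '/administrativeUnits/north-america'


class Directory:
    def __init__(self, groups, admin_units):
        self.groups = groups            # group id -> set of member user ids
        self.admin_units = admin_units  # AU id -> set of member user ids

    def principals_for(self, user):
        # The user acts with their own assignments plus those of every group they are in.
        return {user} | {g for g, members in self.groups.items() if user in members}

    def scope_covers(self, scope, target):
        # Tenant scope covers every object; an AU scope covers only the AU's members.
        return scope == TENANT or target in self.admin_units.get(scope, set())

    def is_allowed(self, actor, permission, target, assignments):
        # Grant if any assignment held by the actor carries the permission at a scope
        # that covers the target object.
        return any(a.principal in self.principals_for(actor)
                   and permission in a.role.permissions
                   and self.scope_covers(a.scope, target)
                   for a in assignments)


# Constructed roles; permission sets are trimmed to what this example needs.
HELPDESK_ADMIN = DirectoryRole("Helpdesk Administrator",
                               frozenset({"microsoft.directory/users/password/update"}))
USER_ADMIN = DirectoryRole("User Administrator",
                           frozenset({"microsoft.directory/users/password/update",
                                      "microsoft.directory/users/create",
                                      "microsoft.directory/users/delete"}))

NA_AU = "/administrativeUnits/north-america"
DIRECTORY = Directory(groups={"grp-helpdesk": {"hd1", "hd2"}},
                      admin_units={NA_AU: {"us-user", "ca-user"}})
ASSIGNMENTS = (
    RoleAssignment("grp-helpdesk", HELPDESK_ADMIN, NA_AU),  # helpdesk group, AU-scoped
    RoleAssignment("admin1", USER_ADMIN, TENANT),           # tenant-wide
)
```

Running the same check against an empty AU, or against the helpdesk assignment scoped to TENANT, reproduces the two failure modes named above: no access at all, or tenant-wide access.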

How SC-900 Actually Tests This

What SC-900 Tests on This Topic

The SC-900 exam objectives under 'Describe the capabilities of Microsoft Entra ID' include:

Describe the function of Azure AD roles (now Entra ID roles)

Describe the function of Azure RBAC

Differentiate between Azure AD roles and Azure RBAC

Questions typically present a scenario and ask which role system should be used, or which built-in role is appropriate. You will NOT be asked to create custom roles or remember specific permission names.

Common Wrong Answers and Why

1. Choosing 'Global Administrator' for an Azure resource management task. Candidates often think Global Admin is all-powerful. Reality: Global Admin only controls the directory; it does not grant access to Azure resources. The correct answer would be 'Owner' or 'Contributor' at the subscription scope.

2. Confusing 'User Administrator' with 'Helpdesk Administrator'. Both can reset passwords, but User Administrator can also create and delete users, while Helpdesk Administrator can only reset passwords and manage service requests. The exam may ask for a role that can reset passwords but not delete users. Helpdesk Administrator is the correct answer.

3. Thinking Azure RBAC roles are assigned at the tenant scope. Azure RBAC roles are assigned at management group, subscription, resource group, or resource scope—never at the tenant level. Entra ID roles are assigned at the tenant level (or AU).

4. Selecting 'Privileged Identity Management' as a role. PIM is a service for managing role activation, not a role itself. Questions may ask 'What can be used to grant time-limited access?' Answer: PIM.

Specific Numbers and Terms

There are about 60 built-in Entra ID roles and over 70 built-in Azure RBAC roles.

The most privileged Entra ID role is Global Administrator.

The most privileged Azure RBAC role is Owner.

Administrative units can contain up to 100,000 users.

PIM allows role activation for a maximum duration of 8 hours (default is 1 hour).

Edge Cases

Groups as role assignees: Both Entra ID roles and Azure RBAC allow assigning roles to groups. This simplifies management but requires careful group membership control.

Deny assignments: In Azure RBAC, a Deny assignment blocks access even if a role assignment grants it. Deny assignments are used in management group policies or by Azure Blueprints.

Classic subscription administrator roles: The classic Service Administrator and Co-Administrator roles are being deprecated. They are not the same as Azure RBAC roles. The exam may ask about them—remember they are legacy.

How to Eliminate Wrong Answers

If the scenario mentions managing users, groups, or tenant settings, the answer is an Entra ID role. If it mentions managing VMs, storage, or any Azure resource, the answer is an Azure RBAC role. Look for keywords like 'directory', 'tenant', 'user account' vs. 'virtual machine', 'subscription', 'resource group'.

Key Takeaways

Entra ID roles manage the directory; Azure RBAC manages Azure resources.

Global Administrator is the highest Entra ID role; Owner is the highest Azure RBAC role.

Azure RBAC scopes are hierarchical (management group > subscription > resource group > resource).

Entra ID roles can be scoped using administrative units.

Both systems support custom roles and group-based assignments.

PIM provides time-limited activation for both Entra ID roles and Azure RBAC roles.

There are approximately 60 built-in Entra ID roles and over 70 built-in Azure RBAC roles.

Classic subscription admin roles (Service Admin, Co-Admin) are legacy and not part of Azure RBAC.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Entra ID Roles

Controls access to the Entra ID directory (users, groups, apps, tenant settings).

Approximately 60 built-in roles; custom roles possible.

Scope: tenant-wide, administrative unit, or application.

Assigned via 'Roles and administrators' blade in Entra ID portal.

Permissions include actions like 'microsoft.directory/users/update'.

Azure RBAC

Controls access to Azure resources (VMs, storage, SQL, etc.).

Over 70 built-in roles; custom roles possible.

Scope: management group, subscription, resource group, resource.

Assigned via 'Access control (IAM)' blade on resources.

Actions are resource provider operations like 'Microsoft.Compute/virtualMachines/start/action'.

Watch Out for These

Mistake: Global Administrator can manage all Azure resources.

Correct: Global Administrator only grants permissions to manage the Entra ID directory, not Azure resources. To manage Azure resources, you need an Azure RBAC role like Owner or Contributor at the appropriate scope.

Mistake: Azure RBAC roles are assigned at the tenant level.

Correct: Azure RBAC roles are assigned at management group, subscription, resource group, or resource scope. There is no tenant-level scope for Azure RBAC. Entra ID roles are assigned at the tenant level (or administrative unit).

Mistake: Custom roles are only available in Entra ID.

Correct: Both Entra ID and Azure RBAC support custom roles. In Entra ID, you define custom roles from a list of directory permissions. In Azure RBAC, you define custom roles from a list of resource provider actions.

Mistake: PIM can only manage Entra ID roles.

Correct: PIM can manage both Entra ID roles and Azure RBAC roles. It provides time-limited activation, approval workflows, and auditing for both systems.

Mistake: Assigning a role to a group gives the role to all group members immediately.

Correct: Role assignment to a group does take effect immediately for both Entra ID and Azure RBAC. However, for Azure RBAC, group membership changes may take a few minutes to propagate due to replication.


Frequently Asked Questions

What is the difference between Entra ID roles and Azure RBAC?

Entra ID roles control permissions to manage the Entra ID directory itself, such as creating users, resetting passwords, and configuring tenant settings. Azure RBAC controls access to Azure resources like virtual machines, storage accounts, and databases. They are separate systems; a user needs both role assignments if they need to manage both directory and resources.

Can a Global Administrator access Azure resources?

No, Global Administrator only grants permissions to the Entra ID directory. To access Azure resources, the user needs an Azure RBAC role assignment (e.g., Owner, Contributor, Reader) at the appropriate scope. For example, a Global Administrator cannot start a VM unless they also have an Azure RBAC role on that VM's subscription or resource group.

What is an administrative unit in Entra ID?

An administrative unit is a container of resources (users, groups, devices) that you can use to scope Entra ID role assignments. For example, you can assign the Helpdesk Administrator role scoped to an administrative unit containing only users in a specific region, so helpdesk can only manage those users.

Does Privileged Identity Management (PIM) work for Azure RBAC roles?

Yes, PIM supports both Entra ID roles and Azure RBAC roles. You can configure PIM to require activation, approval, and Just-In-Time access for Azure RBAC roles, providing time-limited elevation of privileges.

What is the difference between Owner and Contributor in Azure RBAC?

Owner has full access to all resources and can delegate access to others. Contributor can create and manage resources but cannot grant access to others. Both can perform the same actions on resources, but only Owner can assign roles to other users.

How many built-in Entra ID roles are there?

There are approximately 60 built-in Entra ID roles. Microsoft occasionally adds new roles. Examples include Global Administrator, User Administrator, Password Administrator, and Security Reader.

Can I assign an Entra ID role to a group?

Yes, you can assign Entra ID roles to groups. This simplifies role management because you can add or remove users from the group instead of reassigning roles. However, the group must be a security group, and its membership must be managed carefully to avoid privilege escalation.

