# CHAPTER 3
Azure Identity and Access Management
Updated: May 15, 2026
1. Introduction
Security in the cloud does not start with firewalls; it starts with identity. If an attacker obtains an administrator's credentials, network controls are worthless, because the attacker can simply reconfigure or disable them. Microsoft Entra ID (formerly Azure Active Directory) and Azure Role-Based Access Control (RBAC) form the central nervous system of Azure security: together they decide *who* can do *what* on *which* resource. In this chapter we apply the Principle of Least Privilege and deploy secure access policies.
2. Learning Objectives
By the end of this chapter, you will be able to:
- Define Microsoft Entra ID (formerly Azure Active Directory).
- Differentiate between Authentication (Who are you?) and Authorization (What can you do?).
- Explain how Azure RBAC roles, scopes and inheritance work.
- Enforce the Principle of Least Privilege.
- Implement Multi-Factor Authentication (MFA).
3. Beginner-Friendly Explanation
Imagine a high-security corporate office.
- Entra ID (The Front Desk): The security guard at the front door. You show your ID badge. The guard verifies you actually work here (Authentication).
- RBAC (The Keycard System): Once inside, your badge is scanned at every door. Just because you are in the building doesn't mean you can open every door. If you are an accountant, your badge opens the Accounting office. It does *not* open the IT Server Room. The system checks your permissions (Authorization).
In Azure, you use Entra ID to log in, and RBAC to restrict what you can touch.
4. Microsoft Entra ID (Azure AD) vs. Windows Server AD
Do not confuse these two!
- Windows Server Active Directory: The on-premises directory running on domain controllers. It manages domain-joined computers, printers and local network logins using Kerberos, NTLM and LDAP.
- Microsoft Entra ID (Azure AD): A cloud-based identity provider. It handles sign-ins to web and mobile applications using OAuth 2.0, OpenID Connect and SAML, and it is the same identity system that secures Microsoft 365 (Office 365) and Microsoft Teams. It is not a cloud-hosted copy of Windows Server AD; the two are usually linked with Microsoft Entra Connect so that on-premises accounts can also sign in to cloud services.
5. Role-Based Access Control (RBAC)
When assigning permissions, you never grant individual permissions directly to a person. You assign the person a Role at a Scope (a management group, subscription, resource group or single resource). The three general-purpose built-in roles are:
- 1. Owner: Full control. Can create, delete, and grant access to others. (Extremely dangerous: an Owner can make anyone else an Owner.)
- 2. Contributor: Can create, change and delete resources (VMs, databases, storage accounts), but *cannot* grant access to other people. The Microsoft.Authorization write and delete actions are explicitly excluded from the role.
- 3. Reader: Can view resources and their configuration, but cannot change or delete anything.
*Specific Roles:* Azure has hundreds of narrower built-in roles, such as Virtual Machine Contributor (can manage VMs and their disks, but cannot manage the virtual network or storage account they attach to, and cannot assign access). Owner, Contributor and Reader are control-plane roles that govern the resources themselves; data-plane roles such as Storage Blob Data Contributor govern the data inside a resource (the blobs in a storage account) without granting any right to create or delete Azure resources.
6. The Principle of Least Privilege
The golden rule of cloud security: give a user the minimum permissions they need to do their job, at the narrowest scope that works, and nothing more. If a junior developer only needs to view logs to debug an app, give them the Reader role on that resource group. Do not give them Contributor on the subscription just because it is faster to assign. If their laptop is compromised, least privilege is what stops the attacker from destroying the production database.
7. Mini Project: Create Secure Azure Users and Roles
Let's practice granting restricted access.
Step-by-Step Tutorial:
- 1. In the Azure Portal, search for Microsoft Entra ID.
- 2. On the left menu, click Users, then click + New user > Create new user.
- 3. Create a username (e.g., intern@yourdomain.onmicrosoft.com) and display name ("Summer Intern"). Auto-generate a password and copy it. Click Create.
- 4. Now, search the top bar for Resource groups. Select an existing Resource Group (or create a dummy one).
- 5. On the left menu of the Resource Group, click Access control (IAM).
- 6. Click + Add > Add role assignment.
- 7. In the Role list, do NOT choose Owner. Select Reader. Click Next.
- 8. Under Members, click + Select members. Search for your "Summer Intern" user and select them.
- 9. Click Review + assign.
- 10. *The Result:* If you sign in with the intern's credentials, they can browse every resource in that resource group, but if they click Delete on a virtual machine, Azure rejects the request with an AuthorizationFailed error naming the missing action (Microsoft.Compute/virtualMachines/delete) and the scope it was attempted on. Security in action!
8. Real-World Scenarios
A company hired a freelance web developer to upload HTML files to a Storage Account. The IT admin took the easy route and gave the freelancer the Contributor role at the Subscription level, which is inherited by every resource group and resource in the subscription. The freelancer's account was then breached. Because the attacker now had Contributor access everywhere, they ignored the storage account entirely, spun up 50 large virtual machines and started mining Bitcoin, costing the company $20,000 in 48 hours. Had the admin followed least privilege and assigned the Storage Blob Data Contributor role scoped to the one Storage Account, the attacker could only have read and written blobs in that account: a data-plane role grants no right to create any Azure resource, so the mining spree would have been impossible.
9. Best Practices
- Multi-Factor Authentication (MFA): Passwords alone are no longer sufficient. Enforce MFA for every user, and above all for administrators. Prefer the Microsoft Authenticator app, a FIDO2 security key or a passkey over SMS codes, which can be intercepted through SIM swapping. Microsoft states that enabling MFA blocks 99.9% of automated account-compromise attacks.
10. Security Tips
- Conditional Access Policies: Enterprises use Entra ID Conditional Access to make sign-in decisions depend on who is signing in, to which application, and from where. A typical pair of rules: "If a user holding an administrator role signs in to the Azure portal, require MFA." and "If that administrator signs in from an IP address geolocated outside the United States (a named location), block the sign-in entirely." Always exclude a dedicated emergency-access (break-glass) account from block policies so a mistake cannot lock every admin out.
11. CLI Examples
To list every role assignment held by a specific user, at any scope in the current subscription, from the terminal (Azure CLI):
```bash
# Show all role assignments for one user; --all includes assignments below subscription scope
az role assignment list --assignee intern@yourdomain.onmicrosoft.com --all --output table
```
12. Exercises
- 1. Explain the difference between Authentication and Authorization. Which Azure service handles which?
- 2. Why is assigning the Owner role to a developer considered a violation of the Principle of Least Privilege?
13. FAQs
Q: Can a user have different roles in different places? A: Yes! Every role assignment is made at a "Scope": a management group, a subscription, a resource group or a single resource, and it is inherited by everything beneath that scope. A developer could be an Owner of their personal Sandbox Resource Group but only a Reader in the Production Resource Group. Note that assignments only add permissions; a Reader assignment on a resource group cannot take away what a Contributor assignment on the parent subscription already grants.
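To make the rules from sections 5 through 8 and the FAQ above concrete, here is an added example that is not Microsoft's code and not part of the original chapter: a small Python model of how Azure RBAC evaluates a request. It encodes abbreviated copies of the built-in Owner, Contributor, Reader and Storage Blob Data Contributor definitions, scope inheritance, and the split between control-plane Actions and data-plane DataActions, then runs the intern, freelancer and sandbox/production scenarios from this chapter. All subscription, resource group and resource IDs are constructed placeholders; deny assignments, group membership and ABAC conditions are left out.

```python
"""Model of how Azure RBAC decides whether a request is allowed.

Added example for this chapter, not Microsoft's code. Role definitions copy the
real built-in roles' Actions/NotActions/DataActions only as far as needed
(abbreviated); scopes below are constructed IDs in Azure resource-ID format.
Deny assignments, group membership and ABAC conditions are left out.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Role:
    actions: tuple = ()       # control-plane (Resource Manager) operations
    not_actions: tuple = ()   # carved out of THIS role's actions only
    data_actions: tuple = ()  # data-plane operations, e.g. reading a blob
    not_data_actions: tuple = ()


BLOBS = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/"
ROLES = {
    "Owner": Role(actions=("*",)),
    "Contributor": Role(actions=("*",), not_actions=(  # everything except managing access
        "Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action")),
    "Reader": Role(actions=("*/read",)),
    "Storage Blob Data Contributor": Role(
        actions=("Microsoft.Storage/storageAccounts/blobServices/containers/read",
                 "Microsoft.Storage/storageAccounts/blobServices/containers/write",
                 "Microsoft.Storage/storageAccounts/blobServices/containers/delete"),
        data_actions=(BLOBS + "read", BLOBS + "write", BLOBS + "delete")),
}


@dataclass(frozen=True)
class Assignment:
    principal: str
    role: str
    scope: str  # management group, subscription, resource group or resource ID


def _matches(patterns, operation):
    """Action strings compare case-insensitively; '*' also spans '/' segments."""
    return any(fnmatchcase(operation.lower(), p.lower()) for p in patterns)


def _in_scope(assignment_scope, resource_id):
    """An assignment covers its own scope and everything nested beneath it."""
    a, r = assignment_scope.lower().rstrip("/"), resource_id.lower()
    return r == a or r.startswith(a + "/")


def is_allowed(assignments, principal, operation, resource_id, data_plane=False):
    """True if any assignment at or above resource_id grants the operation.

    A role grants it when it matches Actions (DataActions on the data plane) and
    is not carved out by that same role's NotActions. Roles never subtract from
    each other: Reader on a resource group cannot remove what Contributor on the
    subscription grants.
    """
    for asg in assignments:
        if asg.principal != principal or not _in_scope(asg.scope, resource_id):
            continue
        role = ROLES[asg.role]
        grants, carve_outs = ((role.data_actions, role.not_data_actions) if data_plane
                              else (role.actions, role.not_actions))
        if _matches(grants, operation) and not _matches(carve_outs, operation):
            return True
    return False


# Constructed scopes; the subscription GUID is a placeholder.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG_PROD, RG_SANDBOX = SUB + "/resourceGroups/rg-prod", SUB + "/resourceGroups/rg-sandbox"
VM_PROD = RG_PROD + "/providers/Microsoft.Compute/virtualMachines/web01"
VM_SANDBOX = RG_SANDBOX + "/providers/Microsoft.Compute/virtualMachines/test01"
STORAGE = RG_PROD + "/providers/Microsoft.Storage/storageAccounts/webassets"
BLOB = STORAGE + "/blobServices/default/containers/web/blobs/index.html"

ASSIGNMENTS = [
    Assignment("intern", "Reader", RG_PROD),                                  # mini project
    Assignment("freelancer-bad", "Contributor", SUB),                         # breach scenario
    Assignment("freelancer-good", "Storage Blob Data Contributor", STORAGE),  # least privilege
    Assignment("dev", "Owner", RG_SANDBOX),                                   # FAQ: role per scope
    Assignment("dev", "Reader", RG_PROD),
]
VM_WRITE = "Microsoft.Compute/virtualMachines/write"
VM_DELETE = "Microsoft.Compute/virtualMachines/delete"


def demo(assignments=ASSIGNMENTS):
    """Evaluate the chapter's scenarios; returns {scenario: allowed}."""
    def chk(who, op, res, data=False):
        return is_allowed(assignments, who, op, res, data)
    return {
        "intern reads prod VM": chk("intern", "Microsoft.Compute/virtualMachines/read", VM_PROD),
        "intern deletes prod VM": chk("intern", VM_DELETE, VM_PROD),
        "Contributor@subscription creates VM in any RG": chk("freelancer-bad", VM_WRITE, VM_SANDBOX),
        "Contributor@subscription grants a role": chk(
            "freelancer-bad", "Microsoft.Authorization/roleAssignments/write", SUB),
        "Blob Data Contributor@account uploads blob": chk("freelancer-good", BLOBS + "write", BLOB, True),
        "Blob Data Contributor@account creates VM": chk("freelancer-good", VM_WRITE, VM_PROD),
        "dev deletes sandbox VM": chk("dev", VM_DELETE, VM_SANDBOX),
        "dev deletes prod VM": chk("dev", VM_DELETE, VM_PROD),
    }


if __name__ == "__main__":
    for scenario, allowed in demo().items():
        print("ALLOW" if allowed else "DENY ", scenario)
```

Running it shows the intern can read but not delete, the subscription-level Contributor can create VMs in any resource group yet cannot hand out roles, the storage-scoped data-plane role can upload blobs but cannot touch a VM, and the same developer is allowed to delete in the sandbox but not in production.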
14. Interview Questions
- Q: Define the Principle of Least Privilege. Provide a specific scenario demonstrating how violating this principle within Azure RBAC could lead to a catastrophic data breach.
- Q: Explain the architectural difference between Microsoft Entra ID (Azure AD) and traditional on-premises Windows Server Active Directory.