What is Entra ID (Azure Active Directory) roles
Entra ID is the new name for Azure Active Directory (Azure AD), which provides identity and access management services for Azure resources and Microsoft services. Entra ID roles, previously known as Azure AD roles, help control access to various services and resources within an organization’s Azure environment.
These roles are part of Role-Based Access Control (RBAC) and allow administrators to assign specific permissions to users, groups, or applications to manage access to resources. Below are the commonly used Entra ID (Azure AD) roles and their descriptions:
Common Entra ID Roles:
| Role | Description | Common Usages |
|---|---|---|
| Global Administrator | Full access to all aspects of Entra ID (Azure AD) and Microsoft 365 services. Can manage all administrative features. | Used for organization-wide admins who manage users, groups, and resources across all services, including billing, policies, and access to sensitive data. |
| User Administrator | Manages users, groups, and related tasks like password resets and user creation. | Used to manage user accounts, assign licenses, reset passwords, and configure user groups. |
| Application Administrator | Manages application registrations and app-related permissions in Entra ID. | Used for managing the registration of enterprise applications, assigning permissions to apps, and configuring single sign-on (SSO). |
| Authentication Administrator | Manages authentication settings, including multi-factor authentication (MFA) and password policies. | Used for setting up MFA, enforcing authentication policies, and managing password reset configurations. |
| Billing Administrator | Manages subscriptions, purchases, and billing details for the organization. | Used for managing Azure billing, viewing invoices, and subscription management by the finance or accounts team. |
| Security Administrator | Manages security policies and configurations, including conditional access, identity protection, and monitoring. | Used for managing and monitoring security policies, enforcing conditional access, and handling identity protection protocols. |
| Privileged Role Administrator | Manages role assignments and can elevate roles for users and manage privileged access to resources. | Used for managing access to privileged roles, assigning roles to other users, and enabling just-in-time access to critical resources via Privileged Identity Management (PIM). |
| SharePoint Administrator | Manages SharePoint Online settings and permissions, including site collections and document sharing. | Used for managing and configuring SharePoint sites, document libraries, and access controls in a collaborative environment. |
| Exchange Administrator | Manages email settings and services for Exchange Online. | Used for configuring and managing email services, mail flow, and user mailboxes in Exchange Online. |
| Teams Administrator | Manages Microsoft Teams settings, including collaboration policies and messaging configurations. | Used for configuring Microsoft Teams features, policies, voice, and video settings for communication and collaboration within the organization. |
| Compliance Administrator | Manages data compliance, audit settings, and legal hold configurations across services. | Used for ensuring that the organization complies with regulatory requirements by managing data retention policies, eDiscovery, and audit logs. |
| Device Administrator | Manages registered devices in Entra ID, including enforcing policies and managing access. | Used for managing devices enrolled in the organization’s Azure AD, enforcing compliance policies, and configuring device settings. |
| Reports Reader | Read-only access to view logs, audit reports, and other monitoring data related to Azure AD activities. | Used by auditors and monitoring teams to access reports and logs for user sign-ins, security events, and Azure AD activity without making changes. |
| Intune Administrator | Manages devices, applications, and security policies in Microsoft Intune. | Used for configuring and managing mobile devices, apps, and security policies to ensure devices comply with organizational standards. |
Key Points:
- Global Administrator is the most powerful role, with access to all features across Azure AD and related services.
- User Administrator focuses on managing user accounts, while Application Administrator handles applications and app permissions.
- Security and Compliance Administrators manage security policies and data protection settings, ensuring organizational compliance with regulations.
- Privileged Role Administrator manages role assignments and access controls to protect sensitive resources.
What is Azure Subscriptions IAM Roles?
Azure Subscription IAM Roles are predefined or custom Role-Based Access Control (RBAC) roles in Azure that are assigned at the subscription level. A subscription in Azure is a logical container that holds Azure resources like virtual machines, storage, networks, and databases. IAM roles determine what actions users or groups can perform on resources within the subscription, helping to control access and permissions.
There are many built-in IAM roles available in Azure, but here are the most common roles used at the subscription level and their typical uses:
Common Azure Subscription IAM Roles:
| Role | Description | Common Usages |
|---|---|---|
| Owner | Full access to all resources within the subscription, including the ability to delegate access to others. | Used by administrators who need full control over all resources and can assign permissions to other users. |
| Contributor | Can create and manage all types of Azure resources but cannot grant access to others. | Used by developers and resource managers who need to deploy, configure, and manage resources without managing access permissions. |
| Reader | Read-only access to all resources within the subscription. | Used by auditors, compliance officers, and monitoring teams to view resources and configurations without making any changes. |
| User Access Administrator | Can manage access permissions for users, groups, and applications at the subscription or resource level. | Used by admins responsible for assigning and revoking RBAC roles, but without permission to manage the actual resources themselves. |
| Billing Reader | Read-only access to billing and subscription information. | Used by finance and accounting teams to view cost-related data, such as invoices and billing reports, without making changes to the resources. |
| Virtual Machine Contributor | Can create and manage virtual machines and related resources like disks and network interfaces. | Used by teams responsible for creating, managing, starting, stopping, and configuring VMs without needing full access to the entire subscription. |
| Storage Account Contributor | Can manage storage accounts and access data but cannot manage access permissions. | Used by those managing storage solutions such as blob storage, queues, file shares, and tables. |
| Network Contributor | Can manage network resources, including virtual networks, subnets, network interfaces, and security groups. | Used by networking teams responsible for configuring virtual networks, public IPs, network security groups, load balancers, and network routing. |
| SQL DB Contributor | Can manage SQL databases and servers within the subscription but cannot manage access to them. | Used by database administrators and developers who manage and configure Azure SQL Databases, including backups, scaling, and performance monitoring. |
| Security Reader | Provides read-only access to security-related settings and data, such as security policies and recommendations. | Used by security analysts to monitor security settings, view compliance reports, and track potential security risks across the subscription. |
Key Characteristics of Azure Subscription IAM Roles:
- Scope of Permissions: The permissions for these roles can be applied at the subscription level, resource group level, or specific resources within the subscription.
- Granular Control: By using RBAC roles, you can provide users with precise access to the resources they need while limiting permissions to other parts of the environment.
- Inheritance: Roles assigned at the subscription level automatically propagate down to all resources and resource groups within that subscription, providing a centralized way to manage access.
- Custom Roles: You can create custom roles to meet specific access needs, combining certain permissions from existing roles or defining new ones.
Common Scenarios for Subscription-Level Role Assignment:
- Owner is often assigned to the IT administrators who need full control over all resources.
- Contributor is assigned to developers, DevOps engineers, or resource managers who need to manage resources like VMs, storage, and databases without managing access.
- Reader is given to auditors, compliance officers, or external consultants who need read-only visibility into the environment.
- User Access Administrator is for the access control team responsible for managing RBAC assignments.
Difference between Entra ID (Azure Active Directory) roles and Azure Subscriptions IAM Roles
Here is a tabular comparison between Entra ID (Azure Active Directory) roles and Azure Subscription IAM roles, highlighting the key differences:
| Criteria | Entra ID (Azure Active Directory) Roles | Azure Subscription IAM Roles |
|---|---|---|
| Scope | Roles apply to identity and access management across Azure AD and Microsoft services. | Roles apply to managing resources within a specific Azure subscription. |
| Primary Purpose | Used to manage users, groups, applications, devices, and directory-related tasks. | Used to manage resources such as virtual machines, storage, networks, and databases in Azure. |
| Resource Focus | Identity management (e.g., user creation, app registrations, authentication policies). | Resource management (e.g., creating and managing Azure VMs, networks, storage). |
| Common Roles | – Global Administrator – User Administrator – Application Administrator – Security Administrator – Device Administrator | – Owner – Contributor – Reader – Virtual Machine Contributor – Storage Account Contributor |
| Access Control | Controls who has access to identity resources such as users, groups, and apps. | Controls who has access to Azure resources like VMs, databases, and networks. |
| Role Assignment Levels | Roles are assigned at the tenant level (i.e., across the entire Azure AD instance). | Roles can be assigned at the subscription, resource group, or resource level. |
| Example Use Cases | – Managing user identities and security groups. – Configuring single sign-on (SSO) for applications. – Enforcing security policies (e.g., MFA). | – Creating and managing VMs, networks, databases. – Assigning permissions for resource management and deployment. |
| Control Over Permissions | Manages access to Azure AD-related resources like users, apps, and security settings. | Manages access to Azure subscription-level resources like compute, storage, and networking services. |
| Typical Assignees | IT administrators handling user management, security teams enforcing policies. | DevOps, developers, infrastructure admins, and IT teams managing cloud resources. |
| Role Customization | Built-in roles are typically more focused on identity, with fewer options for resource-level permissions. | RBAC allows for highly granular role-based permissions on various Azure resources. |
| Visibility & Reporting | Provides logs and reports on user activities, sign-ins, and security policies. | Provides monitoring and metrics for Azure resource consumption, usage, and performance. |
| Examples of Tasks | – Resetting user passwords – Configuring multi-factor authentication (MFA) – Managing app registrations. | – Deploying VMs – Setting up virtual networks – Managing storage accounts. |
Key Differences:
- Scope: Entra ID roles manage identity resources like users and applications, while Azure Subscription IAM roles manage Azure resources like VMs, databases, and networks.
- Access Level: Entra ID roles apply across the entire tenant, while Subscription IAM roles can be scoped to a specific subscription, resource group, or resource.
- Purpose: Entra ID roles are focused on managing identity and security, while Subscription IAM roles are focused on managing the infrastructure and services within Azure.
Mentor for DevOps - DevSecOps - SRE - Cloud - Container & Micorservices at Software AG
Join my following certification courses...
- DevOps Certified Professionals (DCP)
- Site Reliability Engineering Certified Professionals (SRECP)
- Master in DevOps Engineering (MDE)
- DevSecOps Certified Professionals (DSOCP)
URL - https://www.devopsschool.com/certification/
My Linkedin - https://www.linkedin.com/in/rajeshkumarin
- DevOps Certified Professionals (DCP)
- Site Reliability Engineering Certified Professionals (SRECP)
- Master in DevOps Engineering (MDE)
- DevSecOps Certified Professionals (DSOCP)
URL - https://www.devopsschool.com/certification/
My Linkedin - https://www.linkedin.com/in/rajeshkumarin
Latest posts by Rajesh Kumar (see all)
- Best AI tools for Software Engineers - November 4, 2024
- Installing Jupyter: Get up and running on your computer - November 2, 2024
- An Introduction of SymOps by SymOps.com - October 30, 2024
