Entra Roles and RBAC
Permissions should be tied to roles, not individuals. Built-in roles, custom roles, Azure RBAC vs Entra roles, administrative units, and the principle of least privilege.
What is role-based access control (RBAC)?
Instead of giving each person a custom set of keys, you give them a role — and the role comes with specific keys.
Imagine a hotel. Instead of deciding which doors each individual staff member can open, you define roles: “Front Desk” can access reception and the key cabinet. “Housekeeping” can access guest rooms and the supply closet. “Manager” can access everything.
When a new housekeeper starts, you assign the “Housekeeping” role. They instantly get the right keys. When they leave, you remove the role. Done.
RBAC works the same way. You define roles with specific permissions. You assign roles to people. Permissions are never given directly to individuals.
Microsoft Entra built-in roles
Microsoft Entra ID comes with over 80 built-in roles. Here are the ones you need to know for the exam:
| Role | What It Can Do | Risk Level |
|---|---|---|
| Global Administrator | Full control over the entire Entra tenant — every setting, every user, every service | Highest — should have fewest members |
| User Administrator | Create and manage users and groups, reset passwords, manage licences | Medium |
| Security Administrator | Manage security policies, review security reports, manage Identity Protection | High |
| Security Reader | Read-only access to security features and reports | Low |
| Billing Administrator | Manage subscriptions and billing | Medium |
| Helpdesk Administrator | Reset passwords for non-admin users, manage service requests | Low-Medium |
| Exchange Administrator | Manage Exchange Online settings — mailboxes, transport rules, groups | Medium |
| SharePoint Administrator | Manage SharePoint Online sites, storage, sharing settings | Medium |
Key exam concept: Global Administrator is the most powerful role. Only 2-4 people should have it. The exam frequently tests whether you know that most tasks do NOT require Global Admin — a more specific role should be used instead.
Scenario: Raj cleans up admin sprawl at Lakewood
Raj runs a report and discovers 14 people have Global Administrator at Lakewood University. Some are IT staff who only manage mailboxes. Others are department heads who once needed to reset a password.
He works with management to reassign roles:
- The Exchange team gets Exchange Administrator — they can manage mail without touching security settings
- Helpdesk staff get Helpdesk Administrator — they can reset passwords but nothing else
- Department heads lose all admin roles — they submit requests to the helpdesk instead
Global Admin goes from 14 members to 3: the IT Director, Raj (as backup), and a break-glass emergency account.
“Fourteen global admins is fourteen ways an attacker can own our entire tenant,” Raj tells the team.
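The first step in Raj's clean-up is knowing who actually holds the role. The following Microsoft Graph PowerShell script is an added example (not part of the original page) that lists the current Global Administrator members and warns when the count exceeds the 2-4 target given above; it assumes the Microsoft.Graph module is installed and the signed-in account can read directory role membership.

```powershell
# Added example: audit Global Administrator membership in a Microsoft Entra tenant.
# Requires the Microsoft.Graph PowerShell module; the caller needs read access
# to directory roles (scopes requested below).
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

$maxGlobalAdmins = 4   # upper bound used on this page (2-4 people)

# Look up the activated Global Administrator directory role by display name.
$gaRole = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
if (-not $gaRole) { throw "Global Administrator role not found in this tenant." }

# Enumerate current (active) members. Caveat: this does NOT include PIM
# *eligible* assignments; review those separately in Privileged Identity Management.
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All

$report = foreach ($m in $members) {
    $p = $m.AdditionalProperties
    [pscustomobject]@{
        Type        = ($p['@odata.type'] -replace '#microsoft.graph.', '')  # user / servicePrincipal / group
        DisplayName = $p['displayName']
        Upn         = $p['userPrincipalName']
        Id          = $m.Id
    }
}

$report | Sort-Object Type, DisplayName | Format-Table -AutoSize

$count = @($report).Count
if ($count -gt $maxGlobalAdmins) {
    Write-Warning "$count Global Administrators found; target is $maxGlobalAdmins or fewer. Move mailbox admins to Exchange Administrator, password resetters to Helpdesk Administrator, and remove the rest."
} else {
    Write-Host "Global Administrator count ($count) is within the target of $maxGlobalAdmins."
}
```

Service principals and groups appearing in the report deserve the same scrutiny as users; an application with Global Administrator is an attacker's favourite foothold.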
Entra roles vs Azure RBAC roles
This distinction is critical for the exam. Microsoft has two separate role systems:
| Feature | Microsoft Entra Roles | Azure RBAC Roles |
|---|---|---|
| What they manage | Identity and access — users, groups, apps, policies in Microsoft Entra ID | Azure resources — VMs, storage accounts, databases, networks in Azure subscriptions |
| Scope | The Entra tenant (directory-level) | Azure subscription, resource group, or individual resource |
| Example roles | Global Admin, User Admin, Security Admin | Owner, Contributor, Reader, Virtual Machine Contributor |
| Where you assign them | Microsoft Entra admin centre | Azure portal (subscription/resource level) |
| Use case | Managing who can sign in, reset passwords, configure MFA | Managing who can create VMs, access storage, deploy apps |
Key exam concept: A Global Administrator in Entra ID does NOT automatically have access to Azure resources. These are separate permission systems. A Global Administrator can deliberately elevate their access to Azure resources when needed, but that elevation is an explicit action, not something granted automatically.
Custom roles
The built-in roles cover most scenarios, but sometimes you need a role that does not exist. Custom roles let you pick exactly which permissions to include.
| Feature | Details |
|---|---|
| What they are | Roles with hand-picked permissions — you choose exactly what the role can and cannot do |
| Licence requirement | Microsoft Entra ID P1 or P2 |
| When to use | When no built-in role matches your needs (e.g., a role that can manage groups but NOT reset passwords) |
| How to create | Select individual permissions from a permission list, give the role a name, assign it to users |
Scenario: Raj creates a custom role for student assistants
Raj has student assistants who help with group management at Lakewood — adding people to class groups, removing graduates, updating group descriptions. But they should not be able to reset passwords or manage licences.
The built-in roles are either too powerful (User Administrator can also reset passwords and manage licences) or too limited (no built-in role covers just this set of group tasks). So Raj creates a custom role:
- Name: Student Group Manager
- Permissions: Read groups, update group membership, update group properties
- Excluded: Reset passwords, manage licences, manage users
This follows the principle of least privilege — the assistants get exactly what they need, nothing more.
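The custom role described above, built with Microsoft Graph PowerShell as an added example (not the page's or Microsoft's own script). It assumes a Microsoft Entra ID P1 or P2 licence (required for custom roles), the `RoleManagement.ReadWrite.Directory` scope, and constructed placeholder UPNs for the student assistants; the `microsoft.directory/groups/...` action names are the standard Entra resource actions for reading and updating groups.

```powershell
# Added example: create the "Student Group Manager" custom role and assign it.
# Requires Entra ID P1/P2 and the Microsoft.Graph PowerShell module.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

# Only group read/update actions are granted. Password reset and licence
# management are separate microsoft.directory/users/... actions and are
# deliberately left out, so the role cannot do them.
$roleBody = @{
    displayName     = "Student Group Manager"
    description     = "Manage class group membership and properties only; no user or licence rights."
    isEnabled       = $true
    rolePermissions = @(
        @{
            allowedResourceActions = @(
                "microsoft.directory/groups/standard/read",   # read groups
                "microsoft.directory/groups/members/update",  # update group membership
                "microsoft.directory/groups/basic/update"     # update group properties (e.g. description)
            )
        }
    )
}
$roleDef = New-MgRoleManagementDirectoryRoleDefinition -BodyParameter $roleBody

# Assign the role to each student assistant. "/" is tenant scope; use
# "/administrativeUnits/<id>" instead if an assistant should only manage one faculty's groups.
$assistants = @("assistant1@lakewood.example", "assistant2@lakewood.example")  # constructed placeholders
foreach ($upn in $assistants) {
    $user = Get-MgUser -UserId $upn
    New-MgRoleManagementDirectoryRoleAssignment `
        -RoleDefinitionId $roleDef.Id `
        -PrincipalId $user.Id `
        -DirectoryScopeId "/" | Out-Null
    Write-Host "Assigned 'Student Group Manager' to $upn"
}

# Verify that the stored definition contains exactly the three group actions and nothing else.
(Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $roleDef.Id).RolePermissions.AllowedResourceActions
```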
Principle of least privilege
Least privilege means giving users the minimum permissions they need to do their job — and only for as long as they need them.
| Principle | What To Do | What NOT To Do |
|---|---|---|
| Minimum permissions | Give the Helpdesk role to someone who resets passwords | Give Global Admin to everyone “just in case” |
| Minimum time | Activate admin access for 4 hours when needed | Leave admin access permanently assigned |
| Minimum scope | Scope a role to one department using administrative units | Give tenant-wide access when they only manage one team |
Key exam concept: The exam will present scenarios where someone is given too much access. The correct answer almost always involves assigning a more specific role with narrower permissions.
Administrative units
Administrative units let you scope role assignments to a specific part of your organisation — instead of the entire tenant.
Simple analogy: A school principal manages their own school, not every school in the district. Administrative units create these boundaries in Entra ID.
| Without Administrative Units | With Administrative Units |
|---|---|
| A User Administrator can manage ALL 5,000 users at Lakewood | A User Administrator scoped to the “Engineering Faculty” AU can only manage those 200 users |
| Every helpdesk staff member has tenant-wide reset ability | Each helpdesk person is scoped to their department’s AU |
How Raj uses administrative units
Lakewood University has four faculties: Engineering, Arts, Science, and Business. Each faculty has its own IT support person.
Raj creates four administrative units — one per faculty. He adds the relevant users to each AU. Then he assigns the Helpdesk Administrator role to each faculty’s IT person, scoped to their AU.
The result: the Engineering IT person can reset passwords for Engineering staff but cannot touch anyone in Arts, Science, or Business.
“If the Engineering IT account gets compromised,” Raj explains, “the damage is contained to one faculty — not the entire university.”
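Raj's four-faculty setup, scripted with Microsoft Graph PowerShell as an added example (not from the original page). It assumes the `AdministrativeUnit.ReadWrite.All`, `RoleManagement.ReadWrite.Directory` and `User.Read.All` scopes, that each user's `department` attribute holds their faculty name (an assumption used to populate the AUs), and constructed placeholder UPNs for the faculty IT staff. It ends with a check a practitioner would want: any Helpdesk Administrator assignment still at tenant scope undoes the containment.

```powershell
# Added example: one administrative unit per faculty, with Helpdesk Administrator
# granted to each faculty's IT person scoped to that AU only.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "User.Read.All"

# Faculty -> IT support person (constructed placeholder UPNs)
$faculties = @{
    "Engineering" = "dan@lakewood.example"
    "Arts"        = "arts-it@lakewood.example"
    "Science"     = "sci-it@lakewood.example"
    "Business"    = "bus-it@lakewood.example"
}

# Resolve the built-in role by name rather than hard-coding its template ID.
$helpdeskRole = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Helpdesk Administrator'"

foreach ($faculty in $faculties.Keys) {
    # 1. Create the administrative unit for this faculty.
    $au = New-MgDirectoryAdministrativeUnit -DisplayName "$faculty Faculty" -Description "Scoping boundary for $faculty staff"

    # 2. Add the faculty's users. Assumption: the 'department' attribute is populated with the faculty name.
    $staff = Get-MgUser -Filter "department eq '$faculty'" -All
    foreach ($u in $staff) {
        New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
            -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($u.Id)" }
    }

    # 3. Assign Helpdesk Administrator to the faculty IT person, scoped to this AU (not "/").
    $itPerson = Get-MgUser -UserId $faculties[$faculty]
    New-MgRoleManagementDirectoryRoleAssignment `
        -RoleDefinitionId $helpdeskRole.Id `
        -PrincipalId $itPerson.Id `
        -DirectoryScopeId "/administrativeUnits/$($au.Id)" | Out-Null

    Write-Host "$($itPerson.UserPrincipalName): Helpdesk Administrator over $(@($staff).Count) users in '$faculty Faculty' only"
}

# Containment check: a Helpdesk Administrator assignment at tenant scope ("/") can reset
# passwords across every faculty, which is exactly what the AUs are meant to prevent.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($helpdeskRole.Id)'" |
    Where-Object DirectoryScopeId -eq "/" |
    ForEach-Object { Write-Warning "Tenant-wide Helpdesk Administrator assignment found: principal $($_.PrincipalId)" }
```

Users who change faculty must also be moved between AUs, so pair this with the same offboarding and transfer process used for group membership.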
Entra Roles and RBAC — SC-900 Module 6
Knowledge Check
Lakewood University has 14 Global Administrators. Raj wants to follow the principle of least privilege. What should he do FIRST?
An IT administrator needs to manage Azure virtual machines but should NOT be able to manage users in Microsoft Entra ID. Which role should they be assigned?
Raj scopes the Helpdesk Administrator role to the 'Engineering Faculty' administrative unit and assigns it to Dan. What can Dan do?