Intermediate, Lesson 6 of 9

Basic Identity (Azure AD / Entra ID Intro)

Learn the identity foundation in Azure: tenant, users, groups, and role-based access control basics for secure and manageable access.

What is it? (Simple Explanation)

Microsoft Entra ID (formerly Azure AD) is the identity system that controls who can sign in and what they can access.

Why do we need it?

Real-world Analogy

Entra ID is the building security desk: identity proves who you are; RBAC decides which rooms you can enter.

How it works (Technical)

A tenant is an identity boundary. Users and groups are created in the tenant. Azure RBAC assigns roles (Reader/Contributor/Owner) at a scope (subscription/resource group/resource). Authentication verifies identity; authorization verifies permissions.

Visual Representation

Identity and Access Flow

User -> Sign in -> Entra ID (Authentication) -> RBAC (Authorization by role and scope) -> Resource (Access granted/denied)

Commands / Syntax

Azure CLI (RBAC basics)
# List the role assignments a principal currently holds
az role assignment list --assignee user@contoso.com --output table

# Grant Reader at resource group scope; replace <subscription-id> with the id of your subscription
az role assignment create \
  --assignee user@contoso.com \
  --role Reader \
  --scope /subscriptions/<subscription-id>/resourceGroups/rg-app-dev

Example (Real-world Use Case)

A junior engineer gets Reader on production and Contributor on development resource groups, reducing risk while enabling daily work.

Hands-on

  1. Identify current tenant in Portal.
  2. Create a sample security group for a project team.
  3. Assign Reader role at resource group scope to that group.
  4. Validate access with a test account.
  5. Document least-privilege decisions.

Try It Yourself

Design an access model for three personas: intern, developer, and operations lead.

Debugging Scenario

Issue: User can sign in but cannot create resources. Reason: authenticated successfully but missing authorization role at required scope.
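The role-at-scope evaluation described under How it works, the Reader-on-production / Contributor-on-development use case, and the sign-in-but-cannot-create debugging scenario, as an added Python model (example code written for this lesson, not Azure's authorization engine or any Microsoft code; the subscription id, principal names, group name and action names are constructed samples):

```python
# Simplified model of Azure RBAC evaluation (not Azure's own engine): a role assignment
# at a scope covers that scope and everything beneath it. Ids and names are constructed.
from dataclasses import dataclass, field

# Built-in roles reduced to the action families the lesson mentions.
ROLE_ACTIONS = {
    "Reader": {"read"},
    "Contributor": {"read", "write", "delete"},
    "Owner": {"read", "write", "delete", "roleAssignments/write"},
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed sample id
RG_DEV = SUB + "/resourceGroups/rg-app-dev"
RG_PROD = SUB + "/resourceGroups/rg-app-prod"

@dataclass
class Tenant:
    """Identity boundary holding users, group memberships and role assignments."""
    users: set = field(default_factory=set)
    groups: dict = field(default_factory=dict)       # group name -> set of members
    assignments: list = field(default_factory=list)  # (principal, role, scope)

    def authenticate(self, user):
        # Authentication: is this identity known to the tenant at all?
        return user in self.users

    def principals_for(self, user):
        # A user acts as itself plus every group it belongs to.
        return {user} | {g for g, members in self.groups.items() if user in members}

    def authorize(self, user, action, scope):
        # Authorization: an assignment held by the user or one of its groups, made
        # at the target scope or an ancestor of it, must permit the action.
        if not self.authenticate(user):
            return False
        principals = self.principals_for(user)
        for principal, role, assigned_scope in self.assignments:
            covers = scope == assigned_scope or scope.startswith(assigned_scope + "/")
            if principal in principals and covers and action in ROLE_ACTIONS[role]:
                return True
        return False

def build_tenant():
    """Lesson's use case: one security group gets Reader on the production
    resource group and Contributor on the development one."""
    t = Tenant(users={"junior@contoso.com", "newhire@contoso.com"})
    t.groups["sg-app-team"] = {"junior@contoso.com"}   # newhire is in no group
    t.assignments.append(("sg-app-team", "Reader", RG_PROD))
    t.assignments.append(("sg-app-team", "Contributor", RG_DEV))
    return t
```

The new hire reproduces the debugging scenario: authentication succeeds, but with no role assignment at any covering scope every create is denied.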

Interview Questions

Beginner

What is Entra ID?

Microsoft’s identity and access management platform for cloud resources.

Difference between authentication and authorization?

Authentication confirms identity; authorization determines permissions.

What is RBAC?

Role-based access control that grants permissions by role at a scope.

Intermediate

Why assign roles to groups instead of users?

It simplifies operations and reduces permission drift over time.

Which role for read-only production access?

Reader role at production scope.

What is least privilege?

Grant only the minimum access needed to complete tasks.

Scenario-based

An engineer accidentally got Owner on a subscription.

Reduce to required role immediately and review privileged access process.

New user cannot view any resources.

Check tenant, group membership, and role assignment scope.

Need temporary elevated access.

Use a controlled, time-bound privileged access approach.

Real-world Usage

Identity and access control are the first security layer in every Azure environment, even at beginner scope.

Summary

Entra ID and RBAC define who can do what. Correct scopes and least privilege prevent many operational incidents.