CoursesAzure securityEntra ID & RBAC

Entra ID, Conditional Access & PIM

Two identity planes, adaptive sign-in, just-in-time roles.

Advanced35 min · lesson 1 of 15

Azure security begins in Entra ID (formerly Azure AD), because identity is the real perimeter and Azure has two distinct identity planes that people constantly conflate. Getting them straight is the difference between a coherent access model and a pile of over-grants.

Two planes: directory roles vs Azure RBAC

Entra directory roles (Global Administrator, User Administrator, Application Administrator) govern the tenant itself — users, groups, app registrations, Conditional Access. Azure RBAC roles (Owner, Contributor, Reader) govern Azure resources — VMs, storage, Key Vaults. They are separate systems with separate assignments: a Global Administrator has no automatic power over resources, and an Azure Owner has no automatic power over the directory (though a Global Admin can elevate to gain it). Treat each plane’s privileged roles as crown jewels in their own right.

the two planes, side by side
# Directory (Entra) role — governs tenant objects:
# Global Administrator, Privileged Role Administrator, Application Administrator
# Azure RBAC role — governs resources at a scope:
az role assignment create \
--assignee [email protected] \
--role "Contributor" \
--scope /subscriptions/SUB/resourceGroups/payments-prod
# A Global Admin can toggle "access management for Azure resources" to gain
# User Access Administrator at the ROOT — a known elevation path to watch.

Conditional Access and just-in-time

Conditional Access is the policy engine that makes sign-in adaptive: require MFA, a compliant device, or a trusted location — or block risky sign-ins outright. Pair it with Privileged Identity Management so privileged roles are eligible rather than permanently active: admins elevate just-in-time, with approval and MFA, for a bounded window that is fully logged. Standing Global Administrator on a dozen accounts is exactly the exposure PIM removes.

Entra ID access controls
who + context
Conditional Access
MFA, device, location, risk gates
PIM
just-in-time role activation
two role planes
directory roles
tenant objects (Global Admin…)
Azure RBAC
resources (Owner/Contributor…)
Keep the planes distinct, gate sign-in with Conditional Access, and make privilege time-bound with PIM. Standing admin is the exposure to eliminate.
Global Administrator is the tenant crown jewel
A Global Administrator can control every identity, app, and policy — and elevate to reach all resources. Keep the count tiny, make them eligible (PIM) rather than permanent, enforce phishing-resistant MFA, and alert on every activation. A handful of standing Global Admins is the single biggest tenant risk.