Azure Identity & Access Management
An overview of Azure IAM
Microsoft Entra ID
Part of a broader Microsoft Entra product family
Provides identity, authentication, access policies, and security controls for users, groups, devices, and applications
Microsoft Entra Roles
Microsoft Entra ID roles are used to manage directory (identity) resources within Entra ID, e.g. creating and managing users and groups, assigning administrative roles, resetting passwords, managing licenses, and managing domains
These roles can be assigned to Entra ID users, groups, service principals, and managed identities; for groups, only role-assignable groups (created with the isAssignableToRole property set) can receive an Entra role
Microsoft Entra ID roles do not grant access to Azure resources such as compute, databases, or storage. The one bridge between the two planes is that a Global Administrator can elevate their own access to User Access Administrator at the root scope (/), which covers every management group and subscription in the tenant; treat that elevation as a privileged action and alert on it
Azure Roles
Azure role-based access control (Azure RBAC) is used to authorize access to Azure resources
These roles can be assigned to Entra ID users, groups, service principals, and managed identities
Azure RBAC roles grant permissions to Azure resources such as virtual machines, databases, storage accounts, and other services. A role assignment binds a security principal to a role definition at a scope, and an assignment made at a parent scope is inherited by every child scope beneath it. Azure RBAC roles do not grant rights over Entra ID directory objects
Comparison of Microsoft Entra roles and Azure roles

Microsoft Entra roles | Azure roles
Manage access to Microsoft Entra resources | Manage access to Azure resources
Supports custom roles | Supports custom roles
Scope can be specified at the tenant level (organization-wide), administrative unit, or on an individual object (for example, a specific application) | Scope can be specified at multiple levels (management group, subscription, resource group, resource)
Role information can be accessed in the Azure portal, Microsoft Entra admin center, Microsoft 365 admin center, Microsoft Graph, Microsoft Graph PowerShell | Role information can be accessed in the Azure portal, Azure CLI, Azure PowerShell, Azure Resource Manager templates, REST API
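As an added example (not code from the original page), the Python below resolves the effective Azure RBAC roles a principal holds at a given scope by walking the scope hierarchy the comparison describes (resource, resource group, subscription, management group, tenant root), and keeps Entra directory roles in a separate lookup so the two planes do not mix. The role assignments, the Entra role assignments and the management-group hierarchy are constructed sample data shaped like `az role assignment list --all` output; the placeholder subscription ids and user names are not real, and in practice the parent-management-group lookup would come from the `az account management-group` commands or Azure Resource Graph rather than a hard-coded dictionary.

```python
"""Resolve effective Azure RBAC roles at a scope; keep Entra roles separate.

Azure RBAC assignments are inherited downward through the scope hierarchy
(management group -> subscription -> resource group -> resource), so the
effective roles at a resource are the union of assignments made at that
resource or at any of its ancestors.  Microsoft Entra directory roles are a
separate plane and never enter this walk.
"""
from __future__ import annotations

# Constructed sample data (placeholder ids, not a real tenant), shaped like
# `az role assignment list --all` output with only the fields used here.
SUB1 = "/subscriptions/00000000-0000-0000-0000-000000000001"
SUB2 = "/subscriptions/00000000-0000-0000-0000-000000000002"
MG_ROOT = "/providers/Microsoft.Management/managementGroups/mg-root"
STORAGE = SUB1 + "/resourceGroups/rg-app/providers/Microsoft.Storage/storageAccounts/stapp01"

AZURE_ROLE_ASSIGNMENTS = [
    {"principalName": "alice@contoso.example", "roleDefinitionName": "Reader", "scope": MG_ROOT},
    {"principalName": "alice@contoso.example", "roleDefinitionName": "Contributor", "scope": SUB1},
    {"principalName": "bob@contoso.example", "roleDefinitionName": "Storage Blob Data Reader", "scope": STORAGE},
    {"principalName": "bob@contoso.example", "roleDefinitionName": "Owner", "scope": SUB2},
]

# Constructed Entra directory role assignments (simplified shape of what
# Microsoft Graph PowerShell's Get-MgRoleManagementDirectoryRoleAssignment returns).
ENTRA_ROLE_ASSIGNMENTS = [
    {"principalName": "alice@contoso.example", "roleDefinitionName": "Global Administrator"},
]

# Constructed hierarchy: parent management group of each management group and
# subscription.  SUB2 is deliberately absent, so it inherits nothing from mg-root.
MANAGEMENT_GROUP_PARENT = {MG_ROOT: None}
SUBSCRIPTION_PARENT = {SUB1: MG_ROOT}


def _norm(scope: str) -> str:
    """Azure scopes compare case-insensitively and without a trailing slash."""
    return (scope.rstrip("/") or "/").casefold()


def _management_group_chain(mg_scope: str) -> list[str]:
    """Walk from a management group up to the tenant root scope "/"."""
    chain = []
    current = mg_scope
    while current is not None:
        chain.append(current)
        current = MANAGEMENT_GROUP_PARENT.get(current)
    chain.append("/")
    return chain


def ancestor_scopes(scope: str) -> list[str]:
    """Return the scope itself followed by every ancestor scope, nearest first."""
    scope = scope.rstrip("/") or "/"
    if scope == "/":
        return ["/"]
    parts = scope.split("/")  # ['', 'subscriptions', <id>, 'resourceGroups', <rg>, 'providers', <ns>, <type>, <name>, ...]
    if len(parts) > 4 and parts[1].lower() == "providers" and parts[3].lower() == "managementgroups":
        return _management_group_chain("/".join(parts[:5]))
    if parts[1].lower() != "subscriptions":
        raise ValueError(f"unrecognised scope: {scope}")
    sub_scope = "/".join(parts[:3])
    chain: list[str] = []
    if len(parts) > 4 and parts[3].lower() == "resourcegroups":
        # Every <type>/<name> pair after 'providers/<namespace>' is a resource level
        # (child resources sit under their parent resource).
        for i in range(9, len(parts) + 1, 2):
            chain.append("/".join(parts[:i]))
        chain.reverse()
        chain.append("/".join(parts[:5]))
    chain.append(sub_scope)
    parent_mg = SUBSCRIPTION_PARENT.get(sub_scope)
    chain.extend(_management_group_chain(parent_mg) if parent_mg else ["/"])
    return chain


def effective_azure_roles(principal: str, scope: str, assignments=AZURE_ROLE_ASSIGNMENTS) -> set[str]:
    """Azure RBAC roles the principal holds at `scope`, inherited ones included."""
    ancestors = {_norm(s) for s in ancestor_scopes(scope)}
    return {a["roleDefinitionName"] for a in assignments
            if a["principalName"].casefold() == principal.casefold()
            and _norm(a["scope"]) in ancestors}


def entra_roles(principal: str, assignments=ENTRA_ROLE_ASSIGNMENTS) -> set[str]:
    """Entra directory roles are tenant-wide and are not a source of Azure resource access."""
    return {a["roleDefinitionName"] for a in assignments
            if a["principalName"].casefold() == principal.casefold()}


if __name__ == "__main__":
    for who in ("alice@contoso.example", "bob@contoso.example"):
        print(who, "| Entra:", sorted(entra_roles(who)),
              "| Azure @ stapp01:", sorted(effective_azure_roles(who, STORAGE)),
              "| Azure @ SUB2:", sorted(effective_azure_roles(who, SUB2)))
```

Running it shows the two planes side by side: alice is Global Administrator in Entra yet holds nothing on SUB2, because that subscription sits outside the management group where her Reader assignment lives, while her Reader and Contributor assignments both reach the storage account through inheritance; bob's Owner on SUB2 likewise says nothing about his rights on stapp01, where only the assignment made directly on the resource applies.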
Additional Resources