# Azure Identity & Access Management

## Microsoft Entra ID

* Part of a broader Microsoft Entra product family
* Provides identity, authentication, access policies, and security controls for users, groups, devices, and applications

### Microsoft Entra Roles

* Microsoft Entra ID roles manage directory (identity) objects within Entra ID, e.g., creating and managing users and groups, assigning administrative roles, resetting passwords, managing licenses, and managing custom domains
* These roles can be assigned to Entra ID Users, Groups, Service Principals, and Managed Identities
* Microsoft Entra ID roles **do not** by themselves grant access to Azure resources such as compute, databases, or storage. The one bridge to watch for: a Global Administrator can turn on *Access management for Azure resources* (elevate access), which grants that account User Access Administrator at the root scope `/` of every subscription in the tenant and lets it assign any Azure role; that toggle and any resulting root-scope assignments deserve auditing

### Azure Roles

* Azure role-based access control (Azure RBAC) is used to authorize access to Azure resources
* These roles can be assigned to Entra ID Users, Groups, Service Principals, and Managed Identities
* Azure RBAC roles grant permissions to Azure resources such as virtual machines, databases, storage accounts, and other services. An assignment is a role plus a scope, and it inherits downward: a role assigned at a subscription applies to every resource group and resource inside it

| Microsoft Entra roles                                                                                                                                                                                                                         | Azure roles                                                                                                               |
| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------- |
| Manage access to Microsoft Entra resources                                                                                                                                                                                                    | Manage access to Azure resources                                                                                          |
| Supports custom roles                                                                                                                                                                                                                         | Supports custom roles                                                                                                     |
| [Scope](https://learn.microsoft.com/en-us/azure/active-directory/roles/custom-overview#scope) can be specified at the tenant level (organization-wide), administrative unit, or on an individual object (for example, a specific application) | Scope can be specified at multiple levels (management group, subscription, resource group, resource)                      |
| Role information can be accessed in the Azure portal, Microsoft Entra admin center, Microsoft 365 admin center, Microsoft Graph, Microsoft Graph PowerShell                                                                                   | Role information can be accessed in Azure portal, Azure CLI, Azure PowerShell, Azure Resource Manager templates, REST API |
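
The scope behaviour in the table, and the separation between the two role systems, is easier to see on concrete data. The following is an added example, not code from Microsoft or from this page: a small Python model of how an Azure RBAC assignment at a management group, subscription, resource group or resource scope applies to a resource beneath it, why an Entra ID role such as Global Administrator yields no Azure resource access on its own, and what changes when that Global Administrator elevates access. The principals, subscription ID, management-group tree and assignments are constructed sample data; `mg_of_subscription` and `mg_parent` stand in for the tenant's real management-group hierarchy.

```python
"""Scope model for Azure RBAC next to Entra ID directory roles (added example).

Not Microsoft's code: it mirrors how Azure RBAC inherits an assignment downward
through management group -> subscription -> resource group -> resource, and why
an Entra ID role alone yields no Azure resource access. Every principal, ID,
assignment and management-group relationship below is constructed sample data.
"""
from dataclasses import dataclass

ROOT_SCOPE = "/"   # tenant root scope; 'elevate access' lands here
MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"


@dataclass(frozen=True)
class AzureRoleAssignment:   # Azure RBAC: a role bound to a scope
    principal: str
    role: str
    scope: str


@dataclass(frozen=True)
class EntraRoleAssignment:   # Entra ID directory role (tenant-wide here)
    principal: str
    role: str


def scope_chain(resource_id: str, mg_of_subscription: dict, mg_parent: dict) -> list:
    """Every scope whose assignments apply to resource_id, nearest first.

    mg_of_subscription maps a subscription ID to its management group, mg_parent
    maps a management group to its parent (None at the root management group).
    Both are assumed inputs standing in for the real management-group tree.
    """
    segs = [s for s in resource_id.split("/") if s]
    lowered = [s.lower() for s in segs]
    if len(segs) < 2 or lowered[0] != "subscriptions":
        raise ValueError("expected a /subscriptions/... resource ID")
    sub_id = segs[1]
    chain = []
    if "providers" in lowered:                      # resource and its child resources
        p = lowered.index("providers")
        base = segs[:p + 2]                         # .../providers/<namespace>
        pairs = segs[p + 2:]                        # type/name pairs, children last
        for n in range(len(pairs), 0, -2):
            chain.append("/" + "/".join(base + pairs[:n]))
    if len(segs) >= 4 and lowered[2] == "resourcegroups":
        chain.append("/subscriptions/%s/resourceGroups/%s" % (sub_id, segs[3]))
    chain.append("/subscriptions/" + sub_id)
    mg = mg_of_subscription.get(sub_id)             # walk up the management groups
    while mg is not None:
        chain.append(MG_PREFIX + mg)
        mg = mg_parent.get(mg)
    chain.append(ROOT_SCOPE)
    return chain


def effective_azure_roles(principal, resource_id, azure_assignments,
                          mg_of_subscription, mg_parent) -> list:
    """Azure RBAC roles held on resource_id, directly or by inheritance."""
    scopes = {s.lower() for s in scope_chain(resource_id, mg_of_subscription, mg_parent)}
    return sorted({a.role for a in azure_assignments
                   if a.principal == principal and a.scope.lower() in scopes})


def has_entra_role(principal, role, entra_assignments) -> bool:
    return any(a.principal == principal and a.role == role for a in entra_assignments)


def elevate_access(principal, entra_assignments, azure_assignments) -> list:
    """Model of the Global Administrator 'elevate access' toggle: the account
    receives User Access Administrator at the root scope "/", which inherits to
    every Azure resource in the tenant. This is the only bridge from an Entra ID
    role to Azure resources, so its use is worth alerting on."""
    if not has_entra_role(principal, "Global Administrator", entra_assignments):
        raise PermissionError("only a Global Administrator can elevate access")
    return azure_assignments + [
        AzureRoleAssignment(principal, "User Access Administrator", ROOT_SCOPE)]


# Constructed sample tenant: mg-root -> mg-platform -> SUB_PROD -> rg-prod -> vm1
SUB_PROD = "11111111-1111-1111-1111-111111111111"
MG_PARENT = {"mg-root": None, "mg-platform": "mg-root"}
MG_OF_SUB = {SUB_PROD: "mg-platform"}
VM_ID = ("/subscriptions/%s/resourceGroups/rg-prod/providers/"
         "Microsoft.Compute/virtualMachines/vm1" % SUB_PROD)

AZURE_ASSIGNMENTS = [
    AzureRoleAssignment("alice@contoso.example", "Reader", MG_PREFIX + "mg-root"),
    AzureRoleAssignment("alice@contoso.example", "Contributor",
                        "/subscriptions/%s/resourceGroups/rg-prod" % SUB_PROD),
    AzureRoleAssignment("bob@contoso.example", "Reader",
                        "/subscriptions/%s/resourceGroups/rg-dev" % SUB_PROD),
]
ENTRA_ASSIGNMENTS = [EntraRoleAssignment("carol@contoso.example", "Global Administrator")]

if __name__ == "__main__":
    for who in ("alice@contoso.example", "bob@contoso.example", "carol@contoso.example"):
        print(who, effective_azure_roles(who, VM_ID, AZURE_ASSIGNMENTS, MG_OF_SUB, MG_PARENT))
    elevated = elevate_access("carol@contoso.example", ENTRA_ASSIGNMENTS, AZURE_ASSIGNMENTS)
    print("carol after elevate:",
          effective_azure_roles("carol@contoso.example", VM_ID, elevated, MG_OF_SUB, MG_PARENT))
```

Alice ends up with both Reader (inherited from the root management group two levels up) and Contributor (from the resource group); Bob's assignment on `rg-dev` never reaches a VM in `rg-prod`; Carol, despite being Global Administrator, holds no Azure role on the VM until she elevates access, after which User Access Administrator at `/` reaches every resource. Against a real tenant the same two questions are answered by `az role assignment list --all` (Azure RBAC, including inherited scopes) and the Microsoft Graph `roleManagement/directory/roleAssignments` endpoint (Entra roles).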

***

## Additional Resources

{% embed url="https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles#microsoft-entra-roles" %}
