A cloud-based identity and access management service for securing user authentication and resource access
Microsoft Entra ID roles and Azure RBAC roles serve different control planes and should be assigned based on what must be administered.
- Microsoft Entra roles control access to Microsoft Entra resources such as users, groups, applications, and other Microsoft services that rely on Entra administration.
- Azure RBAC roles control access to Azure resources such as subscriptions, resource groups, virtual machines, and storage through Azure Resource Manager.
A practical way to decide is:
- Use Microsoft Entra roles when the task is directory or tenant administration.
- Examples: managing users, groups, applications, or tenant-wide identity settings.
- Use Azure RBAC roles when the task is managing Azure resources.
- Examples: deploying resources, managing VMs, assigning access on subscriptions or resource groups.
- Use both only when the job truly spans both areas.
- Some administrators need identity administration and Azure resource administration, but these permissions are not automatically combined.
Important distinctions:
- Microsoft Entra roles and Azure RBAC are separate role-based access control systems.
- Microsoft Entra role permissions cannot be used in Azure custom roles, and Azure role permissions cannot be used in Microsoft Entra custom roles.
- By default, a Global Administrator does not have access to Azure resources.
- If a Global Administrator enables Access management for Azure resources in the Azure portal, that user is granted the User Access Administrator Azure role on all subscriptions in the tenant. This is intended for regaining or managing access, not as a default operating model.
For organizations deciding how to assign access:
- Separate identity administration from resource administration where possible.
- Use Entra roles for tenant-wide identity services.
- Use Azure RBAC for Azure subscriptions, resource groups, and resources.
- Assign at the narrowest scope possible.
- Azure RBAC supports scope at management group, subscription, resource group, and resource.
- Microsoft Entra roles can be scoped at tenant level, administrative unit, or individual object for some scenarios.
- Prefer built-in or narrowly defined custom roles over broad roles.
- Both systems support custom roles.
- Follow least privilege.
- Grant only the permissions required for the task.
- Avoid using highly privileged roles such as Global Administrator except for emergency scenarios.
- Use just-in-time elevation where available.
- Both Microsoft Entra roles and Azure RBAC roles integrate with Microsoft Entra Privileged Identity Management for controls such as approval workflow and MFA.
Recommended practice for mixed admin scenarios:
- An identity administrator who manages users and groups should receive an appropriate Microsoft Entra role, not broad Azure RBAC access unless Azure resource work is also required.
- An Azure platform or application administrator who deploys and manages infrastructure should receive the appropriate Azure RBAC role at the correct scope, not a tenant-wide Entra admin role unless identity tasks are also required.
- If one person must do both, assign the minimum required role in each system separately rather than relying on a broad tenant-wide role.
In short, the decision is based on what is being managed:
- Identity, directory, and Microsoft 365-related administration → Microsoft Entra roles
- Azure subscriptions and resources → Azure RBAC roles
References: