Definition
Authorization (AuthZ) determines what an authenticated identity can access and what
actions they can perform.
Focus Areas
Assign entitlements securely and efficiently.
Apply and enforce consistent policies.
Simplify access control across systems.
Authorization Concepts
Entitlement Type
  Description: Grants access to resources (via groups, RBAC, ABAC, or PBAC).
  Example: Marketing group gets access to campaign data.
Access Policies
  Description: Define who can do what, on which resources.
  Example: "Only finance users can view payroll data."
Enforcement
  Description: Where access rules are applied (application layer, proxy, or external policy engine).
  Example: A SharePoint API checks user role before displaying files.
Common Authorization Models
Access Control Lists (ACLs)
  Description: Directly list allowed/denied entities per resource. Hard to scale.
  Example: File permissions listing users.
Role-Based Access Control (RBAC)
  Description: Access granted via roles rather than individuals.
  Example: "HR Manager" role grants edit rights to HR files.
Attribute-Based Access Control (ABAC)
  Description: Access based on attributes of user, resource, and environment.
  Example: Managers can access "Manager Only" files during work hours.
Policy-Based Access Control (PBAC)
  Description: Combines business roles and policies for dynamic access.
  Example: Policy allows project leads to approve expenses up to $5,000.
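The four models above, side by side, as an added example that is not part of the original notes: a small Python evaluator with one decision function per model, fed with constructed users, resources and policies that mirror the table's examples (the names, roles, the 09:00 to 17:00 work-hours window and the $5,000 limit are sample values chosen for this example). The `decide` wrapper shows the property an enforcement point must keep regardless of model: a missing attribute or a broken rule is a deny, never an allow.

```python
"""Added example: ACL, RBAC, ABAC and PBAC decisions on constructed sample data."""
from dataclasses import dataclass, field
from datetime import time


@dataclass
class User:
    name: str
    roles: frozenset = frozenset()
    attributes: dict = field(default_factory=dict)


@dataclass
class Resource:
    name: str
    attributes: dict = field(default_factory=dict)


# ACL: an explicit per-resource list of principals and their allowed actions.
# Every new resource or user means editing the list, which is why it scales poorly.
ACL = {"hr_files": {"alice": {"read", "edit"}, "bob": {"read"}}}


def acl_allows(user, resource, action):
    return action in ACL.get(resource.name, {}).get(user.name, set())


# RBAC: permissions hang off roles; users are assigned roles, not permissions.
ROLE_PERMISSIONS = {
    "HR Manager": {("hr_files", "read"), ("hr_files", "edit")},
    "Employee": {("hr_files", "read")},
}


def rbac_allows(user, resource, action):
    return any((resource.name, action) in ROLE_PERMISSIONS.get(r, set())
               for r in user.roles)


# ABAC: a rule over user attributes, resource attributes and the environment
# (here: the current time of day, passed in by the caller).
def abac_allows(user, resource, action, env):
    if resource.attributes.get("classification") == "manager-only":
        in_hours = time(9, 0) <= env["now"] < time(17, 0)
        return user.attributes.get("is_manager", False) and in_hours
    return True  # unclassified resources are readable by any authenticated user


# PBAC: a business role combined with a policy condition (an amount limit).
def pbac_allows(user, action, amount):
    if action == "approve_expense":
        return "Project Lead" in user.roles and amount <= 5000
    return False


def decide(check, *args, **kwargs):
    """Deny-by-default wrapper: any error in evaluating a rule is a deny."""
    try:
        return bool(check(*args, **kwargs))
    except Exception:
        return False


# Constructed sample principals, resources and environments.
ALICE = User("alice", roles=frozenset({"HR Manager", "Project Lead"}),
             attributes={"is_manager": True})
BOB = User("bob", roles=frozenset({"Employee"}), attributes={"is_manager": False})
HR_FILES = Resource("hr_files")
MANAGER_FILES = Resource("manager_files", attributes={"classification": "manager-only"})
WORK_HOURS = {"now": time(10, 30)}
AFTER_HOURS = {"now": time(22, 0)}


def demo():
    """Run one decision per model and return the outcomes by name."""
    return {
        "acl_bob_edit": decide(acl_allows, BOB, HR_FILES, "edit"),
        "rbac_alice_edit": decide(rbac_allows, ALICE, HR_FILES, "edit"),
        "rbac_bob_edit": decide(rbac_allows, BOB, HR_FILES, "edit"),
        "abac_alice_work": decide(abac_allows, ALICE, MANAGER_FILES, "read", WORK_HOURS),
        "abac_alice_night": decide(abac_allows, ALICE, MANAGER_FILES, "read", AFTER_HOURS),
        "abac_bob_work": decide(abac_allows, BOB, MANAGER_FILES, "read", WORK_HOURS),
        "pbac_alice_4000": decide(pbac_allows, ALICE, "approve_expense", 4000),
        "pbac_alice_6000": decide(pbac_allows, ALICE, "approve_expense", 6000),
        "abac_missing_env": decide(abac_allows, ALICE, MANAGER_FILES, "read", {}),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:18} {'ALLOW' if allowed else 'DENY'}")
```

The last entry (`abac_missing_env`) is the case worth noticing: the environment attribute the ABAC rule needs is absent, the rule raises, and the wrapper turns that into a deny rather than letting a half-evaluated rule leak an allow.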
Authentication Context (Preview)
An Entra ID feature that applies contextual access requirements for specific data or
actions.
Example:
All employees can view the lunch-menu site, but only users on managed devices can
access the “Secret BBQ Recipe” SharePoint site.
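The lunch-menu versus "Secret BBQ Recipe" scenario above, together with the Enforcement row of the concepts table, as an added example that is not Entra ID's or SharePoint's own code: a resource-side enforcement point in Python that maps each site to the authentication context it requires and checks the caller's token against it. The token shape, the `acrs` claim name and the context identifier `c1` (taken here to stand for "managed device required") are assumptions of this example, and the two tokens are constructed sample data.

```python
"""Added example: enforcement point for a resource protected by an
authentication context. Claim name and context id are assumptions."""
import json

# Resource-side policy (constructed): which authentication context each site
# requires. None means any authenticated user may view the site.
SITE_REQUIREMENTS = {
    "lunch-menu": None,
    "secret-bbq-recipe": "c1",  # c1 assumed to be bound to "managed device required"
}


def satisfied_contexts(token):
    """Return the set of authentication contexts the token already carries."""
    acrs = token.get("acrs", [])
    if isinstance(acrs, str):
        acrs = [acrs]
    return set(acrs)


def authorize(site, token):
    """Deny by default; allow only when the site's requirement is met.

    Returns (allowed, claims_challenge). When access is denied because a
    required context is missing, the challenge tells the client which
    context it must satisfy (for example by signing in from a managed
    device) before retrying; unknown sites are denied with no challenge.
    """
    if site not in SITE_REQUIREMENTS:
        return False, None
    required = SITE_REQUIREMENTS[site]
    if required is None or required in satisfied_contexts(token):
        return True, None
    challenge = json.dumps(
        {"access_token": {"acrs": {"essential": True, "value": required}}}
    )
    return False, challenge


# Constructed sample tokens: same user population, different device posture.
TOKEN_UNMANAGED = {"sub": "user-1", "aud": "sharepoint", "acrs": []}
TOKEN_MANAGED = {"sub": "user-2", "aud": "sharepoint", "acrs": ["c1"]}


if __name__ == "__main__":
    for site in ("lunch-menu", "secret-bbq-recipe"):
        for label, token in (("unmanaged", TOKEN_UNMANAGED), ("managed", TOKEN_MANAGED)):
            allowed, challenge = authorize(site, token)
            print(f"{site:18} {label:10} {'ALLOW' if allowed else 'DENY'}"
                  + (f"  challenge={challenge}" if challenge else ""))
```

The point of the split return value is that the enforcement point itself never grants access on the strength of the device check; it only reports which context is missing and lets the identity provider decide whether the caller can satisfy it.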