Unit 3: Configure and Manage Microsoft Entra Roles

Overview of Microsoft Entra ID

Microsoft Entra ID (formerly Azure Active Directory) is Microsoft’s cloud-based identity and access management (IAM) service. It provides authentication and authorization for both cloud and on-premises resources.

Examples of what Entra ID does:

Allows Contoso employees to sign in to Microsoft 365, the Azure portal, or custom SaaS apps.
Enables access to internal web apps or corporate intranet resources.
Supports developers integrating Single Sign-On (SSO) into business applications.

Who Uses Microsoft Entra ID

User Type	How They Use Entra ID	Example Scenario
IT Administrators	Control access, enforce security (e.g., MFA), manage user lifecycle, and automate provisioning.	Contoso’s IT admin enforces MFA for HR staff accessing payroll data.
App Developers	Integrate SSO into apps, use Entra APIs, and leverage organizational data for personalization.	A developer adds Microsoft sign-in to a Contoso HR app using Entra ID.
Microsoft Cloud Subscribers	Automatically receive an Entra tenant with Microsoft 365, Azure, or Dynamics.	Buying Microsoft 365 creates an Entra tenant where all users are managed.

Understanding Microsoft Entra Roles

Roles define what administrative actions a user can perform within Microsoft Entra ID. When a user needs permission to manage a specific resource — such as resetting passwords, creating groups, or managing domains — you assign a Microsoft Entra role to them.

Roles ensure segregation of duties and principle of least privilege by giving users only the permissions required to perform their tasks.

Types of Roles in Azure Ecosystem

There are three major role systems to understand:

Type of Role	Used For	Manages
Classic subscription administrator roles	Legacy roles (Account Administrator, Service Administrator, Co-Administrator).	Azure subscriptions and billing.
Azure roles (RBAC)	Modern, resource-based roles in Azure Resource Manager.	Azure resources (VMs, storage, networks).
Microsoft Entra roles	IAM-related administrative permissions.	Users, groups, licenses, apps, and Entra configurations.

Common Microsoft Entra Roles

Role	Key Permissions	Notes
Global Administrator	Manage all administrative features in Entra ID and connected services (Microsoft 365, Intune, etc.). Can reset any password and assign roles.	The first user (tenant creator) becomes the Global Admin. Microsoft recommends limiting this role to a few accounts.
User Administrator	Create, edit, and delete users and groups. Manage passwords, monitor service health, and handle support tickets.	Commonly assigned to HR or support teams managing user onboarding.
Billing Administrator	Purchase and manage subscriptions, monitor service health, manage support tickets.	Useful for finance or procurement teams.

Example: Adele, a Helpdesk Lead at Contoso, is given the User Administrator role so she can reset passwords and manage group memberships, but not alter conditional access or security policies.

Differences Between Azure Roles and Microsoft Entra Roles

Aspect	Azure Roles	Microsoft Entra Roles
Purpose	Manage Azure resources (VMs, networks, storage).	Manage identity-related resources (users, groups, policies).
Scope Levels	Can be assigned at management group, subscription, resource group, or individual resource level.	Assigned at tenant level or within an Administrative Unit.
Custom Role Support	Yes.	Yes.
Where Configured	Azure portal, PowerShell, CLI, REST API.	Entra admin portal, Microsoft 365 admin center, Microsoft Graph, or PowerShell.
Overlap?	Limited. Global Admin can elevate to Azure User Access Administrator but not automatically.	Global Admin covers Entra + Microsoft 365 but not Azure by default.

Role Overlap and Elevation Example

A Global Administrator in Entra can elevate access in the Azure portal using the Access management for Azure resources switch. When activated, this grants them the User Access Administrator Azure role on all subscriptions linked to the tenant.

Example: A Contoso Global Admin loses access to an Azure subscription because permissions were misconfigured. They temporarily enable “Access management for Azure resources,” regain control, fix permissions, and disable elevation afterward.

Assigning Roles in Microsoft Entra ID

There are multiple methods for assigning roles depending on your environment and requirements.

1. Assign a Role to a User or Group

Navigate to: Microsoft Entra ID → Roles and administrators → [Role] → + Add assignment.
Select user/group → Assign.

2. Assign a Role from the User or Group Profile

Microsoft Entra ID → Users → [Select user] → Assigned roles → + Add assignment.

3. Assign Role at a Broader Scope (Azure RBAC)

Use Access control (IAM) in the Azure resource (subscription, group, etc.) to assign Azure roles.

4. Assign Using PowerShell or Microsoft Graph API

Ideal for automation in large environments.

5. Assign Using Privileged Identity Management (PIM)

For just-in-time (JIT) access where users are eligible for a role but must activate it temporarily.

Privileged Identity Management (PIM)

PIM is part of Microsoft Entra ID Premium P2 and provides temporary and auditable elevation of roles. It helps prevent over-permissioning by allowing administrators to become privileged only when needed.

Example: Adele Vance, a security analyst, is eligible for the Security Administrator role. When performing a review, she activates the role through PIM for 4 hours, completing her task with full permissions, then automatically reverts to her standard user state.

Creating and Assigning Custom Roles

When built-in roles don’t match specific business needs, custom roles can be created.

Steps to Create a Custom Role

Navigate to Microsoft Entra ID → Roles and administrators → + New custom role.
Basics Tab – Enter role name and description (e.g., App Credential Manager).
Permissions Tab – Add permissions.
Example:
microsoft.directory/applications/credentials/update
microsoft.directory/applications/basic/update
Review + Create – Confirm and create the custom role.

Scopes:

Directory-level (tenant-wide).
App registration resource-level (specific app).

Example: A Contoso developer support team needs to update only application credentials but not user accounts. IT creates a custom role “App Credential Manager” with permissions limited to app registration credential updates.

Best Practices for Role Management

Follow the Principle of Least Privilege (PoLP).

Always grant only the minimum permissions needed to perform a task.

Use Role Groups.

Assign roles to groups instead of individual users for easier management.

Monitor Role Assignments.

Regularly review assignments to prevent privilege creep.

Avoid Overusing Global Admin.

Restrict it to break-glass (emergency) accounts and major configuration tasks.

Use PIM for Elevated Roles.

Ensure that high-privilege roles are only active temporarily and with approval.

Example Summary Scenario

Scenario: Contoso’s IT department is designing its identity governance model.

Global Admin: Assigned to 2 senior IT managers only.
User Admin: Assigned to regional HR managers to manage their own users.
Billing Admin: Assigned to the finance controller.
Custom Role: Created for “App Credential Manager” for the DevOps team.

This configuration minimizes risk, maintains accountability, and follows best security practices.

SC‑300 Study Portal Dark

Unit 3: Configure and Manage Microsoft Entra Roles