Learning Objectives
By the end of this chapter, you will be able to:
- Manage Microsoft Entra users and groups.
- Manage access to Azure resources.
- Manage Azure subscriptions and governance.
Executive Summary
- Microsoft Entra ID is the identity backbone of Azure; every action in Azure is performed by a security principal (user, group, service principal, or managed identity) that exists in a Microsoft Entra tenant.
- Azure RBAC controls what a security principal can do by combining three elements into a role assignment: a security principal, a role definition, and a scope. Permissions are additive and inherited downward through scopes.
- Governance in Azure is enforced through a hierarchy of management groups and subscriptions, with Azure Policy controlling resource configuration and resource locks preventing accidental deletion or modification.
- Entra ID directory roles (such as Global Administrator) and Azure RBAC roles (such as Owner) are separate systems that govern different planes; confusing them is one of the most common exam mistakes.
Assumptions
- All CLI examples use Azure CLI (
az) or Azure PowerShell (Azmodule). The deprecated AzureAD and MSOnline PowerShell modules are not covered; Microsoft Graph PowerShell is the supported replacement. - "Tenant" and "directory" are used interchangeably and refer to a single instance of Microsoft Entra ID.
- The term "Microsoft Entra ID" is the official name for what was previously called Azure Active Directory (Azure AD). Both terms refer to the same service; this material uses the official name.
- Region-specific regulatory requirements are not covered; governance concepts apply globally unless stated otherwise.
