Domain 2 of 4 · Chapter 3 of 4

Conditional Access and RBAC

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Microsoft Certified: Security, Compliance, and Identity Fundamentals premium course — no separate purchase.

14-day money-back guarantee — no questions asked.

Included in this chapter:

  • Conditional Access and RBAC: two gates on one path
  • Inside Conditional Access: signals, decision, controls
  • RBAC: Microsoft Entra roles vs Azure roles
  • Least privilege with built-in and custom roles
  • Exam-pattern recognition: the traps

Microsoft Entra roles vs Azure (resource) roles

DimensionMicrosoft Entra rolesAzure (resource) roles
Governs access toMicrosoft Entra directory resources: users, groups, applications, domainsAzure resources: virtual machines, storage, databases, resource groups, subscriptions
Scope levelsTenant-wide, an administrative unit, or a single directory objectManagement group, subscription, resource group, or individual resource
Example built-in rolesGlobal Administrator, User Administrator, Billing AdministratorOwner, Contributor, Reader, User Access Administrator
Custom rolesSupportedSupported (over 100 built-in roles ship already)
Default reach into the other systemNone by default; a Global Administrator can elevate to gain the Azure User Access Administrator role tenant-wideNone by default; an Azure role never grants directory permissions

Decision tree

Managing a directory object?users, groups, apps, domainsManaging an Azure resource?VM, storage, resource groupMust grant others access?assign roles to othersOnly need to view?Microsoft Entra rolee.g. Global AdministratorNeither system:out of scope hereOwner orUser Access AdministratorReader roleview onlyContributormanage resources, cannot assign rolesYesNoNoYesYesNoYesNoNo built-in role fits? Author a custom role, scoped narrowly for least privilege.

Cheat sheet

  • Conditional Access is an if-then engine that runs after the first factor
  • Conditional Access requires Microsoft Entra ID P1
  • Risk-based Conditional Access conditions require Identity Protection (P2)
  • A Conditional Access decision is block, grant with controls, or session controls
  • Grant controls attach requirements that must all be met to proceed
  • Sign-in frequency is a session control, not a grant control
  • Conditional Access targets sign-ins through signals called assignments
  • An RBAC assignment is a security principal, a role, and a scope
  • Microsoft Entra roles and Azure roles are two separate systems
  • Entra roles scope to the directory, Azure roles scope to the resource hierarchy
  • A Global Administrator has no Azure resource access by default
  • Elevating access gives a Global Administrator User Access Administrator at root scope
  • Owner can assign roles, Contributor cannot
  • Reader only views, User Access Administrator only manages access
  • Prefer built-in roles, author a custom role only when none fits
  • Least privilege is the narrowest role at the smallest scope
  • Pick the least-privilege Entra built-in directory role for the task
  • Named locations mark trusted IP ranges that Conditional Access can exclude

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. Microsoft Entra Conditional Access: Zero Trust Policy Engine
  2. Azure roles, Microsoft Entra roles, and classic subscription administrator roles
  3. Conditional Access: Manage Session Controls Effectively
  4. Configure Security Defaults for Microsoft Entra ID
  5. Elevate access to manage all Azure subscriptions and management groups
  6. Best practices for Microsoft Entra roles