AZ-305 - Design Authentication and Authorization Solutions | JavaInUse

AZ-305 - Design Authentication and Authorization Solutions

1. Role-Based Access Control (RBAC) Overview

Azure Role-Based Access Control (RBAC) is the authorization system built on Azure Resource Manager that provides fine-grained access management for Azure resources. RBAC allows you to segregate duties within your team and grant only the amount of access that users need to perform their jobs.

How RBAC Works

The RBAC Model

Azure RBAC is built on three core elements: Security Principal (who - a user, group, service principal, or managed identity), Role Definition (what - a collection of permissions such as read, write, delete), and Scope (where - the level at which access applies: management group, subscription, resource group, or resource).

Role Assignment

A role assignment is the process of attaching a role definition to a security principal at a particular scope. This is how access is granted. To revoke access, you remove the role assignment. A user can have multiple role assignments, and Azure RBAC uses an additive model where effective permissions are the sum of all assigned roles.

RBAC Scope Hierarchy

Roles can be assigned at four levels of scope. Permissions granted at a parent scope are inherited by child scopes:

Scope Level | Example | Inheritance
Management Group | Root management group or custom group | Inherited by all subscriptions and resources below
Subscription | Azure subscription | Inherited by all resource groups and resources in the subscription
Resource Group | A resource group containing related resources | Inherited by all resources in the group
Resource | A specific Azure resource (e.g., a VM or storage account) | Applies only to that resource

Deny Assignments

Deny assignments block users from performing specific actions even if a role assignment grants them access. Deny assignments take precedence over role assignments. They are created by Azure Blueprints and Azure managed applications to protect system-managed resources. You cannot directly create deny assignments yourself.

2. Built-in vs Custom Roles

Azure provides over 120 built-in roles for common access scenarios. When built-in roles do not meet your specific needs, you can create custom roles.

Key Built-in Roles

Fundamental Roles

  • Owner - Full access to all resources and can delegate access to others.
  • Contributor - Can create and manage all resources but cannot grant access.
  • Reader - Can view existing resources but cannot make changes.
  • User Access Administrator - Can manage user access to Azure resources but not the resources themselves.

Role | Manage Resources | Grant Access | Scope
Owner | Yes | Yes | All levels
Contributor | Yes | No | All levels
Reader | No (view only) | No | All levels
User Access Administrator | No | Yes | All levels

Custom Roles

Creating Custom Roles

Custom roles are defined using a JSON role definition that specifies Actions (allowed operations), NotActions (excluded operations), DataActions (data plane operations), and NotDataActions (excluded data operations). Custom roles can be scoped to one or more subscriptions or management groups. They require Microsoft Entra ID P1 or P2 license for creation.

Control Plane vs Data Plane

Azure operations are divided into two categories. The control plane manages Azure resources (creating VMs, configuring networks). The data plane interacts with the data within resources (reading blob data, querying a database). RBAC roles can include both control plane Actions/NotActions and data plane DataActions/NotDataActions.
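The RBAC model from sections 1 and 2 (scope inheritance, the additive model, deny precedence, Actions/NotActions versus DataActions/NotDataActions, and the custom role JSON shape) as a runnable toy evaluator. This is an added example, not code from this page or from Microsoft: the management group, subscriptions, users, group, the custom "VM Operator" role and every assignment are constructed, and the Contributor and Storage Blob Data Reader definitions are abbreviated to the entries the example needs. Only the wildcard-matching and scope-chain rules are modelled; Azure's real engine has more inputs.

```python
"""Toy evaluator for the Azure RBAC model above (added illustration, not Azure's
engine; every role, principal, scope and assignment here is constructed)."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
import json


def matches(patterns, operation):
    """Operation names are case-insensitive and '*' is a wildcard, as in Azure."""
    return any(fnmatchcase(operation.lower(), p.lower()) for p in patterns)


@dataclass
class RoleDefinition:
    name: str
    actions: list = field(default_factory=list)        # control plane allow list
    not_actions: list = field(default_factory=list)    # subtracted from actions
    data_actions: list = field(default_factory=list)   # data plane allow list
    not_data_actions: list = field(default_factory=list)
    assignable_scopes: list = field(default_factory=list)
    is_custom: bool = False

    def permits(self, operation, data_plane=False):
        # NotActions only subtract from this role's own Actions; they are not a deny.
        allow = self.data_actions if data_plane else self.actions
        exclude = self.not_data_actions if data_plane else self.not_actions
        return matches(allow, operation) and not matches(exclude, operation)

    def to_json(self):
        """Custom role JSON in the shape 'az role definition create' accepts."""
        return json.dumps({"Name": self.name, "IsCustom": self.is_custom,
                           "Actions": self.actions, "NotActions": self.not_actions,
                           "DataActions": self.data_actions, "NotDataActions": self.not_data_actions,
                           "AssignableScopes": self.assignable_scopes}, indent=2)


# Constructed hierarchy: management group -> subscriptions -> resource groups -> resources
MG_ROOT = "/providers/Microsoft.Management/managementGroups/mg-root"
PARENT_MG = {"/subscriptions/sub-a": MG_ROOT, "/subscriptions/sub-b": MG_ROOT}


def scope_chain(scope):
    """The scope followed by each ancestor scope up to the management group root."""
    chain, parts = [scope], scope.split("/")
    for key in ("resourceGroups", "subscriptions"):
        if key in parts:
            ancestor = "/".join(parts[: parts.index(key) + 2])
            if ancestor not in chain:
                chain.append(ancestor)
    mg = PARENT_MG.get(chain[-1])
    while mg:
        chain.append(mg)
        mg = PARENT_MG.get(mg)
    return chain


ROLES = {r.name: r for r in [
    RoleDefinition("Reader", actions=["*/read"]),
    RoleDefinition("Contributor", actions=["*"], not_actions=[   # NotActions abbreviated
        "Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"]),
    RoleDefinition("Storage Blob Data Reader", data_actions=[   # abbreviated
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"]),
    RoleDefinition("VM Operator", is_custom=True,   # hypothetical custom role: no create/delete
                   actions=["Microsoft.Compute/virtualMachines/*"],
                   not_actions=["Microsoft.Compute/virtualMachines/delete",
                                "Microsoft.Compute/virtualMachines/write"],
                   assignable_scopes=["/subscriptions/sub-a", "/subscriptions/sub-b"]),
]}
GROUP_MEMBERS = {"grp-readers": {"alice", "carol"}}
ROLE_ASSIGNMENTS = [   # (security principal, role definition, scope)
    ("grp-readers", "Reader", MG_ROOT),   # inherited by every subscription below
    ("alice", "VM Operator", "/subscriptions/sub-a/resourceGroups/rg-prod"),
    ("bob", "Contributor", "/subscriptions/sub-a"),
    ("carol", "Storage Blob Data Reader", "/subscriptions/sub-b"),
]
DENY_ASSIGNMENTS = [   # (principals, actions, scope); system-created in Azure, plain data here
    ({"bob"}, ["*/delete"], "/subscriptions/sub-a/resourceGroups/rg-locked"),
]


def is_allowed(principal, operation, scope, data_plane=False):
    ids = {principal} | {g for g, m in GROUP_MEMBERS.items() if principal in m}
    chain = scope_chain(scope)
    # 1. A matching deny assignment wins over every role assignment.
    if any(who & ids and at in chain and matches(acts, operation)
           for who, acts, at in DENY_ASSIGNMENTS):
        return False
    # 2. Additive model: one matching assignment at the scope or any ancestor suffices.
    return any(who in ids and at in chain and ROLES[role].permits(operation, data_plane)
               for who, role, at in ROLE_ASSIGNMENTS)


VM_PROD = "/subscriptions/sub-a/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm1"
VM_LOCKED = "/subscriptions/sub-a/resourceGroups/rg-locked/providers/Microsoft.Compute/virtualMachines/vm2"
BLOB_READ = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"

if __name__ == "__main__":
    print(ROLES["VM Operator"].to_json())
    print(is_allowed("bob", "Microsoft.Compute/virtualMachines/delete", VM_LOCKED))   # False: deny wins
```

Two points the evaluator makes visible: NotActions on the custom role stop alice deleting a VM even though her Reader assignment at the management group still lets her read every VM in the tenant, and bob's Contributor assignment grants nothing on the data plane because Contributor has no DataActions, while the deny assignment on rg-locked blocks his delete regardless of Contributor.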

3. Identity Management in Azure

Identity management is the foundation of security in Azure. It encompasses how users, applications, and services authenticate and receive authorization to access resources.

Identity Types

Security Principals

  • User - A person with an identity in Microsoft Entra ID.
  • Group - A collection of users managed together.
  • Service Principal - An identity for applications and services to access Azure resources.
  • Managed Identity - An automatically managed identity in Entra ID that eliminates the need to store credentials in code.

Managed Identities

Feature | System-Assigned | User-Assigned
Lifecycle | Tied to the resource; deleted when the resource is deleted | Independent; can outlive any single resource
Sharing | Cannot be shared across resources | Can be assigned to multiple resources
Use Case | A single resource needs access to other services | Multiple resources need the same identity
Creation | Enabled on the resource directly | Created as a standalone Azure resource

When to Use Managed Identities

Use managed identities whenever an Azure resource needs to authenticate to another Azure service. They eliminate the need for managing credentials, rotate secrets automatically, and support Azure RBAC for fine-grained access control. Examples include a VM accessing Key Vault, an App Service connecting to Azure SQL, or an Azure Function reading from Storage.

4. Microsoft Entra ID

Microsoft Entra ID (formerly Azure Active Directory) is the cloud-based identity and access management service. It provides authentication, authorization, and identity governance for both Azure resources and external applications.

Entra ID Editions

Edition Comparison

  • Free - Basic identity management, SSO for SaaS apps, MFA.
  • P1 - Adds Conditional Access, dynamic groups, self-service group management, and on-premises write-back.
  • P2 - Adds Identity Protection, Privileged Identity Management (PIM), access reviews, and entitlement management.

Conditional Access

Conditional Access policies are if-then statements that enforce access controls based on signals such as user identity, location, device state, application, and risk level. Policies can require MFA, block access, require compliant devices, or restrict access to specific locations.
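The if-then model described above as a small policy engine. This is an added example, not Entra ID's implementation or code from this page: the signals, the four tenant policies, the "breakglass" exclusion, the named locations and the control names ("mfa", "compliant_device") are all constructed. It shows the combination rules a designer relies on: a block from any enabled policy wins, required controls from several matching policies accumulate, excluded users skip a policy entirely, and report-only policies are evaluated for logging but never enforced.

```python
"""Toy Conditional Access evaluator (added illustration, not Entra ID's engine):
each policy is an if-then rule over sign-in signals. All data here is constructed."""
from dataclasses import dataclass, field

RISK_LEVELS = ["none", "low", "medium", "high"]


@dataclass
class SignIn:                  # the signals a policy is evaluated against
    user: str
    groups: set
    app: str
    location: str              # a named location, e.g. "corp-hq" or "untrusted"
    device_compliant: bool
    sign_in_risk: str          # one of RISK_LEVELS


@dataclass
class Policy:
    name: str
    users: set = field(default_factory=lambda: {"*"})   # users or groups; "*" = all users
    exclude_users: set = field(default_factory=set)     # e.g. emergency-access accounts
    apps: set = field(default_factory=lambda: {"*"})
    locations: set = field(default_factory=set)         # empty = any location
    min_risk: str = "none"                              # applies at this risk or higher
    grant: str = "allow"                                # "allow" or "block"
    controls: set = field(default_factory=set)          # "mfa", "compliant_device"
    state: str = "enabled"                              # "enabled", "report-only", "disabled"

    def applies(self, s):
        """The 'if' part: every configured condition must match the sign-in."""
        if s.user in self.exclude_users:
            return False
        in_scope = "*" in self.users or s.user in self.users or bool(self.users & s.groups)
        return (in_scope and ("*" in self.apps or s.app in self.apps)
                and (not self.locations or s.location in self.locations)
                and RISK_LEVELS.index(s.sign_in_risk) >= RISK_LEVELS.index(self.min_risk))


def evaluate(policies, s):
    """The 'then' part across all policies: (decision, required controls, matched names)."""
    enforced = [p for p in policies if p.state == "enabled" and p.applies(s)]
    matched = {"enforced": [p.name for p in enforced],
               "report_only": [p.name for p in policies if p.state == "report-only" and p.applies(s)]}
    if any(p.grant == "block" for p in enforced):       # a block from any policy wins
        return "block", set(), matched
    return "grant", set().union(*(p.controls for p in enforced)), matched


def outcome(policies, s, mfa_completed):
    """Final result once the user has (or has not) satisfied the required controls."""
    decision, controls, _ = evaluate(policies, s)
    if decision == "block":
        return "blocked"
    unmet = {c for c in controls if (c == "mfa" and not mfa_completed)
             or (c == "compliant_device" and not s.device_compliant)}
    return "allowed" if not unmet else "denied: " + ", ".join(sorted(unmet))


POLICIES = [   # constructed tenant baseline
    Policy("Require MFA for all users", exclude_users={"breakglass"}, controls={"mfa"}),
    Policy("Block Azure management from untrusted locations", exclude_users={"breakglass"},
           apps={"Azure Management"}, locations={"untrusted"}, grant="block"),
    Policy("Block high-risk sign-ins", min_risk="high", grant="block"),
    Policy("Require compliant device for Office 365", apps={"Office 365"},
           controls={"compliant_device"}, state="report-only"),
]

if __name__ == "__main__":
    for s in [SignIn("alice", set(), "Azure Management", "corp-hq", True, "none"),
              SignIn("alice", set(), "Azure Management", "untrusted", True, "none"),
              SignIn("dave", set(), "Office 365", "corp-hq", False, "low")]:
        print(s.user, s.app, s.location, evaluate(POLICIES, s))
```

The report-only policy is the one to watch when rolling out a new control: dave's non-compliant device shows up in the matched "report_only" list while his sign-in still succeeds after MFA, which is exactly the telemetry you want before switching the policy to enabled.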

External Identities

Microsoft Entra External ID enables secure collaboration with external users. B2B collaboration allows partner users to sign in with their own identities. B2B direct connect enables shared channels in Teams. External ID for customers (CIAM) provides identity experiences for consumer-facing applications.

5. Privileged Identity Management (PIM)

PIM is a service in Microsoft Entra ID that enables you to manage, control, and monitor access to important resources. It supports just-in-time privileged access, time-bound access, and approval-based role activation.

PIM Key Features

Just-In-Time Access

PIM provides just-in-time privileged access to Azure resources and Microsoft Entra ID. Users are assigned eligible roles rather than permanent active roles. When they need elevated access, they activate the role for a limited time period (e.g., 1-8 hours). This minimizes the window of exposure for privileged access.

Approval Workflow

PIM can require approval before a role is activated. Designated approvers receive a notification and can approve or deny the request. You can also require justification and MFA for role activation. All activation and approval activities are audited for compliance.

PIM vs Permanent Assignments

Aspect | Permanent Assignment | PIM Eligible Assignment
Access Duration | Always active | Activated on demand for a limited time
Security Risk | Higher (constant exposure) | Lower (minimized exposure window)
Audit Trail | Limited visibility | Full audit of activation, justification, approval
Approval Required | No | Configurable (can require approval and MFA)
License Required | No | Microsoft Entra ID P2
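The just-in-time, approval and audit behaviour from the three PIM subsections above as a runnable toy lifecycle. This is an added example, not the Entra ID PIM service or code from this page: the role settings (an 8-hour maximum, required justification and MFA, a "sec-officer" approver), the users and the timestamps are constructed. It shows an eligible role that is not usable until activated, a request that stays pending until a designated approver other than the requester approves it, activation that expires on its own, and an audit list recording every step.

```python
"""Toy PIM activation lifecycle (added illustration, not the Entra ID PIM service):
eligible assignments are activated on request under per-role settings, expire
automatically, and every step is audited. Names and settings are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class ActivationSettings:        # per-role activation policy
    max_duration: timedelta
    require_justification: bool = True
    require_mfa: bool = True
    approvers: set = field(default_factory=set)   # empty = no approval required


@dataclass
class Activation:
    request_id: int
    principal: str
    role: str
    duration: timedelta
    justification: str
    status: str = "pending"      # pending -> active | denied; "rejected" if a check fails
    start: datetime = None
    end: datetime = None


class Pim:
    def __init__(self, settings):
        self.settings = settings     # role -> ActivationSettings
        self.eligible = set()        # (principal, role) eligible assignments
        self.activations = []
        self.audit = []

    def _log(self, now, event, **data):
        self.audit.append({"time": now.isoformat(), "event": event, **data})

    def request(self, principal, role, duration, justification, mfa_passed, now):
        s = self.settings[role]
        act = Activation(len(self.activations) + 1, principal, role, duration, justification)
        self.activations.append(act)
        reason = ("not eligible" if (principal, role) not in self.eligible
                  else f"exceeds maximum duration {s.max_duration}" if duration > s.max_duration
                  else "justification required" if s.require_justification and not justification.strip()
                  else "MFA required" if s.require_mfa and not mfa_passed else None)
        if reason:
            act.status = "rejected"
            self._log(now, "rejected", id=act.request_id, principal=principal, role=role, reason=reason)
        elif s.approvers:
            self._log(now, "pending_approval", id=act.request_id, principal=principal, role=role)
        else:
            self._activate(act, now)
        return act

    def _activate(self, act, now):
        act.status, act.start, act.end = "active", now, now + act.duration
        self._log(now, "activated", id=act.request_id, principal=act.principal,
                  role=act.role, until=act.end.isoformat())

    def decide(self, request_id, approver, approve, now):
        act = self.activations[request_id - 1]
        # Only a designated approver other than the requester may decide a pending request.
        if (act.status != "pending" or approver == act.principal
                or approver not in self.settings[act.role].approvers):
            self._log(now, "decision_refused", id=request_id, approver=approver)
            return act.status
        self._log(now, "approved" if approve else "denied", id=request_id, approver=approver)
        if approve:
            self._activate(act, now)
        else:
            act.status = "denied"
        return act.status

    def is_active(self, principal, role, now):
        """Time-bound access: an activation grants the role only until its end time."""
        return any(a.principal == principal and a.role == role and a.status == "active"
                   and a.start <= now < a.end for a in self.activations)


def scenario():
    """Constructed walk-through: an eligible Global Administrator activated for 4 hours."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    pim = Pim({"Global Administrator": ActivationSettings(timedelta(hours=8), approvers={"sec-officer"}),
               "Reader": ActivationSettings(timedelta(hours=8), require_justification=False, require_mfa=False)})
    pim.eligible |= {("alice", "Global Administrator"), ("carol", "Reader")}
    req = pim.request("alice", "Global Administrator", timedelta(hours=4), "Change CHG-1234", True, t0)
    pim.decide(req.request_id, "alice", True, t0)                                # refused: self-approval
    pim.decide(req.request_id, "sec-officer", True, t0 + timedelta(minutes=5))   # active until 13:05 UTC
    return pim, req, t0


if __name__ == "__main__":
    pim, req, t0 = scenario()
    for entry in pim.audit:
        print(entry)
```

The audit list is the part worth comparing with the table above: a permanent assignment produces no equivalent record of who asked for the privilege, why, who approved it and when it lapsed.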

Access Reviews

Access reviews allow organizations to efficiently manage group memberships, access to enterprise applications, and role assignments. Regular reviews ensure that only the right people have continued access. Reviews can be configured for Entra ID roles, Azure resource roles, group memberships, and application access. Reviewers can be the users themselves, group owners, or designated reviewers.

Key Terms

Term | Definition
RBAC | Role-Based Access Control - authorization system providing fine-grained access management for Azure resources.
Security Principal | An identity (user, group, service principal, or managed identity) that can be assigned roles.
Role Definition | A collection of permissions (Actions, NotActions, DataActions, NotDataActions) that define what operations are allowed.
Managed Identity | An automatically managed identity in Entra ID that eliminates credential management for Azure resources.
Microsoft Entra ID | Cloud-based identity and access management service (formerly Azure Active Directory).
Conditional Access | Policy engine that enforces access controls based on signals like user, location, device, and risk.
PIM | Privileged Identity Management - provides just-in-time, time-bound, and approval-based privileged access.
Deny Assignment | Blocks specific actions on resources even if a role assignment grants access; takes precedence over allow.

Exam Tips

  • Understand scope inheritance: Permissions assigned at a parent scope (management group) are inherited by all child scopes (subscriptions, resource groups, resources).
  • Know the four fundamental roles: Owner (full access + delegate), Contributor (full access, no delegation), Reader (view only), User Access Administrator (manage access only).
  • PIM requires Entra ID P2: Questions about just-in-time access, eligible role assignments, and approval workflows always point to PIM, which requires a P2 license.
  • Managed identities over service principals: When an Azure resource needs to authenticate to another service, prefer managed identities to avoid credential management.
  • System-assigned vs user-assigned: System-assigned is tied to one resource lifecycle. User-assigned is independent and can be shared across multiple resources.
  • Deny assignments override allow: Deny assignments created by Blueprints and managed apps take precedence over role assignments. You cannot create them directly.

Practice Questions

Question 1

A developer needs to create and manage Azure resources in a resource group but should not be able to grant access to other users. Which built-in role should you assign?

A. Owner
B. Contributor
C. Reader
D. User Access Administrator

Answer: B

The Contributor role allows creating and managing all types of Azure resources but does not allow granting access to others. Owner would give too much permission (includes access delegation), Reader is view-only, and User Access Administrator only manages access, not resources.

Question 2

Your organization requires that Global Administrator access is only available when needed and requires approval from a security officer. The access should automatically expire after 4 hours. What should you implement?

A. Conditional Access policy with session timeout
B. Microsoft Entra PIM with eligible assignment and approval workflow
C. Custom RBAC role with time-limited scope
D. Azure Policy with deny effect for permanent assignments

Answer: B

PIM enables just-in-time access with eligible role assignments. Users must activate the role when needed, which can require approval from designated approvers. The activation time can be limited (e.g., 4 hours), after which access automatically expires.

Question 3

You have multiple Azure Functions that all need to access the same Azure Key Vault and Azure SQL Database. You want to simplify identity management. What should you use?

A. A single service principal with client secret shared across all Functions
B. System-assigned managed identity on each Function
C. A user-assigned managed identity shared across all Functions
D. Store connection strings in application settings for each Function

Answer: C

A user-assigned managed identity can be shared across multiple Azure resources. This simplifies management because you configure Key Vault and SQL Database access policies once for the shared identity. System-assigned identities would require configuring access for each Function individually.

Question 4

You need to grant a partner organization access to specific Azure resources without creating accounts in your Entra ID tenant. What feature should you use?

A. Microsoft Entra External ID B2B collaboration
B. Create guest accounts manually in your tenant
C. Share subscription credentials with the partner
D. Use Azure Lighthouse for delegated resource management

Answer: A

Microsoft Entra External ID B2B collaboration allows partner users to sign in using their own organizational identities. They are represented as guest users in your tenant and can be assigned roles to access specific resources without you managing their credentials.

Question 5

You need to create a custom role that allows users to start and restart VMs but not delete them, and this role should be available across three subscriptions. How should you define the role?

A. Create the custom role at the resource group level in each subscription
B. Create the custom role with the three subscriptions as assignable scopes
C. Assign the built-in Virtual Machine Contributor role and use deny assignments
D. Create three separate custom roles, one per subscription

Answer: B

Custom roles can specify multiple subscriptions as assignable scopes, making the role definition available across all specified subscriptions. The role definition would include Actions for VM start and restart operations while excluding delete operations through careful definition of Actions and NotActions.
