Entra RBAC Role Assignment FAQ
04 Feb 2024
Below are a few frequently asked questions about Entra RBAC Role Assignments.
Many thanks to colleagues who helped me a lot with editing the wording when I wrote a similar document for internal training.
What is an Entra RBAC Role Assignment?
An Entra RBAC Role Assignment, not to be confused with an Azure RBAC Role Assignment, grants a given identity (that is, one that exists within Microsoft Entra ID) permission to perform specific types of actions against a specific “scope” of other Entra resource(s).
Vocab
Microsoft Entra ID, or “Entra” for short, is the new name for what was known as “Azure Active Directory” or “AAD.”
Context
In the access-control model that separates authentication (“proving a nonhuman is who it says it is”) from authorization (“proving a given, authenticated nonhuman is permitted to do what it is trying to do”), an Entra RBAC Role Assignment helps solve problems related to authorization. 🔐
The 3 components of an Entra RBAC Role Assignment
An Entra RBAC Role Assignment is an Entra resource whose purpose is to describe a junction of 3 other Entra resource identities:
- An Entra RBAC “role” (whether “built-in” and maintained by Microsoft or “custom” and maintained by your company) that authorizes actions such as “create Entra App Registrations.”
- A target Entra identity serving as a “scope” upon which the role’s actions are allowed.
- (Often simply set to “/” to represent the entire Entra tenant.)
- An Entra identity serving as the “principal” capable of performing such actions within the targeted Entra scope.
- Usually a human group or user ID.
- Protecting the human’s Entra RBAC Role Assignment with Entra Privileged Identity Management (“PIM”) is an excellent practice when the “principal” contains a human.
Create an Entra RBAC Role Assignment
See “Assign Microsoft Entra roles to users” on Microsoft Learn.
In a corporate environment, you might not be allowed to do it yourself. Hopefully, your help desk ticketing system has a ticket type that you can open to request that an Entra RBAC Role Assignment be created/edited/deleted on your behalf.
Best practices
- Always follow the principle of least privilege when creating – or requesting the creation of – an Entra RBAC Role Assignment.
- Carefully look through Microsoft’s “built-in” Entra RBAC roles to find the least-powerful role that can perform a necessary task. For example:
- If a user will merely need to create, edit, and delete Entra App Registrations in support of their team’s code deployment automations…
- then use “Application Developer”…
- instead of the more powerful “Application Administrator”.
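As an added example (not code from the original post), the following Python models the three components described above, applies the least-privilege checks from this section, and builds the Microsoft Graph request body for `POST /roleManagement/directory/roleAssignments` without sending it. The principal ID is a constructed placeholder, and the role template IDs are Microsoft's published built-in values, which you should confirm against your own tenant.

```python
from dataclasses import dataclass

# Published template IDs of three built-in Entra roles (the page's own two examples
# plus Global Administrator). Confirm them in your tenant via
# GET /roleManagement/directory/roleDefinitions before relying on them.
BUILT_IN_ROLES = {
    "Global Administrator": "62e90394-69f5-4237-9190-012177145e10",
    "Application Administrator": "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
    "Application Developer": "cf1c38e5-3621-4004-a7cb-879624dced7c",
}
# Narrower role that covers the common task (the page's own example).
NARROWER_ROLE = {"Application Administrator": "Application Developer"}
HIGHLY_PRIVILEGED = {"Global Administrator"}
TENANT_SCOPE = "/"  # directoryScopeId meaning "the entire tenant"


@dataclass(frozen=True)
class RoleAssignmentRequest:
    role: str            # display name of a built-in role
    principal_id: str    # object ID of the user, group or service principal
    principal_type: str  # "user", "group" or "servicePrincipal"
    scope: str = TENANT_SCOPE

def review(req):
    """Least-privilege review: (severity, message) pairs; 'block' means do not create."""
    findings = []
    if req.role not in BUILT_IN_ROLES:
        findings.append(("block", f"unknown role '{req.role}'"))
    elif req.role in HIGHLY_PRIVILEGED:
        findings.append(("block", f"'{req.role}' is highly privileged; pick a task-specific role"))
    if req.role in NARROWER_ROLE:
        findings.append(("advise", f"'{NARROWER_ROLE[req.role]}' may suffice instead of '{req.role}'"))
    if req.principal_type in ("user", "group"):
        findings.append(("advise", "human principal: make this PIM-eligible rather than permanent"))
    return findings

def build_graph_body(req):
    """Body for POST /roleManagement/directory/roleAssignments; ValueError if review blocks it."""
    blockers = [msg for sev, msg in review(req) if sev == "block"]
    if blockers:
        raise ValueError("; ".join(blockers))
    return {
        "@odata.type": "#microsoft.graph.unifiedRoleAssignment",
        "roleDefinitionId": BUILT_IN_ROLES[req.role],
        "principalId": req.principal_id,
        "directoryScopeId": req.scope,
    }

if __name__ == "__main__":
    # Constructed placeholder principal ID, for demonstration only.
    req = RoleAssignmentRequest("Application Developer", "11111111-1111-1111-1111-111111111111", "group")
    print(review(req), build_graph_body(req))
```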
Follow-up steps
In a corporate environment, creating an Entra RBAC Role Assignment might not suffice to let a user perform desired actions within Entra at all hours of the day.
Each time the user to whom it was assigned would like to do any work that it permits, they will most likely need to temporarily escalate their Entra privileges to the desired Entra RBAC role by using Entra Privileged Identity Management (“PIM”).