Knowledge base

February 03, 2024

Microsoft Entra ID vs. Azure Roles: What’s the Difference?

With the recent name change from Azure AD to Microsoft Entra ID, it is essential to understand the distinction between Microsoft Entra ID roles vs. Azure roles. This terminological shift may cause some confusion, especially since “Azure AD roles” are now called “Microsoft Entra ID roles.” For those in the world of Microsoft Azure, it is crucial to know these differences.

Prerequisites:

✅ Basic knowledge of Microsoft Azure
✅ Understanding Azure: Management group vs. Subscription vs. Resource group

Overview:

Let’s look at how the Microsoft Entra ID and Azure environment is structured within a tenant. The diagram below visualizes the structure of a tenant and helps us understand the scope at which each kind of role operates:

Representation of a Microsoft Entra ID Tenant

Simply put, we can state that:

  • Everything under Microsoft Entra ID falls under “Tenant level scope.”
  • Everything under Azure (Management Group/Subscription/Resource Group) falls under “Azure level scope.”

Microsoft Entra ID Role:

Microsoft Entra ID roles have a scope across the following platforms:

✅️ Microsoft Entra ID
✅️ Microsoft 365 Defender Platform
✅️ Microsoft Intune
✅️ and other Non-Azure platforms…

The only platform that is somewhat confusing is “Microsoft Entra ID” itself – it is still reachable from the Azure portal. Under its previous name, “Azure Active Directory,” it naturally lived in the Azure portal. The name change, whether intentional or not, helps resolve this confusion, and the “Microsoft Entra ID” platform is gradually being migrated out of the Azure portal.

Having basic or privileged roles in Microsoft Entra ID does not automatically give a user access to resources in an Azure environment.

Azure Role:

Azure roles have a scope over the following:

✅️ Azure Management Group
✅️ Azure Subscription
✅️ Azure Resource Group
✅️ Resources within the above three

Having basic or privileged roles in the Azure environment does not automatically give a user access to platforms covered by the Microsoft Entra ID role.

From Microsoft Entra ID Role to Azure Role:

When I said “Having basic or privileged roles in Microsoft Entra ID does not give access to Azure resources,” that was only partially true. In the diagram above, you can see that the Azure environment still sits under the Microsoft Entra ID tenant. This means that if you hold the highest-privileged role in the tenant (for example, Global Administrator), you can make yourself owner of the management groups, subscriptions and resource groups in the Azure environment.

So, if you have the Global Administrator role in Microsoft Entra ID, you have divine privileges across the entire tenant (both in Microsoft Entra ID and in the Azure environment)!

This is one way to obtain an Azure role while holding only a Microsoft Entra ID role. However, it is not available by default: the elevation must be explicitly enabled in the Microsoft Entra ID configuration before a privileged Microsoft Entra ID role can be used to assign Azure roles.
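The two ideas above (Azure roles inherit down the management group → subscription → resource group → resource hierarchy, while Microsoft Entra ID roles grant nothing in Azure until a Global Administrator elevates and receives a root-scope assignment) can be modelled in a few lines. The following is an added illustration, not code from the article or from Microsoft; the tenant layout, the principals alice/bob/carol, the subscription ID and every assignment are constructed, and `elevate_access` is a hypothetical model of the setting the article describes, not a call to any Azure API. The one real command referenced, `az role assignment list --scope /`, is the live counterpart of the `root_scope_assignments` check.

```python
from dataclasses import dataclass

ROOT = "/"  # tenant root scope; this is where "elevate access" lands

# Constructed tenant layout (not from the article): one management group,
# one subscription under it, one resource group, one VM. The IDs are placeholders.
MG_PROD = "/providers/Microsoft.Management/managementGroups/mg-prod"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG_WEB = SUB + "/resourceGroups/rg-web"
VM_WEB = RG_WEB + "/providers/Microsoft.Compute/virtualMachines/vm-web-01"

# A subscription's scope string does not say which management group it sits
# in, so the links above resource-group level are kept in an explicit map.
PARENT = {MG_PROD: ROOT, SUB: MG_PROD, RG_WEB: SUB}

# Constructed Entra ID (tenant-level) directory roles. They never appear in the
# Azure RBAC assignment list, which is the article's point.
ENTRA_ROLES = {
    "alice": {"Global Administrator"},
    "bob": set(),
    "carol": {"Intune Administrator"},
}


@dataclass(frozen=True)
class Assignment:
    principal: str
    role: str
    scope: str  # Azure Resource Manager scope string


# Constructed Azure RBAC assignments; note that alice has none at all.
AZURE_ASSIGNMENTS = [
    Assignment("bob", "Contributor", MG_PROD),  # inherited by SUB, RG_WEB, VM_WEB
    Assignment("carol", "Reader", RG_WEB),
]


def parent_of(scope):
    """Return the next scope up, or None at the tenant root."""
    if scope == ROOT:
        return None
    if scope in PARENT:
        return PARENT[scope]
    # Anything below "/resourceGroups/<name>" is a resource; in this model
    # every resource resolves straight to its resource group.
    marker = "/resourceGroups/"
    rg_start = scope.find(marker)
    if rg_start != -1:
        rg_end = scope.find("/", rg_start + len(marker))
        if rg_end != -1:
            return scope[:rg_end]
    raise ValueError(f"unknown scope: {scope}")


def scope_chain(scope):
    """Scope followed by all of its ancestors, ending at the tenant root."""
    chain = [scope]
    while chain[-1] != ROOT:
        chain.append(parent_of(chain[-1]))
    return chain


def effective_azure_roles(principal, scope, assignments):
    """Azure roles a principal holds at `scope`, directly or by inheritance.
    Entra ID roles are deliberately not consulted: they grant no Azure access."""
    ancestors = set(scope_chain(scope))
    return {a.role for a in assignments
            if a.principal == principal and a.scope in ancestors}


def root_scope_assignments(assignments):
    """Assignments at '/'. This is the defender's check: the live equivalent is
    `az role assignment list --scope /`, and any hit here inherits into every
    management group, subscription and resource group in the tenant."""
    return [a for a in assignments if a.scope == ROOT]


def elevate_access(principal, assignments):
    """Hypothetical model of the elevation the article describes: with the tenant
    setting enabled, a Global Administrator receives User Access Administrator at
    root scope, from which any Azure role can then be assigned. Others are refused."""
    if "Global Administrator" not in ENTRA_ROLES.get(principal, set()):
        raise PermissionError(f"{principal} is not a Global Administrator")
    return assignments + [Assignment(principal, "User Access Administrator", ROOT)]


if __name__ == "__main__":
    print("alice at subscription:", effective_azure_roles("alice", SUB, AZURE_ASSIGNMENTS))
    print("bob at VM:", effective_azure_roles("bob", VM_WEB, AZURE_ASSIGNMENTS))
    elevated = elevate_access("alice", AZURE_ASSIGNMENTS)
    print("alice after elevation:", effective_azure_roles("alice", RG_WEB, elevated))
    print("root-scope assignments:", root_scope_assignments(elevated))
```

Running it shows the Global Administrator with an empty Azure role set everywhere until elevation, after which a single root-scope User Access Administrator assignment reaches every resource group in the tenant. That single assignment is the thing worth auditing and removing once the administrative task is done, because it is the only bridge between the tenant-level scope and the Azure-level scope.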

Conclusion:

Understanding the difference between Microsoft Entra ID roles and Azure roles is crucial for anyone working with Microsoft or Azure environments. Another useful skill is being able to tell from a role’s name alone whether it is a Microsoft Entra ID role or an Azure role. This distinction is vital for managing access and maintaining security within your IT infrastructure.
