RBAC Scope, Inheritance & Key Built-In Roles
Azure role-based access control (RBAC) is the authorisation system for managing access to Azure resources. Every role assignment has three components: a security principal (who), a role definition (what actions), and a scope (where). Roles are inherited downward through the hierarchy — a role assigned at a higher scope automatically applies to all child scopes beneath it.
Scopes from broadest to narrowest: Tenant Root Group → Management Groups → Subscriptions → Resource Groups → Resources. A role assigned at a Management Group applies to all subscriptions, resource groups, and resources within it. Inheritance only flows downward — a role on a resource does not grant access to the resource group containing it.
- Owner — full read/write/delete on all resources, plus the ability to assign roles. The only standard role that grants role assignment.
- Contributor — full read/write/delete on all resources. Cannot assign roles or manage access permissions. The right answer when the requirement is "deploy VMs and manage virtual networks" (both are resource management operations).
- Reader — view resources only. No modifications.
- User Access Administrator — assign any role at any scope. Cannot manage resources themselves. The least-privilege answer when the requirement is specifically to assign roles to other users.
- Reader and Data Access — view storage account keys and list/read storage data. Least-privilege for viewing storage account data including blob contents.
- Network Contributor — create and manage network resources (VNets, NSGs, load balancers). Does not cover VMs or role assignment.
- Storage Account Key Operator Service Role — list and regenerate storage account access keys. The correct role when the requirement is specifically key management.
- Storage Account Contributor — manage storage accounts including listing and regenerating keys. Also covers key management.
- Resource Policy Contributor — create, edit, delete, and assign Azure Policy definitions and initiatives. The least-privilege role for managing the Azure Policy governance framework.
A role scoped to a specific resource (e.g., Storage Account Contributor on storage1) grants permissions only on that one resource. The user cannot create new storage accounts in the parent resource group — that requires the role at the resource group level or higher. Contributor at a resource group scope allows creating new resources within it; Contributor at a resource scope does not.
Hierarchy: Tenant Root Group → MG2 → Sub3 → RG3 → VM1. User1 assigned Contributor at MG2 inherits Contributor all the way down to VM1 and can resize it. User3 assigned User Access Administrator at Tenant Root Group can assign roles anywhere in the entire hierarchy — including assigning Owner on RG3 to other users.
Group Type Nesting for RBAC:
If Group1 (Security type) has the Owner role on RG1, and Group2 (Security type) is added as a member of Group1, then User2 (a member of Group2) inherits the Owner role on RG1. RBAC role inheritance flows through nested Security groups.
If Group3 is a Microsoft 365 group and is added as a member of Group1 (Security type with Owner on RG1), users in Group3 do not inherit the Owner role. Azure RBAC does not process Microsoft 365 groups nested inside Security groups for role inheritance. The nesting is simply ignored for RBAC purposes.
Microsoft 365 groups can be directly assigned Azure RBAC roles. If Group3 (M365 type) is directly assigned the Owner role on RG1, then User3 (a member of Group3) receives Owner on RG1. The limitation is only on inheriting roles through nesting — direct assignment works normally.
Custom RBAC Role — The Five JSON Sections
When no built-in role exactly matches the principle of least privilege for a requirement, a custom RBAC role can be defined. The role definition is a JSON document with five sections controlling what operations are allowed, what is explicitly blocked, and where the role can be assigned. Knowing which section to modify for a given requirement is a frequently tested concept.
| Section | Plane | Effect | Modify To… |
|---|---|---|---|
actions | Management | Grants management-plane operations (ARM) | Allow creating/modifying/deleting Azure resources |
notActions | Management | Explicitly excludes operations (overrides actions) | Block role assignment or other specific management ops |
dataActions | Data | Grants data-plane operations | Allow VM sign-in, blob read/write, queue access |
notDataActions | Data | Explicitly excludes data-plane operations | Block specific data access even if granted in dataActions |
assignableScopes | Metadata | Restricts where the role can be assigned | Limit role to a specific subscription, RG, or resource |
The ability to sign in to a virtual machine (RDP/SSH) is a data-plane operation: Microsoft.Compute/virtualMachines/login/action. It must be placed in the dataActions section of the role definition. Adding it to actions will not grant sign-in capability — actions governs only ARM management operations, not data-plane authentication.
"/"— entire tenant; role can be assigned anywhere."/subscriptions/{subId}"— any RG or resource within that subscription."/subscriptions/{subId}/resourceGroups/"— only resource groups within that subscription. This is the correct value when the requirement says "can only be assigned to resource groups in Subscription1.""/subscriptions/{subId}/resourceGroups/{rgName}"— a single specific resource group.
To prevent a custom role from managing access permissions (assigning roles), add "Microsoft.Authorization/*" to notActions. This blocks all Authorization operations regardless of what actions contains. The exam may also present "Microsoft.Authorization/*/Delete" and "Microsoft.Authorization/*/Write" as the specific entries — either approach achieves the same result.
Permission String Patterns — Least Privilege for Common Requirements
Azure RBAC permission strings follow the pattern Provider/ResourceType/Operation. The wildcard /* grants all operations on a resource type. Choosing the narrowest permission string that satisfies the stated requirement is how the principle of least privilege is applied in custom role definitions.
| Requirement | Correct Permission | Why Not the Others |
|---|---|---|
| All actions on a virtual network | "Microsoft.Network/virtualNetworks/*" | /write alone omits read and delete; /delete alone is too narrow |
| View the configuration data of a storage account | "Microsoft.Storage/storageAccounts/read" | /* allows write/delete (too broad); the blob path reads blob data, not account configuration |
| Read/write blob data (data plane) | "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*" in dataActions | Account-level read is a management action, not a data action |
When a requirement uses the word "view" or "read configuration," the answer is always the specific /read permission — never the wildcard /*. The wildcard includes create, update, and delete operations. Similarly, a blob data read permission (blobServices/containers/blobs/read) does not grant access to the storage account's configuration properties — those are management-plane operations at a different level of the hierarchy.
Reading RBAC Role Assignment JSON — Scope Paths and Effective Access
The AZ-104 exam frequently presents a table or JSON snippet of raw RBAC role assignments and asks questions about who can perform specific operations on specific resources. The key skill is reading the scope path correctly and understanding that inheritance only flows downward.
| Scope Path | Access Covers |
|---|---|
/subscriptions/{subId} | Entire subscription — all RGs and all resources within (inherits down) |
/subscriptions/{subId}/resourceGroups/{rgName} | That specific RG and all resources within it |
/subscriptions/{subId}/resourceGroups/{rg}/providers/Microsoft.Compute/virtualMachines/{vmName} | That one VM only — does not grant access to the parent RG |
Role assignments: User1 = Owner at subscription scope, User2 = Owner at RG2 scope, User3 = Owner at VM1 (in RG1) scope, User4 = Contributor at RG1 scope.
Who has Owner on VM1? User1 (subscription Owner inherits to VM1) and User3 (directly on VM1). User2's Owner is on RG2, not RG1, so no access to VM1. User4 is Contributor (not Owner).
Who can create a VM in RG1? User1 (sub-scope Contributor includes RG1) and User4 (RG1 Contributor can create resources in RG1). User3's scope stops at VM1 — cannot create new VMs in RG1.
A user with Owner on a specific VM can fully manage and assign roles on that VM, but cannot create new VMs in the same resource group — their authorisation scope ends at the resource boundary. Creating any new resource requires Contributor or Owner at the resource group level or higher.
Virtual Machine RBAC — Managing vs Signing In
VM management (creating, resizing, configuring) and VM sign-in (RDP/SSH) are handled by separate roles. This distinction trips up many people who assume that managing a VM implies the ability to log into it. They are entirely independent capabilities.
| Role | Manage VM (resize, configure) | Sign In (RDP/SSH) |
|---|---|---|
| Virtual Machine Contributor | Yes | No |
| Virtual Machine User Login | No | Yes (standard user) |
| Virtual Machine Administrator Login | No | Yes (with admin/root) |
| Owner / Contributor | Yes | No — alone |
If a user must both manage VMs (resize, add disks) and sign in via RDP/SSH, they need two role assignments: Virtual Machine Contributor (or Contributor) for management, plus Virtual Machine User Login or Virtual Machine Administrator Login for sign-in. Neither role alone provides both capabilities.
Virtual Network & NSG Role Permissions
Network resources — VNets, NSGs, load balancers, and private DNS zones — each have specific role requirements. The least-privilege principle means using the narrowest role scoped to exactly the resources that need to be managed.
- Adding or modifying subnets in a VNet — requires Owner, Contributor, or Network Contributor scoped at or above the VNet.
- Assigning a role to a VNet — requires Owner or User Access Administrator scoped at or above the VNet.
- Adding a backend pool or health probe to a load balancer — Network Contributor scoped to that specific load balancer is the least-privilege answer. Scoping to the resource (not the RG) is more restrictive and more appropriate.
- Security Admin — manages NSG security rules and Microsoft Defender policies, but cannot modify VNet topology (subnets, address spaces).
- Private DNS Zone Contributor — manages Private DNS zones only. Combine with Network Contributor when both VNet and DNS zone management are required.
Contributor (or Network Contributor) scoped to a specific NSG grants full management of that NSG's rules. However, it does not allow creating new resources in the parent resource group or modifying the DNS settings of a network interface in that RG. To create new storage accounts or resources in the RG, Contributor must be scoped to the resource group, not an individual resource.
Logic App Roles — Operator vs Contributor for Creating Logic Apps
Azure has two built-in RBAC roles specifically for Logic Apps. They differ fundamentally in what they permit, and the critical distinction is whether a user needs to create new logic apps or just operate existing ones.
| Role | Create Logic Apps | Read, Run, Enable/Disable | Modify Triggers/Actions |
|---|---|---|---|
| Logic App Contributor | Yes | Yes | Yes |
| Logic App Operator | No | Yes | No |
To grant a group the ability to create Azure Logic Apps in a resource group, assign the Logic App Contributor role scoped to that resource group. The role must be scoped at least to the RG where logic apps will be created. Logic App Contributor on the subscription also works (broader than needed). Assigning Logic App Contributor to the subscription instead of the specific RG satisfies the requirement but is not least-privilege.
- Logic App Operator — only manages (runs, enables/disables, reads) existing logic apps. Cannot create new ones.
- DevTest Labs User — scoped to DevTest Labs environments. Has no effect on Logic Apps.
- Contributor on the subscription — technically works but is far broader than necessary (violates least privilege).
ABAC Conditions for Blob Access Control
Attribute-Based Access Control (ABAC) adds a condition layer on top of an RBAC role assignment. While RBAC controls whether a user can perform an action, an ABAC condition restricts which specific resources that action applies to. For Azure Storage, ABAC conditions can filter blob access by blob index tags, container names, or other resource attributes.
An ABAC condition is attached to a role assignment and uses the pattern: !(ActionMatches{'action'}) OR @Resource[attribute] = 'value'. The condition only restricts the named action — all other actions permitted by the role pass through without the condition being evaluated. For example, a condition that restricts blob reads to those with tag Environment = Production does not affect write or delete operations.
To restrict users to viewing only blobs with specific blob index tags, use a role assignment condition (ABAC) on a blob data role such as Storage Blob Data Reader or Storage Blob Data Contributor. A condition like @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Environment<$key>] = 'Production' filters access at evaluation time. Stored access policies and SAS tokens cannot filter by blob index tags — conditions are the only mechanism for tag-based access filtering.
ABAC conditions for Azure Storage are supported only on Blob containers and Queues. They are not supported on File shares or Tables. Eligible roles for conditions include Storage Blob Data Contributor, Storage Blob Data Owner, and Storage Blob Data Reader.
Managed Identity vs SAS — Permanent Access vs Time-Limited Access
When Azure-hosted applications need to access storage accounts, two approaches are common: managed identity with an RBAC role assignment (no secrets, permanent), and Shared Access Signatures (time-limited, secret-based). Choosing between them depends on whether the access needs to be permanent or bounded to a specific time window.
| Requirement | Use | Why |
|---|---|---|
| Permanent access, minimise secrets | Access Control (IAM) + managed identity | Managed identity authenticates without any stored secret; RBAC role grants the permission permanently |
| Time-limited access (e.g., next 30 days only) | Shared Access Signature (SAS) | SAS tokens have a built-in expiry date; access automatically revokes after the expiry |
When a requirement says "minimise the number of secrets used" alongside permanent access for an app that has a managed identity, the answer is to configure Access Control (IAM) on the storage account and assign the appropriate role to the app's managed identity. No secret is created or stored — the managed identity token is issued by Entra ID automatically. Using Access Keys or a SAS token both involve managing a secret value.
Microsoft Entra — Adding a Custom Domain to a Tenant
By default, a Microsoft Entra tenant uses the .onmicrosoft.com domain for all user principal names (UPNs). To allow users to sign in with addresses matching the organisation's public domain (e.g., @contoso.com), the custom domain must be added to the tenant and its ownership verified. This is a three-step process that must happen in the correct order.
- Add the custom domain name in Microsoft Entra ID — go to Entra ID → Custom domain names → Add custom domain. This registers the domain name within the tenant and generates a verification token.
- Add a TXT or MX record to the public DNS zone of the domain — at the third-party registrar where contoso.com is registered. This record contains the verification token Entra provided in step 1 and proves you control the domain.
- Verify the domain in Microsoft Entra ID — Azure queries the public DNS for the verification record. After confirmation, users can be created with the
@contoso.comUPN suffix.
- Creating an Azure DNS zone — not required. The verification record is added at the third-party registrar, not in an Azure DNS zone. Azure DNS is only needed if you want to host the domain's DNS records in Azure, which is a separate choice.
- Adding a new Microsoft Entra tenant — a new tenant is not created; you are adding a domain to the existing one.
- Configuring company branding — unrelated to domain ownership verification.
Hybrid Identity — Which Attributes Can Be Modified in Entra ID
In a hybrid Entra deployment using Microsoft Entra Connect, users are synchronised from on-premises Active Directory to Entra ID. For synced users, on-premises AD is the authoritative source for most attributes — changes made directly in Entra ID will be overwritten on the next sync cycle. Understanding which attributes can always be edited in Entra ID versus which must be changed on-premises prevents wasted effort.
| User Type | Standard Attributes (JobTitle, Dept, etc.) | UsageLocation |
|---|---|---|
| Cloud-only (no sync) | Yes — modify in Entra ID | Yes |
| Synced from on-premises | No — modify in on-prem AD (changes in Entra are overwritten) | Yes — exception |
| Guest user (B2B) | Yes — typically cloud-managed | Yes |
UsageLocation is a cloud-side attribute that is not synchronised from on-premises AD — not even for fully synced users. It must always be set in Entra ID. This means UsageLocation can be modified in Entra ID for every user type, including synced users. This attribute matters for license assignment because Microsoft 365 licenses can only be assigned to users who have a UsageLocation set.
Group-Based Licensing — Types, Nesting & Removal
Microsoft Entra group-based licensing allows a license to be assigned to a group so that all members automatically receive it. Understanding which group types support license assignment, how nested group membership interacts with license inheritance, and what constraints exist when removing licenses is important for both identity management questions and exam scenarios.
| Group Type | License Assignment Supported? |
|---|---|
| Security group (enabled, not mail-enabled) | Yes |
| Microsoft 365 group (with securityEnabled = TRUE) | Yes |
| Mail-enabled security group | No |
| Distribution group | No |
Group-based licensing does not propagate through nested groups. If Group1 (Security) has a P2 license assigned, and Group2 (Security) is a member of Group1, the members of Group2 do not automatically receive the P2 license. Only direct members of Group1 receive the license. To license Group2's members, the license must be assigned directly to Group2.
To remove a group-based license from a specific user, you must remove that user from the licensed group. You cannot revoke a group-based license from an individual user directly — the license is managed at the group level. An administrator can also remove a directly-assigned license from a user account, but group-based ones require group membership changes.
A user who already receives a license through group membership can additionally be assigned other licenses directly. This does not remove or conflict with the group-based license — both apply. If a user receives P2 through Group1, and is also directly assigned a Fabric license, both licenses are active simultaneously.
User & Group Deletion Constraints
Not all Entra users and groups can be deleted freely. Certain conditions — particularly directly assigned licenses on groups — block deletion. Understanding what prevents deletion and what does not helps troubleshoot identity management operations.
Individual user accounts can be deleted regardless of their license status. A user who receives a license through group membership, or who has a directly assigned license, can still be deleted. Deleting the user removes them from all group memberships and revokes all licenses automatically.
A group that has a license directly assigned to it cannot be deleted without first removing that license from the group. If Group2 and Group4 each have P2 directly assigned, neither can be deleted until those license assignments are removed. Groups that are only members of other licensed groups can be deleted freely — the membership constraint does not block deletion.
Tenant has: Group1 (P2 assigned directly), Group2 (no direct license — member of Group1), Group3 (P2 assigned directly), Group4 (no direct license).
Groups that can be deleted: Group2 and Group4 (no directly assigned licenses). Groups blocked from deletion: Group1 and Group3 (must remove license first).
Dynamic Group Membership — Rules, Operators & Evaluating User Membership
Dynamic group membership rules automatically add or remove users (or devices) from a group based on their attribute values in Entra ID. Rules are evaluated continuously — when a user's attributes change, group membership is updated automatically. This is the correct solution for auto-populating groups from bulk-imported users based on department or other attributes, as it requires no ongoing manual management.
| Attribute | Example Value | Common Operators |
|---|---|---|
user.department | "Marketing", "Engineering" | -eq, -ne, -startsWith, -in |
user.country | "France", "US" | -eq, -ne |
user.usageLocation | "FR", "US" (2-letter code) | -eq |
user.jobTitle | "Manager" | -eq, -contains |
user.mail | "@contoso.com" | -match, -contains |
To match users who are in the Marketing department AND located in France:
(user.department -eq "marketing") -and (user.country -eq "France")
Dropdown1 = user.department, Dropdown2 = -and (logical AND — both conditions must be true), Dropdown3 = -eq (equals). The -or operator would include users who are in Marketing OR in France — too broad. The word and without the hyphen is not a valid rule operator; typeof is JavaScript syntax with no role in Entra dynamic rules.
These three attributes are often confused. user.country is the country field from the user's profile (full name like "France"). user.usageLocation is the usage location for license assignment (two-letter ISO code like "FR"). They are different attributes with different formats and different purposes. Device attributes start with device. — always use user.* attributes for user-based dynamic group rules.
When bulk-importing users from a CSV file, the most efficient way to automatically assign them to groups based on their department is to create groups with Dynamic User membership type and rules based on user.department. As soon as the users are imported and their department attribute is populated, they are automatically added to the matching dynamic group. No manual group assignment or PowerShell script is needed afterwards.
Group Naming Policy
A group naming policy in Microsoft Entra ID enforces a consistent naming format for new Microsoft 365 groups. Prefixes and suffixes can be either fixed literal strings or dynamically derived from user attributes. The distinction between String and Attribute types determines whether the value is fixed or personalised.
- String — applies a fixed literal value to every group name. For example, a prefix String of "Contoso-" makes every group name start with "Contoso-".
- Attribute — dynamically inserts a value from the group creator's user profile. For example, a prefix Attribute of "Department" inserts the creator's department value (e.g., "Sales", "Engineering") at the start of the group name.
- Create a group naming policy (initialise the policy object).
- Set the prefix type to Attribute and select Department as the attribute.
- Set "Add prefix" configuration to use the Department attribute.
This results in group names formatted as <Department><Group name> — the department of the group creator is automatically prepended. The suffix type (String vs Attribute) is configured separately if a suffix is also needed.
External Collaboration Settings vs Cross-Tenant Access Settings
Microsoft Entra provides two distinct settings areas for controlling how external users and organisations interact with your tenant. They serve different purposes and are configured in different parts of the Entra admin centre.
This setting controls which external domains can receive invitations from your tenant. To restrict so that only users from a specific partner domain (e.g., fabrikam.com) can be invited, configure the Collaboration restrictions setting under External Collaboration Settings. Options include allowing all domains, denying specific domains (blocklist), or allowing only specific domains (allowlist). This is the correct setting when the requirement is "only allow invitations to be sent to fabrikam.com users."
Cross-Tenant Access Settings configure trust and access controls between two specific Azure AD tenants — for example, whether MFA claims from a partner tenant are trusted, or whether B2B direct connect (shared channels in Teams) is enabled. This is not for controlling which domains can be invited; it is for managing the trust relationship after a guest relationship exists.
Entitlement Management — Access Package Lifecycle & External Users
Microsoft Entra Entitlement Management governs access to groups, applications, and SharePoint sites through access packages. The external user lifecycle settings control what happens to guest accounts when access expires. It is particularly useful for managing time-limited access for external partners. Understanding the two-phase lifecycle — resource removal versus account removal — is critical for interpreting entitlement management scenarios.
- Connected organisation — an external tenant explicitly configured for access requests. Users from connected organisations can request access packages if the policy allows.
- Non-connected organisation — not explicitly configured. Whether their users can request access depends on whether the access package policy allows requests from "All users" (including unconnected external users).
- Access expiration — when an access package assignment expires, the user is removed from all resources in that package (groups, app assignments, SharePoint sites).
- Day 365 (access expires) — the user is removed from Group1 and all other resources in the access package. The guest account still exists in the tenant.
- Day 395 (365 + 30-day grace period) — if the external user lifecycle settings specify "remove the user after N days with no active access packages," the guest account itself is deleted from the tenant.
These are two separate events with separate timelines. After 365 days the user is removed from Group1 (resource removal). Only after an additional 30-day grace period (day 395) is the user account removed from the tenant. The exam tests this distinction directly — "removed from Group1 after 365 days" = Yes, "removed from the tenant after 365 days" = No.
Custom Security Attributes
Microsoft Entra Custom Security Attributes allow organisations to add custom metadata properties to identity objects — users, security groups, and service principals. They are used for fine-grained access filtering and are managed by administrators with specific Entra roles.
- Attribute Definition Administrator — creates and manages attribute sets and individual attribute definitions. Cannot assign attribute values to objects.
- Attribute Assignment Administrator — assigns attribute values to Entra identity objects. Cannot create new attribute definitions.
Both roles are needed together to set up and use custom security attributes: one creates the definition, the other assigns values. To configure both tasks (create Property1 AND ensure Admin1 can assign it to users), configure Custom security attributes (to create the definition) and Roles and administrators (to grant the Attribute Assignment Administrator role to Admin1) in the Entra ID blade.
Custom Security Attributes can be assigned to users, security groups, and service principals. All three are supported. A service principal represents an application's identity in Entra — it is a valid target for attribute assignment. Custom Security Attributes cannot be assigned to Azure resources (VMs, storage accounts, etc.) — only to Entra identity objects.
Entra Default User Role Permissions
The Microsoft Entra admin centre contains a "Default user role permissions" section under User Settings. These settings control what standard (non-admin) users can do across the tenant by default — without any elevated role. Restricting specific defaults is how organisations tighten their security posture without individually managing every user.
| Setting | Controls | Restrict By Setting To |
|---|---|---|
| Users can register applications | Whether users can create app registrations (which creates service principals) | No — prevents standard users from creating service principals/app registrations |
| Restrict non-admin users from creating tenants | Whether users can create new Entra tenants | Yes |
| Restrict access to Microsoft Entra admin center | Whether users can access the Entra admin portal GUI | Yes — forces users to use PowerShell or Microsoft Graph instead |
| Users can create security groups | Whether users can create security groups | No |
- "Users can register applications" → No — prevents standard users from creating app registrations (which create service principals).
- "Restrict access to Microsoft Entra admin center" → Yes — blocks portal access, forcing users to use PowerShell cmdlets or the Microsoft Graph API for any Entra management tasks.
Restricting the Microsoft Entra admin center prevents access to entra.microsoft.com for managing Entra objects. It does NOT prevent users from accessing portal.azure.com to manage Azure resources like VMs and storage accounts. These are different portals with different access controls.
Assigning Entra Admin Roles — The Directory Role Blade
Microsoft Entra administrative roles (such as User Administrator, Global Administrator, and Authentication Policy Administrator) are different from Azure RBAC roles. They are assigned through the Entra ID portal, not through Azure's Access Control (IAM) blade. The specific location for assigning an Entra admin role to a user is the user account's Directory role blade.
To assign an Entra admin role (e.g., User Administrator) to a user: open the user's profile in the Microsoft Entra admin centre → navigate to the Directory role blade → click "Add assignments" and select the desired role. The Licenses blade assigns product licenses. The Groups blade manages group memberships. The Directory role blade is the only location for Entra admin role assignment from the user account properties.
SSPR — Configuration Blades and What Each Controls
Self-Service Password Reset (SSPR) is configured in the Microsoft Entra admin centre under Password reset. The configuration is divided across several blades, each controlling a distinct aspect of the SSPR experience. Understanding which blade to use for a given requirement is tested directly.
| Blade | What It Configures |
|---|---|
| Properties | Enable SSPR for None / Selected (specific groups) / All users. This is where you turn SSPR on for the organisation. |
| Authentication methods | Which methods are available (mobile app, email, phone, security questions); how many methods are required to reset; number of security questions required to register and to reset. |
| Registration | Whether users must register when they next sign in; how often they must re-confirm their registration. |
| Notifications | Whether users and admins receive email notification when a password is reset. |
| On-premises integration | Password writeback to on-premises AD DS (requires Entra Connect to be configured). |
To enable SSPR for all users: navigate to Properties → set to All. To require users to answer 4 security questions during registration: navigate to Authentication methods → enable security questions and set the required question count. These are two separate blades — both must be configured.
SSPR — Eligible Group Types & Who Can Configure SSPR
Two commonly confused SSPR constraints involve which group types can be used to scope SSPR deployment, and which administrative roles have the authority to configure SSPR settings for the organisation.
When SSPR is enabled for "Selected" users (rather than All), it can only be scoped to Security groups. Microsoft 365 groups and Mail-enabled security groups cannot be used to scope SSPR. This is consistent with the general pattern that SSPR group targeting requires Security groups specifically.
- Global Administrator — full SSPR configuration authority.
- Authentication Policy Administrator — can configure authentication policies including all SSPR settings. This is the dedicated role for this purpose.
- Authentication Administrator — can manage authentication methods for non-admin users; limited SSPR scope.
- Security Administrator — manages security policies, Defender settings, and security posture. Does not have authority to configure SSPR settings.
Security Administrator is a frequently presented distractor for SSPR configuration questions. Despite its name, Security Administrator does not include the ability to configure SSPR. Authentication Policy Administrator is the correct least-privilege role for SSPR configuration tasks.
SSPR — Security Questions & Privileged Admin Exclusions
SSPR security question configuration has a specific constraint that affects privileged administrators. For security reasons, Microsoft excludes certain privileged roles from being able to use security questions as their SSPR method — they must use stronger authentication methods instead.
- Security questions are an optional SSPR method that must be explicitly enabled in the Authentication methods blade.
- Administrators configure how many questions users must register (e.g., 3) and how many they must correctly answer to reset (e.g., 3). These two numbers can differ — a user might register 5 questions but only need to answer 3 to reset.
- A user who has successfully answered the required number of security questions AND any other required methods can reset their password immediately.
Users assigned privileged administrative roles — including Global Administrator, Security Administrator, Billing Administrator, Privileged Authentication Administrator, and others — are excluded from using security questions as an SSPR authentication method. This is a Microsoft security control that cannot be overridden. The full list of excluded roles is documented in the SSPR policy settings reference. These accounts must use stronger methods (authenticator app, phone, email to another admin address). If a user has the Security Administrator role assigned and SSPR is configured with security questions only, that user cannot use SSPR to reset their password via security questions.
Resource Locks vs Tags — Scope Differences
Locks and tags are both Azure governance tools, but they apply to different levels of the resource hierarchy. The difference between them is subtle but tested directly — tags support one additional scope level (Management Groups) compared to locks.
| Scope Level | Locks Supported? | Tags Supported? |
|---|---|---|
| Tenant Root Group | No | No |
| Management Group | No | Yes |
| Subscription | Yes | Yes |
| Resource Group | Yes | Yes |
| Individual Resource (VM, storage, etc.) | Yes | Yes |
Locks can only be applied at Subscription, Resource Group, and individual Resource scope. Management Groups and the Tenant Root Group cannot have locks applied to them. Tags go one level higher — they include Management Groups but still exclude the Tenant Root Group. When presented with a hierarchy question listing TRG → MG1 → Sub1 → RG1 → VM1, locks apply to Sub1, RG1, and VM1; tags apply to MG1, Sub1, RG1, and VM1.
Azure Private DNS — Auto-Registration & VNet Link Behaviour
Azure Private DNS zones can automatically create and maintain DNS A records for virtual machines in linked virtual networks. This feature is called auto-registration and is configured on the virtual network link between the private DNS zone and the VNet — not on the VMs themselves. Understanding exactly what determines whether a VM is auto-registered prevents a common misread involving Windows DNS suffix settings.
- Auto-registration is enabled or disabled on the virtual network link in the private DNS zone — specifically the "Enable auto registration" toggle on that link.
- When enabled, Azure creates an A record in the private zone whenever a VM in the linked VNet starts up, and removes it when the VM is deallocated.
- All VMs in the linked VNet are auto-registered — there is no per-VM opt-in or opt-out.
- Auto-registration only works with private DNS zones. Public DNS zones do not support it.
The DNS suffix configured inside a Windows Server VM (e.g., the "Primary DNS suffix" set to Contoso.com in the OS network settings) is a Windows networking configuration that affects what domain name the VM appends when resolving short hostnames. It has absolutely no bearing on whether Azure registers the VM's IP address in an Azure Private DNS zone. A VM with Windows DNS suffix "Contoso.com" is not automatically registered in an Azure private DNS zone named contoso.com — only the VNet link's auto-registration toggle determines that.
When a question presents a public Azure DNS zone (e.g., adatum.com as a public zone) and asks whether a VM's record is automatically added when the VM starts, the answer is always No. Auto-registration is exclusively a feature of private DNS zones with VNet links. Public DNS zones require records to be added manually or via automation.
Co-Administrator — Subscription Scope Only
The co-administrator role is a legacy concept from the Azure classic deployment model. It grants permissions equivalent to Owner at the subscription level, but with a hard limitation: it can only be assigned at subscription scope. It cannot be assigned to management groups, resource groups, or individual resources.
Co-administrator can only be added to an Azure subscription. When presented with a list of possible targets — Management Group, Subscription, Resource Group, VM — the only valid answer is the subscription. Attempting to add a co-administrator to a resource group, VM, or management group is not possible.
| Co-Administrator | Owner (RBAC) | |
|---|---|---|
| Available scope | Subscription only | Any scope (MG, Sub, RG, Resource) |
| Deployment model | Classic (legacy) | Azure Resource Manager (current) |
| Recommended? | No — legacy | Yes |
App Service Deployment Credentials
Azure App Service supports three distinct deployment credential mechanisms. They differ in how the user authenticates and what identity is used during the deployment. The principle of least privilege determines which mechanism to select.
- User-level FTPS credentials — a username and password set by the developer in the Azure portal. These are specific to the user but use a custom deployment password, not the user's Microsoft Entra credentials. Valid for FTP/FTPS deployments but not for Entra-authenticated deploys.
- App-level FTPS credentials — auto-generated per web app. These are shared by anyone who deploys to that app and also do not use Entra credentials.
- Microsoft Entra credentials (Web Deploy) — uses the developer's actual Entra identity for deployment via Web Deploy. The least-privilege RBAC role that enables this is Website Contributor. This is the correct answer when the requirement specifies using Entra credentials with least privilege.
Assigning the Owner role to enable Web Deploy would work technically, but it violates the principle of least privilege — Owner grants full control over all Azure resources, not just deployment rights. Website Contributor is the narrowest role that grants the specific ability to deploy content to a web app using Microsoft Entra credentials.
Azure Key Vault — Application Access via Managed Identity
When an Azure-hosted application (App Service, VM, Function App, Container Instance) needs to retrieve secrets, keys, or certificates from Azure Key Vault, the recommended pattern is to use a managed identity rather than storing any credentials in the application's configuration. The managed identity authenticates to Key Vault using Entra ID tokens, eliminating the need to create, store, or rotate any secrets.
- Enable a system-assigned managed identity on the Azure resource (App Service, VM, etc.).
- Assign the managed identity a Key Vault role — Key Vault Secrets User for read-only secret access, or Key Vault Secrets Officer for read/write.
- The application uses DefaultAzureCredential or ManagedIdentityCredential in the SDK to authenticate automatically.
No credentials are stored anywhere — the managed identity token is issued by Entra ID at runtime.
Creating a service principal or a user account to grant vault access requires managing a secret (client secret or password), which defeats the purpose of Key Vault. A private endpoint controls network access but does not provide the identity the application uses to authenticate. A managed identity is the correct answer for granting an Azure-hosted app access to Key Vault secrets.
Azure Key Vault — Network Access Scope
Key Vault access is not restricted by Azure region or resource group membership by default. Network-level access controls are configured separately through the vault's Networking blade and are independent of the identity-based access controls configured through RBAC or vault access policies.
Any application with the appropriate role assignment can access a Key Vault regardless of which Azure region it is in. An App Service in West Europe can access a Key Vault in East US — region proximity does not affect access permissions. Network restrictions (firewall rules, VNet service endpoints, private endpoints) must be explicitly configured if you want to limit access by network location.
- Allow all networks — the default; any internet IP can reach the vault (subject to RBAC/access policies).
- Selected networks — allow access from specific VNets (via service endpoints) or specific IP address ranges.
- Private endpoint only — all public access is blocked; vault is accessible only through the private endpoint from within the VNet.