Flash sale is here! Get Extra 25% off on ALL COURSES! Use coupon code FLASH25. Ends today.
Domain 01 · Revision Notes

Manage Azure identities and governance

RBAC, Entra ID, Custom Security Attributes, SSPR & User Management

01

RBAC Scope, Inheritance & Key Built-In Roles

Azure role-based access control (RBAC) is the authorisation system for managing access to Azure resources. Every role assignment has three components: a security principal (who), a role definition (what actions), and a scope (where). Roles are inherited downward through the hierarchy — a role assigned at a higher scope automatically applies to all child scopes beneath it.

Scope Hierarchy — Inheritance Direction

Scopes from broadest to narrowest: Tenant Root Group → Management Groups → Subscriptions → Resource Groups → Resources. A role assigned at a Management Group applies to all subscriptions, resource groups, and resources within it. Inheritance only flows downward — a role on a resource does not grant access to the resource group containing it.

Key Built-In Roles
  • Owner — full read/write/delete on all resources, plus the ability to assign roles. The only standard role that grants role assignment.
  • Contributor — full read/write/delete on all resources. Cannot assign roles or manage access permissions. The right answer when the requirement is "deploy VMs and manage virtual networks" (both are resource management operations).
  • Reader — view resources only. No modifications.
  • User Access Administrator — assign any role at any scope. Cannot manage resources themselves. The least-privilege answer when the requirement is specifically to assign roles to other users.
  • Reader and Data Access — view storage account keys and list/read storage data. Least-privilege for viewing storage account data including blob contents.
  • Network Contributor — create and manage network resources (VNets, NSGs, load balancers). Does not cover VMs or role assignment.
  • Storage Account Key Operator Service Role — list and regenerate storage account access keys. The correct role when the requirement is specifically key management.
  • Storage Account Contributor — manage storage accounts including listing and regenerating keys. Also covers key management.
  • Resource Policy Contributor — create, edit, delete, and assign Azure Policy definitions and initiatives. The least-privilege role for managing the Azure Policy governance framework.
⚠ Resource-Scoped Role ≠ Resource Group Permissions

A role scoped to a specific resource (e.g., Storage Account Contributor on storage1) grants permissions only on that one resource. The user cannot create new storage accounts in the parent resource group — that requires the role at the resource group level or higher. Contributor at a resource group scope allows creating new resources within it; Contributor at a resource scope does not.

Management Group Inheritance — Worked Example

Hierarchy: Tenant Root Group → MG2 → Sub3 → RG3 → VM1. User1 assigned Contributor at MG2 inherits Contributor all the way down to VM1 and can resize it. User3 assigned User Access Administrator at Tenant Root Group can assign roles anywhere in the entire hierarchy — including assigning Owner on RG3 to other users.


Group Type Nesting for RBAC:

Security Group Nesting — RBAC Inheritance Flows Through

If Group1 (Security type) has the Owner role on RG1, and Group2 (Security type) is added as a member of Group1, then User2 (a member of Group2) inherits the Owner role on RG1. RBAC role inheritance flows through nested Security groups.

Microsoft 365 Groups Cannot Transfer RBAC via Nesting

If Group3 is a Microsoft 365 group and is added as a member of Group1 (Security type with Owner on RG1), users in Group3 do not inherit the Owner role. Azure RBAC does not process Microsoft 365 groups nested inside Security groups for role inheritance. The nesting is simply ignored for RBAC purposes.

Direct RBAC Assignment to M365 Groups — Does Work

Microsoft 365 groups can be directly assigned Azure RBAC roles. If Group3 (M365 type) is directly assigned the Owner role on RG1, then User3 (a member of Group3) receives Owner on RG1. The limitation is only on inheriting roles through nesting — direct assignment works normally.


02

Custom RBAC Role — The Five JSON Sections

When no built-in role exactly matches the principle of least privilege for a requirement, a custom RBAC role can be defined. The role definition is a JSON document with five sections controlling what operations are allowed, what is explicitly blocked, and where the role can be assigned. Knowing which section to modify for a given requirement is a frequently tested concept.

The Six Sections
SectionPlaneEffectModify To…
actionsManagementGrants management-plane operations (ARM)Allow creating/modifying/deleting Azure resources
notActionsManagementExplicitly excludes operations (overrides actions)Block role assignment or other specific management ops
dataActionsDataGrants data-plane operationsAllow VM sign-in, blob read/write, queue access
notDataActionsDataExplicitly excludes data-plane operationsBlock specific data access even if granted in dataActions
assignableScopesMetadataRestricts where the role can be assignedLimit role to a specific subscription, RG, or resource
VM Sign-In Is a dataAction, Not an action

The ability to sign in to a virtual machine (RDP/SSH) is a data-plane operation: Microsoft.Compute/virtualMachines/login/action. It must be placed in the dataActions section of the role definition. Adding it to actions will not grant sign-in capability — actions governs only ARM management operations, not data-plane authentication.

assignableScopes Path Format
  • "/" — entire tenant; role can be assigned anywhere.
  • "/subscriptions/{subId}" — any RG or resource within that subscription.
  • "/subscriptions/{subId}/resourceGroups/" — only resource groups within that subscription. This is the correct value when the requirement says "can only be assigned to resource groups in Subscription1."
  • "/subscriptions/{subId}/resourceGroups/{rgName}" — a single specific resource group.
⚠ notActions for Blocking Role Assignment

To prevent a custom role from managing access permissions (assigning roles), add "Microsoft.Authorization/*" to notActions. This blocks all Authorization operations regardless of what actions contains. The exam may also present "Microsoft.Authorization/*/Delete" and "Microsoft.Authorization/*/Write" as the specific entries — either approach achieves the same result.


03

Permission String Patterns — Least Privilege for Common Requirements

Azure RBAC permission strings follow the pattern Provider/ResourceType/Operation. The wildcard /* grants all operations on a resource type. Choosing the narrowest permission string that satisfies the stated requirement is how the principle of least privilege is applied in custom role definitions.

Common Permission Requirements
RequirementCorrect PermissionWhy Not the Others
All actions on a virtual network"Microsoft.Network/virtualNetworks/*"/write alone omits read and delete; /delete alone is too narrow
View the configuration data of a storage account"Microsoft.Storage/storageAccounts/read"/* allows write/delete (too broad); the blob path reads blob data, not account configuration
Read/write blob data (data plane)"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*" in dataActionsAccount-level read is a management action, not a data action
⚠ /* vs /read — The Least Privilege Trap

When a requirement uses the word "view" or "read configuration," the answer is always the specific /read permission — never the wildcard /*. The wildcard includes create, update, and delete operations. Similarly, a blob data read permission (blobServices/containers/blobs/read) does not grant access to the storage account's configuration properties — those are management-plane operations at a different level of the hierarchy.


04

Reading RBAC Role Assignment JSON — Scope Paths and Effective Access

The AZ-104 exam frequently presents a table or JSON snippet of raw RBAC role assignments and asks questions about who can perform specific operations on specific resources. The key skill is reading the scope path correctly and understanding that inheritance only flows downward.

Scope Path — What Each Level Covers
Scope PathAccess Covers
/subscriptions/{subId}Entire subscription — all RGs and all resources within (inherits down)
/subscriptions/{subId}/resourceGroups/{rgName}That specific RG and all resources within it
/subscriptions/{subId}/resourceGroups/{rg}/providers/Microsoft.Compute/virtualMachines/{vmName}That one VM only — does not grant access to the parent RG
Worked Example

Role assignments: User1 = Owner at subscription scope, User2 = Owner at RG2 scope, User3 = Owner at VM1 (in RG1) scope, User4 = Contributor at RG1 scope.

Who has Owner on VM1? User1 (subscription Owner inherits to VM1) and User3 (directly on VM1). User2's Owner is on RG2, not RG1, so no access to VM1. User4 is Contributor (not Owner).

Who can create a VM in RG1? User1 (sub-scope Contributor includes RG1) and User4 (RG1 Contributor can create resources in RG1). User3's scope stops at VM1 — cannot create new VMs in RG1.

⚠ Resource-Scoped Owner Cannot Create New Resources in the Parent RG

A user with Owner on a specific VM can fully manage and assign roles on that VM, but cannot create new VMs in the same resource group — their authorisation scope ends at the resource boundary. Creating any new resource requires Contributor or Owner at the resource group level or higher.


05

Virtual Machine RBAC — Managing vs Signing In

VM management (creating, resizing, configuring) and VM sign-in (RDP/SSH) are handled by separate roles. This distinction trips up many people who assume that managing a VM implies the ability to log into it. They are entirely independent capabilities.

VM Role Capabilities
RoleManage VM (resize, configure)Sign In (RDP/SSH)
Virtual Machine ContributorYesNo
Virtual Machine User LoginNoYes (standard user)
Virtual Machine Administrator LoginNoYes (with admin/root)
Owner / ContributorYesNo — alone
⚠ To Both Manage AND Sign In — Two Roles Are Needed

If a user must both manage VMs (resize, add disks) and sign in via RDP/SSH, they need two role assignments: Virtual Machine Contributor (or Contributor) for management, plus Virtual Machine User Login or Virtual Machine Administrator Login for sign-in. Neither role alone provides both capabilities.


06

Virtual Network & NSG Role Permissions

Network resources — VNets, NSGs, load balancers, and private DNS zones — each have specific role requirements. The least-privilege principle means using the narrowest role scoped to exactly the resources that need to be managed.

Network Role Reference
  • Adding or modifying subnets in a VNet — requires Owner, Contributor, or Network Contributor scoped at or above the VNet.
  • Assigning a role to a VNet — requires Owner or User Access Administrator scoped at or above the VNet.
  • Adding a backend pool or health probe to a load balancer — Network Contributor scoped to that specific load balancer is the least-privilege answer. Scoping to the resource (not the RG) is more restrictive and more appropriate.
  • Security Admin — manages NSG security rules and Microsoft Defender policies, but cannot modify VNet topology (subnets, address spaces).
  • Private DNS Zone Contributor — manages Private DNS zones only. Combine with Network Contributor when both VNet and DNS zone management are required.
NSG Role Scope — Resource vs RG

Contributor (or Network Contributor) scoped to a specific NSG grants full management of that NSG's rules. However, it does not allow creating new resources in the parent resource group or modifying the DNS settings of a network interface in that RG. To create new storage accounts or resources in the RG, Contributor must be scoped to the resource group, not an individual resource.


07

Logic App Roles — Operator vs Contributor for Creating Logic Apps

Azure has two built-in RBAC roles specifically for Logic Apps. They differ fundamentally in what they permit, and the critical distinction is whether a user needs to create new logic apps or just operate existing ones.

Logic App Role Comparison
RoleCreate Logic AppsRead, Run, Enable/DisableModify Triggers/Actions
Logic App ContributorYesYesYes
Logic App OperatorNoYesNo
Creating Logic Apps Requires Logic App Contributor

To grant a group the ability to create Azure Logic Apps in a resource group, assign the Logic App Contributor role scoped to that resource group. The role must be scoped at least to the RG where logic apps will be created. Logic App Contributor on the subscription also works (broader than needed). Assigning Logic App Contributor to the subscription instead of the specific RG satisfies the requirement but is not least-privilege.

What Does Not Work for Creating Logic Apps
  • Logic App Operator — only manages (runs, enables/disables, reads) existing logic apps. Cannot create new ones.
  • DevTest Labs User — scoped to DevTest Labs environments. Has no effect on Logic Apps.
  • Contributor on the subscription — technically works but is far broader than necessary (violates least privilege).

08

ABAC Conditions for Blob Access Control

Attribute-Based Access Control (ABAC) adds a condition layer on top of an RBAC role assignment. While RBAC controls whether a user can perform an action, an ABAC condition restricts which specific resources that action applies to. For Azure Storage, ABAC conditions can filter blob access by blob index tags, container names, or other resource attributes.

How ABAC Conditions Work

An ABAC condition is attached to a role assignment and uses the pattern: !(ActionMatches{'action'}) OR @Resource[attribute] = 'value'. The condition only restricts the named action — all other actions permitted by the role pass through without the condition being evaluated. For example, a condition that restricts blob reads to those with tag Environment = Production does not affect write or delete operations.

Blob Index Tags — Role Assignment Condition Is the Correct Mechanism

To restrict users to viewing only blobs with specific blob index tags, use a role assignment condition (ABAC) on a blob data role such as Storage Blob Data Reader or Storage Blob Data Contributor. A condition like @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Environment<$key>] = 'Production' filters access at evaluation time. Stored access policies and SAS tokens cannot filter by blob index tags — conditions are the only mechanism for tag-based access filtering.

ABAC Storage Support — Blobs and Queues Only

ABAC conditions for Azure Storage are supported only on Blob containers and Queues. They are not supported on File shares or Tables. Eligible roles for conditions include Storage Blob Data Contributor, Storage Blob Data Owner, and Storage Blob Data Reader.


09

Managed Identity vs SAS — Permanent Access vs Time-Limited Access

When Azure-hosted applications need to access storage accounts, two approaches are common: managed identity with an RBAC role assignment (no secrets, permanent), and Shared Access Signatures (time-limited, secret-based). Choosing between them depends on whether the access needs to be permanent or bounded to a specific time window.

Choosing the Right Mechanism
RequirementUseWhy
Permanent access, minimise secretsAccess Control (IAM) + managed identityManaged identity authenticates without any stored secret; RBAC role grants the permission permanently
Time-limited access (e.g., next 30 days only)Shared Access Signature (SAS)SAS tokens have a built-in expiry date; access automatically revokes after the expiry
⚠ "Minimise Secrets" Points to Managed Identity + IAM

When a requirement says "minimise the number of secrets used" alongside permanent access for an app that has a managed identity, the answer is to configure Access Control (IAM) on the storage account and assign the appropriate role to the app's managed identity. No secret is created or stored — the managed identity token is issued by Entra ID automatically. Using Access Keys or a SAS token both involve managing a secret value.


10

Microsoft Entra — Adding a Custom Domain to a Tenant

By default, a Microsoft Entra tenant uses the .onmicrosoft.com domain for all user principal names (UPNs). To allow users to sign in with addresses matching the organisation's public domain (e.g., @contoso.com), the custom domain must be added to the tenant and its ownership verified. This is a three-step process that must happen in the correct order.

Correct Three-Step Sequence
  1. Add the custom domain name in Microsoft Entra ID — go to Entra ID → Custom domain names → Add custom domain. This registers the domain name within the tenant and generates a verification token.
  2. Add a TXT or MX record to the public DNS zone of the domain — at the third-party registrar where contoso.com is registered. This record contains the verification token Entra provided in step 1 and proves you control the domain.
  3. Verify the domain in Microsoft Entra ID — Azure queries the public DNS for the verification record. After confirmation, users can be created with the @contoso.com UPN suffix.
Common Distractors — What Is Not Needed
  • Creating an Azure DNS zone — not required. The verification record is added at the third-party registrar, not in an Azure DNS zone. Azure DNS is only needed if you want to host the domain's DNS records in Azure, which is a separate choice.
  • Adding a new Microsoft Entra tenant — a new tenant is not created; you are adding a domain to the existing one.
  • Configuring company branding — unrelated to domain ownership verification.

11

Hybrid Identity — Which Attributes Can Be Modified in Entra ID

In a hybrid Entra deployment using Microsoft Entra Connect, users are synchronised from on-premises Active Directory to Entra ID. For synced users, on-premises AD is the authoritative source for most attributes — changes made directly in Entra ID will be overwritten on the next sync cycle. Understanding which attributes can always be edited in Entra ID versus which must be changed on-premises prevents wasted effort.

Editable Attributes by User Type
User TypeStandard Attributes (JobTitle, Dept, etc.)UsageLocation
Cloud-only (no sync)Yes — modify in Entra IDYes
Synced from on-premisesNo — modify in on-prem AD (changes in Entra are overwritten)Yes — exception
Guest user (B2B)Yes — typically cloud-managedYes
⚠ UsageLocation Is the Important Exception

UsageLocation is a cloud-side attribute that is not synchronised from on-premises AD — not even for fully synced users. It must always be set in Entra ID. This means UsageLocation can be modified in Entra ID for every user type, including synced users. This attribute matters for license assignment because Microsoft 365 licenses can only be assigned to users who have a UsageLocation set.


12

Group-Based Licensing — Types, Nesting & Removal

Microsoft Entra group-based licensing allows a license to be assigned to a group so that all members automatically receive it. Understanding which group types support license assignment, how nested group membership interacts with license inheritance, and what constraints exist when removing licenses is important for both identity management questions and exam scenarios.

Which Group Types Support License Assignment
Group TypeLicense Assignment Supported?
Security group (enabled, not mail-enabled)Yes
Microsoft 365 group (with securityEnabled = TRUE)Yes
Mail-enabled security groupNo
Distribution groupNo
⚠ Nested Group Members Do NOT Inherit Licenses

Group-based licensing does not propagate through nested groups. If Group1 (Security) has a P2 license assigned, and Group2 (Security) is a member of Group1, the members of Group2 do not automatically receive the P2 license. Only direct members of Group1 receive the license. To license Group2's members, the license must be assigned directly to Group2.

Removing a Group-Based License from a User

To remove a group-based license from a specific user, you must remove that user from the licensed group. You cannot revoke a group-based license from an individual user directly — the license is managed at the group level. An administrator can also remove a directly-assigned license from a user account, but group-based ones require group membership changes.

Assigning an Additional License Directly to a Group-Licensed User

A user who already receives a license through group membership can additionally be assigned other licenses directly. This does not remove or conflict with the group-based license — both apply. If a user receives P2 through Group1, and is also directly assigned a Fabric license, both licenses are active simultaneously.


13

User & Group Deletion Constraints

Not all Entra users and groups can be deleted freely. Certain conditions — particularly directly assigned licenses on groups — block deletion. Understanding what prevents deletion and what does not helps troubleshoot identity management operations.

Users — Can Always Be Deleted

Individual user accounts can be deleted regardless of their license status. A user who receives a license through group membership, or who has a directly assigned license, can still be deleted. Deleting the user removes them from all group memberships and revokes all licenses automatically.

Groups with Directly Assigned Licenses — Cannot Be Deleted

A group that has a license directly assigned to it cannot be deleted without first removing that license from the group. If Group2 and Group4 each have P2 directly assigned, neither can be deleted until those license assignments are removed. Groups that are only members of other licensed groups can be deleted freely — the membership constraint does not block deletion.

Worked Example

Tenant has: Group1 (P2 assigned directly), Group2 (no direct license — member of Group1), Group3 (P2 assigned directly), Group4 (no direct license).

Groups that can be deleted: Group2 and Group4 (no directly assigned licenses). Groups blocked from deletion: Group1 and Group3 (must remove license first).


14

Dynamic Group Membership — Rules, Operators & Evaluating User Membership

Dynamic group membership rules automatically add or remove users (or devices) from a group based on their attribute values in Entra ID. Rules are evaluated continuously — when a user's attributes change, group membership is updated automatically. This is the correct solution for auto-populating groups from bulk-imported users based on department or other attributes, as it requires no ongoing manual management.

Common Attributes and Operators
AttributeExample ValueCommon Operators
user.department"Marketing", "Engineering"-eq, -ne, -startsWith, -in
user.country"France", "US"-eq, -ne
user.usageLocation"FR", "US" (2-letter code)-eq
user.jobTitle"Manager"-eq, -contains
user.mail"@contoso.com"-match, -contains
Marketing Department in France — Complete Rule

To match users who are in the Marketing department AND located in France:

(user.department -eq "marketing") -and (user.country -eq "France")

Dropdown1 = user.department, Dropdown2 = -and (logical AND — both conditions must be true), Dropdown3 = -eq (equals). The -or operator would include users who are in Marketing OR in France — too broad. The word and without the hyphen is not a valid rule operator; typeof is JavaScript syntax with no role in Entra dynamic rules.

⚠ user.department vs user.country vs user.usageLocation

These three attributes are often confused. user.country is the country field from the user's profile (full name like "France"). user.usageLocation is the usage location for license assignment (two-letter ISO code like "FR"). They are different attributes with different formats and different purposes. Device attributes start with device. — always use user.* attributes for user-based dynamic group rules.

Dynamic Groups for Bulk User Import

When bulk-importing users from a CSV file, the most efficient way to automatically assign them to groups based on their department is to create groups with Dynamic User membership type and rules based on user.department. As soon as the users are imported and their department attribute is populated, they are automatically added to the matching dynamic group. No manual group assignment or PowerShell script is needed afterwards.


15

Group Naming Policy

A group naming policy in Microsoft Entra ID enforces a consistent naming format for new Microsoft 365 groups. Prefixes and suffixes can be either fixed literal strings or dynamically derived from user attributes. The distinction between String and Attribute types determines whether the value is fixed or personalised.

String vs Attribute Type for Prefix/Suffix
  • String — applies a fixed literal value to every group name. For example, a prefix String of "Contoso-" makes every group name start with "Contoso-".
  • Attribute — dynamically inserts a value from the group creator's user profile. For example, a prefix Attribute of "Department" inserts the creator's department value (e.g., "Sales", "Engineering") at the start of the group name.
Creating a Department-Prefixed Naming Policy — Sequence
  1. Create a group naming policy (initialise the policy object).
  2. Set the prefix type to Attribute and select Department as the attribute.
  3. Set "Add prefix" configuration to use the Department attribute.

This results in group names formatted as <Department><Group name> — the department of the group creator is automatically prepended. The suffix type (String vs Attribute) is configured separately if a suffix is also needed.


16

External Collaboration Settings vs Cross-Tenant Access Settings

Microsoft Entra provides two distinct settings areas for controlling how external users and organisations interact with your tenant. They serve different purposes and are configured in different parts of the Entra admin centre.

External Collaboration Settings → Collaboration Restrictions

This setting controls which external domains can receive invitations from your tenant. To restrict so that only users from a specific partner domain (e.g., fabrikam.com) can be invited, configure the Collaboration restrictions setting under External Collaboration Settings. Options include allowing all domains, denying specific domains (blocklist), or allowing only specific domains (allowlist). This is the correct setting when the requirement is "only allow invitations to be sent to fabrikam.com users."

Cross-Tenant Access Settings — Different Purpose

Cross-Tenant Access Settings configure trust and access controls between two specific Azure AD tenants — for example, whether MFA claims from a partner tenant are trusted, or whether B2B direct connect (shared channels in Teams) is enabled. This is not for controlling which domains can be invited; it is for managing the trust relationship after a guest relationship exists.


17

Entitlement Management — Access Package Lifecycle & External Users

Microsoft Entra Entitlement Management governs access to groups, applications, and SharePoint sites through access packages. The external user lifecycle settings control what happens to guest accounts when access expires. It is particularly useful for managing time-limited access for external partners. Understanding the two-phase lifecycle — resource removal versus account removal — is critical for interpreting entitlement management scenarios.

Key Concepts
  • Connected organisation — an external tenant explicitly configured for access requests. Users from connected organisations can request access packages if the policy allows.
  • Non-connected organisation — not explicitly configured. Whether their users can request access depends on whether the access package policy allows requests from "All users" (including unconnected external users).
  • Access expiration — when an access package assignment expires, the user is removed from all resources in that package (groups, app assignments, SharePoint sites).
Two-Phase External User Removal
  1. Day 365 (access expires) — the user is removed from Group1 and all other resources in the access package. The guest account still exists in the tenant.
  2. Day 395 (365 + 30-day grace period) — if the external user lifecycle settings specify "remove the user after N days with no active access packages," the guest account itself is deleted from the tenant.
⚠ Removal from Resources ≠ Removal from Tenant

These are two separate events with separate timelines. After 365 days the user is removed from Group1 (resource removal). Only after an additional 30-day grace period (day 395) is the user account removed from the tenant. The exam tests this distinction directly — "removed from Group1 after 365 days" = Yes, "removed from the tenant after 365 days" = No.


18

Custom Security Attributes

Microsoft Entra Custom Security Attributes allow organisations to add custom metadata properties to identity objects — users, security groups, and service principals. They are used for fine-grained access filtering and are managed by administrators with specific Entra roles.

Two Roles — Definition vs Assignment
  • Attribute Definition Administrator — creates and manages attribute sets and individual attribute definitions. Cannot assign attribute values to objects.
  • Attribute Assignment Administrator — assigns attribute values to Entra identity objects. Cannot create new attribute definitions.

Both roles are needed together to set up and use custom security attributes: one creates the definition, the other assigns values. To configure both tasks (create Property1 AND ensure Admin1 can assign it to users), configure Custom security attributes (to create the definition) and Roles and administrators (to grant the Attribute Assignment Administrator role to Admin1) in the Entra ID blade.

Supported Identity Types for Attribute Assignment

Custom Security Attributes can be assigned to users, security groups, and service principals. All three are supported. A service principal represents an application's identity in Entra — it is a valid target for attribute assignment. Custom Security Attributes cannot be assigned to Azure resources (VMs, storage accounts, etc.) — only to Entra identity objects.


19

Entra Default User Role Permissions

The Microsoft Entra admin centre contains a "Default user role permissions" section under User Settings. These settings control what standard (non-admin) users can do across the tenant by default — without any elevated role. Restricting specific defaults is how organisations tighten their security posture without individually managing every user.

Key Default Permission Settings
SettingControlsRestrict By Setting To
Users can register applicationsWhether users can create app registrations (which creates service principals)No — prevents standard users from creating service principals/app registrations
Restrict non-admin users from creating tenantsWhether users can create new Entra tenantsYes
Restrict access to Microsoft Entra admin centerWhether users can access the Entra admin portal GUIYes — forces users to use PowerShell or Microsoft Graph instead
Users can create security groupsWhether users can create security groupsNo
Two Settings for "No Service Principals + PowerShell/Graph Only"
  • "Users can register applications" → No — prevents standard users from creating app registrations (which create service principals).
  • "Restrict access to Microsoft Entra admin center" → Yes — blocks portal access, forcing users to use PowerShell cmdlets or the Microsoft Graph API for any Entra management tasks.
⚠ Restricting Entra Admin Center ≠ Restricting Azure Portal

Restricting the Microsoft Entra admin center prevents access to entra.microsoft.com for managing Entra objects. It does NOT prevent users from accessing portal.azure.com to manage Azure resources like VMs and storage accounts. These are different portals with different access controls.


20

Assigning Entra Admin Roles — The Directory Role Blade

Microsoft Entra administrative roles (such as User Administrator, Global Administrator, and Authentication Policy Administrator) are different from Azure RBAC roles. They are assigned through the Entra ID portal, not through Azure's Access Control (IAM) blade. The specific location for assigning an Entra admin role to a user is the user account's Directory role blade.

Where to Assign an Entra Administrative Role

To assign an Entra admin role (e.g., User Administrator) to a user: open the user's profile in the Microsoft Entra admin centre → navigate to the Directory role blade → click "Add assignments" and select the desired role. The Licenses blade assigns product licenses. The Groups blade manages group memberships. The Directory role blade is the only location for Entra admin role assignment from the user account properties.


21

SSPR — Configuration Blades and What Each Controls

Self-Service Password Reset (SSPR) is configured in the Microsoft Entra admin centre under Password reset. The configuration is divided across several blades, each controlling a distinct aspect of the SSPR experience. Understanding which blade to use for a given requirement is tested directly.

SSPR Settings Blades
BladeWhat It Configures
PropertiesEnable SSPR for None / Selected (specific groups) / All users. This is where you turn SSPR on for the organisation.
Authentication methodsWhich methods are available (mobile app, email, phone, security questions); how many methods are required to reset; number of security questions required to register and to reset.
RegistrationWhether users must register when they next sign in; how often they must re-confirm their registration.
NotificationsWhether users and admins receive email notification when a password is reset.
On-premises integrationPassword writeback to on-premises AD DS (requires Entra Connect to be configured).
Enable for All Users + Require 4 Security Questions = Properties + Authentication methods

To enable SSPR for all users: navigate to Properties → set to All. To require users to answer 4 security questions during registration: navigate to Authentication methods → enable security questions and set the required question count. These are two separate blades — both must be configured.


22

SSPR — Eligible Group Types & Who Can Configure SSPR

Two commonly confused SSPR constraints involve which group types can be used to scope SSPR deployment, and which administrative roles have the authority to configure SSPR settings for the organisation.

SSPR Scope — Security Groups Only

When SSPR is enabled for "Selected" users (rather than All), it can only be scoped to Security groups. Microsoft 365 groups and Mail-enabled security groups cannot be used to scope SSPR. This is consistent with the general pattern that SSPR group targeting requires Security groups specifically.

Admin Roles That Can Configure SSPR Settings
  • Global Administrator — full SSPR configuration authority.
  • Authentication Policy Administrator — can configure authentication policies including all SSPR settings. This is the dedicated role for this purpose.
  • Authentication Administrator — can manage authentication methods for non-admin users; limited SSPR scope.
  • Security Administrator — manages security policies, Defender settings, and security posture. Does not have authority to configure SSPR settings.
⚠ Security Administrator ≠ SSPR Configurator

Security Administrator is a frequently presented distractor for SSPR configuration questions. Despite its name, Security Administrator does not include the ability to configure SSPR. Authentication Policy Administrator is the correct least-privilege role for SSPR configuration tasks.


23

SSPR — Security Questions & Privileged Admin Exclusions

SSPR security question configuration has a specific constraint that affects privileged administrators. For security reasons, Microsoft excludes certain privileged roles from being able to use security questions as their SSPR method — they must use stronger authentication methods instead.

Security Questions — Configuration Details
  • Security questions are an optional SSPR method that must be explicitly enabled in the Authentication methods blade.
  • Administrators configure how many questions users must register (e.g., 3) and how many they must correctly answer to reset (e.g., 3). These two numbers can differ — a user might register 5 questions but only need to answer 3 to reset.
  • A user who has successfully answered the required number of security questions AND any other required methods can reset their password immediately.
Privileged Admins Cannot Use Security Questions for SSPR

Users assigned privileged administrative roles — including Global Administrator, Security Administrator, Billing Administrator, Privileged Authentication Administrator, and others — are excluded from using security questions as an SSPR authentication method. This is a Microsoft security control that cannot be overridden. The full list of excluded roles is documented in the SSPR policy settings reference. These accounts must use stronger methods (authenticator app, phone, email to another admin address). If a user has the Security Administrator role assigned and SSPR is configured with security questions only, that user cannot use SSPR to reset their password via security questions.


24

Resource Locks vs Tags — Scope Differences

Locks and tags are both Azure governance tools, but they apply to different levels of the resource hierarchy. The difference between them is subtle but tested directly — tags support one additional scope level (Management Groups) compared to locks.

Scope Comparison
Scope LevelLocks Supported?Tags Supported?
Tenant Root GroupNoNo
Management GroupNoYes
SubscriptionYesYes
Resource GroupYesYes
Individual Resource (VM, storage, etc.)YesYes
⚠ Locks Stop at Subscription Level — Management Groups Are Excluded

Locks can only be applied at Subscription, Resource Group, and individual Resource scope. Management Groups and the Tenant Root Group cannot have locks applied to them. Tags go one level higher — they include Management Groups but still exclude the Tenant Root Group. When presented with a hierarchy question listing TRG → MG1 → Sub1 → RG1 → VM1, locks apply to Sub1, RG1, and VM1; tags apply to MG1, Sub1, RG1, and VM1.


25

Azure Private DNS — Auto-Registration & VNet Link Behaviour

Azure Private DNS zones can automatically create and maintain DNS A records for virtual machines in linked virtual networks. This feature is called auto-registration and is configured on the virtual network link between the private DNS zone and the VNet — not on the VMs themselves. Understanding exactly what determines whether a VM is auto-registered prevents a common misread involving Windows DNS suffix settings.

Auto-Registration Is Controlled by the VNet Link Setting
  • Auto-registration is enabled or disabled on the virtual network link in the private DNS zone — specifically the "Enable auto registration" toggle on that link.
  • When enabled, Azure creates an A record in the private zone whenever a VM in the linked VNet starts up, and removes it when the VM is deallocated.
  • All VMs in the linked VNet are auto-registered — there is no per-VM opt-in or opt-out.
  • Auto-registration only works with private DNS zones. Public DNS zones do not support it.
The Windows DNS Suffix Setting Does NOT Control Auto-Registration

The DNS suffix configured inside a Windows Server VM (e.g., the "Primary DNS suffix" set to Contoso.com in the OS network settings) is a Windows networking configuration that affects what domain name the VM appends when resolving short hostnames. It has absolutely no bearing on whether Azure registers the VM's IP address in an Azure Private DNS zone. A VM with Windows DNS suffix "Contoso.com" is not automatically registered in an Azure private DNS zone named contoso.com — only the VNet link's auto-registration toggle determines that.

⚠ Public DNS Zones Cannot Auto-Register VMs

When a question presents a public Azure DNS zone (e.g., adatum.com as a public zone) and asks whether a VM's record is automatically added when the VM starts, the answer is always No. Auto-registration is exclusively a feature of private DNS zones with VNet links. Public DNS zones require records to be added manually or via automation.


26

Co-Administrator — Subscription Scope Only

The co-administrator role is a legacy concept from the Azure classic deployment model. It grants permissions equivalent to Owner at the subscription level, but with a hard limitation: it can only be assigned at subscription scope. It cannot be assigned to management groups, resource groups, or individual resources.

Co-Administrator Scope Is Strictly Subscription-Level

Co-administrator can only be added to an Azure subscription. When presented with a list of possible targets — Management Group, Subscription, Resource Group, VM — the only valid answer is the subscription. Attempting to add a co-administrator to a resource group, VM, or management group is not possible.

Co-Admin vs Modern RBAC Owner
Co-AdministratorOwner (RBAC)
Available scopeSubscription onlyAny scope (MG, Sub, RG, Resource)
Deployment modelClassic (legacy)Azure Resource Manager (current)
Recommended?No — legacyYes

27

App Service Deployment Credentials

Azure App Service supports three distinct deployment credential mechanisms. They differ in how the user authenticates and what identity is used during the deployment. The principle of least privilege determines which mechanism to select.

Three Deployment Credential Options
  • User-level FTPS credentials — a username and password set by the developer in the Azure portal. These are specific to the user but use a custom deployment password, not the user's Microsoft Entra credentials. Valid for FTP/FTPS deployments but not for Entra-authenticated deploys.
  • App-level FTPS credentials — auto-generated per web app. These are shared by anyone who deploys to that app and also do not use Entra credentials.
  • Microsoft Entra credentials (Web Deploy) — uses the developer's actual Entra identity for deployment via Web Deploy. The least-privilege RBAC role that enables this is Website Contributor. This is the correct answer when the requirement specifies using Entra credentials with least privilege.
⚠ Owner Role Is Not Least Privilege

Assigning the Owner role to enable Web Deploy would work technically, but it violates the principle of least privilege — Owner grants full control over all Azure resources, not just deployment rights. Website Contributor is the narrowest role that grants the specific ability to deploy content to a web app using Microsoft Entra credentials.


28

Azure Key Vault — Application Access via Managed Identity

When an Azure-hosted application (App Service, VM, Function App, Container Instance) needs to retrieve secrets, keys, or certificates from Azure Key Vault, the recommended pattern is to use a managed identity rather than storing any credentials in the application's configuration. The managed identity authenticates to Key Vault using Entra ID tokens, eliminating the need to create, store, or rotate any secrets.

How to Grant an Application Access to Key Vault
  1. Enable a system-assigned managed identity on the Azure resource (App Service, VM, etc.).
  2. Assign the managed identity a Key Vault role — Key Vault Secrets User for read-only secret access, or Key Vault Secrets Officer for read/write.
  3. The application uses DefaultAzureCredential or ManagedIdentityCredential in the SDK to authenticate automatically.

No credentials are stored anywhere — the managed identity token is issued by Entra ID at runtime.

⚠ Use a Managed Identity, Not a Service Principal or User Account

Creating a service principal or a user account to grant vault access requires managing a secret (client secret or password), which defeats the purpose of Key Vault. A private endpoint controls network access but does not provide the identity the application uses to authenticate. A managed identity is the correct answer for granting an Azure-hosted app access to Key Vault secrets.


29

Azure Key Vault — Network Access Scope

Key Vault access is not restricted by Azure region or resource group membership by default. Network-level access controls are configured separately through the vault's Networking blade and are independent of the identity-based access controls configured through RBAC or vault access policies.

Key Vault Network Access — Region Is Irrelevant for Permissions

Any application with the appropriate role assignment can access a Key Vault regardless of which Azure region it is in. An App Service in West Europe can access a Key Vault in East US — region proximity does not affect access permissions. Network restrictions (firewall rules, VNet service endpoints, private endpoints) must be explicitly configured if you want to limit access by network location.

Network Access Configuration Options
  • Allow all networks — the default; any internet IP can reach the vault (subject to RBAC/access policies).
  • Selected networks — allow access from specific VNets (via service endpoints) or specific IP address ranges.
  • Private endpoint only — all public access is blocked; vault is accessible only through the private endpoint from within the VNet.
📋 Want to know exactly how this domain is tested on the exam? See the Domain 01 Exam Guide — it maps every sub-topic to the type of question you'll face. You can also check the full AZ-104 Exam Syllabus for domain weightings.

Discussions (0)

Share how you reason through topics on this page. You can also share your feedback on this guide.

0 / 200 words
No comments yet — be the first to start the thread.