4.3 Microsoft Entra Roles and Role-Based Access Control
Key Takeaways
- Microsoft Entra roles organize administrative capabilities in Entra scenarios.
- Role-based access control grants permissions through roles rather than unmanaged individual decisions.
- Least privilege means giving identities only the access needed for their tasks.
- Roles are authorization tools, while authentication methods prove identity during sign-in.
Roles answer the question: what can this identity do?
Once an identity is authenticated, the next question is authorization. Microsoft Entra roles organize what administrators and other identities are allowed to do in Entra scenarios. Role-based access control, often shortened to RBAC, is the broader access model of granting permissions through roles. For SC-900, you do not need an exhaustive role catalog. You need to know why roles exist and how they support least privilege.
- Authentication proves the identity.
- Authorization determines permitted actions.
- Entra roles organize administrative capabilities.
- RBAC uses roles instead of uncontrolled one-off access decisions.
Least privilege lens
Least privilege means an identity should have only the access needed to perform its work. That principle is central to access management because excessive permissions increase risk. If a scenario says an administrator has too much standing access, roles and privileged access governance become relevant. If a scenario says a user cannot prove identity strongly enough, the better topic is authentication or MFA.
| Scenario clue | Likely topic |
|---|---|
| Identity proves who it is | Authentication |
| Identity can perform admin tasks | Entra roles |
| Permissions are assigned by role | RBAC |
| Standing privilege should be reduced | PIM or governance |
RBAC in plain language
Role-based access control reduces confusion by packaging permissions into roles. Instead of deciding every action from scratch for every person, the organization assigns an identity to an appropriate role. The role then represents the permissions needed for that job function or responsibility. This is an authorization idea, not a password or MFA idea. The exam may phrase it as granting only required access, separating duties, or managing administrator permissions.
- Role: a permission set or access responsibility.
- Assignment: connects an identity to a role.
- Least privilege: choose the smallest sufficient role.
- Governance: review or manage those assignments over time.
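As an added example (not from the study guide and not Microsoft's own API), the four bullets above modelled in Python: roles package permissions, assignments connect identities to roles, least privilege picks the smallest sufficient role, and a governance review flags standing permissions that are not actually used. Role names and permission strings are constructed and hypothetical, not Entra built-in roles.

```python
# Constructed, hypothetical roles: each packages a set of permissions.
# Illustrative names only, not Microsoft Entra built-in roles.
ROLES = {
    "helpdesk": frozenset({"user.read", "user.reset_password"}),
    "user_admin": frozenset({"user.read", "user.reset_password",
                             "user.create", "user.delete"}),
    "tenant_admin": frozenset({"user.read", "user.reset_password",
                               "user.create", "user.delete",
                               "role.assign", "policy.write"}),
}

# Assignments connect an identity to one or more roles (constructed data).
ASSIGNMENTS = {
    "alice": {"helpdesk"},
    "bob": {"tenant_admin"},
}


def permissions_for(identity):
    """Union of the permissions from every role assigned to the identity."""
    perms = set()
    for role in ASSIGNMENTS.get(identity, set()):
        perms |= ROLES[role]
    return perms


def is_authorized(identity, permission):
    """Authorization check only: the identity is assumed to be already authenticated."""
    return permission in permissions_for(identity)


def smallest_sufficient_role(required):
    """Least privilege: the role that covers `required` with the fewest extra permissions.

    Returns None when no single role is sufficient.
    """
    candidates = [r for r, p in ROLES.items() if required <= p]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (len(ROLES[r] - required), r))


def excess_permissions(identity, used):
    """Governance review: granted permissions never exercised, i.e. standing privilege to reduce."""
    return permissions_for(identity) - set(used)


if __name__ == "__main__":
    print("alice can delete users:", is_authorized("alice", "user.delete"))
    print("smallest role for password resets:",
          smallest_sufficient_role({"user.read", "user.reset_password"}))
    print("bob's unused standing permissions:",
          sorted(excess_permissions("bob", ["user.read", "user.reset_password"])))
```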
Common role question traps
Do not answer MFA just because the scenario involves an administrator. If the administrator already signed in and the problem is excessive capability, the issue is authorization. Do not answer access review when the question asks for the initial model of permission assignment. Access reviews are for checking whether access should continue. Use roles and RBAC when the main issue is defining or assigning what an identity is allowed to do.
- Sign-in strength: MFA.
- Permission model: roles and RBAC.
- Continued access check: access reviews.
- Temporary elevated access: PIM.
Exam anchor
Roles are a permissions topic. The identity may already be known, and the remaining question is what that identity is allowed to do. Whenever the wording emphasizes administrative capabilities, assigned permissions, or least privilege, compare the answers that mention roles, RBAC, governance, and PIM before choosing an authentication feature.
- Allowed actions: roles.
- Permission packaging: RBAC.
- Excess standing power: PIM.
- Continued need: access review.
What question do Microsoft Entra roles primarily answer?
Which principle is best supported by assigning only the role an administrator needs?
Which statement best separates roles from authentication methods?