Enterprise Identity and Access Design
Design a large-scale RBAC model using management groups, custom roles, and Privileged Identity Management to enforce just-in-time access for sensitive operations.
Identity at Enterprise Scale
In enterprise Azure environments, identity and access management must scale to hundreds of subscriptions, thousands of users, and dozens of teams — all with different resource access needs. A well-designed identity model prevents both over-permissioning (users with too much access) and under-permissioning (users unable to do their jobs). The foundation is Microsoft Entra ID combined with Azure RBAC and governance tools like Privileged Identity Management (PIM).
RBAC Fundamentals Revisited
Azure Role-Based Access Control (RBAC) grants access through three components:
- Security principal — who (user, group, service principal, or managed identity)
- Role definition — what (a set of allowed actions, e.g., 'Contributor')
- Scope — where (management group, subscription, resource group, or individual resource)
Combining these three elements creates a role assignment. Roles are inherited down the hierarchy — a role assigned at a management group applies to all subscriptions below it.
# Assign the Reader role at a management group level:
az role assignment create \
--assignee 'user@company.com' \
--role 'Reader' \
--scope '/providers/Microsoft.Management/managementGroups/LandingZones'
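To make the inheritance rule and the PIM idea concrete, the following is an added Python model (example code, not Microsoft's or this course's): it evaluates an action against assignments at a scope or any ancestor, treats a PIM-eligible assignment as granting nothing until activated, and audits for standing Owner/Contributor assignments at subscription or management-group scope. The role definitions are a constructed subset of the built-ins, and the hierarchy, principals and subscription id are constructed.

```python
from collections import namedtuple
from fnmatch import fnmatchcase
# Constructed subset of built-in role definitions: (Actions, NotActions) wildcard patterns.
ROLE_DEFINITIONS = {"Reader": (["*/read"], []), "Owner": (["*"], []),
    "Contributor": (["*"], ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"])}
PRIVILEGED_ROLES = {"Owner", "Contributor"}
MG = "/providers/Microsoft.Management/managementGroups/"
# Constructed hierarchy: subscription -> LandingZones management group -> Root.
PARENT = {"/subscriptions/1111-aaaa": MG + "LandingZones", MG + "LandingZones": MG + "Root"}
# state: "active" = standing assignment; "eligible" = PIM assignment awaiting JIT activation
Assignment = namedtuple("Assignment", "principal role scope state", defaults=["active"])

def ancestors(scope):
    """Yield the scope, then each ancestor: a role assigned higher up is inherited here."""
    yield scope
    parts = scope.split("/")
    if parts[1] == "subscriptions":  # resource -> resource group -> subscription
        for end in range(len(parts) - 1, 2, -1):
            yield "/".join(parts[:end])
        scope = "/".join(parts[:3])
    while scope in PARENT:  # subscription -> management group chain
        scope = PARENT[scope]
        yield scope

def _matches(action, patterns):
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def is_allowed(principal, action, scope, assignments):
    """ARM-style check: an ACTIVE assignment at the scope or an ancestor whose role lists
    the action in Actions and not in NotActions. Deny assignments are not modelled."""
    chain = set(ancestors(scope))
    for a in assignments:
        if a.principal == principal and a.state == "active" and a.scope in chain:
            actions, not_actions = ROLE_DEFINITIONS[a.role]
            if _matches(action, actions) and not _matches(action, not_actions):
                return True
    return False

def activate(assignments, principal, role, scope):
    """PIM activation: the matching eligible assignment becomes active (time-bound in PIM)."""
    return [a._replace(state="active") if a[:3] == (principal, role, scope) else a for a in assignments]

def standing_privileged(assignments):
    """Audit: permanent Owner/Contributor at subscription or management-group scope are
    the candidates to convert to PIM-eligible so they are activated just in time."""
    return [a for a in assignments if a.role in PRIVILEGED_ROLES
            and a.state == "active" and "/resourceGroups/" not in a.scope]

ASSIGNMENTS = [  # constructed sample
    Assignment("auditor@company.com", "Reader", MG + "LandingZones"),
    Assignment("ops@company.com", "Contributor", MG + "Root"),  # standing and broad
    Assignment("ops@company.com", "Owner", "/subscriptions/1111-aaaa", "eligible")]
```

Run `standing_privileged(ASSIGNMENTS)` to see the Root-level Contributor flagged, and compare `is_allowed` for the ops principal before and after `activate(...)` of the eligible Owner role to see the just-in-time effect.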