Entra ID & Azure Built-In or Custom Roles: Which Should You Use and When?

Managing access across Microsoft Entra ID and Azure is often confusing, especially when you discover that Entra ID roles cannot always provide the fine-grained permissions you expect, particularly around protected actions. Azure RBAC, by contrast, offers far more granular control and customizability.

This blog breaks down the differences, when to use each role type, and why some permissions simply cannot be granted through Entra ID custom roles.


Understanding the Two Permission Models

Microsoft uses two separate authorization models:

1. Entra ID role-based access control (Entra ID roles)

  • Used for directory-level operations.
  • Controls access to:
    • Users and groups
    • Enterprise apps & app registrations
    • Conditional Access
    • Security configurations
    • Policies and identity governance

2. Azure RBAC (built-in or custom roles)

  • Used for Azure resource-level operations.
  • Controls access to:
    • VMs, Storage, Networking
    • Key Vault
    • App Services
    • Azure Kubernetes Service (AKS)
    • Subscription / resource group management

Key difference:
Entra ID roles = identity & directory management.
Azure RBAC roles = cloud resource management.


Why Entra ID Custom Roles Have Limitations

While Azure RBAC allows fully customizable permissions, Entra ID does not. This is because:

✔ Some directory actions are protected

Microsoft classifies certain identity-related actions as sensitive, such as:

  • Managing Conditional Access policies
  • Granting privileged roles
  • Resetting passwords for high-privilege accounts
  • Managing authentication methods
  • Updating federation settings
  • Privileged Identity Management (PIM) operations

These can only be performed by built-in Entra ID roles, not custom roles.

✔ Entra ID custom roles cannot include permissions for:

  • Highly sensitive (protected) operations
  • Actions tied to Microsoft internal security boundaries
  • Privileged role assignments
  • Full policy management

This is by design, to prevent accidental over-permissioning and to maintain Zero Trust principles in the identity layer.


Why Azure Custom Roles Do Not Have the Same Limitations

Azure RBAC is resource-scoped.
Permissions apply only within a subscription, resource group, or resource, not the identity plane.

Because Azure RBAC doesn’t control global identity configuration, Microsoft allows:

  • Hundreds of fine-grained actions
  • Full creation of custom roles
  • Ability to mix and match any resource-related permissions

In short:
Identity is a protected perimeter. Azure resources are not.
So Azure custom roles are much more flexible.


When to Use Entra ID Built-In Roles

Use Entra ID built-in roles when you need to manage:

  • Conditional Access
  • PIM (Privileged Identity Management)
  • Authentication methods
  • User or group lifecycle management
  • App registration / Enterprise App deep controls
  • Tenant-wide identity security policies
  • Privileged roles (Global Admin, Security Admin, etc.)

Examples

  • Security Admin → Manage MFA, Conditional Access (CA), Identity Protection
  • Application Administrator → Create/manage app registrations
  • User Administrator → Manage users and groups

If an operation is “protected,” you must use a built-in Entra ID role.


When to Use Entra ID Custom Roles

Use Entra ID custom roles when:

  • You want to delegate specific non-protected directory actions
  • You need least privilege access for identity or app-related operations
  • Built-in roles are too broad

Examples

✔ Read-only access for app registrations
✔ Limited write access for enterprise apps
✔ Ability to update specific user profile fields
✔ Delegated group management permissions

But remember: you cannot assign protected actions to custom roles.


When to Use Azure RBAC Built-In Roles

Use Azure built-in roles when:

  • You don’t need granular customization
  • You want quick, standardized privilege levels
  • You want Microsoft-approved permission sets for common resource operations

Examples

  • Reader
  • Contributor
  • Virtual Machine Contributor
  • Storage Blob Data Reader
  • Key Vault Reader

These roles are broad but predictable.


When to Use Azure Custom Roles

Use Azure custom roles when:

  • You need precise permission control on resources
  • Built-in roles provide too much access
  • You want separation of duties for DevOps, IT, developers, or automation

Examples

✔ A role that can start/stop VMs but not delete them
✔ A role that can read Key Vault secrets but not list keys
✔ A role that can manage tagging across all resources
✔ A role limited to specific resource providers

Azure custom roles offer the highest customization across the Microsoft cloud.
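As an added example that is not part of the original post, here is the "start/stop VMs but not delete them" role from the list above, built in the JSON shape that `az role definition create --role-definition <file>` accepts, together with a small check that applies Azure's Actions-minus-NotActions evaluation rule so you can confirm a definition never grants delete (the subscription ID is a constructed placeholder; the role name and function names are my own).

```python
# Added example: build the "VM operator, no delete" Azure custom role and
# verify what it permits. Azure evaluates control-plane operations as:
# allowed if the operation matches an entry in Actions AND does not match
# any entry in NotActions. A '*' in an action string matches any characters,
# including '/', so 'Microsoft.Compute/virtualMachines/*' includes delete.
import fnmatch
import json

# Constructed placeholder; replace with a real subscription ID before use.
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"

# Control-plane operations the operator needs. None of them is 'delete'.
VM_OPERATOR_ACTIONS = [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/powerOff/action",
    "Microsoft.Compute/virtualMachines/deallocate/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
]


def build_vm_operator_role(subscription_id: str) -> dict:
    """Role definition document for 'az role definition create'."""
    return {
        "Name": "VM Operator (no delete)",
        "IsCustom": True,
        "Description": "Start, stop, restart and read VMs; cannot delete them.",
        "Actions": list(VM_OPERATOR_ACTIONS),
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": [f"/subscriptions/{subscription_id}"],
    }


def role_permits(role: dict, operation: str) -> bool:
    """Apply the Actions-minus-NotActions rule to one control-plane operation."""
    allowed = any(fnmatch.fnmatchcase(operation, p) for p in role["Actions"])
    denied = any(fnmatch.fnmatchcase(operation, p) for p in role["NotActions"])
    return allowed and not denied


def forbidden_grants(role: dict, forbidden: list[str]) -> list[str]:
    """Lint: return the forbidden operations this role would still allow.
    Catches wildcards that silently include delete unless excluded in NotActions."""
    return [op for op in forbidden if role_permits(role, op)]


if __name__ == "__main__":
    role = build_vm_operator_role(SUBSCRIPTION_ID)
    print(json.dumps(role, indent=2))  # paste into a file for the az CLI
    print(forbidden_grants(role, ["Microsoft.Compute/virtualMachines/delete"]))
```

Run the same lint against any custom role you author: a wildcard such as `Microsoft.Compute/virtualMachines/*` is reported as granting delete until you add it to `NotActions`.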

#Azure #Security #EntraID #Global #Microsoft #Perimeter #RBAC #IAM