Identity & Access Management

How to design Azure AD, RBAC, and privileged access for enterprise landing zones.

Identity Foundation

Hybrid Identity Options

Option 1: Password Hash Sync (Recommended)

Benefits:

Simplest to implement
No on-prem dependency for auth
Supports cloud-only features

Option 2: Pass-through Authentication

Benefits:

Passwords never leave on-prem
Enforces on-prem policies

Option 3: Federation (AD FS)

Best for: Complex claims requirements, third-party identity

Comparison

Feature	Password Hash	Pass-through	Federation
Cloud availability	✅ High	⚠️ Depends on agents	⚠️ Depends on ADFS
Password location	Cloud	On-prem only	On-prem only
On-prem dependency	Sync only	Auth required	Auth required
Complexity	Low	Medium	High
Smart lockout	✅	⚠️ Limited	❌
Recommendation	Default choice	Security requirement	Legacy/complex

RBAC Design

RBAC Hierarchy

Built-in Roles

Role	Description	Typical Use
Owner	Full access + RBAC management	Subscription owners
Contributor	Full access, no RBAC	Application teams
Reader	Read-only access	Auditors, support
User Access Administrator	Manage RBAC only	Delegation scenarios

Specialized Roles

Role	Scope	Use Case
Network Contributor	Network resources	Network team
Virtual Machine Contributor	VMs only	Compute team
Storage Blob Data Contributor	Blob data	Data teams
Key Vault Secrets User	Read secrets	Applications
Monitoring Reader	Monitor data	SRE teams

RBAC Strategy by Landing Zone

Custom Role Example

{
  "Name": "Landing Zone Owner",
  "IsCustom": true,
  "Description": "Full control in landing zone except networking and policy",
  "Actions": [
    "*"
  ],
  "NotActions": [
    "Microsoft.Authorization/policyAssignments/*",
    "Microsoft.Authorization/policyDefinitions/*",
    "Microsoft.Authorization/policySetDefinitions/*",
    "Microsoft.Network/virtualNetworks/peer/*",
    "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/*"
  ],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/providers/Microsoft.Management/managementGroups/alz-landingzones"
  ]
}

Bicep: Custom Role

targetScope = 'managementGroup'

resource customRole 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {
  name: guid('landing-zone-owner', managementGroup().id)
  properties: {
    roleName: 'Landing Zone Owner'
    description: 'Full control in landing zone except networking and policy'
    type: 'CustomRole'
    permissions: [
      {
        actions: ['*']
        notActions: [
          'Microsoft.Authorization/policyAssignments/*'
          'Microsoft.Authorization/policyDefinitions/*'
          'Microsoft.Network/virtualNetworks/peer/*'
        ]
      }
    ]
    assignableScopes: [
      managementGroup().id
    ]
  }
}

Privileged Identity Management (PIM)

Why PIM?

PIM Configuration

Setting	Production	Non-Production
Activation duration	4 hours	8 hours
Require justification	✅	✅
Require MFA	✅	✅
Require approval	✅ (Owner)	❌
Notification on activate	✅	✅

PIM Roles Setup

Sample: PIM Alert Policy

resource pimAlert 'Microsoft.Insights/activityLogAlerts@2020-10-01' = {
  name: 'pim-role-activated'
  location: 'global'
  properties: {
    enabled: true
    scopes: [
      subscription().id
    ]
    condition: {
      allOf: [
        {
          field: 'category'
          equals: 'Administrative'
        }
        {
          field: 'operationName'
          equals: 'Microsoft.Authorization/roleAssignments/write'
        }
      ]
    }
    actions: {
      actionGroups: [
        {
          actionGroupId: actionGroup.id
        }
      ]
    }
  }
}

Conditional Access

Zero Trust Policies

Essential Policies

Policy	Condition	Control
Require MFA for admins	Admin roles	MFA
Block legacy auth	Legacy protocols	Block
Require compliant device	Corp apps	Compliant device
Require MFA outside network	External IPs	MFA
Block high-risk sign-ins	Risk: High	Block
Require MFA for Azure management	Azure portal/CLI	MFA

Sample: Require MFA for Azure Management

{
  "displayName": "Require MFA for Azure Management",
  "state": "enabled",
  "conditions": {
    "applications": {
      "includeApplications": [
        "797f4846-ba00-4fd7-ba43-dac1f8f63013"  // Azure Management
      ]
    },
    "users": {
      "includeUsers": ["All"]
    }
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["mfa"]
  }
}

Service Principals & Managed Identities

Types

Type	Use Case	Credential Management
User-assigned Managed Identity	Shared across resources	Azure-managed
System-assigned Managed Identity	Single resource	Azure-managed
Service Principal	CI/CD pipelines	Manual rotation
Workload Identity Federation	GitHub Actions, etc.	Federated tokens

Managed Identity Architecture

Best Practices

Bicep: User-Assigned Managed Identity

resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: 'mi-${workload}-${environment}'
  location: location
}

// Assign to Key Vault
resource kvRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(keyVault.id, managedIdentity.id, 'Key Vault Secrets User')
  scope: keyVault
  properties: {
    roleDefinitionId: subscriptionResourceId(
      'Microsoft.Authorization/roleDefinitions',
      '4633458b-17de-408a-b874-0445c86b69e6' // Key Vault Secrets User
    )
    principalId: managedIdentity.properties.principalId
    principalType: 'ServicePrincipal'
  }
}

Emergency Access (Break Glass)

Break Glass Account Design

Configuration

Setting	Value
Account type	Cloud-only
MFA	Hardware FIDO2 key
Password	256-bit, stored securely
Conditional Access	Excluded
PIM	Permanent Global Admin
Monitoring	Alert on any sign-in
Access frequency	Tested quarterly

Identity Security Checklist

✅ Foundation

Entra ID Connect configured (Password Hash Sync)
Seamless SSO enabled
Password writeback enabled

✅ Security

MFA enforced for all users
Legacy authentication blocked
Conditional Access policies active
Sign-in risk policies enabled
Break glass accounts configured

✅ Privileged Access

PIM enabled for all admin roles
Just-in-time access required
Approval workflow for production
Access reviews configured

✅ Service Accounts

Managed identities used where possible
Service principal secrets rotated (90 days)
Workload identity federation for CI/CD

Quick Reference Card

Concept	Best Practice
Hybrid Identity	Password Hash Sync as default
RBAC Scope	Assign at highest applicable level
PIM	Eligible assignments, not permanent
Conditional Access	Block legacy auth, require MFA
Break Glass	2 cloud-only accounts, monitored
Service Accounts	Managed Identity > Service Principal

Next Steps

Continue to Network Topology to learn about hub-spoke, Virtual WAN, and DNS design.

Identity Foundation​

Hybrid Identity Options​

Option 1: Password Hash Sync (Recommended)​

Option 2: Pass-through Authentication​

Option 3: Federation (AD FS)​

Comparison​

RBAC Design​

RBAC Hierarchy​

Built-in Roles​

Specialized Roles​

RBAC Strategy by Landing Zone​

Custom Role Example​

Bicep: Custom Role​

Privileged Identity Management (PIM)​

Why PIM?​

PIM Configuration​

PIM Roles Setup​

Sample: PIM Alert Policy​

Conditional Access​

Zero Trust Policies​

Essential Policies​

Sample: Require MFA for Azure Management​

Service Principals & Managed Identities​

Types​

Managed Identity Architecture​

Best Practices​

Bicep: User-Assigned Managed Identity​

Emergency Access (Break Glass)​

Break Glass Account Design​

Configuration​

Identity Security Checklist​

✅ Foundation​

✅ Security​

✅ Privileged Access​

✅ Service Accounts​

Quick Reference Card​

Next Steps​