Challenge 17: RBAC, Conditional Access & External Identities
20-30 min | Cost: Free | Domain: Azure Architecture & Services (35-40%)
Exam skills covered
- Describe external identities and guest access (B2B)
- Describe Conditional Access
- Describe Azure role-based access control (RBAC)
Overview
Once users are authenticated (proven who they are), Azure needs to control what they can do. This is where RBAC (Role-Based Access Control) comes in. Conditional Access adds context-aware policies (where, when, how the user is signing in). External identities allow collaboration with people outside your organization.
Explore
Task 1: Understand Azure RBAC
RBAC answers: "Who can do what, on which resources?"
| RBAC component | Description | Example |
|---|---|---|
| Security principal | Who | User, group, service principal |
| Role | What they can do | Reader, Contributor, Owner |
| Scope | Where it applies | Management group, subscription, RG, resource |
Built-in roles:
| Role | Permissions |
|---|---|
| Owner | Full access + can assign roles to others |
| Contributor | Full access EXCEPT assigning roles |
| Reader | View only — cannot change anything |
| User Access Administrator | Manage user access only |
Task 2: Explore RBAC in the Portal
- In Azure Portal, navigate to your Subscription
- Click Access control (IAM) in the left menu
- Click Roles tab — browse available roles
- Click Role assignments tab — see who has access
- Click Check access — see what a specific user can do
- This is read-only exploration
RBAC inheritance: a role assigned at a parent scope is inherited by every child scope. An assignment on a management group applies to all of its subscriptions, and an assignment on a subscription applies to every resource group and resource inside it. Assign roles at the narrowest scope that does the job (least privilege).
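The following is an added illustration, not Azure's own code or anything from the course page: a miniature model of how an RBAC assignment (security principal + role + scope) is evaluated, including inheritance down the scope hierarchy and the Actions/NotActions split that separates Contributor from Owner. The scope names, principals and the reduced role definitions are constructed for the example; the real built-in roles carry many more patterns.

```python
# Added illustration (not Azure's own code): a miniature model of Azure RBAC evaluation.
# A role assignment is principal + role + scope, and assignments made at a scope are
# inherited by every child scope. Scope names, principals and the reduced role
# definitions below are constructed for the example.
from dataclasses import dataclass
from fnmatch import fnmatchcase

MG = "/providers/Microsoft.Management/managementGroups/contoso-mg"
SUB = "/subscriptions/sub-1"
RG_PROD = f"{SUB}/resourceGroups/rg-prod"
RG_DEV = f"{SUB}/resourceGroups/rg-dev"
VM = f"{RG_PROD}/providers/Microsoft.Compute/virtualMachines/vm-01"

# Child scope -> parent scope (management group -> subscription -> RG -> resource).
PARENT = {SUB: MG, RG_PROD: SUB, RG_DEV: SUB, VM: RG_PROD}

# Simplified built-in roles as (Actions, NotActions) wildcard patterns. The real
# definitions are longer ('az role definition list' prints them in full).
ROLES = {
    "Owner": ({"*"}, set()),
    "Contributor": ({"*"}, {"Microsoft.Authorization/*/Write",
                            "Microsoft.Authorization/*/Delete"}),
    "Reader": ({"*/read"}, set()),
    "User Access Administrator": ({"*/read", "Microsoft.Authorization/*"}, set()),
}


@dataclass(frozen=True)
class Assignment:
    principal: str
    role: str
    scope: str


def scope_chain(scope):
    """The scope itself followed by each ancestor; an assignment at any of them applies."""
    chain = []
    while scope is not None:
        chain.append(scope)
        scope = PARENT.get(scope)
    return chain


def _matches(patterns, action):
    # Azure action wildcards are case-insensitive and '*' spans '/' segments.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def role_allows(role, action):
    """A role permits an action when it matches Actions and no NotActions pattern."""
    actions, not_actions = ROLES[role]
    return _matches(actions, action) and not _matches(not_actions, action)


def effective_roles(assignments, principal, scope):
    """What the portal's Role assignments tab shows at a scope, inherited ones included."""
    chain = scope_chain(scope)
    return sorted({a.role for a in assignments
                   if a.principal == principal and a.scope in chain})


def check_access(assignments, principal, action, scope):
    """The portal's 'Check access' in miniature: the union of all applicable assignments
    decides, so a NotAction in one role never denies what another assignment grants."""
    chain = scope_chain(scope)
    return any(role_allows(a.role, action)
               for a in assignments
               if a.principal == principal and a.scope in chain)


# Constructed assignments: one per built-in role, at different scopes.
ASSIGNMENTS = [
    Assignment("alice", "Owner", MG),
    Assignment("bob", "Contributor", SUB),
    Assignment("carol", "Reader", RG_PROD),
    Assignment("dave", "User Access Administrator", SUB),
]

if __name__ == "__main__":
    for who, action, where in [
        ("alice", "Microsoft.Authorization/roleAssignments/write", VM),
        ("bob", "Microsoft.Compute/virtualMachines/write", VM),
        ("bob", "Microsoft.Authorization/roleAssignments/write", SUB),
        ("carol", "Microsoft.Compute/virtualMachines/read", VM),
        ("carol", "Microsoft.Resources/subscriptions/resourceGroups/read", RG_DEV),
        ("dave", "Microsoft.Compute/virtualMachines/write", VM),
    ]:
        print(f"{who:6} {action:55} -> {check_access(ASSIGNMENTS, who, action, where)}")
```

Run it and compare with the built-in role table above: alice's Owner assignment on the management group reaches a single VM three levels down, bob can change the VM but not hand out roles, carol sees only rg-prod, and dave can assign roles without touching resources.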
Task 3: Understand Conditional Access
Conditional Access policies are "if-then" rules:
IF (condition) → THEN (action)
| Signal (IF) | Action (THEN) |
|---|---|
| User is in risky location | Require MFA |
| Device is not compliant | Block access |
| Accessing sensitive app | Require managed device |
| User is internal employee | Allow with MFA |
| User is guest from unknown location | Block |
Common policies:
- Require MFA for all admin accounts
- Block sign-ins from countries you don't operate in
- Require compliant devices for accessing corporate data
- Force password change if sign-in risk is detected
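As an added example (not the page's material and not Microsoft's evaluation engine), here is a small evaluator that encodes the common policies just listed, plus the "guest from unknown location" row of the signals table, as if-then rules over sign-in signals. The users, apps, country codes and risk levels are constructed; the one real rule it reproduces is that when several policies match, every grant control must be satisfied and a block overrides any grant.

```python
# Added illustration (not Microsoft's engine): Conditional Access as if-then rules.
# Each policy pairs a condition over sign-in signals (IF) with a control (THEN).
# Users, policies, apps and country codes here are constructed for the example.
from dataclasses import dataclass
from typing import Callable

ADMIN_ROLES = {"Global Administrator", "User Administrator"}
ALLOWED_COUNTRIES = {"US", "GB", "DE"}        # where the constructed company operates
SENSITIVE_APPS = {"SharePoint", "Azure portal"}


@dataclass(frozen=True)
class SignIn:
    user: str
    user_type: str              # "member" (employee) or "guest" (B2B)
    directory_roles: frozenset  # e.g. {"Global Administrator"}
    app: str
    country: str                # ISO code, or "unknown" when geolocation fails
    device_compliant: bool
    sign_in_risk: str           # "none" | "low" | "medium" | "high"


@dataclass(frozen=True)
class Policy:
    name: str
    condition: Callable[[SignIn], bool]   # IF
    control: str                          # THEN: "block" or a grant control


POLICIES = [
    Policy("Require MFA for all admin accounts",
           lambda s: bool(s.directory_roles & ADMIN_ROLES), "mfa"),
    Policy("Block sign-ins from countries we do not operate in",
           lambda s: s.country not in ALLOWED_COUNTRIES, "block"),
    Policy("Require compliant device for corporate data",
           lambda s: s.app in SENSITIVE_APPS, "compliant_device"),
    Policy("Force password change on risky sign-in",
           lambda s: s.sign_in_risk in {"medium", "high"}, "password_change"),
    Policy("Block guests from unknown locations",
           lambda s: s.user_type == "guest" and s.country == "unknown", "block"),
]


def evaluate(sign_in, policies=POLICIES):
    """Return ("block", [matching block policies]) or ("grant", [required controls]).
    All grant controls of every matching policy apply, and any block wins."""
    blocks = [p.name for p in policies if p.control == "block" and p.condition(sign_in)]
    if blocks:
        return ("block", blocks)
    controls = {p.control for p in policies if p.control != "block" and p.condition(sign_in)}
    return ("grant", sorted(controls))


def decide(sign_in):
    """Apply the controls: a device control is checked against the sign-in's device
    state (non-compliant device -> access denied); MFA and password change are
    interactive prompts the user still has to complete."""
    outcome, detail = evaluate(sign_in)
    if outcome == "block":
        return ("blocked", detail)
    if "compliant_device" in detail and not sign_in.device_compliant:
        return ("blocked", ["device not compliant"])
    return ("allowed", [c for c in detail if c != "compliant_device"])


# Constructed sign-ins covering each row of the if-then table.
ADMIN = SignIn("alice@contoso.com", "member", frozenset({"Global Administrator"}),
               "Azure portal", "US", True, "none")
GUEST_UNKNOWN = SignIn("partner@fabrikam.com", "guest", frozenset(),
                       "SharePoint", "unknown", False, "low")
RISKY = SignIn("bob@contoso.com", "member", frozenset(), "Mail", "GB", True, "high")
NONCOMPLIANT = SignIn("carol@contoso.com", "member", frozenset(),
                      "SharePoint", "DE", False, "none")
NORMAL = SignIn("dan@contoso.com", "member", frozenset(), "Mail", "US", True, "none")

if __name__ == "__main__":
    for s in (ADMIN, GUEST_UNKNOWN, RISKY, NONCOMPLIANT, NORMAL):
        print(f"{s.user:22} {decide(s)}")
```

Note how the admin sign-in collects two grant controls at once (MFA and a compliant device) while the guest from an unknown location trips two block policies; in both cases the evaluator reports every matching policy, which is what you want in the sign-in log when troubleshooting why a user was prompted or denied.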
Task 4: Explore Conditional Access in Portal
- In Azure Portal, search for Conditional Access
- Or navigate: Microsoft Entra ID → Security → Conditional Access
- Browse the Policies section
- Click + New policy to see what options exist:
- Assignments: Users, apps, conditions
- Access controls: Grant, Block, Require MFA
- Click Cancel — don't create a policy
Task 5: Understand external identities
B2B (Business-to-Business) allows you to invite external users:
- Partner employees collaborate in your environment
- They use their OWN identity (their company email)
- You control what they can access via RBAC
- They appear as "Guest" users in your directory
| Identity type | Description | Example |
|---|---|---|
| Member | Internal organization user | employee@contoso.com |
| Guest (B2B) | External user invited to collaborate | partner@fabrikam.com |
| B2C | Customer identity for public-facing apps | customer@gmail.com |
Optional: the same information from the Azure CLI (requires an `az login` session):

```bash
# List the first five role assignments made directly at your subscription scope
# (add --all for assignments at child scopes, --include-inherited for ones from parent scopes)
az role assignment list --output table \
  --query "[0:5].{Principal:principalName, Role:roleDefinitionName, Scope:scope}"

# List ten built-in RBAC roles (drop the [0:10] slice to see them all)
az role definition list --output table \
  --query "[?roleType=='BuiltInRole'] | [0:10].{Name:roleName, Description:description}"
```
Key Concepts
| Concept | Description |
|---|---|
| RBAC | Role-based access control — assign permissions to roles, roles to users |
| Role assignment | Combination of security principal + role + scope |
| Scope | Where the role applies (management group → subscription → RG → resource) |
| Conditional Access | If-then policies that evaluate sign-in context |
| B2B | Invite external users to collaborate using their own identity |
| B2C | Customer-facing identity management for apps |
| Least privilege | Give users only the permissions they need |
Knowledge Check
1. A user needs to view Azure resources but should not be able to make any changes. Which RBAC role should be assigned?
2. What is the purpose of Conditional Access policies?
3. A company wants to collaborate with a partner organization. Partner employees should use their existing company credentials to access shared resources. Which feature enables this?
4. If a Contributor role is assigned at the subscription level, what does the user have access to?
5. What is the difference between the Owner and Contributor roles?
Learn More
- 📚 Study Guide AZ-900 — Curated study materials
- Microsoft Learn: Describe Azure identity, access, and security
- Azure RBAC documentation