I've been auditing a tenant lately, and it's crazy how all over the place everything seems. It feels like Azure IAM roles are scattered in one spot, while Entra ID roles are in another. Then, the app permissions pop up in yet a different menu, and to top it off, Intune and Conditional Access are influencing access decisions too. Honestly, it seems like you need multiple tabs open just to trace a single identity path. Is there a straightforward way to map everything out, or is this just the way Azure is?
3 Answers
Contrary to what some might think, it's not actually as fragmented as it seems. Entra acts as an independent identity provider with its own set of permissions separate from Azure. The app permissions you're referring to are actually scopes, which are part of OIDC, and they logically belong to Entra. Plus, don't forget that services like Intune and Exchange operate individually as well.
You might want to give PowerShell a shot for mapping things out. It can really help you view relationships however you need them. It’s super flexible for auditing.
One effective way to manage the complexity is to map all your identity assignments back to security groups. This means you'll want to keep track of Azure IAM roles, Entra Admin roles, licensing, Intune policies, and Conditional Access policies, as well as Enterprise App owners and users. It centralizes everything for better understanding.
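A read-only PowerShell sweep along the lines the second and third answers suggest, added here as an example and not code from the original thread. It pulls Azure RBAC assignments, activated Entra directory roles, application permissions granted to service principals, and the groups each Conditional Access policy includes or excludes into one table, then flattens group-based assignments to their transitive members so every human or app ends up with one row per entitlement. It assumes the Az (Az.Accounts, Az.Resources) and Microsoft.Graph modules are installed and that the caller already holds read access (Reader on the subscriptions plus the Graph scopes requested in the script); the `Add-Row` helper, the `identity-map.csv` output path and the decision to leave Intune policy assignments out are my own choices, not anything from the thread.

```powershell
# Added example (not from the thread). Assumes Az.Accounts/Az.Resources and Microsoft.Graph are installed
# and the caller already has read rights: Reader on the subscriptions plus the delegated Graph scopes below.
# Everything is read-only; no assignment is created or changed. Intune assignments are out of scope here.
Connect-AzAccount | Out-Null
Connect-MgGraph -Scopes 'Directory.Read.All', 'Application.Read.All', 'Policy.Read.All' -NoWelcome

$rows = [System.Collections.Generic.List[object]]::new()
function Add-Row($Principal, $PrincipalId, $PrincipalType, $Source, $Role, $Scope) {
    # Hypothetical helper: one normalized row per (identity, entitlement) pair
    $rows.Add([pscustomobject]@{
        Principal = $Principal; PrincipalId = $PrincipalId; PrincipalType = $PrincipalType
        Source = $Source; Role = $Role; Scope = $Scope; ViaGroup = ''
    })
}

# 1. Azure RBAC (control plane): one row per assignment, across every subscription visible to the caller
foreach ($sub in Get-AzSubscription) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null
    foreach ($ra in Get-AzRoleAssignment) {
        Add-Row $ra.DisplayName $ra.ObjectId $ra.ObjectType 'AzureRBAC' $ra.RoleDefinitionName $ra.Scope
    }
}

# 2. Entra ID directory roles (only roles that have been activated in the tenant are returned here)
foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $type = ($m.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '')
        $name = $m.AdditionalProperties['displayName']
        Add-Row $name $m.Id $type 'EntraRole' $role.DisplayName 'tenant'
    }
}

# 3. Application permissions: app roles granted to service principals (e.g. Graph "application" permissions).
#    AppRoleId is only a GUID, so resolve it to the permission name through the resource SP's AppRoles.
$appRoleCache = @{}
foreach ($sp in Get-MgServicePrincipal -All -Property Id, DisplayName) {
    foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
        if (-not $appRoleCache.ContainsKey($a.ResourceId)) {
            $appRoleCache[$a.ResourceId] = (Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId).AppRoles
        }
        $perm = ($appRoleCache[$a.ResourceId] | Where-Object Id -eq $a.AppRoleId).Value
        Add-Row $sp.DisplayName $sp.Id 'servicePrincipal' 'AppPermission' "$($a.ResourceDisplayName): $perm" 'tenant'
    }
}

# 4. Conditional Access: which groups each policy includes or excludes, with the policy's enabled/report-only state
foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    $users = $p.Conditions.Users
    foreach ($gid in (@($users.IncludeGroups) + @($users.ExcludeGroups) | Where-Object { $_ })) {
        $kind = if ($users.ExcludeGroups -contains $gid) { 'excluded' } else { 'included' }
        $g = Get-MgGroup -GroupId $gid -Property DisplayName -ErrorAction SilentlyContinue
        $gname = if ($g) { $g.DisplayName } else { "<deleted group $gid>" }
        Add-Row $gname $gid 'Group' 'ConditionalAccess' "$($p.DisplayName) [$($p.State)] ($kind)" 'tenant'
    }
}

# 5. Flatten group-based rows to their transitive members, so each user/app gets its own row per entitlement
#    and the group it came through is kept in ViaGroup. Snapshot first: we append while iterating.
foreach ($r in @($rows | Where-Object PrincipalType -eq 'Group')) {
    foreach ($m in Get-MgGroupTransitiveMember -GroupId $r.PrincipalId -All) {
        $type = ($m.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '')
        if ($type -eq 'group') { continue }   # nested groups are already expanded by the transitive call
        $rows.Add([pscustomobject]@{
            Principal = $m.AdditionalProperties['displayName']; PrincipalId = $m.Id; PrincipalType = $type
            Source = $r.Source; Role = $r.Role; Scope = $r.Scope; ViaGroup = $r.Principal
        })
    }
}

# One sorted view per identity on screen, plus a CSV for the audit workpapers (path is my choice)
$rows | Sort-Object Principal, Source, Role |
    Format-Table Principal, PrincipalType, Source, Role, Scope, ViaGroup -AutoSize
$rows | Export-Csv -Path .\identity-map.csv -NoTypeInformation
```

Sorting the combined table by principal is what turns "multiple tabs" into one identity path: a single user or service principal lists its subscription roles, its directory roles, any Graph application permissions and the Conditional Access policies that cover (or exempt) it, with the `ViaGroup` column showing which security group granted each line. Step 3 is the slow part on a large tenant because it queries every service principal; the cache keeps the resource lookups to one per API.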
