Last updated: April 29, 2026
Why this module exists. Azure has two parallel permission systems: Azure RBAC for the management plane (resources) and Entra ID directory roles for the identity plane (users, groups, applications). Most engineers treat them as one. Attackers know they are separate, and the mismatched grants between the two planes are where privilege escalation lives.
The two-plane model
- Management plane (Azure RBAC). Who can create, read, or modify Azure resources. Built-in roles such as Owner, Contributor and Reader, plus data-access roles such as Storage Blob Data Contributor (a data-plane permission, but still granted through an RBAC assignment). Assigned at management group, subscription, resource group or individual resource scope, and inherited downwards from wherever it is assigned.
- Identity plane (Entra ID roles). Who can manage users, groups and applications. Roles such as Global Administrator, User Administrator and Application Administrator. Scoped to the whole tenant (or, for some roles, an administrative unit). An Entra role by itself grants no rights on Azure resources, and an RBAC role by itself grants no rights in the directory.
The bridge: Application Administrator (and Cloud Application Administrator, and any principal listed as an owner of the application object, which needs no directory role at all) can add a client secret or certificate to an enterprise application and its app registration. Some enterprise applications hold RBAC roles in the management plane (for example a CI/CD deployment service principal with Contributor on a subscription). Add a credential, sign in as the service principal, inherit its RBAC. The holder never needed an Azure role assignment of their own, which is why an RBAC-only review will not find them. Global Administrator, which holds every Entra permission, also has a documented direct bridge: the "Access management for Azure resources" toggle grants it User Access Administrator at the root scope, and from there any RBAC role on any subscription.
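The audit that follows from the bridge above is to join the two planes: every holder of a credential-adding Entra role, and every owner of a service principal, effectively reaches the RBAC of the service principals they can take over. The script below is an added example written for this module, not tooling from the page or from Microsoft. The record shapes mirror what `az role assignment list --all` and the Microsoft Graph `/directoryRoles/{id}/members` and `/servicePrincipals/{id}/owners` endpoints return, but every principal, subscription and assignment here is constructed sample data so the script runs offline.

```python
"""Join the identity plane to the management plane: who can take over a
service principal (by adding a credential to it) and thereby inherit its
Azure RBAC roles. All data below is constructed sample data, not a real tenant.
"""
from collections import defaultdict

# Entra roles documented as able to add secrets/certificates to any app
# registration or enterprise application in the tenant. Global Administrator
# is included because it holds every Entra permission.
CREDENTIAL_ADDING_ROLES = {
    "Application Administrator",
    "Cloud Application Administrator",
    "Global Administrator",
}

# --- constructed sample data (shapes trimmed to the fields we need) ---------
RBAC_ASSIGNMENTS = [  # cf. `az role assignment list --all -o json`
    {"principalId": "deploy-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": "/subscriptions/sub-1"},
    {"principalId": "log-reader-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Reader",
     "scope": "/subscriptions/sub-1/resourceGroups/rg-logs"},
    {"principalId": "bob", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": "/subscriptions/sub-1"},
]
ENTRA_ROLE_MEMBERS = {  # directory role display name -> member principal ids
    "Application Administrator": ["alice"],
    "User Administrator": ["dave"],
}
SP_OWNERS = {  # service principal id -> owner principal ids (no Entra role needed)
    "deploy-sp": ["bob"],
}


def sp_grants(rbac_assignments):
    """Management-plane grants held by service principals: sp id -> [(role, scope)]."""
    grants = defaultdict(list)
    for a in rbac_assignments:
        if a["principalType"] == "ServicePrincipal":
            grants[a["principalId"]].append((a["roleDefinitionName"], a["scope"]))
    return grants


def direct_grants(rbac_assignments):
    """Management-plane grants held directly by non-SP principals: id -> {(role, scope)}."""
    grants = defaultdict(set)
    for a in rbac_assignments:
        if a["principalType"] != "ServicePrincipal":
            grants[a["principalId"]].add((a["roleDefinitionName"], a["scope"]))
    return grants


def escalation_paths(rbac_assignments, entra_role_members, sp_owners):
    """principal id -> [(via_sp, how, role, scope)]: RBAC the principal reaches
    by adding a credential to via_sp and authenticating as it."""
    grants = sp_grants(rbac_assignments)
    paths = defaultdict(list)
    # Bridge 1: a tenant-wide Entra role that can credential every SP.
    for entra_role, members in entra_role_members.items():
        if entra_role not in CREDENTIAL_ADDING_ROLES:
            continue
        for member in members:
            for sp, sp_roles in grants.items():
                for role, scope in sp_roles:
                    paths[member].append((sp, entra_role, role, scope))
    # Bridge 2: ownership of the application object, which needs no directory role.
    for sp, owners in sp_owners.items():
        for owner in owners:
            for role, scope in grants.get(sp, []):
                paths[owner].append((sp, "owner of " + sp, role, scope))
    return dict(paths)


def mismatches(rbac_assignments, entra_role_members, sp_owners):
    """Principals whose reachable RBAC exceeds what they hold directly, i.e. the
    mismatched grants this module is about. Returns id -> sorted extra (role, scope)."""
    direct = direct_grants(rbac_assignments)
    out = {}
    for principal, paths in escalation_paths(
            rbac_assignments, entra_role_members, sp_owners).items():
        reachable = {(role, scope) for _, _, role, scope in paths}
        extra = reachable - direct.get(principal, set())
        if extra:
            out[principal] = sorted(extra)
    return out


if __name__ == "__main__":
    for who, extra in mismatches(RBAC_ASSIGNMENTS, ENTRA_ROLE_MEMBERS, SP_OWNERS).items():
        for role, scope in extra:
            print(f"{who}: can reach {role} on {scope} with no direct assignment")
```

On the sample data this flags alice (Application Administrator, no RBAC at all, but able to reach Contributor on the subscription and Reader on the resource group through the two service principals) and bob (Reader directly, Contributor through ownership of deploy-sp), while dave (User Administrator only) is not reported. In a real tenant, feed it the full assignment list and the role memberships pulled from Graph, and treat every flagged principal as if they already held the reachable roles when reviewing who needs PIM, MFA and conditional access.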
Custom team training + practitioner advisory
Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.