Access Control Scenarios: Real-World Patterns

Combine Entra ID, RBAC, and Azure Policy to solve real enterprise access problems
๐ŸŸก Intermediate โฑ 20 Minutes ๐Ÿ“˜ AZ-104 ยท Module 01
Why This Matters

Understanding RBAC, Entra ID, and Policy in theory is one thing. Knowing how to combine them to solve real business problems is another. This doc walks through enterprise scenarios you'll actually encounter: delegating admin duties, securing development environments, controlling costs, enforcing compliance.

Before You Start

PrerequisitesEntra ID Overview, RBAC Fundamentals, Management Groups & Policy
Time to understand20 minutes
Difficulty๐ŸŸก Intermediate (combines multiple identity concepts)
What you'll learnHow to architect identity/access for real organizations

Scenario 1: Delegating Department Admin Duties

The Problem

TechCorp has:

  • Finance department (30 people, their own subscriptions)
  • Engineering department (50 people, their own subscriptions)
  • Operations (20 people, shared infrastructure)

Goal: Finance VP can manage Finance Azure, but NOT see Engineering. Vice versa. Central IT keeps overall control.

Architecture Solution

Step 1: Create Management Groups by Department

Root (TechCorp) โ”œโ”€โ”€ Finance Department (MG) โ”‚ โ”œโ”€โ”€ Finance-Prod (Subscription) โ”‚ โ”œโ”€โ”€ Finance-Dev (Subscription) โ”‚ โ””โ”€โ”€ Finance-Backup (Subscription) โ”œโ”€โ”€ Engineering Department (MG) โ”‚ โ”œโ”€โ”€ Eng-Prod (Subscription) โ”‚ โ”œโ”€โ”€ Eng-Dev (Subscription) โ”‚ โ””โ”€โ”€ Eng-Test (Subscription) โ””โ”€โ”€ Operations (MG) โ”œโ”€โ”€ Ops-Infra (Subscription) โ””โ”€โ”€ Ops-Network (Subscription)

Step 2: Create Entra Groups

grp-finance-admins โ”œโ”€โ”€ Members: Finance VP, Finance team leads โ””โ”€โ”€ Purpose: Finance management grp-engineering-admins โ”œโ”€โ”€ Members: Engineering VP, Engineering team leads โ””โ”€โ”€ Purpose: Engineering management grp-operations-admins โ”œโ”€โ”€ Members: Ops director, senior ops engineers โ””โ”€โ”€ Purpose: Infrastructure management

Step 3: Assign RBAC Roles by Management Group

Finance Management Group: Role: Contributor Assigned to: grp-finance-admins Scope: Finance Management Group (applies to all Finance subscriptions) Result: Finance team can create/modify resources in Finance only Engineering Management Group: Role: Contributor Assigned to: grp-engineering-admins Scope: Engineering Management Group Result: Engineering team can create/modify in Engineering only Root Level: Role: Owner Assigned to: grp-operations-admins Scope: Root (all subscriptions) Result: IT has full control everywhere

Result

Finance VP logs in

โ”œโ”€ Can see Finance subscriptions โœ“ โ”œโ”€ Can create/modify Finance resources โœ“ โ”œโ”€ Cannot see Engineering subscriptions โœ— โ”œโ”€ Cannot access Operations โœ— โ””โ”€ Billing isolated by department โœ“

Engineering VP

โ”œโ”€ Can see Engineering subscriptions โœ“ โ”œโ”€ Can create/modify Engineering resources โœ“ โ”œโ”€ Cannot see Finance subscriptions โœ— โ””โ”€ Complete isolation achieved โœ“

IT Director

โ”œโ”€ Can see ALL subscriptions โœ“ โ”œโ”€ Can manage everything โœ“ โ””โ”€ Central oversight maintained โœ“

Scenario 2: Securing Development vs. Production

The Problem

TechCorp's DevOps team:

  • 10 junior developers (low trust, learning)
  • 5 senior developers (high trust, ship code)
  • Need to prevent accidents: "Don't delete prod database by mistake"

Goal: Juniors can experiment in Dev, not touch Production.

Architecture Solution

Step 1: Create Subscriptions by Environment

Subscriptions: โ”œโ”€โ”€ Dev (dev-team can play here) โ”œโ”€โ”€ Staging (vetted changes only) โ””โ”€โ”€ Prod (locked down, seniors only)

Step 2: Create Entra Groups

grp-junior-developers โ”œโ”€โ”€ Members: 10 junior devs โ””โ”€โ”€ Purpose: Dev environment learning grp-senior-developers โ”œโ”€โ”€ Members: 5 senior devs โ””โ”€โ”€ Purpose: All environments, ship code grp-devops-engineers โ”œโ”€โ”€ Members: 2 DevOps engineers โ””โ”€โ”€ Purpose: Deployment and infrastructure

Step 3: Create Resource Groups with Scoped Access

DEV Subscription: Resource Groups: rg-web-dev, rg-api-dev, rg-db-dev Role: Contributor Assigned to: grp-junior-developers Result: Juniors can create/delete freely in Dev โœ“ STAGING Subscription: Role: Contributor Assigned to: grp-senior-developers + grp-devops-engineers Result: Only seniors/DevOps can touch staging โœ“ PROD Subscription: Role: Reader Assigned to: grp-senior-developers + grp-junior-developers Result: Everyone can VIEW prod, but only DevOps can modify โœ“ Role: Contributor Assigned to: grp-devops-engineers Result: Only DevOps can change production โœ“

Step 4: Add Policies to Production

Policy 1: "All PROD resources must have 'backup' tag set to 'enabled'" Action: Deny resources without tag Result: No backup-less prod resource can be created โœ“ Policy 2: "Prevent deletion of production databases" Action: Deny delete operations on SQL databases in PROD Result: Even DevOps must explicitly override this (audit trail) โœ“ Policy 3: "All PROD VMs must use premium disks" Action: Deny VM creation with standard disks Result: Enforce performance standards โœ“

Result

Junior Developer

โ”œโ”€ Dev: Full access (create, modify, delete) โœ“ โ”œโ”€ Staging: Read-only โœ“ โ”œโ”€ Prod: Read-only, can't change anything โœ“ โ””โ”€ Safe to experiment without breaking prod โœ“

Senior Developer

โ”œโ”€ Dev: Full access โœ“ โ”œโ”€ Staging: Full access โœ“ โ”œโ”€ Prod: Read-only (change via DevOps) โœ“ โ””โ”€ Peer review forced before prod changes โœ“

DevOps Engineer

โ”œโ”€ All subscriptions: Full access โœ“ โ”œโ”€ Prod changes: Recorded in audit logs โœ“ โ”œโ”€ Prod safety policies: Can override but traced โœ“ โ””โ”€ Full control with full accountability โœ“

Scenario 3: Cost Control & Chargeback

The Problem

TechCorp's CFO says:

  • "We're spending $50K/month on Azure, but we don't know who's spending what"
  • "Engineering says they need expensive VM types, but are they really using them?"
  • "We need to prevent runaway spending"

Goal: Enforce cost controls, track spending by department, prevent expensive mistakes.

Architecture Solution

Step 1: Use Tags for Cost Allocation

All resources must have tags: โ”œโ”€โ”€ CostCenter: Finance, Engineering, Operations โ”œโ”€โ”€ Environment: Dev, Staging, Prod โ”œโ”€โ”€ Owner: Department head email โ””โ”€โ”€ Project: Name of the project/app

Step 2: Enforce Tags with Policy

Policy: "All resources must have CostCenter tag" Action: Deny resources without CostCenter Result: Can't spin up resources without charging them โœ“ Policy: "All resources must have Owner tag" Action: Deny resources without Owner Result: Know who to ask about each resource โœ“

Step 3: Use Azure Policies to Prevent Expensive Choices

Policy: "Only allow Standard_B and Standard_D VM sizes" Action: Deny Premium VM creation Result: Prevent expensive mistakes, force justification for exceptions โœ“ Policy: "Limit storage redundancy to LRS/ZRS only" Action: Deny GRS/RA-GRS unless explicitly approved Result: Prevent unintended expensive replication โœ“ Policy: "Only allow certain regions (cost optimization)" Action: Deny resources in expensive regions Result: "Tier 1" regions only unless justified โœ“

Step 4: Create Cost Anomaly Alert

Azure Cost Management Alert: โ”œโ”€โ”€ Alert when: Cost exceeds budget by 10% in any subscription โ”œโ”€โ”€ Owner: Finance team โ””โ”€โ”€ Action: Auto-investigate, notify department head

Result

Monthly spending tracking

โ”œโ”€โ”€ Finance Department: $5K (Dev/Prod accounted for) โ”œโ”€โ”€ Engineering Department: $30K (broken down by project) โ”œโ”€โ”€ Operations: $15K (infrastructure/shared) โ””โ”€โ”€ Total: $50K with full visibility โœ“

Developer tries to create expensive VM

โ”œโ”€ Selects Premium_D64s_v3 โ”œโ”€ Policy blocks: "Not in allowed list" โ”œโ”€ Must request exception (creates audit trail) โ”œโ”€ Finance reviews justification โ”œโ”€ If approved, cost charged to project/department โœ“

Month-end

โ”œโ”€โ”€ CFO sees exact spend per department โœ“ โ”œโ”€โ”€ Can show Finance: "You used $5K on these 12 resources" โ”œโ”€โ”€ Can challenge Engineering: "Why did you spin up โ”‚ expensive VMs?" โ””โ”€โ”€ Full accountability achieved โœ“

Scenario 4: Compliance & Audit Requirements

The Problem

TechCorp's compliance officer says:

  • "We need audit trail of who accessed what"
  • "All data must be encrypted at rest"
  • "All data must only exist in US regions"
  • "We need SOC 2 compliance"

Goal: Enforce compliance automatically, not through human checking.

Architecture Solution

Step 1: Create Compliance-Focused Policies

Policy: "All storage accounts must use encryption" Action: Modify (auto-enable encryption if missing) Result: Zero unencrypted storage โœ“ Policy: "Only allow US regions" Action: Deny non-US regions Result: Data residency requirement met โœ“ Policy: "All databases must have backup enabled" Action: Deny DB creation without backups Result: Recovery guaranteed โœ“ Policy: "All VMs must have disk encryption" Action: Modify (auto-enable if missing) Result: Encrypted disks everywhere โœ“

Step 2: Enable Auditing & Logging

All subscriptions: โ”œโ”€โ”€ Enable Activity Logs (who did what) โ”œโ”€โ”€ Enable Diagnostic Settings (resource logs) โ”œโ”€โ”€ Forward to Log Analytics Workspace โ””โ”€โ”€ Set retention to 90 days (compliance requirement)

Step 3: Create Audit Role with Read-Only Access

Entra Group: grp-auditors โ”œโ”€โ”€ Members: Internal auditors, compliance team โ””โ”€โ”€ Role: Reader (read-only across all subscriptions) Result: โ”œโ”€ Auditors can VIEW resources โœ“ โ”œโ”€ Auditors cannot MODIFY anything โœ“ โ”œโ”€ Auditors can query logs for investigation โœ“ โ””โ”€ Separate audit trail of who audited what โœ“

Result

At audit time: โ”œโ”€โ”€ Query: "Show me all resources created in Jan-Jun" โ”œโ”€โ”€ Result: Complete list with who created them, when โœ“ โ”œโ”€โ”€ Query: "Show me all failed login attempts" โ”œโ”€โ”€ Result: Security events visible in Activity Logs โœ“ โ”œโ”€โ”€ Query: "Confirm all storage is encrypted" โ”œโ”€โ”€ Result: Policy compliance report shows 100% โœ“ โ”œโ”€โ”€ Query: "Verify all data is in US regions" โ”œโ”€โ”€ Result: No resources found outside US โœ“ โ””โ”€โ”€ SOC 2 audit passes with evidence โœ“

Key Patterns

ScenarioManagement GroupRBACPolicyAudit
Delegate by DeptBy departmentScoped roles per MGNoneStandard logs
Dev vs ProdBy environmentDifferent roles per subProd-specific rulesActivity logs
Cost ControlBy departmentSame across deptsTag enforcement, VM limitsCost mgmt alerts
ComplianceCentral controlAuditors read-onlyEncryption, region, backupEnhanced logging, 90d retention

How This Connects to Other Topics

Related to Module 02-05

  • Identity controls everything: Every module's security starts with identity/access
  • Policies prevent misconfigurations: Compliance requirements cascade into policies
  • Audit trails hold people accountable: Logging enables oversight

Related Labs

Key Takeaways

๐Ÿ’ก Summary
  • Delegate strategically with management groups + scoped RBAC
  • Separate environments (Dev/Staging/Prod) with different permissions
  • Enforce with policy (cost, compliance, standards)
  • Audit everything (who did what, when, why)
  • Tag for accountability (cost center, owner, project, environment)

Next Steps

  1. Review: Read this doc (you're here)
  2. Practice: Apply scenarios in Labs 02-03
  3. Secure: Read Identity Best Practices (hardening tactics)
Azure AZ-104 Professional Concept Documentation
Module 01 โ€” Identity & Governance
Generated June 15, 2026
© 2026 โ€” AZ-104 Learning Hub. For study purposes only.