Effective Permissions Evaluation for Microsoft Entra Roles
Effective Permissions Evaluation for Microsoft Entra Roles is a critical concept in managing user identities and access within Microsoft Entra ID (formerly Azure AD). It involves understanding how permissions are ultimately applied to a user based on their assigned roles, group memberships, and administrative unit scoping.

**How Permissions Are Evaluated:** Microsoft Entra uses a cumulative (additive) permission model. When a user is assigned multiple roles, their effective permissions are the **union of all permissions** granted by each role. Unlike some systems, there is no explicit deny mechanism; permissions only add capabilities, never subtract them.

**Key Factors in Evaluation:**
1. **Direct Role Assignments:** Roles assigned directly to a user at the directory level grant full-scope permissions for that role's capabilities across the entire tenant.
2. **Group-Based Role Assignments:** Users who are members of role-assignable groups inherit the permissions of roles assigned to those groups. This simplifies administration but requires careful group membership management.
3. **Administrative Unit Scoping:** Roles can be scoped to specific Administrative Units (AUs), limiting the effective permissions to only the users, groups, or devices within that AU. A Global Administrator has tenant-wide scope, while a User Administrator scoped to a specific AU can only manage users within that unit.
4. **Eligible vs. Active Assignments:** With Privileged Identity Management (PIM), roles can be assigned as eligible rather than permanently active. Eligible roles only become effective when activated, adding a time-bound dimension to permission evaluation.
5. **Custom Roles:** Organizations can create custom roles with granular permissions, allowing fine-tuned control over what actions users can perform.

**Best Practices:**
- Apply the **principle of least privilege** by assigning the most restrictive role necessary.
- Use **PIM** for just-in-time access to reduce standing privileges.
- Regularly perform **access reviews** to validate role assignments.
- Leverage **Administrative Units** to scope permissions appropriately.

Understanding effective permissions evaluation ensures administrators maintain a secure, well-governed identity environment while enabling appropriate access for organizational needs.
Why Effective Permissions Evaluation for Microsoft Entra Roles Is Important
Understanding how effective permissions work in Microsoft Entra ID (formerly Azure AD) is critical for identity administrators and for anyone preparing for the SC-300 (Microsoft Identity and Access Administrator) exam. In any organization, users may be assigned multiple roles, may inherit permissions through group memberships, and may have administrative units scoping their authority. If you cannot accurately evaluate the effective set of permissions a user holds, you risk either granting too much access (violating the principle of least privilege) or too little access (blocking legitimate administrative tasks). Effective permissions evaluation is the foundation for troubleshooting access issues, conducting security audits, and maintaining a strong identity governance posture.
What Are Effective Permissions in Microsoft Entra Roles?
Effective permissions represent the cumulative, net result of all role assignments that apply to a given identity (user, service principal, or group) within Microsoft Entra ID. They are determined by combining:
1. Direct role assignments – Roles assigned directly to a user (e.g., User Administrator assigned to alice@contoso.com).
2. Group-based role assignments – Roles assigned to a role-assignable group of which the user is a member.
3. Scoped assignments via Administrative Units (AUs) – Roles that are scoped to a specific administrative unit rather than the entire tenant.
4. Privileged Identity Management (PIM) eligible vs. active assignments – Roles that are eligible (must be activated) versus roles that are permanently active.
5. Custom roles – Roles built with a specific set of permissions (actions) that may overlap or differ from built-in roles.
The effective permissions are the union (additive combination) of all permissions granted through every applicable role assignment. Microsoft Entra ID uses an additive model with no explicit deny. This means:
- If a user holds Role A (which grants Permission X) and Role B (which grants Permission Y), the user effectively has both Permission X and Permission Y.
- There is no deny override in Entra role assignments. Unlike Azure RBAC at the resource level (which supports deny assignments), Entra roles are purely additive.
- Scoping a role to an Administrative Unit does not reduce permissions granted at the directory (tenant) level through another assignment; the AU-scoped assignment simply adds permissions within that AU's scope.
How Effective Permissions Evaluation Works — Step by Step
Step 1: Identify All Role Assignments
Use the Microsoft Entra admin center, Microsoft Graph API, or PowerShell to list all role assignments for the target identity. This includes:
- Direct assignments at directory scope
- Direct assignments scoped to an Administrative Unit
- Indirect assignments through role-assignable groups
- PIM eligible assignments (note whether they are currently activated)
In the Entra admin center: Identity → Roles & administrators → select a user → Assigned roles. This view shows both Active and Eligible assignments.
Step 2: Determine the Scope of Each Assignment
Each role assignment has a scope:
- Directory (tenant-wide): The role applies to all objects in the tenant.
- Administrative Unit: The role applies only to objects within the specified AU.
- App registration (for certain roles): The role applies only to a specific application registration.
A user who is a User Administrator scoped to AU-Sales can manage users only within that AU, while a User Administrator at directory scope can manage all users in the tenant.
Step 3: Aggregate Permissions (Union / Additive Model)
Combine all permissions from all active role assignments. Because the model is additive:
- Broader-scoped assignments are not reduced by narrower ones.
- If one assignment grants microsoft.directory/users/password/update at directory scope and another grants microsoft.directory/groups/members/update at AU scope, the effective permissions include both.
Step 4: Consider PIM Activation State
If PIM is in use, eligible assignments only contribute to effective permissions when they are activated. An eligible Global Administrator who has not activated the role does not currently hold Global Administrator permissions. Exam questions frequently test this distinction.
Step 5: Account for Custom Role Definitions
Custom roles contain a specific set of actions and notActions (note: notActions in custom role definitions remove specific actions from the allowed set within that role definition only; they do not act as a deny across other role assignments). If the user also holds a built-in role that grants the same action, the permission is still available through that built-in role.
Step 6: Evaluate the Result
The final effective permissions are everything granted by every active (or currently activated via PIM) role assignment at every applicable scope. There is no mechanism in Entra roles to explicitly deny a permission that has been granted by another role assignment.
Key Concepts to Remember
- Additive (union) model, no deny: All granted permissions stack. You cannot remove a permission by adding another role.
- Scope matters: A role scoped to an AU only grants authority over objects in that AU. A role at directory scope grants authority over all objects.
- PIM eligible ≠ active: Eligible roles must be activated before they take effect. Time-bound activations expire.
- Role-assignable groups: Only groups specifically marked as role-assignable can hold Entra role assignments. Membership in such a group grants the assigned role to all members.
- Global Administrator is the most powerful role: It grants nearly all permissions across the tenant. Any user with an active Global Administrator assignment effectively overrides all other role considerations.
- Conditional Access policies are separate: Even if a user has the right role permissions, Conditional Access can block the session or require additional authentication. Permissions evaluation and access policy enforcement are distinct layers.
Common Scenarios Tested in the SC-300 Exam
1. A user is assigned Helpdesk Administrator at directory scope and User Administrator scoped to AU-HR. What can the user do?
Answer: The user can reset passwords for non-admin users across the entire tenant (Helpdesk Administrator) AND manage all user properties for users within the AU-HR administrative unit (User Administrator). The permissions are additive.
2. A user has an eligible assignment for Exchange Administrator through PIM but has not activated it. Can they manage Exchange settings?
Answer: No. Until the role is activated, the permissions are not effective.
3. A user is a member of GroupA (role-assignable group) which is assigned the Groups Administrator role, AND the user is directly assigned the User Administrator role. What are their effective permissions?
Answer: The union of Groups Administrator permissions and User Administrator permissions.
4. A custom role grants microsoft.directory/applications/create but includes notActions for microsoft.directory/applications/delete. The user also holds Application Administrator (built-in). Can the user delete applications?
Answer: Yes. The notActions in the custom role only removes the action from that custom role's definition. The built-in Application Administrator role independently grants the delete permission, and permissions are additive.
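The six-step procedure above and the four exam scenarios can be modelled in a few lines. The following is an added example written for this page, not Microsoft code and not a Graph call: it encodes the additive, no-deny union over (action, scope) pairs, PIM activation state, and the fact that notActions only trim a custom role's own action list. The role action sets are constructed, simplified subsets of the real built-in roles, and the model deliberately ignores the protected-admin hierarchy (for example Helpdesk Administrator not resetting a Global Administrator's password).

```python
from dataclasses import dataclass

DIRECTORY = "/"  # directory (tenant-wide) scope; any other string is an AU id


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: frozenset
    not_actions: frozenset = frozenset()  # trims only this definition's own actions

    def granted(self):
        return self.actions - self.not_actions


@dataclass(frozen=True)
class Assignment:
    role: RoleDefinition
    scope: str = DIRECTORY   # "/" or an AU id such as "AU-HR"
    eligible: bool = False   # PIM eligible assignment (needs activation)
    activated: bool = False  # current PIM activation state

    def is_effective(self):
        return not self.eligible or self.activated


def effective_permissions(assignments):
    """Union of (action, scope) pairs over every effective assignment.
    Adding an assignment can only add pairs: there is no deny."""
    return {(action, a.scope) for a in assignments if a.is_effective()
            for action in a.role.granted()}


def can(perms, action, obj_au):
    """Allowed if a grant covers the action tenant-wide or in the object's AU."""
    return (action, DIRECTORY) in perms or (action, obj_au) in perms


# Constructed, simplified subsets of the built-in roles' action lists.
PWD, BASIC = "microsoft.directory/users/password/update", "microsoft.directory/users/basic/update"
APP_CREATE, APP_DELETE = "microsoft.directory/applications/create", "microsoft.directory/applications/delete"
HELPDESK = RoleDefinition("Helpdesk Administrator", frozenset({PWD}))
USER_ADMIN = RoleDefinition("User Administrator", frozenset({PWD, BASIC}))
EXCHANGE = RoleDefinition("Exchange Administrator", frozenset({"exchange.manage (placeholder action)"}))
APP_ADMIN = RoleDefinition("Application Administrator", frozenset({APP_CREATE, APP_DELETE}))
CUSTOM = RoleDefinition("Custom App Creator", frozenset({APP_CREATE, APP_DELETE}), frozenset({APP_DELETE}))


def scenarios():
    """Evaluate scenarios 1, 2 and 4 from the article; each value is the exam answer."""
    s1 = effective_permissions([Assignment(HELPDESK), Assignment(USER_ADMIN, scope="AU-HR")])
    s2 = effective_permissions([Assignment(EXCHANGE, eligible=True, activated=False)])
    s4 = effective_permissions([Assignment(CUSTOM), Assignment(APP_ADMIN)])
    return {
        "s1_reset_pwd_in_AU-Sales": can(s1, PWD, "AU-Sales"),  # True: Helpdesk at directory scope
        "s1_edit_user_in_AU-HR": can(s1, BASIC, "AU-HR"),      # True: AU-scoped User Administrator
        "s1_edit_user_in_AU-Sales": can(s1, BASIC, "AU-Sales"),  # False: outside the AU
        "s2_exchange_effective": len(s2) > 0,                  # False: eligible, not activated
        "s4_delete_app": can(s4, APP_DELETE, DIRECTORY),       # True: notActions trims only CUSTOM
    }
```

Flipping `activated=True` on the Exchange assignment, or removing the Application Administrator assignment in scenario 4, changes the corresponding answer, which is exactly the "remove an assignment, never add one" rule from the exam tips.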
Exam Tips: Answering Questions on Effective Permissions Evaluation for Microsoft Entra Roles
1. Always check for scope: When a question mentions Administrative Units, remember that AU-scoped roles only apply to objects within that AU. A user with User Administrator scoped to a single AU cannot manage users outside that AU unless they have another assignment at directory scope.
2. Remember: additive, no deny: Microsoft Entra roles follow a purely additive model. If a question asks whether assigning a second role can remove or limit permissions from the first role, the answer is no. To reduce permissions, you must remove a role assignment, not add another one.
3. Distinguish eligible from active (PIM): If a question states that a role is eligible but does not say it has been activated, treat it as not currently in effect. This is one of the most common traps in SC-300 questions.
4. Know the built-in role hierarchy: Global Administrator > Privileged Role Administrator > other admin roles. Helpdesk Administrators cannot reset passwords of higher-privileged roles (e.g., Global Admins). Questions often test whether one admin can manage another admin based on role hierarchy.
5. Watch for role-assignable groups: If a question mentions a group that is assigned a role, verify that it is described as a role-assignable group. Only groups created with the isAssignableToRole property set to true can receive Entra role assignments.
6. Custom roles and notActions: notActions within a custom role definition subtract permissions from that role's own actions list. They do NOT deny permissions granted by other role assignments. Always evaluate each role assignment independently, then take the union.
7. Use process of elimination: For scenario-based questions, list out each role assignment, its scope, and whether it is active or eligible. Map each assignment to its granted permissions, combine them, and match against the answer choices.
8. Conditional Access is a separate layer: Do not confuse role-based permissions with access enforcement. A user may have the correct role but still be blocked by a Conditional Access policy. If a question mentions both, evaluate them independently.
9. Global Administrator can do almost everything: If a user has an active Global Administrator role at directory scope, they effectively have all permissions. The only exceptions are actions explicitly reserved for Microsoft (such as modifying certain service configurations). If the question says the user is an active Global Admin, the answer is almost always that they can perform the action.
10. Review Microsoft Graph and PowerShell commands: You may be asked how to check effective role assignments. Know that Get-MgRoleManagementDirectoryRoleAssignment (Microsoft Graph PowerShell) and the roleManagement/directory/roleAssignments endpoint in Microsoft Graph are the tools used to enumerate assignments. The Entra admin center's Assigned roles blade for a user is the GUI equivalent.
By systematically evaluating each role assignment's permissions, scope, and activation state, and by remembering the additive model with no deny, you can confidently determine effective permissions in any exam scenario.