Authorization Concepts and Access Control
Authorization is a fundamental security concept that determines what actions or resources an authenticated user, device, or entity is permitted to access. While authentication verifies identity (who you are), authorization defines permissions (what you can do). Together, they form the backbone of secure access management.
Access control refers to the policies and mechanisms used to regulate who can access specific resources and under what conditions. There are several key access control models:
1. **Role-Based Access Control (RBAC):** Permissions are assigned based on roles within an organization. For example, a finance manager may have access to billing systems, while an IT admin has access to infrastructure tools. RBAC simplifies management by grouping permissions into roles rather than assigning them individually.
2. **Attribute-Based Access Control (ABAC):** Access decisions are based on attributes such as user location, device type, time of access, and data sensitivity. This model provides more granular and dynamic control compared to RBAC.
3. **Discretionary Access Control (DAC):** Resource owners determine who can access their resources. This is flexible but can be less secure if not properly managed.
4. **Mandatory Access Control (MAC):** Access is governed by centralized policies and security classifications. Users cannot override these controls, making it common in highly regulated environments.
5. **Least Privilege Principle:** Users are granted only the minimum level of access necessary to perform their tasks, reducing the attack surface and limiting potential damage from compromised accounts.
6. **Conditional Access:** In Microsoft's ecosystem, Conditional Access policies act as if-then statements that evaluate signals (user identity, device compliance, location, risk level) to enforce authorization decisions, such as granting access, requiring multi-factor authentication, or blocking access entirely.
Effective authorization and access control are essential for protecting sensitive data, maintaining compliance with regulations, and ensuring that organizational resources are only accessible to the right people under the right conditions.
Authorization Concepts and Access Control – A Complete Guide for SC-900
Why Authorization Concepts and Access Control Matter
Authorization is one of the foundational pillars of cybersecurity and identity management. While authentication verifies who you are, authorization determines what you are allowed to do. Without proper authorization and access control mechanisms, even a perfectly authenticated user could access sensitive data, modify critical configurations, or perform actions well beyond their role. Understanding authorization concepts is essential for the SC-900 exam and for anyone working in security, compliance, and identity.
What Is Authorization?
Authorization is the process of granting or denying a verified user (or service) access to specific resources, data, or functionality. After authentication confirms a user's identity, the authorization layer evaluates what permissions, roles, or policies apply to that identity and enforces the appropriate level of access.
Key terms to understand:
- Subject: The user, device, or application requesting access.
- Resource: The data, application, or service being accessed.
- Permission: A specific right to perform an action on a resource (e.g., read, write, delete).
- Policy: A set of rules that defines who can access what, under which conditions.
Core Access Control Models
There are several access control models you should understand for the SC-900 exam:
1. Discretionary Access Control (DAC)
In DAC, the owner of a resource decides who gets access. The owner can grant or revoke permissions to other users at their discretion. This model is flexible but can lead to security risks if owners make poor decisions.
2. Mandatory Access Control (MAC)
In MAC, access is governed by a central authority using classification labels (e.g., Confidential, Secret, Top Secret). Users cannot change access policies—only administrators or the system can. This model is common in government and military environments.
3. Role-Based Access Control (RBAC)
RBAC assigns permissions based on roles rather than individual users. For example, a user with the "Reader" role can view resources, while a user with the "Contributor" role can also create and modify resources. RBAC is the most widely used model in enterprise environments and in Microsoft Azure.
4. Attribute-Based Access Control (ABAC)
ABAC evaluates a combination of attributes—such as user attributes (department, location), resource attributes (sensitivity level), and environmental attributes (time of day, device type)—to make access decisions. This provides fine-grained control.
5. Rule-Based Access Control
Access decisions are based on a set of predefined rules, such as firewall rules or conditional access policies. For example, a rule might state: "Allow access only from managed devices."
How Authorization Works in the Microsoft Ecosystem
Microsoft implements authorization through several key technologies:
Azure Role-Based Access Control (Azure RBAC):
Azure RBAC is built on Azure Resource Manager and allows you to assign roles at different scopes—management group, subscription, resource group, or individual resource. Built-in roles include Owner, Contributor, Reader, and User Access Administrator. Custom roles can also be created.
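To make the scope inheritance concrete, here is an added example (not code from this guide or from any Microsoft SDK) that models role assignments on a constructed management group → subscription → resource group → resource chain and resolves the effective actions a principal has at a given scope. The scope IDs, principals and the simplified role action sets are assumptions for illustration only.

```python
# Added example (not from the SC-900 guide or any Microsoft SDK): a minimal model of how an
# Azure RBAC role assignment made at a parent scope is inherited by every child scope.
# Scope IDs, principals and the simplified role action sets below are all constructed.
from dataclasses import dataclass

MG = "/providers/Microsoft.Management/managementGroups/mg-root"
SUB = "/subscriptions/sub-1"
RG = SUB + "/resourceGroups/rg-app"
STORAGE = RG + "/providers/Microsoft.Storage/storageAccounts/stapp"
# Constructed hierarchy: child scope -> parent scope (the management group is the root).
PARENT = {SUB: MG, RG: SUB, STORAGE: RG}

# Simplified action sets for the built-in roles named in the guide (real roles list far more).
ROLE_ACTIONS = {
    "Reader": {"read"},
    "Contributor": {"read", "write", "delete"},
    "Owner": {"read", "write", "delete", "assign_roles"},
    "User Access Administrator": {"read", "assign_roles"},
}

@dataclass(frozen=True)
class RoleAssignment:
    principal: str  # user, group or service principal
    role: str       # key of ROLE_ACTIONS
    scope: str      # scope the role was assigned at

def scope_chain(scope: str) -> list[str]:
    """The target scope followed by each ancestor up to the root."""
    chain = [scope]
    while chain[-1] in PARENT:
        chain.append(PARENT[chain[-1]])
    return chain

def effective_actions(principal: str, assignments: list[RoleAssignment], scope: str) -> set[str]:
    """Union of actions from every assignment at the target scope or any ancestor.
    Role assignments are purely additive; deny assignments are a separate mechanism."""
    chain = scope_chain(scope)
    actions: set[str] = set()
    for ra in assignments:
        if ra.principal == principal and ra.scope in chain:
            actions |= ROLE_ACTIONS[ra.role]
    return actions

def is_authorized(principal: str, action: str, assignments: list[RoleAssignment], scope: str) -> bool:
    return action in effective_actions(principal, assignments, scope)

# Constructed assignments: Reader on the subscription, Contributor on one resource group, UAA at the root.
ASSIGNMENTS = [RoleAssignment("alice", "Reader", SUB), RoleAssignment("bob", "Contributor", RG),
               RoleAssignment("carol", "User Access Administrator", MG)]
```

Note that inheritance only flows downward: bob's Contributor assignment on the resource group grants nothing at the subscription scope, which is exactly why scoping assignments as narrowly as possible is the least-privilege choice.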
Microsoft Entra ID (formerly Azure AD) Roles:
These roles govern access to directory-level resources and services. Examples include Global Administrator, User Administrator, and Security Reader. These are separate from Azure RBAC roles.
Conditional Access:
Conditional Access policies act as if-then statements. For example: If a user is signing in from an untrusted location, then require multi-factor authentication. Conditional Access combines authentication and authorization by evaluating signals (user, location, device, application, risk level) and enforcing decisions (allow, block, or require additional verification).
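The if-then behaviour described above, as an added example that is not code from this guide or from Microsoft: a simplified evaluator that applies a constructed set of policies to sign-in signals and combines their grant controls the way the text describes (a block from any matching policy is final; otherwise every required control must be met). The policy names, signal fields and control vocabulary are assumptions.

```python
# Added example (not from the SC-900 guide or Microsoft): a simplified Conditional Access
# evaluator that treats policies as if-then rules over sign-in signals. Policy names, signal
# values and the control vocabulary are constructed; the real feature has far more options.
from dataclasses import dataclass

RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}

@dataclass(frozen=True)
class SignIn:
    user: str
    application: str
    trusted_location: bool
    device_compliant: bool
    risk: str  # sign-in risk level, one of RISK_ORDER

@dataclass(frozen=True)
class Policy:
    name: str
    applications: frozenset = frozenset()   # empty means the policy targets all apps
    untrusted_location_only: bool = False   # condition: only when outside trusted locations
    min_risk: str = "none"                  # condition: sign-in risk at or above this level
    control: str = "require_mfa"            # block, require_mfa or require_compliant_device

    def matches(self, s: SignIn) -> bool:
        """The 'if' part: every configured condition must hold for the policy to apply."""
        if self.applications and s.application not in self.applications:
            return False
        if self.untrusted_location_only and s.trusted_location:
            return False
        return RISK_ORDER[s.risk] >= RISK_ORDER[self.min_risk]

def evaluate(policies: list[Policy], s: SignIn) -> tuple[str, set[str]]:
    """The 'then' part: all matching policies are enforced together. A block from any
    policy is final; otherwise every required control must be satisfied before access."""
    matched = [p for p in policies if p.matches(s)]
    if any(p.control == "block" for p in matched):
        return "block", set()
    required = {p.control for p in matched}
    if s.device_compliant:               # this control is already met by the device signal
        required.discard("require_compliant_device")
    return ("allow" if not required else "grant_with_controls"), required

# Constructed policy set modelling the guide's examples.
POLICIES = [
    Policy("Require MFA outside trusted locations", untrusted_location_only=True),
    Policy("Block high-risk sign-ins", min_risk="high", control="block"),
    Policy("Compliant device for the Azure portal", applications=frozenset({"Azure Portal"}),
           control="require_compliant_device"),
]
```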
The Principle of Least Privilege
One of the most critical concepts in authorization is the principle of least privilege. This principle states that users, applications, and services should be granted only the minimum level of access necessary to perform their tasks—nothing more. This limits the blast radius of a security incident and reduces the attack surface.
Related concepts include:
- Just-In-Time (JIT) Access: Access is granted only when needed and for a limited time.
- Just-Enough-Access (JEA): Users receive only the permissions they need for a specific task.
- Privileged Identity Management (PIM): A Microsoft Entra ID feature that provides time-based and approval-based role activation to reduce the risks of excessive or unnecessary access.
Zero Trust and Authorization
In a Zero Trust security model, authorization is continuously evaluated. The key principles are:
- Verify explicitly: Always authenticate and authorize based on all available data points.
- Use least privilege access: Limit user access with JIT/JEA and risk-based adaptive policies.
- Assume breach: Minimize the blast radius by segmenting access and verifying end-to-end encryption.
Authorization in a Zero Trust model is never a one-time check; it is dynamic and context-aware.
Permissions, Scopes, and Consent
In Microsoft Entra ID, when applications request access to resources (such as Microsoft Graph), they use permissions defined as scopes. There are two types:
- Delegated permissions: The application acts on behalf of a signed-in user. The effective permissions are the intersection of the app's permissions and the user's privileges.
- Application permissions: The application acts on its own without a signed-in user. These are typically used by background services and require admin consent.
Consent is the process by which a user or administrator grants an application permission to access resources. Admin consent can be granted on behalf of all users in the organization.
How It All Fits Together
1. A user authenticates (proves identity).
2. The system checks authorization policies (RBAC roles, Conditional Access, attribute-based policies).
3. Based on the evaluation, the user is granted or denied access to specific resources.
4. Access is logged and monitored for audit and compliance purposes.
5. In a Zero Trust model, authorization is continuously re-evaluated based on changing signals.
Exam Tips: Answering Questions on Authorization Concepts and Access Control
Tip 1: Know the Difference Between Authentication and Authorization
The SC-900 exam will test whether you understand that authentication verifies identity, while authorization determines what an authenticated identity can do. Never confuse the two.
Tip 2: Understand Azure RBAC Thoroughly
Know the built-in roles (Owner, Contributor, Reader, User Access Administrator) and understand how role assignments work at different scopes. Remember that permissions are inherited from higher scopes (management group → subscription → resource group → resource).
Tip 3: Distinguish Between Azure RBAC and Microsoft Entra ID Roles
Azure RBAC manages access to Azure resources, while Microsoft Entra ID roles manage access to directory-level features (user management, application registrations, etc.). Exam questions may try to confuse these two.
Tip 4: Master the Principle of Least Privilege
If a question asks about the best practice for granting access, the answer almost always involves least privilege. Look for answers that mention granting only the minimum required permissions.
Tip 5: Understand Conditional Access Policies
Know that Conditional Access policies use signals (user, location, device, application, real-time risk) to make enforcement decisions (block access, grant access, require MFA). Questions often present scenarios and ask which Conditional Access configuration is appropriate.
Tip 6: Know Privileged Identity Management (PIM)
Understand that PIM provides just-in-time privileged access, time-bound role assignments, and requires approval or justification for activation. If a question asks how to reduce standing admin access, PIM is likely the answer.
Tip 7: Relate Authorization to Zero Trust
When questions mention Zero Trust, remember the three principles: verify explicitly, use least privilege access, and assume breach. Authorization under Zero Trust is continuous and context-aware, not a one-time gate.
Tip 8: Understand Delegated vs. Application Permissions
If a question describes an app accessing data on behalf of a user, think delegated permissions. If the app runs as a background service without a user, think application permissions. Know that application permissions typically require admin consent.
Tip 9: Read Scenarios Carefully
Many SC-900 questions present real-world scenarios. Pay attention to keywords like "only when needed" (JIT), "minimum permissions" (least privilege), "based on role" (RBAC), and "based on conditions" (Conditional Access or ABAC).
Tip 10: Eliminate Wrong Answers
If an answer suggests giving broad or permanent access, it is likely incorrect. Prefer answers that involve scoped, temporary, role-based, or condition-based access. The SC-900 exam consistently favors security best practices.
Summary
Authorization and access control are critical components of any security strategy. For the SC-900 exam, focus on understanding what authorization is, how access control models work (especially RBAC), why least privilege matters, and how Microsoft technologies like Azure RBAC, Microsoft Entra ID roles, Conditional Access, and PIM implement these concepts. By mastering these topics and applying the exam tips above, you will be well-prepared to answer authorization-related questions confidently and correctly.