Unit 6: Analyze Microsoft Entra Role Permissions

Understanding Permissions

In Microsoft Entra ID, permissions define what operations a user can perform. They can apply to viewing, modifying, or managing directory objects.

Permissions are generally derived from:

User settings (default permissions).
Role assignments.
Ownership of specific resources.

Member vs. Guest User Permissions

Permission Example	Member Users	Guest Users
Enumerate list of users	Yes	No
Invite guest users	Yes	Yes
Create Security and M365 groups	Yes	No
Register new applications	Yes	Limited (Read-only on apps)
Read directory data	Broad access	Restricted to own info

Example: If Contoso invites an external consultant from Fabrikam, that guest can log in, view their own profile, and access assigned apps — but cannot browse all Contoso users.

Controlling and Restricting Permissions

Administrators manage user permissions primarily via:

User Settings (Default Permissions)
Controls whether users can:
Register apps.
Access the Azure portal.
Manage external collaboration.
Connect LinkedIn profiles.
Roles and Administrators
Used to add new permissions to users/groups through role assignment.

Always apply the principle of least privilege, granting only what’s needed.

Exploring Role Permissions

Each built-in or custom role has an explicit list of permissions. You can view these by navigating to:

Microsoft Entra ID → Roles and administrators → [Role] → Permissions tab.

Example: Viewing the User Administrator role reveals permissions like microsoft.directory/users/read and microsoft.directory/groups/update.

Key Takeaways

Permissions flow from roles, group membership, and resource ownership.
Guest users have a more restricted set of permissions by default.
Always audit roles and apply least privilege principles.
Use the Entra admin center to explore which permissions each role grants.

SC‑300 Study Portal Dark

Unit 6: Analyze Microsoft Entra Role Permissions