Azure RBAC / Entra Roles: MFA, SSO, Conditional Access, and User Management Guide 2026
Why Microsoft Entra RBAC Problems Keep Breaking Your Access
You've been there. A developer opens a ticket saying they can't register an app. A helpdesk analyst gets "Access Denied" when trying to reset a password. An automated service principal suddenly stops working overnight , even though nothing changed. I've seen this exact pattern on dozens of enterprise tenants, and almost every time the root cause comes back to the same thing: a misunderstood or misconfigured Microsoft Entra RBAC role assignment.
Microsoft Entra role-based access control is the system that governs who can do what inside your Azure Active Directory tenant, now officially called Microsoft Entra ID. It controls access to directory objects like users, groups, and enterprise applications through the Microsoft Graph API. That last part matters a lot, and I'll come back to it. Because Entra RBAC is often confused with Azure RBAC (the system that controls access to Azure resources like VMs and storage accounts), administrators end up granting the wrong permissions entirely and wonder why nothing works.
The two systems look nearly identical from the outside. Both use role definitions and role assignments. Both support built-in roles and custom roles. But they are completely separate. A permission you define in an Entra custom role cannot be dropped into an Azure custom role, and vice versa. Microsoft's error messages don't tell you this clearly. You'll get a generic "Insufficient privileges to complete the operation" message with no pointer to whether the problem is on the Entra side or the Azure side.
There's also the scope problem. Entra RBAC supports three scope levels, tenant-wide, administrative unit, and individual resource. When a role is assigned at tenant scope, the member gets those permissions across every object of that type in your directory. Assign it at resource scope (say, a single app registration), and the permissions are locked to that one object. I've seen teams accidentally assign Global Administrator at tenant scope when they only needed a developer to manage one specific application. That's a serious over-privilege mistake, and it's surprisingly common.
On top of all this, Conditional Access policies, MFA requirements, and SSO configurations layer on top of role assignments and can silently block access even when permissions are technically correct. A user might have the right Entra role but hit a Conditional Access policy that blocks their sign-in because they're on a non-compliant device, or because MFA wasn't satisfied. The error they see has nothing to do with RBAC, but admins often start troubleshooting in the wrong place.
I know this is frustrating, especially when it blocks your work or your team's work. This guide cuts through all of it. Browse all Microsoft fix guides →
The Quick Fix, Try This First
Before you go deep into custom roles and Conditional Access policies, run this fast diagnostic. In my experience, about 60% of Microsoft Entra RBAC access problems come down to one of three things: the role assignment doesn't exist at the right scope, the user's token hasn't refreshed to pick up a new assignment, or the role was assigned to a group that isn't flagged as role-assignable.
Start at the Microsoft Entra admin center. Go to Identity > Roles & admins > All roles. Search for the role you think the user should have. Click into it, then click Assignments. Find the user in the list. If they're not there, either directly or via a group, that's your problem. The role simply isn't assigned.
If they are listed but still can't do the thing they need to do, check the scope column next to their name. A role assigned at administrative unit scope only covers objects inside that unit. If the user needs to manage something outside that unit, the assignment won't cover it and you'll need either a separate assignment at tenant scope or a second administrative unit assignment.
If the assignment looks correct, the token is the next suspect. When you assign a new Entra role to a user, that assignment takes effect almost immediately in terms of the directory, but the user's current access token won't reflect it until they sign out and back in. Ask the user to sign out of all Microsoft sessions completely, not just close the browser tab, and sign back in. This forces a new token to be issued with the updated wids claim, which is exactly what Microsoft Entra ID checks when evaluating role memberships. Nine times out of ten, this resolves the "I just got assigned a role but still can't do X" complaint.
For service principals and automated tools hitting access errors, restart the service or re-authenticate the application. The token refresh cycle applies there too.
wids claim baked into the access token at sign-in time. If you assign a role and the user still can't access the resource, don't waste 30 minutes clicking through settings, just have them sign out completely, clear their browser cache, and sign back in. This forces a fresh token with the new role claim included. It's the single fastest fix in the entire Entra RBAC troubleshooting playbook.
Before changing anything, you need a clear picture of what's actually assigned. Surprises happen when you start modifying role assignments without knowing the baseline state. This is especially true in environments where multiple admins have been adding assignments over time without documentation.
Open the Microsoft Entra admin center at entra.microsoft.com. In the left nav, go to Identity > Roles & admins. Click All roles to see every built-in and custom Entra role in your tenant. For a targeted audit, use Microsoft Graph PowerShell instead:
# Connect to Microsoft Graph with required permissions
Connect-MgGraph -Scopes "RoleManagement.Read.Directory"
# List all active role assignments in the tenant
Get-MgRoleManagementDirectoryRoleAssignment | Select-Object RoleDefinitionId, PrincipalId, DirectoryScopeId
This will return every role assignment, including ones made through Privileged Identity Management (PIM) that might not be obviously visible in the UI. Pay attention to the DirectoryScopeId column. A value of / means tenant-wide scope. A value like /administrativeUnits/<guid> means it's scoped to an administrative unit. A value pointing to an application registration GUID means it's scoped to just that resource.
Note: Azure CLI is not supported for Microsoft Entra role assignments. If you see advice online telling you to use az role assignment list for Entra roles, that's incorrect, that command only covers Azure resource roles. You need either the Microsoft Entra admin center, Microsoft Graph PowerShell, or the Microsoft Graph API directly.
When the audit completes, you should have a clear list of who has what at which scope. That list is your troubleshooting baseline. If a user is missing a necessary assignment, you'll add it in the next steps. If someone has broader access than they should (like tenant-wide scope when they only need object-level access), you'll flag that for remediation.
This is where most issues get fixed. You're going to either confirm an existing assignment's scope is correct or create a new assignment at the right scope. Remember the core principle: Microsoft Entra RBAC is a two-part process, first you have a role definition (a collection of permissions), and then you create a role assignment that connects a security principal to that definition at a specific scope.
In the Microsoft Entra admin center, navigate to Identity > Roles & admins > All roles. Find the role you want to assign, for example, Application Administrator or a custom role you've created. Click on it, then click + Add assignments.
In the assignment panel, the first thing to set is scope. You have three options:
- Tenant, the user can act on all resources of the relevant type across your entire directory
- Administrative unit, permissions are limited to objects inside a specific administrative unit you select
- Resource, permissions are limited to one specific Microsoft Entra resource, such as a single app registration or enterprise application
For example, if a developer only needs to manage the Contoso Expense Reports app registration, set scope to the specific app registration. Don't assign Application Administrator at tenant scope just because it's easier, that grants them the same permissions over every app registration in your directory.
After setting scope, select the user, group, or service principal as the security principal. Click Assign. The assignment takes effect in the directory almost immediately. As covered earlier, the user will need to sign out and back in to get a refreshed token.
If you're using PowerShell:
$roleDefinitionId = (Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Application Administrator'").Id
$principalId = (Get-MgUser -Filter "userPrincipalName eq 'dev@contoso.com'").Id
New-MgRoleManagementDirectoryRoleAssignment `
-RoleDefinitionId $roleDefinitionId `
-PrincipalId $principalId `
-DirectoryScopeId "/"
Replace "/" with "/administrativeUnits/<unit-id>" or "/applications/<app-id>" to scope to an administrative unit or specific resource respectively.
Built-in Entra roles cover a lot of ground, but they're fixed. You can't modify them. When your requirements don't match any built-in cleanly, say, you need someone who can read user profiles and reset passwords but shouldn't be able to delete users or manage groups, a custom role is the answer.
Custom Entra roles require Microsoft Entra ID P1 or P2 licensing. If you try to create one without the right license, you'll hit an error in the portal. Check your license tier first at Identity > Overview > Licenses.
To create a custom role, go to Identity > Roles & admins > All roles > + New custom role. Give it a clear, descriptive name. On the Permissions tab, search for specific permissions from the preset list. For password reset, look for microsoft.directory/users/password/update. For reading user profiles, add microsoft.directory/users/standard/read.
Here's the important thing about custom role permissions: they come from the exact same permission set used in built-in roles. You're not inventing new capabilities, you're selecting a subset. This keeps the permission model consistent and auditable.
Using PowerShell to create a custom role:
$rolePermissions = @{
allowedResourceActions = @(
"microsoft.directory/users/password/update",
"microsoft.directory/users/standard/read"
)
}
New-MgRoleManagementDirectoryRoleDefinition `
-DisplayName "Password Reset Operator" `
-Description "Can read user profiles and reset passwords" `
-IsEnabled $true `
-RolePermissions @($rolePermissions) `
-TemplateId (New-Guid).Guid
Once the custom role definition exists, assign it exactly as you would a built-in role, select the principal, set the scope, create the assignment. You can assign the same custom role definition many times at different scopes. One user might have it at tenant scope; another might have it scoped to a specific administrative unit. The definition is reusable.
Here's a scenario I see constantly: an admin assigns an Entra role correctly, the user can see it in their account settings, but they still can't perform the action. The error message is something vague like "Authentication required" or "Your sign-in was blocked." This is almost always a Conditional Access policy running interference.
Conditional Access sits above RBAC in the authorization chain. Even if a user has the right Entra role with the right scope, a Conditional Access policy can block the sign-in or the specific action entirely. The most common culprits:
- MFA not satisfied: A policy requires MFA for privileged directory roles, but the user signed in without completing MFA (common when signing in from a trusted location that was recently removed from the trusted IP list)
- Non-compliant device: A policy requires Intune-compliant devices for directory admin actions, and the user's machine failed compliance
- Sign-in risk block: Microsoft Entra ID Protection flagged the sign-in as medium or high risk, and a policy blocks risky sign-ins from completing
To diagnose, go to Protection > Conditional Access > Sign-in logs in the Microsoft Entra admin center. Filter by the affected user and the timeframe of the failed access. Look for sign-in entries with a status of Failure or Interrupted. Click into the entry and go to the Conditional Access tab. You'll see exactly which policy applied, what condition it checked, and what it decided. This is the most direct way to find out which policy is blocking access.
If MFA is the issue and the user legitimately completed MFA, check whether their MFA methods are still valid. A phone number change or an authenticator app reset can leave the account in a state where existing sessions think MFA is satisfied but new policy checks disagree.
# Check MFA registration status for a user
Get-MgUserAuthenticationMethod -UserId "user@contoso.com"
For SSO issues where users are getting authentication prompts they shouldn't be seeing, check the enterprise application's SSO configuration under Applications > Enterprise applications > [App name] > Single sign-on. Verify the SAML entity ID, reply URL, and signing certificate haven't expired. An expired SAML certificate will break SSO silently and produce very unhelpful error messages in the browser.
If you're managing access at scale, assigning roles directly to individual users doesn't hold up. You end up with dozens of direct assignments that are impossible to audit cleanly. Groups are the answer, but not just any group. Microsoft Entra RBAC has a specific requirement: a group must be flagged as a role-assignable group before you can assign Entra directory roles to it.
This is a one-time, irreversible setting per group. Once a group is marked as role-assignable, its membership can only be managed by Global Administrators, Privileged Role Administrators, and group owners. This tighter control is intentional, a group with a directory role assignment is a high-value target, and Microsoft restricts who can modify its membership to prevent privilege escalation through group membership changes.
To create a role-assignable group, go to Identity > Groups > All groups > + New group. Set the group type to Security. You'll see a toggle labeled Microsoft Entra roles can be assigned to the group. Set that to Yes. You cannot flip this toggle on an existing group, you have to create a new one. Plan ahead.
Using PowerShell:
New-MgGroup `
-DisplayName "Entra-AppAdmins" `
-MailEnabled $false `
-MailNickname "entra-appadmins" `
-SecurityEnabled $true `
-IsAssignableToRole $true
For service principals, the identities used by applications, hosted services, and automation tools, role assignments work the same way as for users. Get the service principal's object ID (not the application ID, they're different), then create the role assignment with that object ID as the principal. A common mistake is using the application ID instead of the service principal object ID, which silently fails or assigns to the wrong object.
# Get service principal object ID
$sp = Get-MgServicePrincipal -Filter "displayName eq 'MyAutomationApp'"
$sp.Id # This is the object ID you need for role assignments
Once your role-assignable groups are set up, manage access by managing group membership rather than individual role assignments. Onboarding a new developer means adding them to the right group. Offboarding means removing them. Your role assignment list stays clean and auditable.
Advanced Troubleshooting for Microsoft Entra RBAC
When the standard fixes don't work, the problem is usually either in Privileged Identity Management (PIM), administrative unit configuration, or a token/session state issue that isn't obvious from the UI. Let me walk through each.
Privileged Identity Management and Eligible Assignments
If your tenant uses PIM, role assignments come in two flavors: active and eligible. An eligible assignment means the user can activate the role on demand, but they aren't holding it right now. If someone says "I have the Application Administrator role but I still get Access Denied," ask them: did you activate the role in PIM today? Eligible assignments do nothing until the user goes to Identity Governance > Privileged Identity Management > My roles and clicks Activate next to the eligible role. Until they do that, they effectively have no assignment.
Activation requires MFA by default and may require a justification entry. After activation, the role is active for a time window you configure (default is often 8 hours). If the window has expired, the role goes inactive again and the user needs to reactivate.
Administrative Unit Scope Conflicts
Administrative units restrict role assignment scope to a subset of the directory. When a role is assigned over an administrative unit, the member gets permissions only over objects inside that unit. If an admin tries to reset the password for a user who is not a member of their administrative unit, they'll get an access denied error, even if their role technically allows password resets. The scope constraint is working as designed.
To diagnose this, check whether the affected object (the user, group, or app) is actually a member of the administrative unit the admin is scoped to. Go to Identity > Administrative units > [Unit name] > Members and verify the object is listed.
Token Cache and Authentication Session Issues
Access tokens in the Microsoft identity platform have a lifetime of typically 60–90 minutes. Role membership data is embedded in the token at issuance. If you assign or remove a role and the user's token hasn't expired yet, they'll still see the old permissions until the token refreshes. For high-urgency situations where you can't wait for natural token expiry, revoke the user's refresh tokens:
# Revoke all refresh tokens for a user, forces re-authentication
Revoke-MgUserSignInSession -UserId "user@contoso.com"
This is more aggressive than a simple sign-out. It invalidates all existing sessions across all devices and apps. Use it when you've made a security-sensitive role change and need the change to take effect immediately.
Checking the Sign-In and Audit Logs
The Microsoft Entra audit log is your best friend for advanced investigation. Go to Identity > Monitoring & health > Audit logs. Filter by Category: RoleManagement to see every role assignment and removal. Filter by Activity: Add member to role to find when a specific assignment was created and who created it. The audit log retains data for 30 days on free tenants and up to 90 days on P1/P2. For longer retention, export to Azure Monitor Logs or a Storage Account.
For sign-in failures, Identity > Monitoring & health > Sign-in logs gives you the full picture, including which Conditional Access policies evaluated the sign-in, what MFA methods were checked, and what the final access decision was. Event IDs in the sign-in logs that are worth knowing: error code 50158 means external MFA wasn't satisfied, 53003 means Conditional Access blocked the request, and 70011 means the requested scope is invalid for the application.
Prevention & Best Practices for Microsoft Entra RBAC
The teams that avoid Entra RBAC headaches aren't the ones who are smarter, they're the ones who set up guardrails early. Here's what actually works in real enterprise environments.
First, document every custom role definition and every non-standard assignment in a central location. When an admin leaves or a new admin joins, they need to understand why certain assignments exist. An undocumented assignment that you can't explain is a security risk. Use the description field on custom role definitions to record the business justification.
Second, always apply the principle of least privilege. This sounds obvious, but I still see Global Administrator handed out like it's the default "give them access" option. Use the Microsoft Entra admin center's built-in roles list, which documents the least privileged role for each specific task. Need to reset passwords? That's Helpdesk Administrator, not User Administrator and definitely not Global Admin. Need to manage just one app registration? Scope Application Administrator to that specific app registration, don't go tenant-wide.
Third, use role-assignable groups and Privileged Identity Management together. Eligible assignments through PIM mean people are not holding powerful roles 24/7, they request access when they need it, and the request is audited. This dramatically reduces the blast radius if an account is compromised.
Fourth, run quarterly access reviews. Microsoft Entra ID Governance includes access review functionality that automatically asks managers or resource owners to confirm whether users still need their assigned roles. Set up a recurring review for all privileged roles, anything above standard user access. The review data is logged and auditable.
- Enable Privileged Identity Management (PIM) for all built-in directory roles, eliminate standing privileged access and require just-in-time activation
- Block Global Administrator assignment to personal accounts, require a dedicated admin account with no mailbox and no Microsoft 365 licenses attached
- Set up an alert in Microsoft Entra ID to notify your security team whenever a Global Administrator, Privileged Role Administrator, or Security Administrator role is assigned
- Require phishing-resistant MFA (FIDO2 or Windows Hello for Business) specifically for accounts that hold Entra directory roles, standard authenticator app MFA is good, but privileged accounts deserve stronger authentication
Frequently Asked Questions
What is Microsoft Entra RBAC and how is it different from Azure RBAC?
Microsoft Entra RBAC controls access to directory resources, users, groups, applications, and similar objects, and operates through the Microsoft Graph API. Azure RBAC controls access to Azure infrastructure resources like virtual machines, storage accounts, and resource groups, and operates through Azure Resource Management. They share a similar conceptual model (role definitions + role assignments + scope) but are completely separate systems. Permissions defined in Entra custom roles cannot be used in Azure custom roles, and the other direction is equally blocked. If you're granting access to a person to manage Active Directory objects, that's Entra RBAC. If you're granting access to a VM or a storage container, that's Azure RBAC.
Why does my user still get "Access Denied" after I assigned them an Entra role?
The most likely explanation is a stale access token. Microsoft Entra ID embeds role membership data in the access token when it's issued, and that token lives for up to 90 minutes. If you assigned the role after their last sign-in, their current token doesn't include the new assignment yet. Ask the user to sign out of all Microsoft sessions completely and sign back in. If that doesn't work, check whether you assigned the role at the correct scope, a role assigned to an administrative unit only covers objects inside that unit, so if the resource they're trying to manage is outside that unit, access will still be denied despite the assignment existing.
Can I use Azure CLI to manage Microsoft Entra role assignments?
No. Azure CLI does not support Microsoft Entra role assignments. The az role assignment commands work exclusively with Azure resource roles (Azure RBAC), not Entra directory roles. For Entra role assignments, you need one of three options: the Microsoft Entra admin center UI, Microsoft Graph PowerShell (Connect-MgGraph with the appropriate scopes), or direct calls to the Microsoft Graph API. This is a common point of confusion because the two RBAC systems look similar, but the tooling is separate.
How do I create a custom Entra role that only covers one specific app?
Creating a custom role for a specific app is a two-step process. First, create the custom role definition with the permissions you want, in the Microsoft Entra admin center under Roles & admins > + New custom role, add permissions like microsoft.directory/applications/credentials/update or microsoft.directory/applications/standard/update from the preset list. Second, when you create the role assignment, set the scope to the specific app registration rather than the tenant. In the admin center, go to the role's Assignments tab, click + Add assignments, and under Scope type select Application, then pick the specific app registration. This scopes the permissions so the assignee can only act on that one app.
A Conditional Access policy is blocking access, how do I find out which one?
Go to Identity > Monitoring & health > Sign-in logs in the Microsoft Entra admin center. Filter by the affected user's name and the timeframe of the failure. Click the failed sign-in entry, then open the Conditional Access tab. This tab shows every policy that was evaluated during that sign-in, what each policy checked, whether the conditions were met, and what the grant decision was. Policies listed as Failure or showing a red icon are the ones that blocked access. Common error codes to look for: 53003 (Conditional Access block) and 50158 (external MFA requirement not satisfied). Once you identify the policy, you can modify its conditions, exclusions, or grant controls to address the legitimate user's scenario.
What's the difference between an eligible assignment and an active assignment in Entra PIM?
An active assignment means the user holds the role right now and can exercise its permissions immediately. An eligible assignment means the user is authorized to activate the role when they need it, but they don't hold it continuously. With an eligible assignment, the user must go to Privileged Identity Management > My roles and click Activate to actually get the permissions, this typically requires completing MFA and providing a justification. The activated role then lasts for a configured time window (often 1–8 hours) before automatically expiring. Eligible assignments are the recommended approach for privileged Entra roles because they prevent standing access, reduce the attack surface, and generate an audit trail every time someone activates elevated permissions.