Subscriptions, tenants and Entra ID (RBAC, roles)
Before you deploy anything in Azure, you need to understand the identity and resource hierarchy. It is the foundation on which every decision about access, budget and security rests — and it is also what ZEUS reads through its connector.
Hierarchy: from tenant to resource
Azure is organized into four levels, top to bottom:
| Level | What it is | Example |
|---|---|---|
| Tenant (Entra ID) | Identity boundary and user directory | professnet.onmicrosoft.com |
| Management Group | Group of subscriptions sharing a common policy | mg-prod, mg-sandbox |
| Subscription | Billing and quota boundary | sub-zeus-prod |
| Resource Group | Logical container for resources with a shared lifecycle | rg-zeus-app-weu |
A single Entra ID tenant can span many subscriptions. A subscription always belongs to exactly one tenant.
Entra ID — identity, not resources
Microsoft Entra ID (formerly Azure AD) is the identity directory: users, groups, service principals (application identities) and managed identities. This is where people and applications sign in. Note: Entra ID directory roles (e.g. Global Administrator) are separate from Azure RBAC roles on resources; a Global Administrator has no rights on subscriptions by default. The two systems meet at exactly one point: a Global Administrator can switch on "Access management for Azure resources" (elevate access), which grants User Access Administrator at the root scope "/" and with it the ability to assign any RBAC role in any subscription of the tenant. That switch is worth auditing.
RBAC — who can do what and where
Azure RBAC rests on a triple: security principal + role definition + scope. A role assignment binds these three elements. Assignments inherit downward: a role granted at a management group or subscription applies to every resource group and resource beneath it. The most important built-in roles:
- Owner — full control, including granting permissions to others.
- Contributor — manages resources but does not grant access.
- Reader — read-only. This is the level ZEUS needs.
Listing and granting roles via the Azure CLI:
```bash
# Check your own role assignments in the current subscription
az role assignment list --assignee user@professnet.pl -o table
# Grant the Reader role to a service principal at subscription scope
# (--assignee takes the service principal's app ID or object ID; the zeros are a placeholder)
az role assignment create \
  --assignee "00000000-0000-0000-0000-000000000000" \
  --role "Reader" \
  --scope "/subscriptions/<sub-id>"
```
Tip: the principle of least privilege — grant the role at the narrowest possible scope. Reader on a resource group is better than Owner on the entire subscription.
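The hierarchy table and the RBAC triple above come together when you ask "who can touch this resource?": an assignment applies if its scope is the resource itself or any ancestor, from root "/" down through management groups, subscription and resource group. The script below is an added example written for this lesson, not ZEUS code and not an Azure SDK API. It re-implements that inheritance rule over records shaped like `az role assignment list --all -o json` output (principalName, roleDefinitionName, scope) and flags the assignments the least-privilege tip warns against. All assignments, the management-group ancestry and the subscription name "sub-zeus-prod" (standing in for the GUID a real tenant would show) are constructed sample data.

```python
"""Scope inheritance and least-privilege checks for Azure RBAC role assignments.

Added example for this lesson (not ZEUS code, not an Azure SDK API). It applies
the rule Azure itself uses: an assignment at a scope covers every resource
beneath that scope, and scopes compare case-insensitively. All data below is
constructed; "sub-zeus-prod" stands in for a real subscription GUID.
"""
import json
import re
import sys

MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"

# Constructed: management-group ancestry per subscription, nearest parent first.
# For real data build this from `az account management-group show -n <mg> -e -r`.
SAMPLE_MG_PARENTS = {"sub-zeus-prod": ["mg-prod", "tenant-root"]}

# Constructed sample assignments, trimmed to the RBAC triple.
SAMPLE_ASSIGNMENTS = [
    {"principalName": "alice@professnet.pl", "roleDefinitionName": "Owner",
     "scope": "/subscriptions/sub-zeus-prod"},
    {"principalName": "zeus-connector", "roleDefinitionName": "Reader",
     "scope": MG_PREFIX + "mg-prod"},
    {"principalName": "bob@professnet.pl", "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/sub-zeus-prod/resourceGroups/rg-zeus-app-weu"},
    {"principalName": "carol@professnet.pl", "roleDefinitionName": "Reader",
     "scope": "/subscriptions/sub-zeus-prod/resourceGroups/rg-other"},
    {"principalName": "break-glass", "roleDefinitionName": "User Access Administrator",
     "scope": "/"},
]

# Roles that can grant access to others: the ones least privilege says to keep narrow.
PRIVILEGED_ROLES = {"Owner", "User Access Administrator"}
# Root, management-group or subscription scope, i.e. anything broader than a resource group.
BROAD_SCOPE = re.compile(
    r"^/$|^/providers/Microsoft\.Management/managementGroups/[^/]+$|^/subscriptions/[^/]+$",
    re.IGNORECASE,
)


def ancestor_scopes(resource_id, mg_parents):
    """All scopes at which an assignment would apply to resource_id, broadest first.

    Walks root -> management groups -> subscription -> resource group ->
    provider resource (and each nested type/name pair), mirroring the
    hierarchy table in this lesson.
    """
    parts = resource_id.strip("/").split("/")
    if len(parts) < 2 or parts[0].lower() != "subscriptions":
        raise ValueError(f"not a subscription-rooted resource ID: {resource_id}")
    sub = parts[1]
    scopes = ["/"]
    scopes += [MG_PREFIX + mg for mg in reversed(mg_parents.get(sub, []))]
    current = f"/subscriptions/{sub}"
    scopes.append(current)
    i = 2
    if i + 1 < len(parts) and parts[i].lower() == "resourcegroups":
        current += f"/resourceGroups/{parts[i + 1]}"
        scopes.append(current)
        i += 2
    if i + 1 < len(parts) and parts[i].lower() == "providers":
        current += f"/providers/{parts[i + 1]}"
        i += 2
        while i + 1 < len(parts):  # each type/name pair is a nested resource
            current += f"/{parts[i]}/{parts[i + 1]}"
            scopes.append(current)
            i += 2
    return scopes


def effective_assignments(assignments, resource_id, mg_parents):
    """Assignments that apply to resource_id: scope is the resource or one of its ancestors."""
    applicable = {s.lower() for s in ancestor_scopes(resource_id, mg_parents)}
    return [a for a in assignments if a["scope"].lower() in applicable]


def least_privilege_findings(assignments):
    """Flag access-granting roles held at root, management-group or subscription scope."""
    return [
        f"{a['principalName']} holds {a['roleDefinitionName']} at {a['scope']}"
        for a in assignments
        if a["roleDefinitionName"] in PRIVILEGED_ROLES and BROAD_SCOPE.match(a["scope"])
    ]


if __name__ == "__main__":
    # Pipe real data in with: az role assignment list --all -o json | python3 rbac_scope.py
    assignments = SAMPLE_ASSIGNMENTS if sys.stdin.isatty() else json.load(sys.stdin)
    target = "/subscriptions/sub-zeus-prod/resourceGroups/rg-zeus-app-weu/providers/Microsoft.Web/sites/zeus-api"
    for a in effective_assignments(assignments, target, SAMPLE_MG_PARENTS):
        print(f"{a['roleDefinitionName']:<28} {a['principalName']:<22} via {a['scope']}")
    for finding in least_privilege_findings(assignments):
        print("WARN:", finding)
```

Run against the sample, the web app in rg-zeus-app-weu inherits alice's Owner (subscription), the connector's Reader (management group), bob's Contributor (resource group) and the break-glass User Access Administrator at root, while carol's Reader on rg-other does not reach it; the two findings are exactly the broad, access-granting assignments. With real CLI output the scopes carry subscription GUIDs, so SAMPLE_MG_PARENTS has to be keyed by those GUIDs.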
How ZEUS sees it
ZEUS connects to Azure through a service principal with the Reader role at management group or subscription level, so its access to resources is read-only. This lets it inventory the entire hierarchy (tenant → subscriptions → resource groups → resources) and map who holds which RBAC roles, with no risk of modifying the environment. Additionally, through Microsoft Graph it reads the Entra ID configuration (e.g. accounts with privileged roles, MFA). Note that the RBAC Reader role does not cover Graph: reading the directory needs Graph permissions granted to the service principal separately. We cover the connector details in lesson 07.
In the next lesson we go one level lower — to networking: VNet, NSG, Private Link and Bastion.