azure:az-104_2024:identity_and_access_management

Differences

This shows you the differences between two versions of the page.

azure:az-104_2024:identity_and_access_management [2024/10/16 16:53] – [Licensing] mmuzeazure:az-104_2024:identity_and_access_management [2025/11/29 17:48] (current) mmuze
Line 121: Line 121:
  
 ====== Global Admin Elevated Access ====== ====== Global Admin Elevated Access ======
 +  * [[https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin]]
   * As a Global Administrator in Microsoft Entra ID, you might not have access to all subscriptions and management groups in your directory.   * As a Global Administrator in Microsoft Entra ID, you might not have access to all subscriptions and management groups in your directory.
    * There is a setting on the Entra Id tenant/directory that allows a Global Admin to <color :#fff200>"manage access to all Azure subscriptions and management groups in this tenant."</color> This allows the user to assign themselves and others roles to access resources.    * There is a setting on the Entra Id tenant/directory that allows a Global Admin to <color :#fff200>"manage access to all Azure subscriptions and management groups in this tenant."</color> This allows the user to assign themselves and others roles to access resources.
 +   * This setting gives the user the User Access Administrator role for the root scope that is inherited by all management groups/subscriptions.
    * Although it's a per-user settings it is enabled from the tenant blade, not the user properties blade.    * Although it's a per-user settings it is enabled from the tenant blade, not the user properties blade.
 +   * Also, it results in an Azure role being assigned to the user, not a Entra Id/Administrative role being assigned. <color :#fff200>So, it might seem a little counterintuitive for the role to get assigned from tenant blade, but this a special case of bootstrapping the ability to assign RBAC roles.</color>
 +
 +====== Multi-factor Authentication (MFA) ======
 +  * Conditional Access based MFA is also call Per-Authentication MFA in contrast to Per-User MFA.
 +
 +====== Conditional Access ======
 +  * [[https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview]]
 +
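Review bot: The added root-scope bullet says the setting grants User Access Administrator at the root scope, inherited by all management groups/subscriptions, but the section only documents how that access is gained. Suggest adding a bullet that the toggle should be switched back off once the required role assignments are made, since the grant covers every subscription in the tenant. Wording fixes in the added lines: "not a Entra Id/Administrative role" should be "not an Entra ID/administrative role", "but this a special case" is missing "is", and in the MFA bullet "is also call Per-Authentication MFA" should be "is also called". The new Conditional Access heading carries only a link; a one-line summary bullet would bring it in line with the Global Admin section above it.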
  • azure/az-104_2024/identity_and_access_management.1729097633.txt.gz
  • Last modified: 2024/10/16 16:53
  • by mmuze