As part of my Cloud Engineering and DevOps learning journey, I recently decided to go beyond theory and start practicing Identity and Access Management (IAM) directly inside Microsoft Azure.
I wanted to understand how organizations manage users, permissions, administrative access, and security in real cloud environments. Instead of just reading about Microsoft Entra ID and RBAC, I performed a complete hands-on lab from start to finish.
In this lab, I:
- created a new Azure user
- configured Microsoft Authenticator
- assigned administrative roles
- logged into the new account using an incognito browser
- created another user using delegated access
- revoked the permissions
- tested whether the account could still perform administrative actions
This exercise gave me a much deeper understanding of how cloud identity management works in enterprise environments.
The screenshots attached throughout this post document the entire process step by step.
Starting From the Default Directory
I began by logging into the Azure Portal using my main administrator account inside the default directory.
From there, I navigated to:
Microsoft Entra ID → Users → All Users
This section contains every identity managed inside the Azure environment, including:
- users
- groups
- applications
- permissions
At this point, I already had administrative privileges, which allowed me to create and manage other users.
One thing I’m beginning to understand about cloud platforms is that structure and organization are extremely important. Without proper identity management, large organizations would struggle to control access securely.
Creating the “Immortel” User
The next step was creating a new user account named “Immortel.”
During the setup process, I configured:
- display name
- username
- password settings
- account information
After creating the account successfully, the new user appeared immediately inside the Azure users list.
This helped me understand how organizations onboard employees into Microsoft Entra ID environments.
At this stage, the account existed but had limited permissions.
Logging Into the Immortel Account Using Incognito Mode
Instead of signing out from my main administrator account, I opened a new incognito browser window and logged into the Immortel account separately.
This allowed me to:
- remain logged into my administrator account
- test the Immortel account independently
- simulate how multiple administrators may work simultaneously
Using incognito mode was actually very useful because it helped me manage both accounts side by side without interrupting my existing Azure session.
At this stage, the Immortel account still had very limited access because no elevated administrative roles had been assigned yet.
This demonstrated an important cloud security principle known as:
Least Privilege Access
This means users should only receive the minimum permissions necessary for their tasks.
Setting Up Microsoft Authenticator (MFA)
While logging into the Immortel account, Azure required Multi-Factor Authentication (MFA) setup using Microsoft Authenticator.
This process involved:
- scanning a QR code
- linking the account to the Authenticator app
- approving sign-in requests
This was one of the most practical parts of the exercise because it showed me how organizations secure user accounts beyond just passwords.
I now understand why MFA is considered one of the most important security practices in cloud computing. Even if a password gets compromised, unauthorized users still cannot access the account without the additional verification step.
Assigning Global Administrator and Global Reader Roles
After setting up the Immortel account successfully, I returned to my original administrator session inside the default directory and assigned two important roles:
- Global Administrator
- Global Reader
This introduced me to Azure Role-Based Access Control (RBAC).
Before this exercise, RBAC sounded theoretical while reading documentation. But seeing it work practically made everything much clearer.
Understanding the Global Administrator Role
Global Administrator is one of the highest-privileged roles inside Microsoft Entra ID.
A user with this role can:
- create and manage users
- assign permissions
- manage identity settings
- configure security
- reset passwords
- control administrative settings
In simple terms, this role has broad control over the Azure identity environment.
Understanding the Global Reader Role
Global Reader works differently.
Users with this role can:
- view configurations
- monitor environments
- review settings
but they cannot make administrative changes.
This role is useful for:
- auditors
- compliance teams
- monitoring personnel
who need visibility without modification access.
Logging Back Into the Immortel Session
After assigning the roles, I refreshed and continued working inside the incognito browser session already logged into the Immortel account.
The difference was immediately noticeable.
The account now had elevated privileges and could access administrative capabilities that were unavailable earlier.
This demonstrated how permissions in Azure are controlled dynamically through assigned roles.
It also showed me how powerful RBAC is in enterprise cloud environments.
Creating Another User Named “Dare”
To confirm the permissions were working correctly, I used the Immortel account to create another user named “Dare.”
The creation process was successful.
This confirmed that the Global Administrator privileges assigned earlier were active and functioning properly.
At this point, I fully understood how delegated administration works in Azure environments.
Organizations can temporarily assign elevated permissions to specific users without permanently granting full administrative control to everyone.
Revoking the Administrative Access
After completing the delegated administration test, I returned to my original administrator session inside the default directory.
I then removed:
- Global Administrator access
- Global Reader access
from the Immortel account.
This part of the exercise taught me another important IAM concept:
Permissions can be granted and revoked at any time.
This is critical in real-world environments for situations such as:
- employee resignation
- temporary contractors
- security incidents
- role changes
- access reviews
Testing the Revoked Account
To confirm the permissions were truly removed, I returned to the incognito browser session using the Immortel account and attempted to create another user named “John.”
This time, the operation failed.
The account no longer had sufficient privileges to perform administrative tasks.
This final test clearly demonstrated how Azure immediately enforces permission changes once access is revoked.
It was satisfying seeing the entire IAM workflow function exactly as expected.
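The user-lifecycle steps of this lab (create the user, assign Global Administrator and Global Reader, check what the account holds, revoke, re-check) scripted with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original post. The tenant domain, user principal name and initial password are placeholders; the "Dare"/"John" creation tests run from Immortel's own session are not scripted here because they need a second sign-in as that user.

```powershell
# Added example (not from the original post): the lab's role lifecycle via Microsoft Graph
# PowerShell. Tenant domain, UPN and initial password are placeholders. Run as an account
# that may manage users and directory role assignments (e.g. Privileged Role Administrator).
Connect-MgGraph -Scopes "User.ReadWrite.All", "RoleManagement.ReadWrite.Directory"

$domain = "contoso.onmicrosoft.com"   # placeholder tenant domain

# Step 1: create the delegated-admin account (the post's "Immortel"), forcing a password
# change at first sign-in. MFA registration is then enforced by tenant policy, as in the lab.
$immortel = New-MgUser -DisplayName "Immortel" -MailNickname "immortel" `
    -UserPrincipalName "immortel@$domain" -AccountEnabled `
    -PasswordProfile @{ Password = "<initial-password-placeholder>"; ForceChangePasswordNextSignIn = $true }

# Resolve a built-in directory role by name. A role that has never been used in the tenant
# is not yet "activated" and must be instantiated from its template (common for Global Reader).
function Get-OrActivateDirectoryRole([string]$Name) {
    $role = Get-MgDirectoryRole -Filter "displayName eq '$Name'"
    if (-not $role) {
        $template = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq $Name
        $role = New-MgDirectoryRole -RoleTemplateId $template.Id
    }
    return $role
}

# Step 2: grant Global Administrator and Global Reader to Immortel.
$roles = @("Global Administrator", "Global Reader") | ForEach-Object { Get-OrActivateDirectoryRole $_ }
$ref = @{ "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($immortel.Id)" }
foreach ($r in $roles) { New-MgDirectoryRoleMemberByRef -DirectoryRoleId $r.Id -BodyParameter $ref }

# Step 3: list the directory roles the account actually holds. This is the authoritative
# check behind what the post observes in the portal after refreshing the Immortel session.
function Get-UserDirectoryRoles([string]$UserId) {
    Get-MgUserMemberOf -UserId $UserId |
        Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.directoryRole' } |
        ForEach-Object { $_.AdditionalProperties.displayName }
}
"Roles after assignment: $((Get-UserDirectoryRoles $immortel.Id) -join ', ')"

# Step 4: revoke both roles and re-check; an empty list is the state behind the failed
# "create John" attempt. Tokens already issued to Immortel keep their claims until they
# expire, so refresh the session (or force it out with Revoke-MgUserSignInSession) before
# treating a still-working portal session as evidence that revocation did not apply.
foreach ($r in $roles) { Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $r.Id -DirectoryObjectId $immortel.Id }
"Roles after revocation: $((Get-UserDirectoryRoles $immortel.Id) -join ', ')"
```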
What This Lab Taught Me
This hands-on exercise helped me better understand:
- Microsoft Entra ID
- Identity and Access Management (IAM)
- RBAC
- Multi-Factor Authentication (MFA)
- delegated administration
- access control
- permission revocation
- cloud security principles
More importantly, it helped me realize that identity management is one of the most critical aspects of cloud security.
Without proper IAM controls:
- unauthorized access becomes easier
- security risks increase
- governance becomes difficult
- compliance becomes harder to maintain
Final Thoughts
This was one of the most valuable Azure labs I’ve completed so far because it moved beyond theory into practical identity administration and security management.
As I continue learning Cloud Engineering and DevOps, I’m beginning to appreciate how important hands-on practice is. Reading documentation is useful, but actually performing these tasks inside a real cloud environment creates a completely different level of understanding.
I still have a long way to go, but each lab continues to build my confidence and understanding step by step.
I’ll continue documenting my learning journey, projects, and hands-on experiences as I grow in cloud engineering and DevOps.