Most organizations have implemented (internal or customer) Azure workloads in the same Microsoft Entra ID tenant environment as their corporate production environment for Microsoft 365 and other SaaS solutions. Delegate access and managing separated Azure environments in a single-tenant environment could be challenging.

In this context, various other questions come to mind:
Which aspects should be considered in securing identities or access as part of privileged DevOps pipeline and assigned permissions to Azure Resources? How can I delegate or separate objects such as service principals or test users within one Azure AD tenant? When should I start to isolate my resources in multiple tenants and what are the disadvantages?

Microsoft implemented new features and published white papers that address this need recently. In my session we will go into details about the subjects:

- Microsoft Entra ID Tenant Boundary and multi tenant scenarios
- Limitations and differences of Azure and Entra ID RBAC delegation
- Custom Azure RABC roles and scopes (UX and RBAC-as-Code)
- Delegated permissions on level of Administrative Units
- Approval process to gain scoped access to Entra ID objects
- Azure PIM Privileged Access Groups for Azure DevOps roles

Level 300 session
including Live-Demos