Building Secure Azure Identity Without Entra ID P2: A Solo Founder’s Playbook

When you’re an early-stage founder, security still matters — but every dollar does too.

Recently, I went through the process of hardening identity and access for my consultancy, Tanolis, using Microsoft Entra ID Free only. No P2. No PIM. No paid identity governance. No shortcuts.

This post documents what actually works today, where the real limits are, and how you can still build a production-safe, least-privilege architecture without enterprise licenses.


The Reality Check: Entra ID Free Has Hard Boundaries

Before designing anything, it’s important to accept Microsoft’s non-negotiables at the free tier:

  • Security Defaults are mandatory
    • MFA is enforced for all users
    • Legacy authentication is blocked
    • No user exclusions
  • Conditional Access customization is locked
  • No Privileged Identity Management (PIM)
  • No Just-In-Time (JIT) elevation
  • No identity protection or risk-based policies

There are no supported “workarounds.”
If someone claims otherwise, they’re relying on expired trials or unsafe configurations.

Once I accepted this, the design became much clearer.


Separate the Planes: Identity vs Azure Resources

One of the most common points of confusion (and mistakes) is mixing up tenant roles and Azure roles.

They are not the same thing.

Identity Plane (Microsoft Entra ID)

  • Controls users, authentication, and directory-wide settings
  • Key role: Global Administrator

Resource Plane (Azure RBAC)

  • Controls subscriptions, resource groups, and Azure services
  • Key roles: Owner, Contributor, Reader

A Global Admin does not automatically control Azure resources.
An Azure Owner does not automatically control the tenant.

Treating these as separate planes is foundational to least privilege.


The Identity Model That Actually Works (Free Tier)

I settled on a four-account model, each with a single, clear purpose:

  1. Daily work account
    • Standard user
    • Contributor in Dev and Prod (not Owner)
    • Used for all real work
  2. Dev account
    • Standard user
    • Contributor at Dev resource group scope only
    • No Prod access
    • Ideal for coding, testing, and automation
  3. Admin account
    • Global Administrator
    • Azure Owner (Dev and Prod)
    • Used only for configuration and RBAC changes
  4. Break-glass account
    • Global Administrator
    • MFA required (because Security Defaults enforce it for every account)
    • Credentials stored offline
    • Emergency use only

This structure gives clarity, accountability, and containment — even without PIM.


Accepting the Break-Glass Reality (Free Tier)

In many enterprise designs, break-glass accounts are MFA-excluded.

That is not possible with Entra ID Free.

Security Defaults enforce MFA for everyone, including Global Admins, with no exceptions.

So the correct free-tier model is:

  • Strong password
  • MFA registered and documented
  • Offline credential storage
  • Emergency-only usage
  • Regular verification that the account still works

It’s not perfect — but it is supported, safe, and honest.


Azure RBAC: Least Privilege Still Works

Even without PIM, Azure RBAC gives you powerful control if you scope it correctly.

Key decisions I made:

  • No daily account is ever Owner
  • Owner exists only on the admin account
  • Developers are scoped to resource groups, not subscriptions
  • Dev and Prod are isolated

For Dev work, Contributor at the resource group level is the sweet spot:

  • Enough access to build and deploy
  • No ability to change subscription-wide settings
  • Reduced blast radius

Specialized roles (like Azure AI Developer) only make sense later, when teams grow and responsibilities narrow.


Manual Discipline Replaces Automation

Without PIM, process matters.

That means:

  • Explicit rules about when the admin account is used
  • Immediate role removal after rare elevation
  • Regular sign-in and audit log review
  • Clean onboarding and offboarding

This isn’t glamorous — but it works, and it scales surprisingly well for a solo founder or small consultancy.
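The "regular audit log review" above and the RBAC rules from the previous section can be checked mechanically. The script below is an added example (not the post's own tooling): it reads a role-assignment export whose field names mirror `az role assignment list --all -o json` (principalName, roleDefinitionName, scope) and flags drift from the four-account model. The account names, subscription id and resource-group names are constructed placeholders.

```python
"""Audit an Azure role-assignment export against the four-account model."""
import json

# Constructed sample export. Field names mirror the output of
# `az role assignment list --all -o json`; every value below is made up.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
DEV_RG = SUB + "/resourceGroups/rg-dev"
PROD_RG = SUB + "/resourceGroups/rg-prod"
# Hypothetical UPNs for the admin, daily and dev accounts.
ADMIN, DAILY, DEV = "admin@example.com", "daily@example.com", "dev@example.com"

SAMPLE_EXPORT = json.dumps([
    {"principalName": ADMIN, "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": DAILY, "roleDefinitionName": "Contributor", "scope": DEV_RG},
    {"principalName": DAILY, "roleDefinitionName": "Contributor", "scope": PROD_RG},
    {"principalName": DEV, "roleDefinitionName": "Contributor", "scope": DEV_RG},
    # Three drift conditions planted on purpose so the audit has something to find:
    {"principalName": DAILY, "roleDefinitionName": "Owner", "scope": DEV_RG},
    {"principalName": DEV, "roleDefinitionName": "Reader", "scope": PROD_RG},
    {"principalName": DAILY, "roleDefinitionName": "Contributor", "scope": SUB},
])


def under(scope, parent):
    """True if scope is parent itself or a child of it (Azure scopes are case-insensitive)."""
    s, p = scope.lower(), parent.lower()
    return s == p or s.startswith(p + "/")


def audit(export_json, admin=ADMIN, dev=DEV, dev_rg=DEV_RG, subscription=SUB):
    """Return (rule, principal, role, scope) for every assignment that breaks a rule:
    Owner lives only on the admin account, the dev account never leaves the Dev
    resource group, and no non-admin account holds anything at subscription scope."""
    findings = []
    for a in json.loads(export_json):
        who, role, scope = a["principalName"], a["roleDefinitionName"], a["scope"]
        if role == "Owner" and who != admin:
            findings.append(("owner-outside-admin", who, role, scope))
        if who == dev and not under(scope, dev_rg):
            findings.append(("dev-outside-dev-rg", who, role, scope))
        if who != admin and scope.lower() == subscription.lower():
            findings.append(("non-admin-subscription-scope", who, role, scope))
    return findings


if __name__ == "__main__":
    for rule, who, role, scope in audit(SAMPLE_EXPORT):
        print(f"{rule:30} {who:20} {role:12} {scope}")
```

Against a real tenant, replace SAMPLE_EXPORT with the contents of `az role assignment list --all -o json` and set the admin and dev UPNs and the Dev resource-group scope to your own; an empty result is the expected state after any rare elevation has been removed.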


The Outcome

At the end of this process, the tenant is:

  • Secure by default
  • Fully supported by Microsoft
  • Free of legacy or unknown admin accounts
  • Least-privilege by design
  • Ready for future P2/PIM adoption without rework

Most importantly, it avoids the two extremes I see all the time:

  • Over-engineering with licenses you don’t need
  • Under-securing because “it’s just a small tenant”

Final Thought

You don’t need enterprise licenses to build a clean, professional identity foundation.

You do need:

  • Clear mental models
  • Acceptance of platform limits
  • Deliberate role scoping
  • And the discipline to treat identity as infrastructure

If you get that right early, everything else becomes easier — and cheaper — later.
