Azure / Entra ID Glossary
The glossary explains how cloud identities, roles, and configurations are classified, how high-impact identities are identified, and how privilege levels affect security within Azure environments.
Azure / Entra ID Objects
FSProtect analyzes the following identity and configuration objects within Azure environments.
Tenants
Users
Groups
Devices
Applications
Service Principals
Roles
Administrative Units
Conditional Access Policies
Tier 0 (Azure / Entra ID)
What “Tier 0” Means in Azure
Tier 0 identities in Azure represent control over the entire Azure / Entra ID tenant and its identity control plane. Any identity, role, or configuration that can manage authentication, authorization, role assignments, or security policies at the tenant level is considered Tier 0.
Compromise of a Tier 0 identity can result in full control over users, groups, applications, devices, and cloud resources within the tenant.
For this reason, Tier 0 identities must be tightly protected and administered only from dedicated, hardened administrative access by the smallest possible set of highly trusted administrators.
Which Azure Objects Are Always Tier 0
The following Azure / Entra ID objects are always considered Tier 0 due to their ability to control the tenant-wide identity and security boundary.
Azure / Entra ID Tenant
Global Administrator role
Privileged Role Administrator role
Tenant-wide Conditional Access Policies
Entra ID (formerly Azure AD) directory roles assigned at tenant-wide scope that can manage authentication, authorization, role assignments, or security policies
How Azure Objects Get Their Tier
In Azure environments, the tier of an object is determined by the scope of permissions, role assignments, and relationships to Tier 0 identities.
Objects that are not inherently Tier 0 can become Tier 0 or Privileged through direct or indirect role assignments, delegated administrative permissions, or control over Tier 0 identities.
FSProtect determines the effective tier of Azure objects by analyzing role scopes, assignment chains, and privilege relationships during Azure scans.
Privileged (Azure / Entra ID)
Privileged objects in Azure are identities, roles, or configurations that have high-impact permissions over Azure / Entra ID resources or security controls, but do not represent full tenant-level control.
These objects can significantly affect users, applications, devices, or security settings and may be leveraged to indirectly compromise Tier 0 identities.
FSProtect marks the following types of objects as Privileged in Azure environments:
Azure roles with high-impact administrative permissions
Identities assigned to roles that manage users, roles, or security configurations
Service Principals or applications with broad directory or management permissions
Objects with delegated permissions that can modify privileged identities or policies
Unprivileged (Azure / Entra ID)
Unprivileged objects in Azure are identities and roles that do not have elevated administrative permissions and cannot directly or indirectly compromise Tier 0 or Privileged objects.
These objects typically have limited scope and impact within the Azure / Entra ID environment.
All Azure objects that are not classified as Tier 0 or Privileged are considered Unprivileged by FSProtect.
Everyone-Like (Azure / Entra ID)
Everyone-Like objects in Azure are identities, groups, or configurations that implicitly or broadly include a large portion of the tenant, resulting in wide-reaching access or impact; examples are a dynamic group whose membership rule matches every user, or a Conditional Access policy assigned to All users.
These objects do not necessarily grant high privileges on their own, but their broad membership or scope can significantly increase the attack surface and amplify the impact of misconfigurations or privilege escalation paths.
FSProtect uses the Everyone-Like classification to identify Azure objects that represent broad or implicit access across the tenant.
Shadow Admin (Azure / Entra ID)
Shadow Admin objects in Azure are identities, roles, or configurations that are not explicitly classified as Tier 0 or Privileged, but can indirectly compromise Tier 0 identities or gain high-impact control through role assignments, delegated permissions, or privilege relationships.
For example, the owner of a role-assignable group can add members to it, and the owner of an application can add a credential to it and sign in as its service principal; if that group or service principal holds a Tier 0 role, the owner has effective Tier 0 control without holding any administrative role. These objects enable privilege escalation paths with tenant-level impact without being immediately obvious as administrative identities.
FSProtect identifies Azure Shadow Admins by analyzing role scopes, permission delegations, and indirect control paths within the Azure / Entra ID environment.
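The following Python script is an added example, not FSProtect code, of how the classifications in this glossary can be computed from a directory snapshot. It resolves roles held directly or through group membership (the assignment chains described under "How Azure Objects Get Their Tier"), treats broad Microsoft Graph application permissions as Privileged, flags a group that covers most of the tenant's users as Everyone-Like, and walks ownership edges (group owners can add members, application and service-principal owners can add credentials) to find Shadow Admins. The built-in role names and Graph permission names are real; the snapshot, the user:/group:/sp: naming scheme, the Everyone-Like threshold, and the decision to treat RoleManagement.ReadWrite.Directory as Tier 0 are assumptions of the example. Which roles and permissions FSProtect itself places in each tier is not specified on this page.

```python
"""Effective-tier classification over a small Entra ID tenant snapshot (added example,
not FSProtect code). Built-in role and Graph permission names are real; the snapshot,
the "user:"/"group:"/"sp:" naming scheme and the thresholds are illustrative assumptions."""
from collections import defaultdict, deque

# Directory roles that control the tenant-wide identity control plane (Tier 0).
TIER0_ROLES = {"Global Administrator", "Privileged Role Administrator"}
# Roles that manage users, roles or security configuration but not the whole tenant.
PRIVILEGED_ROLES = {"User Administrator", "Authentication Administrator",
                    "Conditional Access Administrator", "Application Administrator"}
# Graph application permissions. RoleManagement.ReadWrite.Directory lets a service
# principal assign any directory role, so this example treats it as Tier 0.
TIER0_APP_PERMS = {"RoleManagement.ReadWrite.Directory"}
PRIVILEGED_APP_PERMS = {"Directory.ReadWrite.All", "User.ReadWrite.All"}
EVERYONE_LIKE_FRACTION = 0.8  # assumption: >= 80 % of tenant users makes a group Everyone-Like

# ---- constructed tenant snapshot (hypothetical objects) ----
ROLES = {  # object -> tenant-scoped directory roles
    "user:alice": {"Global Administrator"},
    "group:pim-admins": {"Privileged Role Administrator"},  # role-assignable group
    "user:dave": {"User Administrator"},
}
MEMBERS = {  # group -> direct members
    "group:pim-admins": {"user:bob"},
    "group:it-ops": {"user:carol", "user:frank"},
    "group:all-staff": {"user:alice", "user:bob", "user:carol",
                        "user:dave", "user:erin", "user:frank"},
}
OWNERS = {  # object -> owners; owners can add members (groups) or credentials (apps/SPs)
    "group:pim-admins": {"user:carol", "sp:deployer"},
    "sp:deployer": {"user:grace"},
    "sp:ci-bot": {"user:frank"},
}
APP_PERMS = {"sp:ci-bot": {"RoleManagement.ReadWrite.Directory"}}  # sp -> app permissions
TENANT_USERS = 7  # alice .. grace

# Inverted edges: principal -> groups it belongs to; owner -> objects it owns.
MEMBER_OF, OWNS = defaultdict(set), defaultdict(set)
for _group, _members in MEMBERS.items():
    for _member in _members:
        MEMBER_OF[_member].add(_group)
for _obj, _owners in OWNERS.items():
    for _owner in _owners:
        OWNS[_owner].add(_obj)

def _reachable(start, edges):
    """Nodes reachable from start over an adjacency dict (start itself excluded)."""
    seen, todo = set(), deque([start])
    while todo:
        for nxt in edges.get(todo.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen

def held_tier(obj):
    """Tier from roles/permissions held directly or via (nested) group membership."""
    holders = {obj} | _reachable(obj, MEMBER_OF)
    roles = set().union(*(ROLES.get(h, set()) for h in holders))
    perms = set().union(*(APP_PERMS.get(h, set()) for h in holders))
    if roles & TIER0_ROLES or perms & TIER0_APP_PERMS:
        return "Tier 0"
    if roles & PRIVILEGED_ROLES or perms & PRIVILEGED_APP_PERMS:
        return "Privileged"
    return "Unprivileged"

def escalation_path(obj):
    """Shortest ownership chain from obj to an object that holds Tier 0, or None."""
    prev, todo = {obj: None}, deque([obj])
    while todo:
        node = todo.popleft()
        if node != obj and held_tier(node) == "Tier 0":
            path = []
            while node is not None:  # walk predecessors back to obj
                path.append(node)
                node = prev[node]
            return path[::-1]
        for owned in OWNS.get(node, ()):
            if owned not in prev:
                prev[owned] = node
                todo.append(owned)
    return None

def classify(obj):
    """Return (tier label, escalation path or None) for one directory object."""
    tier = held_tier(obj)
    if tier == "Tier 0":
        return tier, None
    path = escalation_path(obj)
    if path and tier == "Unprivileged":
        return "Shadow Admin", path  # holds no admin role, yet Tier 0 is reachable
    return tier, path  # Privileged objects keep their tier; any path is still reported

def is_everyone_like(group):
    """True when the group's transitive user membership covers most of the tenant."""
    users = {m for m in _reachable(group, MEMBERS) if m.startswith("user:")}
    return len(users) / TENANT_USERS >= EVERYONE_LIKE_FRACTION

if __name__ == "__main__":
    for name in sorted(set(ROLES) | set(MEMBERS) | set(OWNERS) | set(MEMBER_OF) | set(OWNS)):
        tier, path = classify(name)
        if name.startswith("group:") and tier == "Unprivileged" and is_everyone_like(name):
            tier = "Everyone-Like"
        print(f"{name:18} {tier:13} {' -> '.join(path) if path else ''}")
```

Run directly, the script prints one line per object. In the constructed snapshot user:carol and user:grace hold no directory role at all, yet both reach the Privileged Role Administrator group through ownership (grace via a service principal she owns that in turn owns the group), which is exactly the indirect control the Shadow Admin definition describes; user:frank reaches Tier 0 by owning a service principal that can assign any directory role. The example reports a Privileged object's escalation path but keeps its tier label, since this page does not state how FSProtect orders those two findings.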