Identity Plane vs Resource Plane

Entra tenant objects issue tokens that are used against Microsoft Graph or Azure Resource Manager. Azure resources have separate management and data access boundaries.

Teaching point: Entra directory, tokens, Azure management, and resource data are related but not the same boundary.

Identity plane: Entra ID
Directory objects and token issuance decisions
- User / Group: who signs in
- Role: admin context
- Application: app definition
- Service Principal

Token API boundary
Audience decides who accepts token
- Microsoft Graph
- Azure ARM: management API

Resource plane: Azure
Scopes, providers, and data access
- Subscription: RBAC scope
- Resource Group
- Resource: data plane may differ
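
The audience rule above, as an added example that is not part of the original page: a triage helper that reads the `aud` claim of a token and reports which API boundary would accept it. The sample tokens are constructed and unsigned, `make_constructed_token` and `classify` are hypothetical names, and the Storage and Key Vault audiences go beyond the two APIs the page names to illustrate a data plane.

```python
import base64
import json

# Well-known token audiences. Graph and ARM are the two APIs named above;
# the Storage and Key Vault entries are added here to illustrate a data plane.
AUDIENCES = {
    "https://graph.microsoft.com": "Microsoft Graph",
    "00000003-0000-0000-c000-000000000000": "Microsoft Graph",
    "https://management.azure.com": "Azure ARM (management plane)",
    "https://management.core.windows.net": "Azure ARM (management plane)",
    "https://storage.azure.com": "Azure Storage (data plane)",
    "https://vault.azure.net": "Azure Key Vault (data plane)",
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_constructed_token(claims: dict) -> str:
    """Build an unsigned, constructed sample token (hypothetical helper)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.constructed-sig"

def token_claims(jwt: str) -> dict:
    """Decode the payload WITHOUT verifying the signature (triage only)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def classify(jwt: str) -> dict:
    """Report which API boundary the token targets and the permissions it carries."""
    claims = token_claims(jwt)
    # Normalise trailing slash and case before the lookup.
    aud = str(claims.get("aud", "")).rstrip("/").lower()
    return {
        "accepted_by": AUDIENCES.get(aud, "other/unknown"),
        "delegated_scopes": claims.get("scp", "").split(),
        "app_roles": claims.get("roles", []),
    }

# Constructed sample tokens, not captured from any tenant.
GRAPH_TOKEN = make_constructed_token(
    {"aud": "https://graph.microsoft.com", "scp": "User.Read Group.Read.All"})
ARM_TOKEN = make_constructed_token(
    {"aud": "https://management.azure.com/", "scp": "user_impersonation"})

if __name__ == "__main__":
    for name, tok in (("graph", GRAPH_TOKEN), ("arm", ARM_TOKEN)):
        print(name, classify(tok))
```

The ARM result shows only that the management API would accept the token; what the caller may do there is decided by Azure RBAC assignments at the subscription, resource group, or resource scope, which are not listed in the token.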