# Instructor Runbook - Lab 01 Permission Model Checkpoint
## Teaching Intent
This is a low-friction checkpoint before live tooling. The goal is to make sure
students can separate directory authorization, application authorization, Azure
RBAC, and resource data-plane access before they start reading ROADtools output.
## Timing
- Target: 15 minutes.
- Shortcut: use only Exercise B if the class already understands Azure basics.
- Deepening path: ask students to identify which observation would come from
Graph, Azure Resource Manager, Storage, or Key Vault.
## Answer Guide
- User, group, application registration, service principal, Entra role:
identity plane.
- Subscription, resource group, resource provider, Azure role assignment:
Azure resource management plane.
- Storage data and Key Vault secrets: resource data plane. Access can be
affected by Azure RBAC, service-specific RBAC, access policies, and resource
configuration.
- Managed identity crosses the model: it is an identity object used by an Azure
resource to obtain tokens.
## Common Misunderstandings
- Do not let students equate Azure Contributor with automatic access to every
secret or blob.
- Do not let students treat service principals as only "apps"; in attack paths,
they are identities with credentials, owners, and assignments.
- Do not over-teach OAuth here. Keep it at the decision level and return to
protocol detail only when the initial-access lab is selected.
## Observation Prompts
Ask students to name concrete observations. They do not need to submit output:
- Entra role or object ownership from Graph / directory inventory.
- App role assignments or OAuth grants from Graph.
- Azure role assignment and scope from ARM.
- Storage Blob Data Reader / Contributor or Key Vault data-plane role before
claiming direct data read.
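To make the last prompt concrete, the following is an added worked example (not part of the runbook or of ROADtools) that applies the checkpoint's rule mechanically: a claim of direct blob or secret read is only supported by a data-plane role that reaches the resource after Azure RBAC scope inheritance, while a management-plane role such as Contributor at the same scope is reported separately. The subscription id, principal names, resource ids and assignments are constructed for the example; the role names are the real Azure built-in role names but the lists are illustrative, not exhaustive, and the check models RBAC role assignments only, not Key Vault access policies or other resource configuration.

```python
from dataclasses import dataclass

# Built-in data-plane roles the checkpoint accepts as evidence of direct data read.
# Real Azure built-in role names; the selection is illustrative, not exhaustive.
DATA_PLANE_ROLES = {
    "storage": {
        "Storage Blob Data Reader",
        "Storage Blob Data Contributor",
        "Storage Blob Data Owner",
    },
    "keyvault": {
        "Key Vault Secrets User",
        "Key Vault Secrets Officer",
        "Key Vault Administrator",
    },
}

# General management-plane roles that students most often mistake for data access.
MANAGEMENT_PLANE_ROLES = {"Owner", "Contributor", "Reader"}


@dataclass(frozen=True)
class RoleAssignment:
    """One Azure role assignment as read from ARM: principal, role name, scope."""
    principal: str
    role: str
    scope: str


def scope_covers(assignment_scope: str, resource_id: str) -> bool:
    """Azure RBAC scopes inherit downward: an assignment at a subscription or
    resource group applies to every resource beneath it, never sideways or upward.
    The trailing "/" prevents rg-lab01 from matching rg-lab010 by prefix."""
    parent = assignment_scope.rstrip("/").lower()
    child = resource_id.rstrip("/").lower()
    return child == parent or child.startswith(parent + "/")


def effective_roles(assignments, principal, resource_id):
    """Roles that apply to `principal` at `resource_id` after scope inheritance."""
    return sorted(
        a.role for a in assignments
        if a.principal == principal and scope_covers(a.scope, resource_id)
    )


def check_data_read_claim(assignments, principal, resource_id, service):
    """Return (verdict, roles). 'supported' only when a data-plane role for the
    service reaches the resource. 'management-plane only' means a role such as
    Contributor reaches it, which by itself is not direct data access and needs
    further evidence (access policies, resource configuration). Otherwise
    'no assignment'."""
    roles = effective_roles(assignments, principal, resource_id)
    data = [r for r in roles if r in DATA_PLANE_ROLES[service]]
    if data:
        return "supported", data
    mgmt = [r for r in roles if r in MANAGEMENT_PLANE_ROLES]
    if mgmt:
        return "management-plane only", mgmt
    return "no assignment", []


# Constructed sample inventory: hypothetical subscription, principals and resources.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-lab01"
STORAGE = RG + "/providers/Microsoft.Storage/storageAccounts/stlab01"
VAULT = RG + "/providers/Microsoft.KeyVault/vaults/kv-lab01"

SAMPLE_ASSIGNMENTS = [
    RoleAssignment("sp-deploy", "Contributor", RG),
    RoleAssignment("sp-reader", "Storage Blob Data Reader", STORAGE),
    RoleAssignment("sp-secrets", "Key Vault Secrets User", SUB),
    RoleAssignment("sp-other", "Storage Blob Data Reader", SUB + "/resourceGroups/rg-other"),
]

if __name__ == "__main__":
    for principal, resource, service in [
        ("sp-deploy", STORAGE, "storage"),    # Contributor at the RG: management plane only
        ("sp-reader", STORAGE, "storage"),    # data-plane role at the resource: supported
        ("sp-secrets", VAULT, "keyvault"),    # data-plane role inherited from subscription
        ("sp-other", STORAGE, "storage"),     # data-plane role in a different RG: no assignment
    ]:
        verdict, roles = check_data_read_claim(SAMPLE_ASSIGNMENTS, principal, resource, service)
        print(f"{principal:11} {service:8} {verdict:22} {roles}")
```

Running the block prints one line per claim; the `sp-deploy` row is the Contributor misunderstanding from the previous section made visible, and the `sp-other` row shows why scope, not just role name, has to be read off the ARM assignment before a data read is claimed.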
## Sources
- `MS-CONSENT`
- `MS-ROLES`
- `MS-AZURE-RBAC`
- `MS-STORAGE-BLOB-RBAC`
- `MS-KEYVAULT-RBAC`