Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

2.2. Manage Security Controls for Identity and Access

💡 First Principle: The principle of least privilege is simple to state but deceptively difficult to implement: every identity should have exactly the permissions needed to perform its function—no more, no less.

Think of it like a hospital keycard system. A surgeon needs access to operating rooms but not to the billing department. A janitor needs access to storage closets but not to patient records. When everyone has the same "master key," a single compromised card unlocks everything. The same logic applies to Azure: over-permissioned identities (users, groups, service principals and managed identities alike) are what let an attacker who has compromised one account move laterally and escalate after the initial breach.

What breaks without proper access controls? When you assign Owner or Contributor at subscription scope to everyone "just to make things work," you've created a ticking time bomb: every one of those assignments is standing, permanent privilege with no activation step, no approval and no expiry. A compromised developer account can delete production databases. A phishing attack on a marketing user can exfiltrate customer data. The blast radius of any single compromise expands to your entire Azure environment.

Consider the real-world impact: In 2023, over 60% of reported cloud security incidents involved excessive permissions. Azure provides tools designed for exactly this problem: Azure RBAC to scope each permission to the narrowest role and scope that still does the job, Microsoft Entra Privileged Identity Management (PIM) to make high-privilege roles eligible and just-in-time rather than permanently active, and Conditional Access to gate sign-ins on signals such as MFA, device compliance and location. Mastering these tools is essential for both the exam and real-world security.
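The check a practitioner actually wants after reading the above is an audit of which identities hold standing Owner, User Access Administrator or Contributor rights at broad scopes. The script below is an added example (not MindMesh Academy content) that ranks role assignments by blast radius and suggests the least-privilege fix. It reads records in the field shape returned by `az role assignment list --all -o json` (`principalName`, `principalType`, `roleDefinitionName`, `scope`); the sample records, subscription ID and severity heuristic are constructed for illustration, not taken from a real tenant.

```python
"""Audit Azure role assignments for standing, over-broad privilege.

Added example (not part of the MindMesh Academy page). Input records use the
field names of `az role assignment list --all -o json`; the sample records
below are constructed and use a placeholder subscription ID.
"""
import re

# Roles whose holder can change, delete or (for Owner / UAA) re-permission everything in scope.
HIGH_PRIVILEGE_ROLES = {"Owner", "User Access Administrator", "Contributor"}

# ARM scope shapes, matched case-insensitively, broadest first.
SCOPE_PATTERNS = [
    ("management group", re.compile(r"^/providers/microsoft\.management/managementgroups/[^/]+$")),
    ("subscription", re.compile(r"^/subscriptions/[^/]+$")),
    ("resource group", re.compile(r"^/subscriptions/[^/]+/resourcegroups/[^/]+$")),
    ("resource", re.compile(r"^/subscriptions/[^/]+/resourcegroups/[^/]+/providers/.+$")),
]
BROAD_SCOPES = {"management group", "subscription", "unknown"}
# Blast-radius rank per scope level; an unrecognised scope is treated as broad (fail closed).
LEVEL_RANK = {"management group": 0, "subscription": 0, "unknown": 0, "resource group": 1, "resource": 2}
SEVERITIES = ["critical", "high", "medium", "low"]


def scope_level(scope):
    """Classify an ARM scope string as management group / subscription / resource group / resource."""
    lowered = scope.lower()
    for level, pattern in SCOPE_PATTERNS:
        if pattern.match(lowered):
            return level
    return "unknown"


def severity(role, level):
    """Rank an assignment by what a compromise of its principal could reach; None if not high privilege."""
    if role not in HIGH_PRIVILEGE_ROLES:
        return None
    rank = LEVEL_RANK[level]
    if role == "Contributor":
        rank += 1  # Contributor cannot edit RBAC, so one notch below Owner / User Access Administrator
    return SEVERITIES[min(rank, len(SEVERITIES) - 1)]


def recommendation(assignment, level):
    """Suggest the least-privilege fix for a flagged assignment (heuristic, constructed for this example)."""
    role, ptype = assignment["roleDefinitionName"], assignment["principalType"]
    if level in BROAD_SCOPES and role in {"Owner", "User Access Administrator"}:
        if ptype == "Group":
            return "keep group membership minimal and make the assignment PIM-eligible rather than permanent"
        return "replace the permanent assignment with a PIM-eligible one requiring MFA and approval to activate"
    if level in BROAD_SCOPES and role == "Contributor":
        if ptype == "ServicePrincipal":
            return "scope this workload identity to its own resource group, or a custom role with only the actions it uses"
        return "scope down to the resource groups this principal actually changes"
    return "review: confirm no narrower built-in role (e.g. Website Contributor, Reader) suffices"


def find_violations(assignments):
    """Return flagged assignments, most severe first.

    Only active assignments appear in `az role assignment list`; PIM-eligible
    assignments do not show until activated, so every hit here is standing privilege.
    """
    findings = []
    for a in assignments:
        level = scope_level(a["scope"])
        sev = severity(a["roleDefinitionName"], level)
        if sev is None:
            continue
        findings.append({
            "principal": a["principalName"], "principalType": a["principalType"],
            "role": a["roleDefinitionName"], "scope": a["scope"], "level": level,
            "severity": sev, "fix": recommendation(a, level),
        })
    findings.sort(key=lambda f: (SEVERITIES.index(f["severity"]), f["principal"]))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'critical': 2, 'high': 1, 'medium': 2, 'low': 0}."""
    counts = {s: 0 for s in SEVERITIES}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


# Constructed sample: a small, badly permissioned subscription (placeholder ID, fictional principals).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
SAMPLE_ASSIGNMENTS = [
    {"principalName": "alice@contoso.com", "principalType": "User", "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "ci-deploy-sp", "principalType": "ServicePrincipal", "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalName": "bob@contoso.com", "principalType": "User", "roleDefinitionName": "Contributor",
     "scope": SUB + "/resourceGroups/rg-app-prod"},
    {"principalName": "carol@contoso.com", "principalType": "User", "roleDefinitionName": "Reader", "scope": SUB},
    {"principalName": "app-prod-sp", "principalType": "ServicePrincipal", "roleDefinitionName": "Owner",
     "scope": SUB + "/resourceGroups/rg-app-prod/providers/Microsoft.Web/sites/app-prod"},
    {"principalName": "platform-admins", "principalType": "Group", "roleDefinitionName": "Owner",
     "scope": "/providers/Microsoft.Management/managementGroups/contoso-root"},
]

if __name__ == "__main__":
    results = find_violations(SAMPLE_ASSIGNMENTS)
    for f in results:
        print(f"[{f['severity']:8}] {f['role']} for {f['principal']} ({f['principalType']}) at {f['level']}: {f['fix']}")
    print(summarize(results))
```

Run it against real output by replacing `SAMPLE_ASSIGNMENTS` with the parsed JSON from `az role assignment list --all -o json`. The Reader assignment is deliberately not flagged: the goal is not zero assignments but no standing high-privilege ones at broad scope, and anything this script reports as critical is a candidate for conversion to a PIM-eligible assignment.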

Written by Alvin Varughese, Founder (15 professional certifications)