RBAC vs ABAC: when to pick which

Ruben van der Graaf · 4 min read

RBAC is simple and works up to a certain size. ABAC scales better but needs more setup. This is the practical decision point: when do you move from RBAC to ABAC?

Search for access control and you keep hitting two terms: RBAC and ABAC. Most articles explain what they are. This post is about the choice: at which org size and change volume do you switch?

TL;DR

  • RBAC assigns roles by hand. ABAC derives group membership, and therefore access, from user attributes.
  • RBAC works up to about 50 employees or if your churn is minimal.
  • ABAC wins as soon as you hit 50+ employees, multiple locations, or lots of role changes.
  • They're not mutually exclusive. A hybrid is normal.
  • As an illustration, the worked example below shows how the manual hours add up at 200 employees.

What is RBAC

Role-Based Access Control. You define roles ("Sales rep", "Support engineer", "Manager") and assign rights per role. Users receive one or more roles.

In Entra ID: assigned-membership security groups and app roles. An admin adds someone, and an admin has to remember to remove them again; the removal is the step that gets forgotten.

Pros:

  • Simple concept
  • Everyone gets it
  • Quick to set up for small orgs
Cons:
  • Manual maintenance
  • Scales poorly with change volume
  • "Role explosion" (you end up with 300 roles)

What is ABAC

Attribute-Based Access Control. Instead of assigning roles manually, you derive rights from user attributes: job title, department, location, employment type.

In Entra ID: dynamic groups with membership rules. Example: the rule (user.department -eq "Finance") and (user.jobTitle -contains "Controller") puts every user with that department and a job title containing "Controller" into the Controllers group automatically, and drops them again when either attribute changes. Dynamic membership requires a Microsoft Entra ID P1 license for the users in scope.
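To make that rule concrete, here is how the Controllers group is created and sanity-checked with Microsoft Graph PowerShell. This is an added example, not code from the article or from ServiceChanger. The UPN is a placeholder, and the dry run relies on Graph's beta evaluateDynamicMembership endpoint, which is an assumption about a preview API rather than something the article describes.

```powershell
# Added example (not from the original article): create the "Controllers" dynamic
# group from the text with Microsoft Graph PowerShell, after checking the rule
# against one user who must end up in scope. Needs the Microsoft.Graph module and
# Entra ID P1 for dynamic membership. Tenant-specific values are placeholders.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"

# The expression from the article in Entra rule syntax: each comparison in its own
# parentheses, joined with "and". -eq is an exact match, -contains a substring match,
# so "Controller" and "Senior Controller" both qualify.
$rule = '(user.department -eq "Finance") and (user.jobTitle -contains "Controller")'

# 1. Dry run against a known-good user (placeholder UPN). If the rule does not match
#    here, the problem is almost always attribute data, not the rule.
#    evaluateDynamicMembership is a beta Graph endpoint (assumption: still available).
$probe = Get-MgUser -Filter "userPrincipalName eq 'controller1@contoso.example'" `
    -Property Id, UserPrincipalName, Department, JobTitle
$eval = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/groups/evaluateDynamicMembership" `
    -Body @{ memberId = $probe.Id; membershipRule = $rule }
if (-not $eval.membershipRuleEvaluationResult) {
    throw ("Rule does not match {0}: department='{1}' jobTitle='{2}'. Fix the attributes " +
           "or the rule before creating the group.") -f $probe.UserPrincipalName, $probe.Department, $probe.JobTitle
}

# 2. Create the group with rule processing switched on. Membership is computed by
#    Entra, never assigned by hand; Microsoft documents that the first evaluation can
#    take up to 24 hours under load, so creation is not instant provisioning.
$group = New-MgGroup -DisplayName "Controllers" `
    -Description "Finance controllers (rule-driven membership, do not assign manually)" `
    -MailEnabled:$false -MailNickname "controllers" -SecurityEnabled `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule `
    -MembershipRuleProcessingState "On"

Write-Output ("Created {0} ({1}) with rule: {2}" -f $group.DisplayName, $group.Id, $group.MembershipRule)
```

Once a group is dynamic, manual member additions are rejected; membership comes from the rule alone. That is the point of ABAC, and also why the dry run against a real user matters more than it would for an assigned group.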

Pros:

  • Scales with headcount: new hires, internal moves and leavers need no group tickets
  • Rights follow role changes and offboardings automatically, as soon as HR updates the attribute
  • Fewer human errors, and no forgotten removals
Cons:
  • Needs clean HR data (attributes must be correct, consistently spelled and kept up to date)
  • Higher learning curve
  • Troubleshooting is more complex: "why is this user not in the group" becomes an attribute question
  • Membership updates lag attribute changes (Entra documents delays of up to 24 hours under load), so an offboarding still starts with disabling the account, not with an HR field
  • Anyone who can write user attributes, the HR system included, can indirectly grant access, so attribute write access becomes privileged

When RBAC is enough

Pick RBAC if:

  • Your org has fewer than 50 employees
  • Roles are stable (few role changes)
  • Onboardings and offboardings are rare (< 2 per month)
  • You have a small IT team that can handle manual group assignment easily
For a 20-person consultancy or a small tech agency, RBAC is fine. Extra complexity buys nothing.

When to switch to ABAC

Signs you're outgrowing RBAC:

  • More than 10 onboardings per month
  • More than 3 locations or departments with distinct access needs
  • Your IT team spends more than 4 hours per week on manual group memberships
  • You had a compliance audit and couldn't prove who had which access when
  • "Role explosion": more than 150 manual groups in Entra ID
From 50 employees, ABAC becomes attractive. From 200, RBAC is no longer tenable.

The math for 200 employees

The table below is an illustrative model, not measured data. The per-task minutes and volumes are reasonable assumptions; plug in your own numbers to see where you land.

Activity                              RBAC hours/yr   ABAC hours/yr
Onboardings (120/yr × 15 min)                 30               0
Offboardings (100/yr × 45 min)                75               5
Role changes (300/yr × 30 min)               150               0
Compliance reporting                          80              10
License audit                                 60               5
Total                                        395              20
In this example the difference is 375 hours, roughly 47 working days per year (at 8-hour days) of manual work, most of which falls away once access follows rules instead of tickets. Your real figure depends on your volumes and on how much is already scripted.

Hybrid is normal

You don't have to choose. In practice almost every organization that runs ABAC also keeps some manual groups alongside it.

Typical setup:

  • ABAC for everything attribute-driven (standard roles, locations, departments)
  • Manual for exceptions: executives, contractors with special contracts, sensitive admin rights
This is called hybrid IAM. You don't have to move everything over in one pass.

Migration pitfalls

  1. Big bang. Don't migrate everything at once. Start with 3-5 pilot groups.
  2. Unreliable HR data. ABAC is only as good as your attributes. Do a data cleanup pass first.
  3. No HR buy-in. If HR isn't committed to accurate attributes, ABAC won't hold over time.
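Two of the signals above can be measured before anything is migrated: how many security groups are still manual (the "role explosion" sign), and how dirty the attributes are that ABAC rules would depend on (pitfall 2). The read-only audit below does both with Microsoft Graph PowerShell. It is an added example, not code from the article or from ServiceChanger; the 150-group threshold is the article's own figure, and the output file name is an arbitrary choice.

```powershell
# Added example (not from the original article): read-only pre-migration audit.
# Part 1 counts assigned vs dynamic security groups. Part 2 finds enabled users with
# blank department/jobTitle and department values that differ only in case or
# whitespace, the classic reason a user silently falls out of a membership rule.
Connect-MgGraph -Scopes "Group.Read.All", "User.Read.All"

# --- Part 1: how much of the access model is still manual? ---
$groups  = Get-MgGroup -All -Property Id, DisplayName, GroupTypes, SecurityEnabled, MembershipRule |
           Where-Object { $_.SecurityEnabled }
$dynamic = @($groups | Where-Object { $_.GroupTypes -contains "DynamicMembership" })
$manual  = @($groups | Where-Object { $_.GroupTypes -notcontains "DynamicMembership" })
Write-Output ("Security groups: {0} manual, {1} dynamic" -f $manual.Count, $dynamic.Count)
if ($manual.Count -gt 150) {
    Write-Warning "More than 150 manual groups: past the article's role-explosion threshold."
}

# --- Part 2: attribute hygiene on enabled accounts only (disabled ones are noise) ---
$users = Get-MgUser -All -Filter "accountEnabled eq true" `
    -Property Id, UserPrincipalName, Department, JobTitle, UsageLocation, EmployeeType

$blank = @($users | Where-Object {
    [string]::IsNullOrWhiteSpace($_.Department) -or [string]::IsNullOrWhiteSpace($_.JobTitle)
})
Write-Output ("Enabled users: {0}; missing department or jobTitle: {1}" -f $users.Count, $blank.Count)

# Hand this list to HR: these users match no department/jobTitle rule at all.
$blank | Select-Object UserPrincipalName, Department, JobTitle |
    Export-Csv -NoTypeInformation -Path "hr-attribute-gaps.csv"

# Near-duplicate department values ("Finance", "finance", "Finance ") all look like one
# department to a human and like three to a rule with -eq. Normalise, then report any
# key that still has more than one raw spelling behind it.
$users | Where-Object { -not [string]::IsNullOrWhiteSpace($_.Department) } |
    Group-Object { $_.Department.Trim().ToLowerInvariant() } |
    ForEach-Object {
        $variants = @($_.Group.Department | Sort-Object -Unique)
        if ($variants.Count -gt 1) {
            Write-Output ('Department "{0}" has {1} spellings: {2}' -f $_.Name, $variants.Count, ($variants -join ' | '))
        }
    }
```

Run it again after the cleanup pass and before switching the first pilot group to a rule; if the second part still prints spelling variants, the rule will quietly exclude those users and the service desk tickets the migration was meant to remove will come back.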

FAQ

Can ABAC be safe for privileged access? Only partly. Entra directory roles are granted through role-assignable groups, and those must have assigned membership; dynamic membership is not supported for them, so directory roles cannot be attribute-driven in Entra anyway. For application-level admin rights, remember that whoever can edit user attributes (the HR system, user administrators, the help desk) can indirectly grant membership. Keep high-sensitivity rights on manual groups or on eligible assignments that require activation, combine them with conditional access, and run regular access reviews on them.

What do I do with my existing manual groups? Leave them. Add ABAC alongside. After 3 to 6 months, clean up the manual groups now covered by ABAC.

How do I measure success? Three metrics: time spent on manual group management (should drop), number of access tickets on the service desk (should drop), compliance audit time (should drop).

Want a closer look at how the ABAC model works? Read ABAC in Entra ID for the membership rules and the limits you hit in practice. A full side-by-side comparison of both models is on RBAC vs ABAC: models compared.

Next step

ServiceChanger builds the ABAC model on top of your current Entra ID, without breaking your existing groups. Book a demo or read the ABAC docs.