
What is ABAC in Microsoft Entra ID?

Ruben van der Graaf · 3 min read

ABAC (Attribute-Based Access Control) determines access based on attributes such as job title, department, or location. This article covers how it works in Entra ID, how it differs from RBAC, and when to use it.

ABAC (Attribute-Based Access Control) is a model where access is determined by the user's attributes, not by pre-assigned roles. Who you are, where you work, what your job title is. Access follows those attributes automatically.

TL;DR

  • ABAC = access based on attributes such as job title, department, location
  • In Entra ID you use ABAC through dynamic groups, custom claims, and conditional access
  • Different from RBAC: RBAC assigns roles manually, ABAC derives them from the user
  • More maintainable with many users, frequent role changes, and multiple locations
  • Your existing Entra groups keep working. ABAC adds the automatic layer on top

The problem

Say you have 500 employees. Every month, 15 join, 10 leave, 25 change role. Without automation that means someone is manually adjusting groups every week. 20 tickets per week. A week later someone notices they still have access somewhere they should not have.

That is RBAC without process around it.

How ABAC works

Instead of putting every user in a group manually, you define a rule: "everyone with job title = Developer and department = Platform Engineering is in the PlatformDevs group." Entra ID picks up that rule, sees which users match, and adds them to the group. Change someone's job title and the group updates automatically.

Entra ID implements ABAC through three mechanisms:

  • Dynamic groups with membership rules (user.jobTitle -eq "Developer")
  • Custom claims for application-specific logic
  • Conditional access for runtime decisions like "access only if the device is compliant and the location is the Netherlands"

ABAC vs RBAC

  Aspect               | RBAC            | ABAC
  ---------------------|-----------------|----------------
  Who gets access      | Role assignment | Attribute match
  New-hire maintenance | Manual          | Automatic
  Flexibility          | Low             | High
  Learning curve       | Low             | Higher
  Works for 10 users   | Fine            | Overkill
  Works for 500 users  | Painful         | Perfect

RBAC is not wrong. For a 20-person team with fixed roles, RBAC works fine. ABAC wins the moment your volume and churn increase.

When to pick ABAC

Pick ABAC if you recognize at least one of these:

  • You process more than 10 onboardings a month
  • You have more than 3 locations or departments with distinct access needs
  • You know the "they still have access after a role change" problem
  • You want compliance audits done in minutes instead of days

Pitfalls

  1. Attribute quality. ABAC is only as good as your HR data. Inconsistent job titles (Developer vs Dev vs Software Engineer) break your rules. Start with a Data Cleaner pass before rolling out ABAC.
  2. Rules that contradict each other. Two dynamic groups whose rules both match the same user but grant different access. Test on a small pilot group first.
  3. Performance. Dynamic groups with complex rules get slow at scale. Split into smaller rules.
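As an added illustration for the rule mechanics described under "How ABAC works" and for pitfalls 1 and 2 above (not code from the article or from ServiceChanger), here is a small Python evaluator for a subset of Entra's dynamic membership rule syntax. It is a simplified model, not Entra's rule engine: the assumptions (supported operators, case-insensitive matching, how a missing attribute is treated) are listed in the docstring, and the user records are constructed sample data. It shows the PlatformDevs rule from the article as written, a variant that tolerates the inconsistent job titles from pitfall 1, a check for users that two rules both touch (pitfall 2), and membership recomputed after a job-title change.

```python
"""Toy evaluator for a subset of Entra ID dynamic membership rule syntax.

This is an illustrative model written for this article, not Entra's rule
engine. Assumptions: a rule is a chain of clauses "(user.attr -op value)"
joined by 'and' / 'or', with 'and' binding tighter; supported operators are
-eq, -ne, -in, -notIn, -match, -startsWith; string comparisons are
case-insensitive; a missing attribute satisfies only -ne and -notIn.
"""
import re

CLAUSE = re.compile(r'\(\s*user\.(\w+)\s+(-\w+)\s+(\[[^\]]*\]|"[^"]*")\s*\)')


def _parse_value(raw):
    """Turn the quoted value or ["a","b"] list from a clause into Python data."""
    raw = raw.strip()
    if raw.startswith("["):
        return [v.strip().strip('"') for v in raw[1:-1].split(",") if v.strip()]
    return raw.strip('"')


def _eval_clause(user, attr, op, value):
    actual = user.get(attr)
    op = op.lower()
    if actual is None:                      # assumption: null only passes negatives
        return op in ("-ne", "-notin")
    a = actual.lower()
    if op == "-eq":
        return a == value.lower()
    if op == "-ne":
        return a != value.lower()
    if op == "-in":
        return a in [v.lower() for v in value]
    if op == "-notin":
        return a not in [v.lower() for v in value]
    if op == "-match":
        return re.search(value, actual, re.IGNORECASE) is not None
    if op == "-startswith":
        return a.startswith(value.lower())
    raise ValueError(f"unsupported operator {op}")


def matches(user, rule):
    """True when the user record satisfies the rule string."""
    # Split on top-level 'or', then 'and'; quoted values may not contain the
    # bare words ' and ' / ' or ' in this simplified parser.
    for or_part in re.split(r"\s+or\s+", rule, flags=re.IGNORECASE):
        for clause in re.split(r"\s+and\s+", or_part, flags=re.IGNORECASE):
            m = CLAUSE.fullmatch(clause.strip())
            if not m:
                raise ValueError(f"cannot parse clause: {clause!r}")
            attr, op, raw = m.groups()
            if not _eval_clause(user, attr, op, _parse_value(raw)):
                break
        else:
            return True
    return False


def members(users, rule):
    """Sorted UPNs of the users a rule would place in the group."""
    return sorted(u["userPrincipalName"] for u in users if matches(u, rule))


def overlapping_members(users, rule_a, rule_b):
    """Users two rules both touch: the set to review for contradictory access."""
    return sorted(set(members(users, rule_a)) & set(members(users, rule_b)))


def after_role_change(users, rule, upn, new_title):
    """Recompute membership after one user's jobTitle changes (an HR update)."""
    updated = [dict(u, jobTitle=new_title) if u["userPrincipalName"] == upn else u
               for u in users]
    return members(updated, rule)


# Constructed sample directory; note the inconsistent job titles.
USERS = [
    {"userPrincipalName": "ana@contoso.example", "jobTitle": "Developer",
     "department": "Platform Engineering", "employeeType": "Employee"},
    {"userPrincipalName": "ben@contoso.example", "jobTitle": "Dev",
     "department": "Platform Engineering", "employeeType": "Contractor"},
    {"userPrincipalName": "cho@contoso.example", "jobTitle": "Software Engineer",
     "department": "Platform Engineering", "employeeType": "Employee"},
    {"userPrincipalName": "dee@contoso.example", "jobTitle": "Developer",
     "department": "Finance", "employeeType": "Employee"},
    {"userPrincipalName": "eli@contoso.example", "jobTitle": None,
     "department": "Platform Engineering", "employeeType": "Employee"},
]

# The rule from the article, as written: only the exact title "Developer" matches.
PLATFORMDEVS_STRICT = ('(user.jobTitle -eq "Developer") and '
                       '(user.department -eq "Platform Engineering")')
# Same intent, tolerant of the title variants found in the HR data.
PLATFORMDEVS_TOLERANT = ('(user.jobTitle -in ["Developer","Dev","Software Engineer"]) and '
                         '(user.department -eq "Platform Engineering")')
# A second dynamic group that may touch the same users.
CONTRACTORS = '(user.employeeType -eq "Contractor")'

if __name__ == "__main__":
    print("strict:  ", members(USERS, PLATFORMDEVS_STRICT))
    print("tolerant:", members(USERS, PLATFORMDEVS_TOLERANT))
    print("overlap: ", overlapping_members(USERS, PLATFORMDEVS_TOLERANT, CONTRACTORS))
    print("ana -> Manager:", after_role_change(USERS, PLATFORMDEVS_TOLERANT,
                                               "ana@contoso.example", "Manager"))
```

With the strict rule only ana lands in PlatformDevs; ben and cho, who do the same job under a different title, are silently left out, which is exactly the attribute-quality failure from pitfall 1. The tolerant rule is a stopgap; the durable fix is cleaning the titles at the source. The overlap check is a cheap pre-rollout review: any user that two rules both place somewhere is where contradictory access will surface.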

FAQ

Can ABAC work alongside my existing Entra groups? Yes. ABAC is not a replacement; it is an automation layer on top. Manual groups keep working.

Does ABAC work for on-prem AD? Through Entra Connect you can sync attributes from AD into Entra ID and apply the ABAC rules in Entra; the resulting access then flows back through Connect into AD.

How many ABAC rules can I have? The practical limit in Entra ID is about 15,000 dynamic groups per tenant, which is plenty for most organizations.

Ready to write the rules? ABAC in Entra ID covers the concrete membership rules and the pitfalls worth knowing up front.

Next step

Want to roll out ABAC rules without drawing up memberships by hand? ServiceChanger builds and maintains your ABAC model on Entra ID. Book a demo or read the ABAC documentation.