6. Identity Plane (Microsoft Entra ID)
6.1 Identity Plane Overview
The Identity Plane consists of the customer’s Microsoft Entra ID tenant, which provides centralized authentication and access governance for both layers of the Hybrid Architecture. Entra ID enforces who may sign in, what policies apply at login, and whether the user may access:
- the R3 GovCloud Workplace (Execution Plane)
- the customer’s Microsoft 365 tenant (Document Control Plane)
Identity governance is fully customer-owned. R3 maintains no separate identity store, and R3 personnel have no access to the customer’s Entra ID environment. This creates a unified identity perimeter while keeping all identity authority within the customer’s domain.
The Identity Plane does not handle CUI, does not store content, and does not control authorization inside either plane. It provides the authentication and policy layer that enables the Document Control Plane and Execution Plane to operate securely and independently under customer-owned identity governance.
6.2 Entra ID Cloud Alignment (Identity Must Match the M365 Tenant)
Microsoft Entra ID resides in different cloud boundaries depending on the Microsoft 365 tenant selected for the Document Control Plane.
To maintain compliance alignment and avoid mixed-boundary identity configurations:
The Entra ID cloud must match the M365 cloud.
| M365 Tenant Type | Document Plane Cloud | Required Identity Plane Cloud (Entra ID) |
| --- | --- | --- |
| Commercial | Commercial / Global Azure | Entra ID (Commercial) |
| GCC | Commercial Azure (GCC feature set) | Entra ID (Commercial) |
| GCC High | Azure Government (Sovereign Cloud) | Entra ID (Azure Government) |
Identity inherits the compliance boundary of the customer’s Microsoft 365 tenant — not the other way around.
6.3 Customer-Owned Identity Governance
The customer controls all identity and access governance within Entra ID, including:
- user provisioning and deprovisioning
- MFA and Conditional Access enforcement
- device and network policies
- role and group assignments
- privileged identity management
- access reviews and lifecycle management
- identity audit log retention and export
R3 neither administers nor modifies tenant identity settings.
6.4 Authentication & Authorization Model (Two-Layer Access Control)
The Hybrid Architecture uses a two-layer access control model:
Layer 1 — Identity Plane Authorization (Entra ID)
Entra ID governs system-level access and login policies, including:
- user authentication
- MFA / Conditional Access
- directory membership
- whether the user may access R3 GovCloud
- whether the user may access the customer’s Microsoft 365 tenant
Once authenticated, authorization to document content is enforced entirely by the Document Control Plane, not by Entra ID itself.
Entra ID is the gatekeeper — it does not grant content permissions.
Layer 2 — Execution Plane Authorization (R3 RBAC)
After authentication, R3 applies a separate layer of role-based access control within the R3 GovCloud Workplace.
R3 RBAC governs:
- access to business records
- workflow actions
- metadata visibility
- operational permissions inside R3 applications
Entra ID roles do not control R3 workflow permissions; R3 RBAC enforces least privilege based upon business authorization within the Execution Plane. This separation avoids cross-boundary permission elevation and maintains a clean, assessable scope for each plane.
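The following is an added illustration, not code from the R3 architecture document or from R3 itself. It shows the two-layer model of section 6.4 together with the cloud-alignment rule of section 6.2 as a small policy check: Layer 1 accepts a token only if it comes from the Entra ID issuer of the cloud that matches the M365 tenant type, from the customer's tenant, for this application, unexpired and with MFA satisfied; Layer 2 then authorizes the requested action from a separate R3 role table and deliberately ignores any Entra roles carried in the token. The issuer URL formats for the commercial and Azure Government clouds are real; the tenant id, application id, R3 role names, action names and token claims are constructed sample values, and the claims stand in for a token whose signature has already been verified by a proper library.

```python
import time

# Real Entra ID v2.0 issuer formats: commercial cloud vs Azure Government.
ISSUER_BY_CLOUD = {
    "Commercial": "https://login.microsoftonline.com/{tid}/v2.0",
    "AzureGovernment": "https://login.microsoftonline.us/{tid}/v2.0",
}
# M365 tenant type -> required Entra ID cloud (the table in section 6.2).
CLOUD_BY_TENANT_TYPE = {
    "Commercial": "Commercial",
    "GCC": "Commercial",
    "GCC High": "AzureGovernment",
}
# Hypothetical R3 RBAC table (Layer 2): R3 role -> permitted workflow actions.
R3_ROLE_PERMISSIONS = {
    "records_viewer": {"record:read"},
    "records_officer": {"record:read", "record:update", "workflow:approve"},
}


class AccessDenied(Exception):
    """Raised by either layer; the message names the failed control."""


def layer1_identity_check(claims, *, tenant_type, customer_tid, app_id, now=None):
    """Identity Plane gate (Layer 1). Authenticates the principal and applies
    login policy; grants no content permissions. Returns the user's object id."""
    now = time.time() if now is None else now
    cloud = CLOUD_BY_TENANT_TYPE[tenant_type]
    expected_iss = ISSUER_BY_CLOUD[cloud].format(tid=customer_tid)
    if claims.get("iss") != expected_iss:
        raise AccessDenied("issuer does not match the required Entra ID cloud and tenant")
    if claims.get("tid") != customer_tid:
        raise AccessDenied("token was not issued by the customer tenant")
    if claims.get("aud") != app_id:
        raise AccessDenied("token was not issued for this application")
    if claims.get("exp", 0) <= now:
        raise AccessDenied("token has expired")
    # 'amr' lists the authentication methods used; 'mfa' means MFA was satisfied.
    if "mfa" not in claims.get("amr", []):
        raise AccessDenied("MFA was not satisfied at sign-in")
    return claims["oid"]


def layer2_r3_rbac(oid, action, r3_assignments):
    """Execution Plane gate (Layer 2). Authorization comes only from R3 role
    assignments keyed by the authenticated object id, never from token roles."""
    roles = r3_assignments.get(oid, set())
    allowed = set().union(*(R3_ROLE_PERMISSIONS.get(r, set()) for r in roles))
    if action not in allowed:
        raise AccessDenied(f"R3 RBAC does not permit {action}")
    return True


def decide(claims, action, *, tenant_type, customer_tid, app_id, r3_assignments, now=None):
    """Run both layers in order and return ('allow', '') or ('deny', reason)."""
    try:
        oid = layer1_identity_check(claims, tenant_type=tenant_type,
                                    customer_tid=customer_tid, app_id=app_id, now=now)
        layer2_r3_rbac(oid, action, r3_assignments)
        return ("allow", "")
    except AccessDenied as exc:
        return ("deny", str(exc))


# Constructed sample data (placeholders, not real identifiers).
CUSTOMER_TID = "00000000-0000-0000-0000-000000000001"
APP_ID = "api://r3-govcloud-workplace-example"
FIXED_NOW = 1_700_000_000
SAMPLE_CLAIMS = {
    "iss": f"https://login.microsoftonline.us/{CUSTOMER_TID}/v2.0",
    "tid": CUSTOMER_TID,
    "aud": APP_ID,
    "oid": "user-0001",
    "exp": FIXED_NOW + 600,
    "amr": ["pwd", "mfa"],
    # Entra app role present in the token; Layer 2 ignores it by design.
    "roles": ["Example.Entra.AppRole"],
}
SAMPLE_R3_ASSIGNMENTS = {"user-0001": {"records_viewer"}}


def demo():
    """Evaluate a few representative requests against a GCC High tenant."""
    common = dict(tenant_type="GCC High", customer_tid=CUSTOMER_TID,
                  app_id=APP_ID, r3_assignments=SAMPLE_R3_ASSIGNMENTS, now=FIXED_NOW)
    return {
        "read": decide(SAMPLE_CLAIMS, "record:read", **common),
        "update": decide(SAMPLE_CLAIMS, "record:update", **common),
        "wrong_cloud": decide(SAMPLE_CLAIMS, "record:read",
                              **{**common, "tenant_type": "Commercial"}),
        "no_mfa": decide({**SAMPLE_CLAIMS, "amr": ["pwd"]}, "record:read", **common),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The "wrong_cloud" case is the section 6.2 rule in action: the same Azure Government token is rejected as soon as the Document Control Plane is declared to be a commercial tenant, because the expected issuer changes. The "update" case shows the Layer 2 separation: the user authenticates cleanly and carries an Entra app role, yet the action is denied because only the R3 role table decides workflow permissions.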
6.5 Zero Trust Identity Controls
The Identity Plane enforces Zero Trust principles for both R3 GovCloud and Microsoft 365, including:
- MFA or phishing-resistant MFA
- Conditional Access (device, location, risk, compliance)
- continuous access evaluation (CAE)
- session and token policies
- risk-based sign-in evaluation
- least-privilege role assignments
Identity is the enforcement point for all user access before any interaction with either plane occurs.
