Status: IN
Azure's cross-layer default-deny enforcement (Standard LB blocks inbound, Storage firewall blocks all requests, Policy denies non-compliant resources) is itself governed by the identity-to-authorization chain: RBAC role assignments determine who can create NSG exceptions and policy exemptions, and the additive RBAC model means identity misconfiguration can silently widen the aperture of both denial layers.