Thursday, December 1, 2022

Differences between Azure roles and Azure AD roles

At a high level, Azure roles control permissions to manage Azure resources, while Azure AD roles control permissions to manage Azure AD resources. The following table compares some of the differences.

| Azure roles | Azure AD roles |
| --- | --- |
| Manage access to Azure resources | Manage access to Azure AD resources |
| Supports custom roles | Supports custom roles |
| Scope can be specified at multiple levels (management group, subscription, resource group, resource) | Scope is at the tenant level or can be applied to an Administrative Unit |
| Role information can be accessed in Azure portal, Azure CLI, Azure PowerShell, Azure Resource Manager templates, REST API | Role information can be accessed in Azure admin portal, Microsoft 365 admin center, Microsoft Graph, Azure AD PowerShell |

Azure AD roles

Azure AD roles are used to manage Azure AD resources in a directory. Creating and editing users are the most common actions, but assigning administrative roles to others, resetting user passwords, managing user licenses, and managing domains are also common. The following table describes a few of the more important Azure AD roles.

| Azure AD role | Permissions | Notes |
| --- | --- | --- |
| Global Administrator | Manage access to all administrative features in Azure Active Directory, and services that federate to Azure Active Directory; assign administrator roles to others; reset the password for any user and all other administrators | The person who signs up for the Azure Active Directory tenant becomes the first Global Administrator. |
| User Administrator | Create and manage all aspects of users and groups; manage support tickets; monitor service health; change passwords for users, Helpdesk administrators, and other User Administrators | |
| Billing Administrator | Make purchases; manage subscriptions; manage support tickets; monitor service health | |
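As an added example (not code from the original post), the Python sketch below classifies role assignment scopes into the levels named in the comparison table and reports assignments made at broad scope, which is a common access-review check. It assumes records exported beforehand: `scope` and `directoryScopeId` follow the Azure CLI and Microsoft Graph field names, while `principal`, `role`, and all sample values are constructed for illustration.

```python
import re

# Azure role scopes, broadest first: the four levels named in the comparison table.
AZURE_LEVELS = [
    ("management group", re.compile(r"^/providers/Microsoft\.Management/managementGroups/[^/]+$", re.I)),
    ("subscription", re.compile(r"^/subscriptions/[^/]+$", re.I)),
    ("resource group", re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+$", re.I)),
    ("resource", re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/.+$", re.I)),
]

def azure_scope_level(scope):
    """Classify the scope string of an Azure role assignment."""
    scope = scope.rstrip("/")
    for level, pattern in AZURE_LEVELS:
        if pattern.match(scope):
            return level
    return "unknown"  # anything unrecognised is surfaced for manual review

def aad_scope_level(directory_scope_id):
    """Classify the directoryScopeId of an Azure AD role assignment."""
    if directory_scope_id == "/":
        return "tenant"
    if re.match(r"^/administrativeUnits/[^/]+$", directory_scope_id, re.I):
        return "administrative unit"
    return "unknown"

# Levels wide enough to deserve a look during an access review.
BROAD = {"management group", "subscription", "tenant", "unknown"}

def broad_assignments(azure, aad):
    """Return (principal, role, level) for assignments at broad or unknown scope."""
    rows = [(a["principal"], a["role"], azure_scope_level(a["scope"])) for a in azure]
    rows += [(a["principal"], a["role"], aad_scope_level(a["directoryScopeId"])) for a in aad]
    return [r for r in rows if r[2] in BROAD]

# Constructed sample records (not real tenant data).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
SAMPLE_AZURE = [
    {"principal": "alice@example.com", "role": "Owner", "scope": SUB},
    {"principal": "bob@example.com", "role": "Reader", "scope": SUB + "/resourceGroups/rg-app"},
    {"principal": "ci-deployer", "role": "Contributor",
     "scope": "/providers/Microsoft.Management/managementGroups/mg-corp"},
]
SAMPLE_AAD = [
    {"principal": "carol@example.com", "role": "Global Administrator", "directoryScopeId": "/"},
    {"principal": "dave@example.com", "role": "User Administrator",
     "directoryScopeId": "/administrativeUnits/11111111-1111-1111-1111-111111111111"},
]

if __name__ == "__main__":
    for finding in broad_assignments(SAMPLE_AZURE, SAMPLE_AAD):
        print(finding)
```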