Azure Active Directory (AD) vs Role-Based Access Control (RBAC)

Azure AD

Azure RBAC

Description

An identity and access management service that helps you access internal and external resources.

An authorization system that manages user’s access to Azure resources including what they can do with those resources and what areas they can access.

Focus

Grants permissions to manage access to Azure Active Directory resources.

Grants permissions to manage access to Azure resources.

Scope

Tenant level

Specify at multiple levels (management group, subscription, resource group, and resource)

Roles

 Important Azure AD built-in roles:

1.  Global Administrator – manage access to all the administrative features in Azure AD.

2.  User Administrator – create and manage different types of users and groups in Azure.

3. Billing Administrator – it can manage subscriptions, support tickets, make purchases, and monitor service health.

 Supports custom roles.

 You can assign multiple roles on a user.

 Fundamental Azure RBAC built-in roles:

1. Owner – full access to all Azure resources.

2. Contributor – create and manage all types of resources in Azure.

3. Reader – a user with this role can only view Azure resources

4. User Access Administrator – it has permissions to manage user access to all types of resources.

 Supports custom roles in P1 and P2 licenses.

 You can assign multiple roles on a user.

Role information

You can access the role information in the Azure Portal, Microsoft 365 admin center, Microsoft Graph, and AzureAD PowerShell.

You can access the role information in the Azure Portal, CLI, PowerShell, Resource Manager templates, and REST API.

Pricing

Azure AD has three editions: Free, Premium P1, and Premium P2. For the P1 and P2 licenses, you are charged on a monthly basis.

Azure RBAC is free and included in your Azure subscription.