• https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-overview
• Azure has two separate/distinct scopes of access control — one for Azure AD and one for Azure resources.
• A user with the Global Administrator role in AAD can elevate themselves to have the RBAC User Administrator role at the root (/) level over all subscriptions and management groups. This allows them to assign RBAC roles to themselves and others.

Azure AD roles – Sometimes referred to as directory roles, Azure AD roles include built-in and custom roles to manage Azure AD and other Microsoft 365 online services.

Azure roles – The role-based access control (RBAC) roles in Azure that grants access to management groups, subscriptions, resource groups, and resources.

reference

• Windows command dsregcmd /status can be used to check if machine is AAD joined

• Be mindful when joining Windows VMs to an AADDS domain that only the first 15 characters of the VM name are used for the machine name. So when the machine is joined to the domain there will be a name conflict of the first 15 characters are not unique.

• Microsoft 365