“Why do I need two different PowerShell modules just to manage Azure?”
That’s the common frustration—Az and Microsoft.Graph are both official modules, but they serve completely different purposes. This post breaks down when to use each, with examples, a comparison matrix, and tips for choosing the right one.
🔍 What’s the Difference? #
- Az is for managing Azure resources—think subscriptions, VMs, networking, storage.
- Microsoft.Graph is for managing Microsoft Entra ID (Azure AD) and Microsoft 365 identities—users, groups, licenses, directory roles.
They’re both used in the Azure ecosystem, but they hit different APIs and serve different layers.
🧭 Comparison Matrix #
| Feature / Action | Az Module |
Microsoft.Graph Module |
Use This When… |
|---|---|---|---|
| Create/Manage VMs, Storage, etc. | ✅ Az.Compute, etc. |
❌ | You’re managing Azure infrastructure. |
| Create/Update Users & Groups in Entra ID | ❌ | ✅ Microsoft.Graph.Users |
You’re managing Entra identity objects. |
| Assign RBAC Roles to Azure resources | ✅ | ✅ (via role assignments) | Either works, but Az is more common. |
| Create/Manage Subscriptions & Resource Groups | ✅ Az.Resources |
❌ | Managing the Azure structure itself. |
| Assign Microsoft 365 licenses | ❌ | ✅ Microsoft.Graph.Licenses |
Working with SaaS identity entitlements. |
| Use Azure Policy / ARM Templates | ✅ | ❌ | Infrastructure governance and templates. |
| Modify Conditional Access / Entra Policies | ❌ | ✅ | Identity security config. |
| Read/Write Entra Group Memberships | ❌ | ✅ | Directory group automation. |
| Automate Identity Lifecycle (HR sync, etc.) | ❌ | ✅ | Microsoft Graph is the only option. |
✍️ Syntax Side-by-Side #
Create Resource Group (Az) #
Connect-AzAccount
New-AzResourceGroup -Name "dev-rg" -Location "eastus"
Create Entra User (Graph) #
Connect-MgGraph -Scopes "User.ReadWrite.All"
New-MgUser -DisplayName "Logphile Test" -UserPrincipalName "[email protected]" -MailNickname "logtest" -AccountEnabled:$true -PasswordProfile @{
Password = "SecurePass123!"
}
🧠 When You Might Use Both #
Here’s a practical scenario:
- Use
Microsoft.Graphto create a user and assign them a role in Entra ID. - Then use
Azto grant that user access to a resource group withNew-AzRoleAssignment.
It’s not either/or—it’s knowing when each tool is appropriate.
💡 Tips to Keep in Mind #
- If you’re dealing with subscriptions, infra, RBAC, use
Az. - If you’re touching users, groups, licenses, roles, use
Microsoft.Graph. - Want automation across both? Combine them in the same script—just authenticate each separately.
📎 References #
Not knowing which module to use costs time. Knowing the difference builds momentum.
After several years as a stay-at-home dad, I’m working my way back into the tech field—brushing up on tools, learning what’s changed, and sharing the journey along the way. This blog is part learning tool, part signal to employers, and part proof of work. Thanks for reading!