“Why do I need two different PowerShell modules just to manage Azure?”
That’s the common frustration—Az and Microsoft.Graph are both official modules, but they serve completely different purposes. Let’s look at when to use each, with examples, a comparison matrix, and tips for choosing the right one.
What's the Difference?
- Az is for managing Azure resources—think subscriptions, VMs, networking, storage.
- Microsoft.Graph is for managing Microsoft Entra ID (Azure AD) and Microsoft 365 identities—users, groups, licenses, directory roles.
They’re both used in the Azure ecosystem, but they hit different APIs and serve different layers.
Comparison Matrix
Feature / Action | Az Module | Microsoft.Graph Module | Use This When… |
---|---|---|---|
Create/Manage VMs, Storage, etc. | ✅ Az.Compute, etc. | ✖️ | You’re managing Azure infrastructure. |
Create/Update Users & Groups in Entra ID | ✖️ | ✅ Microsoft.Graph.Users | You’re managing Entra identity objects. |
Assign RBAC Roles to Azure resources | ✅ | ✅ (via role assignments) | Either works, but Az is more common. |
Create/Manage Subscriptions & Resource Groups | ✅ Az.Resources | ✖️ | Managing the Azure structure itself. |
Assign Microsoft 365 licenses | ✖️ | ✅ Microsoft.Graph.Licenses | Working with SaaS identity entitlements. |
Use Azure Policy / ARM Templates | ✅ | ✖️ | Infrastructure governance and templates. |
Modify Conditional Access / Entra Policies | ✖️ | ✅ | Identity security config. |
Read/Write Entra Group Memberships | ✖️ | ✅ | Directory group automation. |
Automate Identity Lifecycle (HR sync, etc.) | ✖️ | ✅ | Microsoft Graph is the only option. |
Syntax Side-by-Side
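Create Resource Group (Az)

```powershell
# Sign in to Azure Resource Manager, then create the resource group.
Connect-AzAccount
New-AzResourceGroup -Name "dev-rg" -Location "eastus"
```

Create Entra User (Graph)

```powershell
# Sign in to Microsoft Graph with only the scope needed to create users.
Connect-MgGraph -Scopes "User.ReadWrite.All"
# The UPN was redacted in the source page; replace the placeholder with an address in a verified domain of your tenant.
# The password is a sample value; do not hardcode real credentials in scripts.
New-MgUser -DisplayName "Logphile Test" -UserPrincipalName "<user>@<your-verified-domain>" -MailNickname "logtest" -AccountEnabled:$true -PasswordProfile @{
    Password = "SecurePass123!"
}
```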
Using Both Together
Here’s a practical scenario:
- Use Microsoft.Graph to create a user and assign them a role in Entra ID.
- Then use Az to grant that user access to a resource group with New-AzRoleAssignment.
It’s not either/or—it’s knowing when each tool is appropriate.
When: Az vs. Graph
- If you’re dealing with subscriptions, infra, RBAC, use Az.
- If you’re touching users, groups, licenses, roles, use Microsoft.Graph.
- Want automation across both? Combine them in the same script—just authenticate each separately.
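
The practical scenario and the "authenticate each separately" tip above, combined into one script. This is an added example, not code from the original post; it leaves out the Entra directory-role step and adds a generated temporary password and a retry for directory replication delay. Assumptions: the UPN domain is a placeholder, `dev-rg` already exists, and the built-in `Reader` role is the access being granted.

```powershell
# Added example. Assumed values: UPN placeholder, "dev-rg" from the post, Reader role.
$ErrorActionPreference = 'Stop'

$Upn           = 'logtest@<your-verified-domain>'   # placeholder: replace before running
$ResourceGroup = 'dev-rg'                            # created earlier with New-AzResourceGroup
$AzureRole     = 'Reader'                            # least-privilege built-in role for the demo

# Two separate sign-ins: Graph gets a token for graph.microsoft.com,
# Az gets one for management.azure.com. Request only the Graph scope needed.
Connect-MgGraph -Scopes 'User.ReadWrite.All'
Connect-AzAccount | Out-Null

# Generate a one-time password instead of hardcoding one in the script.
$bytes = [byte[]]::new(24)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$tempPassword = [Convert]::ToBase64String($bytes) + 'aA1!'   # suffix guarantees character classes

$user = New-MgUser -DisplayName 'Logphile Test' `
    -UserPrincipalName $Upn -MailNickname 'logtest' -AccountEnabled:$true `
    -PasswordProfile @{
        Password                      = $tempPassword
        ForceChangePasswordNextSignIn = $true   # user must rotate it at first sign-in
    }

# Entra ID replicates new principals asynchronously, so the first RBAC call
# can fail because the principal is not visible yet. Retry with back-off.
$assignment = $null
foreach ($delay in 5, 10, 20, 40) {
    try {
        $assignment = New-AzRoleAssignment -ObjectId $user.Id `
            -RoleDefinitionName $AzureRole -ResourceGroupName $ResourceGroup
        break
    } catch {
        Write-Warning "Role assignment failed ($($_.Exception.Message)); retrying in $delay s"
        Start-Sleep -Seconds $delay
    }
}
if (-not $assignment) { throw "Could not assign $AzureRole on $ResourceGroup to $Upn" }

# Deliver $tempPassword to the user out of band; keep it out of logs and transcripts.
[pscustomobject]@{
    UserId = $user.Id
    Role   = $assignment.RoleDefinitionName
    Scope  = $assignment.Scope
}

Disconnect-MgGraph | Out-Null
Disconnect-AzAccount | Out-Null
```

The signed-in operator needs rights on both planes: an Entra role that can create users, and permission to write role assignments on the resource group (for example Owner or User Access Administrator).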
Thanks for reading. I stepped away to be a stay-at-home dad and am now plugging back in—one post, one project at a time. LogPhile is a learning log, a signal to employers, and proof of progress. Spot a mistake? Edge case I missed? Just want to connect? Don’t hesitate to reach out.