
Azure AD

Azure AD has its own set of roles which apply to Azure AD resources and which are distinct from those of Azure RBAC.

The terms tenant and directory are deeply connected and often confused with one another.

  • A tenant is an instance of Azure AD tied to a subscription; it represents the organization.
  • Each tenant is associated with a dedicated and trusted directory that includes the tenant's users, groups, and apps.

Roles:

  • Global Administrator can manage access to administrative features in AAD and can grant administrator roles to other users. An AAD Global Administrator can also temporarily elevate their own access to the Azure RBAC role of User Access Administrator in order to manage all Azure subscriptions and management groups. Whoever signs up for the directory is automatically assigned this role.
  • Device administrator

In order to make sure AD users can change their password either locally or in the cloud, Azure AD has to be upgraded to Premium. Enterprise State Roaming allows users to securely synchronize user settings and application settings to Azure.

Self-Service Password Reset (SSPR) is supported for all users. SSPR registration can be configured by group or for all domain users, but not individual users.

B2B

Business-to-business (B2B) collaboration allows you to invite guest users into your own (What is guest user access in Azure Active Directory B2B?)

Joining a device

When you join a device to an Azure AD tenant's domain, Azure AD creates local administrator accounts on the device for:

  • The user joining the device
  • The Azure AD global administrator
  • The Azure AD device administrator

SSPR

Tasks

Sources:

  • Portal
  • PowerShell

Add users in bulk

Import members by first navigating to the group to which they will be added, then importing from a CSV. A template is available.

Sources:

Licenses

Note: The user to be licensed must first have a Usage location set.

Use the ISO 3166-1 alpha-2 two-letter country or region code to set this value in PowerShell (the -ObjectId parameter identifying the user is required; the UPN below is a constructed example):

Set-AzureADUser -ObjectId 'alice@contoso.example' -UsageLocation 'US'
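The two tasks above (bulk-adding users to a group from a CSV, then setting a usage location before assigning a license) combined into one script, as an added example that is not part of the original notes. It assumes the AzureAD module with Connect-AzureAD already run, a constructed CSV layout, a hypothetical group name and a placeholder SKU part number.

```powershell
# Added example (not from the original notes). Assumes the AzureAD module is loaded
# and Connect-AzureAD has already been run. Constructed sample CSV layout:
#   UserPrincipalName,DisplayName,MailNickName,UsageLocation
#   alice@contoso.example,Alice Example,alice,US
Add-Type -AssemblyName System.Web           # for the random-password generator below

$csvPath   = '.\new-users.csv'              # constructed sample input
$groupName = 'Sales'                        # hypothetical target group
$skuPart   = 'ENTERPRISEPREMIUM'            # placeholder; list real values with Get-AzureADSubscribedSku

$group = Get-AzureADGroup -Filter "DisplayName eq '$groupName'"
$sku   = Get-AzureADSubscribedSku | Where-Object { $_.SkuPartNumber -eq $skuPart }
if (-not $group -or -not $sku) { throw "Group '$groupName' or SKU '$skuPart' not found" }

# Build the license object once; it is reused for every user in the CSV
$license = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
$license.SkuId = $sku.SkuId
$licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
$licenses.AddLicenses = $license

# Existing members, so re-running the script does not fail on duplicate adds
$members = (Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true).ObjectId

foreach ($row in Import-Csv -Path $csvPath) {
    $user = Get-AzureADUser -Filter "UserPrincipalName eq '$($row.UserPrincipalName)'"
    if (-not $user) {
        # Create the account with a random initial password that must be changed at first sign-in
        $pwProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
        $pwProfile.Password = [System.Web.Security.Membership]::GeneratePassword(16, 3)
        $pwProfile.ForceChangePasswordNextLogin = $true
        $user = New-AzureADUser -UserPrincipalName $row.UserPrincipalName `
            -DisplayName $row.DisplayName -MailNickName $row.MailNickName `
            -AccountEnabled $true -PasswordProfile $pwProfile
    }
    if ($members -notcontains $user.ObjectId) {
        Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $user.ObjectId
    }
    # Usage location (ISO 3166-1 alpha-2) must be set before a license can be assigned
    Set-AzureADUser -ObjectId $user.ObjectId -UsageLocation $row.UsageLocation
    Set-AzureADUserLicense -ObjectId $user.ObjectId -AssignedLicenses $licenses
    Write-Output "Processed $($row.UserPrincipalName)"
}
```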

Sources

Enable MFA

Create a Conditional Access policy to enforce MFA for the specified users.

Enable SSPR

Add custom domain name

AZ-103: 410

Sources