@Deok Jong Moon Thank you for reaching out to us. As I understand it, you have queries about the type of privileges you have with Azure AD Domain Services.
Refer to these points.
Administrative tasks you can perform on an Azure AD DS managed domain
Members of the AAD DC Administrators group are granted privileges on the managed domain that enable them to do tasks such as:
- Configure the built-in group policy object (GPO) for the AADDC Computers and AADDC Users containers in the managed domain.
- Administer DNS on the managed domain.
- Create and administer custom organizational units (OUs) on the managed domain.
- Gain administrative access to computers joined to the managed domain.
Administrative privileges you don't have on a managed domain
The managed domain is locked down, so you don't have privileges to do certain administrative tasks on the domain. Some of the following examples are tasks you can't do:
- Extend the schema of the managed domain.
- Connect to domain controllers for the managed domain using Remote Desktop.
- Add domain controllers to the managed domain.
- You don't have Domain Administrator or Enterprise Administrator privileges for the managed domain.
Reference: https://learn.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-management-vm#:~:text=Administrative%20tasks%20you%20can%20perform%20on%20a%20managed%20domain
Also refer to this FAQ for Azure AD DS: Do I have domain administrator privileges for the managed domain provided by Azure AD Domain Services?
Let me know if you have any further questions; feel free to post back.
Please remember to "Accept Answer" if the answer helped, so that others in the community facing similar issues can easily find the solution.
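A membership review for the AAD DC Administrators group described in the answer above, as an added example that is not part of the original answer or of Microsoft's documentation. It assumes a domain-joined management VM with the RSAT ActiveDirectory module installed; the 90-day threshold and the variable names are illustrative assumptions.

```powershell
# Added example: review who holds the delegated privileges on the managed domain.
# Assumes a domain-joined management VM with the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$groupName = 'AAD DC Administrators'   # group name as given in the answer
$staleDays = 90                        # assumed review threshold, adjust to policy
$cutoff    = (Get-Date).AddDays(-$staleDays)

# Direct members: a nested group widens the privilege without appearing as a user,
# so surface nested groups before expanding them.
$direct = Get-ADGroupMember -Identity $groupName
foreach ($g in ($direct | Where-Object { $_.objectClass -eq 'group' })) {
    Write-Warning "Nested group grants admin rights: $($g.SamAccountName)"
}

# Effective members: every user who ends up with the privileges after expansion.
# LastLogonDate is derived from lastLogonTimestamp, which replicates with a lag
# of up to about two weeks, so treat it as approximate.
$report = Get-ADGroupMember -Identity $groupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $u = Get-ADUser -Identity $_.distinguishedName -Properties LastLogonDate
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Enabled        = $u.Enabled
            LastLogonDate  = $u.LastLogonDate
            Direct         = $direct.distinguishedName -contains $u.DistinguishedName
            Stale          = (-not $u.LastLogonDate) -or ($u.LastLogonDate -lt $cutoff)
        }
    }

$report | Sort-Object Stale, SamAccountName -Descending | Format-Table -AutoSize

# OUs other than the two containers the answer names. Other built-in OUs may
# also appear here; anything unexpected was created by a member of the group.
Get-ADOrganizationalUnit -Filter * |
    Where-Object { $_.Name -notin 'AADDC Computers', 'AADDC Users' } |
    Select-Object Name, DistinguishedName
```

Accounts flagged as stale or disabled but still in the group are candidates for removal, since membership also grants administrative access to every computer joined to the managed domain.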