Exam AZ-104 All QuestionsBrowse all questions from this exam
Go to Exam
Question 100

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription that contains the following users in an Azure Active Directory tenant named contoso.onmicrosoft.com:

User1 creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com.

You need to create new user accounts in external.contoso.onmicrosoft.com.

Solution: You instruct User3 to create the user accounts.

Does that meet the goal?

    Correct Answer: B

    In the scenario where a new Azure Active Directory (Azure AD) tenant is created, the default global administrator role belongs to the user who created the tenant, which in this case is User1. User3, being a user administrator in the original tenant, does not have any roles or permissions in the new tenant (external.contoso.onmicrosoft.com) by default. Thus, User3 cannot create user accounts in the new tenant unless User1 explicitly grants User3 the necessary permissions in that tenant. Therefore, instructing User3 to create the user accounts does not meet the goal.

Discussion
pgmppOption: B

The answer is No! I tested this. 1. I created a new Tenant contosogmpp. 2. Added 2 users, User1 and User 2 in this tenant and gave them global privileges 3. I logged through User1 and created a new tenant called externalcontossgmpp 4. Now when I logged in through User2 and try to switch tenants, the new tenant externalcontossgmpp is not available at all for User2. Hence User1 needs to invite User2 first

ELearn

Correct answer is: B.NO Clear explanation: In Azure only a Global Administrator can create a new Azure Active Directory (Azure AD) tenant. In this scenario, User1, who is a Global Administrator, creates a new Azure AD tenant named external.contoso.onmicrosoft.com. However, User3, who is an Owner of an Azure subscription, does not automatically have access to this new tenant. User1, as the one who created the new tenant, would be the only Global Administrator in the new tenant by default. Therefore, User3 would not be able to create user accounts in the new tenant unless User1 grants them the necessary permissions. So, instructing User3 to create the user accounts in the new tenant would not meet the goal, unless User1 first adds User3 as a User administrator/Global administrator in the new tenant.

JohnPiOption: B

it is another tentant

Renss78Option: B

Answer is NO, the one who just created the tenant is the only one who can add Users. But when he assign "user 3" the User Administrator or Global Administrator role then he/she can. And yes NOT only the Global Adminsitrator can add AD Users. Source: ""Add new users or delete existing users from your Azure Active Directory (Azure AD) tenant. To add or delete users, you must be a User Administrator or Global Administrator." https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/add-users-azure-active-directory

raj24051961Option: A

https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles -User Administrator Create and manage all aspects of users and groups Manage support tickets Monitor service health Change passwords for users, Helpdesk administrators, and other User Administrators

myaraliOption: B

NO After User1 creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com, User-1 becomes owner and Global Administrator of external.contoso.onmicrosoft.com. BUT User-3 doesn't have any authorization in new tenant. User-3's User Administrator Role applies to contoso.onmicrosoft.com NOT for external.contoso.onmicrosoft.com. SO User-1 CAN NOT instruct User3 to create the user accounts. MAYBE that can be done after User-1 assigns Global Administrator or User Access Administrator Role to User-3.

raj24051961Option: A

https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles -User Administrator Create and manage all aspects of users and groups Manage support tickets Monitor service health Change passwords for users, Helpdesk administrators, and other User Administrators

JayLearn2022Option: B

There are several version of this question. The following are the valid and invalid solutions that may be presented. Valid Solution: Meets the Goal Solution: Solution: You instruct User1 to create the user accounts. Invalid Solutions: Does not Meet the Goal -Solution: You instruct User2 to create the user accounts. -Solution: You instruct User3 to create the user accounts. -Solution: You instruct User4 to create the user accounts.

MothePro

what is the difference between user 1 and user2? they are both Global Admin..

fateman17

user 1 made the tenant.

NejmeddineBchOption: A

https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/add-users Add new users or delete existing users from your Azure Active Directory (Azure AD) tenant. To add or delete users, you must be a User Administrator or Global Administrator.

AK4U_111Option: B

how can a tenant such as external.contoso.onmicrosoft.com even be created? i cant find anything on how to do this. when i go to create tenant i can create a new one but not a sub tenant which is a part of the original tenant

zellckOption: B

B is the answer. https://learn.microsoft.com/en-us/azure/active-directory/roles/custom-overview#scope When you assign a role, you specify one of the following types of scope: - Tenant - Administrative unit

herculeOption: A

according to the documentation you need at least a User Administrator hence A is correct. https://learn.microsoft.com/en-us/entra/fundamentals/how-to-create-delete-users

chucklu

User3's User Administrator role is scoped to the original tenant contoso.onmicrosoft.com and does not extend to the new tenant external.contoso.onmicrosoft.com by default.

MCLC2021Option: A

https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles MICROSOFT ENTRA ROLES Global Administrator:Manage access to all administrative features in Microsoft Entra ID, as well as services that federate to Microsoft Entra ID Assign administrator roles to others, Reset the password for any user and all other administrators. User Administrator: Create and manage all aspects of users and groups, Manage support tickets, Monitor service health Change passwords for users, Helpdesk administrators, and other User Administrators.

TechThameem

You should understand the question properly, User1 (the Global admin) creates a new tenant, that means User1 has created a new domain where User1 only will have access no one other admins will have access in that tenant. So, User 3 cannot create a user account in that new tenant.

tashakoriOption: B

No is right

rreghiouaOption: A

Selected Answer: A https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#user-administrator

VV11_SS22Option: B

Correct answer is B

tomasek88Option: B

NO = B --> because User2 OR User3 OR User4 - have nothing to do with NEW Azure Active Directory tenant named external.contoso.onmicrosoft.com

UmbongoDrinkOption: B

No, only GA can.