AZ-104 Exam QuestionsBrowse all questions from this exam
Go to Exam

AZ-104 Exam - Question 100

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription that contains the following users in an Azure Active Directory tenant named contoso.onmicrosoft.com:

User1 creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com.

You need to create new user accounts in external.contoso.onmicrosoft.com.

Solution: You instruct User3 to create the user accounts.

Does that meet the goal?

Show Answer
Correct Answer: B

In the scenario where a new Azure Active Directory (Azure AD) tenant is created, the default global administrator role belongs to the user who created the tenant, which in this case is User1. User3, being a user administrator in the original tenant, does not have any roles or permissions in the new tenant (external.contoso.onmicrosoft.com) by default. Thus, User3 cannot create user accounts in the new tenant unless User1 explicitly grants User3 the necessary permissions in that tenant. Therefore, instructing User3 to create the user accounts does not meet the goal.

Discussion

17 comments
Sign in to comment
pgmppOption: B
Aug 23, 2022

The answer is No! I tested this. 1. I created a new Tenant contosogmpp. 2. Added 2 users, User1 and User 2 in this tenant and gave them global privileges 3. I logged through User1 and created a new tenant called externalcontossgmpp 4. Now when I logged in through User2 and try to switch tenants, the new tenant externalcontossgmpp is not available at all for User2. Hence User1 needs to invite User2 first

ELearn
Jul 13, 2024

Correct answer is: B.NO Clear explanation: In Azure only a Global Administrator can create a new Azure Active Directory (Azure AD) tenant. In this scenario, User1, who is a Global Administrator, creates a new Azure AD tenant named external.contoso.onmicrosoft.com. However, User3, who is an Owner of an Azure subscription, does not automatically have access to this new tenant. User1, as the one who created the new tenant, would be the only Global Administrator in the new tenant by default. Therefore, User3 would not be able to create user accounts in the new tenant unless User1 grants them the necessary permissions. So, instructing User3 to create the user accounts in the new tenant would not meet the goal, unless User1 first adds User3 as a User administrator/Global administrator in the new tenant.

JohnPiOption: B
Aug 23, 2022

it is another tentant

Renss78Option: B
Mar 18, 2023

Answer is NO, the one who just created the tenant is the only one who can add Users. But when he assign "user 3" the User Administrator or Global Administrator role then he/she can. And yes NOT only the Global Adminsitrator can add AD Users. Source: ""Add new users or delete existing users from your Azure Active Directory (Azure AD) tenant. To add or delete users, you must be a User Administrator or Global Administrator." https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/add-users-azure-active-directory

myaraliOption: B
Feb 10, 2023

NO After User1 creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com, User-1 becomes owner and Global Administrator of external.contoso.onmicrosoft.com. BUT User-3 doesn't have any authorization in new tenant. User-3's User Administrator Role applies to contoso.onmicrosoft.com NOT for external.contoso.onmicrosoft.com. SO User-1 CAN NOT instruct User3 to create the user accounts. MAYBE that can be done after User-1 assigns Global Administrator or User Access Administrator Role to User-3.

raj24051961Option: A
Jun 29, 2023

https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles -User Administrator Create and manage all aspects of users and groups Manage support tickets Monitor service health Change passwords for users, Helpdesk administrators, and other User Administrators

JayLearn2022Option: B
Feb 18, 2023

There are several version of this question. The following are the valid and invalid solutions that may be presented. Valid Solution: Meets the Goal Solution: Solution: You instruct User1 to create the user accounts. Invalid Solutions: Does not Meet the Goal -Solution: You instruct User2 to create the user accounts. -Solution: You instruct User3 to create the user accounts. -Solution: You instruct User4 to create the user accounts.

MothePro
Mar 29, 2023

what is the difference between user 1 and user2? they are both Global Admin..

fateman17
Aug 5, 2023

user 1 made the tenant.

raj24051961Option: A
Jun 29, 2023

https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles -User Administrator Create and manage all aspects of users and groups Manage support tickets Monitor service health Change passwords for users, Helpdesk administrators, and other User Administrators

zellckOption: B
Jan 28, 2023

B is the answer. https://learn.microsoft.com/en-us/azure/active-directory/roles/custom-overview#scope When you assign a role, you specify one of the following types of scope: - Tenant - Administrative unit

AK4U_111Option: B
Feb 28, 2023

how can a tenant such as external.contoso.onmicrosoft.com even be created? i cant find anything on how to do this. when i go to create tenant i can create a new one but not a sub tenant which is a part of the original tenant

NejmeddineBchOption: A
Aug 4, 2023

https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/add-users Add new users or delete existing users from your Azure Active Directory (Azure AD) tenant. To add or delete users, you must be a User Administrator or Global Administrator.

UmbongoDrinkOption: B
Feb 9, 2023

No, only GA can.

tomasek88Option: B
Feb 26, 2023

NO = B --> because User2 OR User3 OR User4 - have nothing to do with NEW Azure Active Directory tenant named external.contoso.onmicrosoft.com

VV11_SS22Option: B
Aug 11, 2023

Correct answer is B

rreghiouaOption: A
Jan 6, 2024

Selected Answer: A https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#user-administrator

tashakoriOption: B
Mar 14, 2024

No is right

MCLC2021Option: A
May 4, 2024

https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles MICROSOFT ENTRA ROLES Global Administrator:Manage access to all administrative features in Microsoft Entra ID, as well as services that federate to Microsoft Entra ID Assign administrator roles to others, Reset the password for any user and all other administrators. User Administrator: Create and manage all aspects of users and groups, Manage support tickets, Monitor service health Change passwords for users, Helpdesk administrators, and other User Administrators.

TechThameem
May 29, 2024

You should understand the question properly, User1 (the Global admin) creates a new tenant, that means User1 has created a new domain where User1 only will have access no one other admins will have access in that tenant. So, User 3 cannot create a user account in that new tenant.

herculeOption: A
Jun 22, 2024

according to the documentation you need at least a User Administrator hence A is correct. https://learn.microsoft.com/en-us/entra/fundamentals/how-to-create-delete-users

chucklu
Jul 2, 2024

User3's User Administrator role is scoped to the original tenant contoso.onmicrosoft.com and does not extend to the new tenant external.contoso.onmicrosoft.com by default.