Exam AZ-104
Question 98

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription that contains the following users in an Azure Active Directory tenant named contoso.onmicrosoft.com:

User1 creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com.

You need to create new user accounts in external.contoso.onmicrosoft.com.

Solution: You instruct User2 to create the user accounts.

Does that meet the goal?

    Correct Answer: B

    When a new Azure Active Directory tenant is created, the user who creates it is automatically assigned the Global Administrator role for that tenant. In this scenario, User1 created the new tenant named external.contoso.onmicrosoft.com, so User1 becomes the Global Administrator of that tenant. Therefore, User2, even though they are a Global Administrator in the original tenant (contoso.onmicrosoft.com), does not automatically have any role or permissions in the new tenant (external.contoso.onmicrosoft.com). Without being explicitly granted permissions in the new tenant by User1, User2 cannot create new user accounts there. Hence, the solution does not meet the goal.

Discussion
aaa112 (Option: B)

Correct, but the explanation is not. User1 is global admin of contoso.onmicrosoft.com. As he created the new tenant called external.contoso.onmicrosoft.com, he will be the OWNER. Check the scope not just the role, tho.

mikl

Thank you for clarifying

r3tr0penguin

Then if User2 wants to create a new user on external.contoso.onmicrosoft.com, he can't, right? Because User2 is not the one who created the tenant external.contoso.onmicrosoft.com, that means User2 isn't the OWNER.

RamanAgarwal

Yes, because user2 won't have any role or connection with the new tenant unless added by user1 specifically.

AzureG0d

Be mindful of the power of a global administrator. "Because only another global admin can reset a global admin's password, we recommend that you have at least 2 global admins in your organization in case of account lockout. But the global admin has almost unlimited access to your org's settings and most of the data, so we also recommend that you don't have more than 4 global admins because that's a security threat." https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide

AzureG0d

I stand corrected. Only user1 can see and will have access to those. Administrative independence: If a non-administrative user of organization 'Contoso' creates a test organization 'Test,' then: By default, the user who creates an organization is added as an external user in that new organization, and assigned the global administrator role in that organization. The administrators of organization 'Contoso' have no direct administrative privileges to organization 'Test,' unless an administrator of 'Test' specifically grants them these privileges. However, administrators of 'Contoso' can control access to organization 'Test' if they sign in to the user account that created 'Test.' If you add or remove an Azure AD role for a user in one organization, the change does not affect the roles that the user is assigned in any other Azure AD organization. https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/licensing-directory-independence#administrative-independence
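A per-tenant check of the behaviour described in the answer explanation and in the Microsoft guidance quoted above (added example, not part of the original page or any commenter's post). It assumes the Microsoft.Graph PowerShell module is installed; the function name `Get-GlobalAdminReport` is hypothetical, and the 2 to 4 range is the guidance quoted in the discussion.

```powershell
# Added example: list Global Administrators in each tenant separately.
# Well-known role template ID of the built-in Global Administrator role.
$GlobalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'

function Get-GlobalAdminReport {
    param([Parameter(Mandatory)][string[]]$TenantId)

    foreach ($tenant in $TenantId) {
        try {
            # Directory roles are scoped to the tenant you sign in to. An account
            # with no presence in $tenant fails here, whatever role it holds elsewhere.
            Connect-MgGraph -TenantId $tenant -Scopes 'RoleManagement.Read.Directory' -ErrorAction Stop | Out-Null
        }
        catch {
            [pscustomobject]@{ Tenant = $tenant; Count = $null; Members = "sign-in failed: $($_.Exception.Message)"; WithinGuidance = $null }
            continue
        }

        $role    = Get-MgDirectoryRole -Filter "roleTemplateId eq '$GlobalAdminTemplateId'"
        $members = @(Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All)

        # Members can be users or service principals; fall back to displayName.
        # A tenant creator shows up as an external user (UPN containing #EXT#).
        $names = foreach ($m in $members) {
            $upn = $m.AdditionalProperties['userPrincipalName']
            if ($upn) { $upn } else { $m.AdditionalProperties['displayName'] }
        }

        [pscustomobject]@{
            Tenant         = $tenant
            Count          = $members.Count
            Members        = $names -join '; '
            # Guidance quoted in the discussion: at least 2, no more than 4.
            WithinGuidance = ($members.Count -ge 2 -and $members.Count -le 4)
        }

        Disconnect-MgGraph | Out-Null
    }
}

# Tenant names taken from the question; each tenant prompts for its own sign-in.
Get-GlobalAdminReport -TenantId 'contoso.onmicrosoft.com', 'external.contoso.onmicrosoft.com' |
    Format-Table -AutoSize -Wrap
```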

mlantonis (Option: A)

Correct Answer: A - Yes. Only User1 has access to the new Tenant, because User1 created the Tenant and became automatically Global Admin.

EricMaes

Didn't he become owner?

A_GEE

Yes. User1 becomes the owner and the first user in that Tenant

CommanderBigMac

Putting this here, hope it helps someone. Question was reworded at some point, changing the answer to B: No. https://learn.microsoft.com/en-us/answers/questions/1163804/need-clear-understanding-on-the-permissions-global

Zomato

Yeah. Clears everything.

Spam101198

Question is asking about User 2, not user 1, hence answer is NO

FlaShhh

The Azure God mlantonis is wrong for once, is the world ending?

aflavien (Option: B)

Instructing User2 to create user accounts will meet the goal if User2 is granted the necessary permissions in the new tenant (external.contoso.onmicrosoft.com). However, since the problem statement does not mention assigning any roles to User2 in the new tenant, the solution as it stands does not fully meet the goal without additional steps. Answer: No, it does not meet the goal, as User2 needs to be assigned an appropriate role in the new tenant first.

LearnerFL (Option: B)

In Azure, when a new tenant is created, only the user who creates the tenant (in this case, User1) is automatically assigned the Global Administrator role for that tenant. This means that initially, only user1 would have access to the new tenant, external.contoso.onmicrosoft.com.

tashakori (Option: B)

No is right

mcclane654 (Option: B)

Tried creating a new tenant on my normal user. I can't even find it using the global admin. https://learn.microsoft.com/en-us/entra/fundamentals/create-new-tenant#your-user-account-in-the-new-tenant

OpOmOp (Option: B)

When you create a new Microsoft Entra tenant, you become the first user of that tenant. As the first user, you're automatically assigned the Global Administrator role. Review your user account by navigating to the Users page. https://learn.microsoft.com/en-us/entra/fundamentals/create-new-tenant

OpOmOp

Microsoft Entra ID (formerly Azure Active Directory)

hercule (Option: B)

Yes and no, according to the least privilege you need a User Administrator, hence (B)

3c5adce (Option: A)

ChatGPT4 says YES: Instructing User2 to create the user accounts in the new Azure Active Directory tenant named external.contoso.onmicrosoft.com does meet the goal. This is because User2 holds the role of "Global administrator" within the Azure Active Directory. A Global administrator has the highest level of administrative privileges across all Azure AD directories and resources, which includes the authority to manage users, assign roles, and create new user accounts in any directory within the Azure environment. Therefore, User2 is appropriately authorized to create new user accounts in the specified tenant.

MCLC2021 (Option: A)

https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles MICROSOFT ENTRA ROLES. Global Administrator: Manage access to all administrative features in Microsoft Entra ID, as well as services that federate to Microsoft Entra ID. Assign administrator roles to others. Reset the password for any user and all other administrators. User Administrator: Create and manage all aspects of users and groups. Manage support tickets. Monitor service health. Change passwords for users, Helpdesk administrators, and other User Administrators.

gil906 (Option: A)

Answer is Yes, User2, as a Global Administrator in the Azure Active Directory, has the necessary permissions to create new user accounts in any associated directory, including external.contoso.onmicrosoft.com. https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles#microsoft-entra-roles

MatAlves (Option: B)

Based on the answers, it seems like the question has changed. User1 created the Tenant and, therefore, is the sole owner. User2 has no role and, therefore, can't create user accounts.

JananiToo (Option: A)

User Admin in active directory right? He can create users in another tenant also like global admin right?

Amir1909 (Option: B)

No is correct

Amir1909 (Option: B)

No is correct

Amir1909 (Option: A)

Yes is correct

Novia (Option: B)

User2 is only the privileged admin of contoso.onmicrosoft.com instead of the new tenant.