ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam AZ-104 All Questions

View all questions & answers for the AZ-104 exam
Go to Exam

Exam AZ-104 topic 2 question 58 discussion

Actual exam question from Microsoft's AZ-104
Question #: 58
Topic #: 2
[All AZ-104 Questions]

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the following users in an Azure Active Directory tenant named contoso.onmicrosoft.com:

User1 creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com.
You need to create new user accounts in external.contoso.onmicrosoft.com.
Solution: You instruct User2 to create the user accounts.
Does that meet the goal?

  • A. Yes
  • B. No
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by wksjiajhuioahkenka at Dec. 9, 2020, 4:46 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
aaa112
Highly Voted 4 years, 6 months ago
Correct, but the explanation is not. User1 is global admin of contoso.onmicrosoft.com. As he created the new tenant called external.contoso.onmicrosoft.com, he will be the OWNER. Check the scope not just the role, tho.
upvoted 100 times
mikl
4 years, 4 months ago
Thank you for clarifying
upvoted 2 times
...
r3tr0penguin
4 years, 1 month ago
Then if User2 want to create new user on external.contoso.onmicrosoft.com , he can't right ? because User2 is not the one who create tenant external.contoso.onmicrosoft.com that mean User 2 don't be OWNER
upvoted 31 times
RamanAgarwal
4 years, 1 month ago
Yes because user2 wont have any role or connection with the new tenant unless added by user1 specifically.
upvoted 32 times
AzureG0d
2 years, 8 months ago
be mindful of the power of a global administrator. " Because only another global admin can reset a global admin's password, we recommend that you have at least 2 global admins in your organization in case of account lockout. But the global admin has almost unlimited access to your org's settings and most of the data, so we also recommend that you don't have more than 4 global admins because that's a security threat. " https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide
upvoted 5 times
AzureG0d
2 years, 8 months ago
I stand corrected. Only user1 can see and will have access to those. Administrative independence If a non-administrative user of organization 'Contoso' creates a test organization 'Test,' then: By default, the user who creates a organization is added as an external user in that new organization, and assigned the global administrator role in that organization. The administrators of organization 'Contoso' have no direct administrative privileges to organization 'Test,' unless an administrator of 'Test' specifically grants them these privileges. However, administrators of 'Contoso' can control access to organization 'Test' if they sign in to the user account that created 'Test.' If you add or remove an Azure AD role for a user in one organization, the change does not affect the roles that the user is assigned in any other Azure AD organization. https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/licensing-directory-independence#administrative-independence
upvoted 13 times
...
...
...
...
...
mlantonis
Highly Voted 4 years, 1 month ago
Correct Answer: A - Yes Only User1 has access to the new Tenant, because User1 created the Tenant and became automatically Global Admin.
upvoted 85 times
behradcld
10 months ago
OMG read question carefully, answer is NO
upvoted 3 times
...
Spam101198
2 years, 4 months ago
Question is asking about User 2 not user 1 , hence answer is NO
upvoted 16 times
...
EricMaes
3 years, 9 months ago
Didn't he become owner?
upvoted 3 times
A_GEE
3 years ago
Yes. User1 becomes the owner and the first user in that Tenant
upvoted 4 times
...
...
FlaShhh
1 year, 7 months ago
The Azure God mlantonis is wrong for once, is the world ending?
upvoted 11 times
rodrod
8 months, 1 week ago
I think earth stopped spinning for a few sec till it realizes the wording of the question has changed. We are all safe.
upvoted 1 times
...
...
Load full discussion...
...
cxze
Most Recent 1 month, 4 weeks ago
Selected Answer: B
Global Administrator role in contoso.onmicrosoft.com has no permissions in external.contoso.onmicrosoft.com unless explicitly assigned
upvoted 1 times
...
58b2872
6 months, 1 week ago
Selected Answer: B
Default Behavior When Creating a New Tenant: When User1 creates a new Azure AD tenant (external.contoso.onmicrosoft.com), User1 becomes the only Global Administrator in that new tenant by default. No other users, including User2, will have any roles or permissions in the new tenant unless explicitly added by User1. User2's Role: While User2 is a Global Administrator in the original tenant (contoso.onmicrosoft.com), that role does not carry over to the newly created tenant (external.contoso.onmicrosoft.com). Therefore, User2 cannot create user accounts in the new tenant unless User1 explicitly grants User2 permissions (e.g., by assigning User2 the Global Administrator role in the new tenant)
upvoted 1 times
...
myarali
9 months ago
Selected Answer: B
NO After User1 creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com, User-1 becomes owner and Global Administrator of external.contoso.onmicrosoft.com. BUT User-2 doesn't have any authorization in new tenant. User-2's Global Administrator Role applies to contoso.onmicrosoft.com NOT for external.contoso.onmicrosoft.com. SO User-1 can not instruct User2 to create the user accounts. MAYBE that can be done after User-1 assigns Global Administrator or User Access Administrator Role to User-2.
upvoted 8 times
...
shadad
9 months ago
Selected Answer: B
This was on it and my answer was: B Only User1. not user2 not user3 not user4 .. there are many version of this question and the right answer is User 1. why? because he is the one who created the tenant so he will be granted the Owner.
upvoted 13 times
pravin2917
2 years, 4 months ago
How was your experience bro ?
upvoted 2 times
...
...
Omer87
9 months, 3 weeks ago
Selected Answer: B
The question asks if User 2 can add users to the new tenant. The answer is "NO" as only user1 is the owner of the new tenant and all the other global admins do not have admin access to the new tenant unless User1 grants them the access.
upvoted 1 times
...
mojo86
11 months ago
Answe is No. Tenant Isolation: Azure AD tenants are isolated from each other, meaning that roles and permissions are specific to each tenant. A Global Administrator in one tenant does not have any privileges in another tenant unless they are explicitly granted.
upvoted 1 times
...
ajay01avhad
11 months, 2 weeks ago
User2 cannot create user accounts in the new tenant without being granted the necessary permissions by User1. Therefore, instructing User2 to create the user accounts does not meet the goal. Correct Answer: B. No
upvoted 1 times
...
ajay01avhad
11 months, 2 weeks ago
User Roles and Permissions: User1: Global Administrator in both the old and the new tenant. User2: Global Administrator in the original tenant (contoso.onmicrosoft.com), but not automatically in the new tenant (external.contoso.onmicrosoft.com). User3: User Administrator in the original tenant, but no role in the new tenant. User4: Owner in the original Azure Subscription, but no role in the new tenant. Given these roles, only User1 has the necessary permissions by default to create new user accounts in the new tenant (external.contoso.onmicrosoft.com). User2 would need to be assigned appropriate roles in the new tenant by User1 before they can create user accounts. Conclusion: Correct Answer: No. Instructing User2 to create user accounts in the new tenant will not meet the goal because User2 does not have the necessary permissions in the new tenant until granted by User1.
upvoted 2 times
...
OpOmOp
12 months ago
When you create a new Microsoft Entra tenant, you become the first user of that tenant. As the first user, you're automatically assigned the Global Administrator role. Review your user account by navigating to the Users page.
upvoted 1 times
OpOmOp
12 months ago
Microsoft Entra ID (formerly Azure Active Directory)
upvoted 1 times
...
...
LearnerFL
1 year ago
Selected Answer: B
In Azure, when a new tenant is created, only the user who creates the tenant (in this case, User1) is automatically assigned the Global Administrator role for that tenant. This means that initially, only user1 would have access to the new tenant, external.contoso.onmicrosoft.com.
upvoted 2 times
...
hercule
1 year ago
yes and no, according to the least privilege you need a User Administrator hence (B)
upvoted 1 times
...
aflavien
1 year ago
Instructing User2 to create user accounts will meet the goal if User2 is granted the necessary permissions in the new tenant (external.contoso.onmicrosoft.com). However, since the problem statement does not mention assigning any roles to User2 in the new tenant, the solution as it stands does not fully meet the goal without additional steps. Answer: No, it does not meet the goal, as User2 needs to be assigned an appropriate role in the new tenant first.
upvoted 4 times
...
3c5adce
1 year, 1 month ago
ChatGPT4 says YES: Instructing User2 to create the user accounts in the new Azure Active Directory tenant named external.contoso.onmicrosoft.com does meet the goal. This is because User2 holds the role of "Global administrator" within the Azure Active Directory. A Global administrator has the highest level of administrative privileges across all Azure AD directories and resources, which includes the authority to manage users, assign roles, and create new user accounts in any directory within the Azure environment. Therefore, User2 is appropriately authorized to create new user accounts in the specified tenant.
upvoted 1 times
...
MCLC2021
1 year, 2 months ago
Selected Answer: A
https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles MICROSOFT ENTRA ROLES Global Administrator:Manage access to all administrative features in Microsoft Entra ID, as well as services that federate to Microsoft Entra ID Assign administrator roles to others, Reset the password for any user and all other administrators. User Administrator: Create and manage all aspects of users and groups, Manage support tickets, Monitor service health Change passwords for users, Helpdesk administrators, and other User Administrators.
upvoted 1 times
behradcld
10 months ago
Read the question carefully for God sake
upvoted 1 times
...
...
tashakori
1 year, 3 months ago
No is right
upvoted 2 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel