Exam AZ-104 topic 2 question 58 discussion

Actual exam question from Microsoft's AZ-104
Question #: 58
Topic #: 2

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the following users in an Azure Active Directory tenant named contoso.onmicrosoft.com:

User1 creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com.
You need to create new user accounts in external.contoso.onmicrosoft.com.
Solution: You instruct User2 to create the user accounts.
Does that meet the goal?

  • A. Yes
  • B. No
Suggested Answer: A
Only a global administrator can add users to this tenant.
Reference:
https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/add-users-to-azure-ad

Comments

aaa112
Highly Voted 2 years, 11 months ago
Correct, but the explanation is not. User1 is global admin of contoso.onmicrosoft.com. As he created the new tenant called external.contoso.onmicrosoft.com, he will be the OWNER. Check the scope not just the role, tho.
upvoted 81 times
r3tr0penguin
2 years, 6 months ago
Then if User2 wants to create a new user on external.contoso.onmicrosoft.com, he can't, right? Because User2 is not the one who created the tenant external.contoso.onmicrosoft.com, which means User2 is not the OWNER.
upvoted 23 times
RamanAgarwal
2 years, 6 months ago
Yes, because User2 won't have any role or connection with the new tenant unless added by User1 specifically.
upvoted 23 times
AzureG0d
1 year, 1 month ago
Be mindful of the power of a global administrator: "Because only another global admin can reset a global admin's password, we recommend that you have at least 2 global admins in your organization in case of account lockout. But the global admin has almost unlimited access to your org's settings and most of the data, so we also recommend that you don't have more than 4 global admins because that's a security threat." https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide
upvoted 4 times
AzureG0d
1 year, 1 month ago
I stand corrected. Only User1 can see and will have access to those. Administrative independence: If a non-administrative user of organization 'Contoso' creates a test organization 'Test,' then: By default, the user who creates an organization is added as an external user in that new organization, and assigned the global administrator role in that organization. The administrators of organization 'Contoso' have no direct administrative privileges to organization 'Test,' unless an administrator of 'Test' specifically grants them these privileges. However, administrators of 'Contoso' can control access to organization 'Test' if they sign in to the user account that created 'Test.' If you add or remove an Azure AD role for a user in one organization, the change does not affect the roles that the user is assigned in any other Azure AD organization. https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/licensing-directory-independence#administrative-independence
upvoted 12 times
mikl
2 years, 9 months ago
Thank you for clarifying
upvoted 2 times
mlantonis
Highly Voted 2 years, 6 months ago
Correct Answer: A - Yes. Only User1 has access to the new tenant, because User1 created the tenant and automatically became Global Admin.
upvoted 76 times
FlaShhh
2 days, 16 hours ago
The Azure God mlantonis is wrong for once, is the world ending?
upvoted 1 times
Traian
1 year, 2 months ago
If only User1 has access to the new tenant, why is your answer yes? The question asks, can User2 create...
upvoted 10 times
VincentMarchal
1 year ago
I think that the question has changed, since all the old comments are saying that User1 is owner. But the question today (Nov 2022) is: User2 is owner.
upvoted 17 times
techtest848
1 year, 2 months ago
Exactly! User 1 can but User 2 has nothing to do with the new directory so he/she will not be able to create users in the new tenant. Answer should be B in my opinion.
upvoted 6 times
CommanderBigMac
10 months ago
Putting this here, hope it helps someone. Question was reworded at some point, changing the answer to B: No. https://learn.microsoft.com/en-us/answers/questions/1163804/need-clear-understanding-on-the-permissions-global
upvoted 40 times
Zomato
5 months ago
Yeah. Clears everything.
upvoted 2 times
Spam101198
9 months, 1 week ago
The question is asking about User2, not User1, hence the answer is NO.
upvoted 8 times
Bipinlam
Most Recent 1 month ago
Answer is NO
upvoted 1 times
matrossoft
2 months, 1 week ago
The correct answer is B. It's been checked on my own account, and also take a look: https://techcommunity.microsoft.com/t5/azure-governance-and-management/can-global-administrator-of-a-azure-ad-tenant-access-other/m-p/3758143
upvoted 2 times
Nicknamefordiscussions69
2 months, 3 weeks ago
Selected Answer: B
Answer is no
upvoted 1 times
helenhwy
3 months ago
If your user account has the User Administrator or Global Administrator role, you can create a new user in Azure AD by using the Azure portal, the Azure CLI, or PowerShell. In PowerShell, run the cmdlet New-AzureADUser. In the Azure CLI, use az ad user create. https://learn.microsoft.com/en-us/training/modules/create-users-and-groups-in-azure-active-directory/2-user-accounts-azure-ad so YES
upvoted 2 times
o0o0
3 months, 2 weeks ago
Just tested it in my lab, and User2 won't even be able to view the tenant created by User1.
upvoted 3 times
DimsumDestroyer
3 months, 3 weeks ago
Selected Answer: B
No is the answer
upvoted 4 times
Codelawdepp
3 months, 3 weeks ago
Selected Answer: B
The answer is B: No. User2 was only instructed by User1 to create users in the newly created Active Directory. However, User1 did not grant the necessary permission for this. I tested this in my lab. I created User1 and User2 in the default directory. I assigned both of them the "Global Administrator" role with the scope of Azure Active Directory. Then I used User1 to create a new Azure Active Directory named "LABUserOne" in the Azure portal under "Create a tenant." Next, I logged in with a different browser and User2 to portal.azure.com and navigated to Overview -> Manage tenants (gear icon). Here, I was only shown the default directory. Despite multiple refreshes and waiting, I couldn't see the newly created "LABUserOne" AD with User2. Thus, User2 cannot switch to the new AD (in my case, "LABUserOne") and create users. The owner (User1) would need to grant User2 the permission to access "LABUserOne."
upvoted 5 times
raj24051961
5 months, 1 week ago
Selected Answer: B
https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles
Global Administrator:
  • Manage access to all administrative features in Azure Active Directory, as well as services that federate to Azure Active Directory
  • Assign administrator roles to others
  • Reset the password for any user and all other administrators
User Administrator:
  • Create and manage all aspects of users and groups
  • Manage support tickets
  • Monitor service health
  • Change passwords for users, Helpdesk administrators, and other User Administrators
upvoted 2 times
rishisoft1
5 months, 3 weeks ago
Add new users or delete existing users from your Azure Active Directory (Azure AD) tenant. To add or delete users, you must be a User Administrator or Global Administrator.
upvoted 1 times
XtraWest
5 months, 3 weeks ago
B. No, a Global Administrator from one Azure AD tenant cannot create new users in another Azure AD tenant, even if they have Global Administrator privileges. Each Azure AD tenant is an isolated directory with its own set of users, resources, and administrative controls.
upvoted 8 times
wolf13
6 months, 2 weeks ago
Answer: B - It is another tenant. User2 is a Global administrator on the original tenant, not on the newly created tenant.
upvoted 3 times
RandomNickname
6 months, 3 weeks ago
Selected Answer: B
Agree, should be B, No.
upvoted 1 times
AnonFox
7 months, 1 week ago
Selected Answer: B
Question was changed at some point. Answer is B. User 1 created the new tenant. User 2 has no power over it.
upvoted 6 times
worldkalabe
7 months, 3 weeks ago
Answer is NO, here's why: By default, global administrators of the Contoso tenant do not have any permissions or access to the external.contoso.onmicrosoft.com tenant, as they are separate Azure AD tenants. Global administrators only have permissions to manage objects within the Contoso tenant. To manage objects in the external.contoso.onmicrosoft.com tenant, you need to be granted appropriate permissions within that tenant. This can be done by assigning roles with the necessary permissions in the external.contoso.onmicrosoft.com tenant using Azure RBAC. Only users who have been granted the necessary permissions in the external.contoso.onmicrosoft.com tenant can create and manage objects, such as user accounts, within that tenant.
upvoted 5 times
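
The comments above turn on the point that directory roles are held per tenant, not per account. The following is an added example, not code from the question or from any commenter: a PowerShell check that signs in against the target tenant and lists who holds a role there that can create users. It assumes the AzureAD module (the one that provides New-AzureADUser) is installed and that Connect-AzureAD accepts the tenant's domain name for -TenantId; the tenant name is the one from the question.

```powershell
# Added example (not from the thread). Assumes the AzureAD PowerShell module.
# Tenant name taken from the question; replace it with the tenant being audited.
$TargetTenant = 'external.contoso.onmicrosoft.com'

# Built-in role template IDs are the same in every tenant, so matching on them
# is more reliable than matching on display names.
$UserCreatingRoles = @{
    '62e90394-69f5-4237-9190-012177145e10' = 'Global Administrator'
    'fe930be7-5e62-47db-91af-98c3a49a38b1' = 'User Administrator'
}

try {
    # Authenticate against the target tenant, not the account's home tenant.
    # Per the lab tests reported in the thread, an account that was never added
    # to this tenant cannot get in, whatever role it holds at home.
    $session = Connect-AzureAD -TenantId $TargetTenant -ErrorAction Stop
}
catch {
    Write-Warning "Sign-in to $TargetTenant failed: $($_.Exception.Message)"
    return
}

Write-Host "Signed in as $($session.Account) in tenant $($session.TenantDomain)"

# Get-AzureADDirectoryRole returns the roles activated in THIS tenant only.
# Membership found here says nothing about any other tenant.
$holders = foreach ($role in Get-AzureADDirectoryRole) {
    if (-not $UserCreatingRoles.ContainsKey($role.RoleTemplateId)) { continue }

    foreach ($member in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
        [pscustomobject]@{
            Role        = $UserCreatingRoles[$role.RoleTemplateId]
            DisplayName = $member.DisplayName
            UserType    = $member.UserType
            UPN         = $member.UserPrincipalName
        }
    }
}

# Anyone not listed cannot create users in $TargetTenant.
$holders | Sort-Object Role, DisplayName | Format-Table -AutoSize
```

Running the same script with $TargetTenant set to contoso.onmicrosoft.com and comparing the two tables makes the per-tenant scope of each role assignment visible.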