
Azure AZ-104 Drill: Azure AD Guest User Permissions - Cross-Tenant User Creation Rights

Jeff Taakey
21+ Year Enterprise Architect | Multi-Cloud Architect & Strategist.
Jeff's Architecture Insights

While preparing for the AZ-104 Microsoft Azure Administrator exam, many candidates struggle with Azure AD guest user permissions and cross-tenant administration capabilities. In the enterprise world, this decision often hinges on identity governance principles vs. operational convenience. Let’s drill into a simulated multi-tenant scenario.

The Scenario

Fabrikam Ltd. is a multinational manufacturing company that has recently completed an Azure migration. The IT department operates a primary Azure AD tenant named fabrikam.onmicrosoft.com with the following users:

| User  | User Type | Role Assignment                   |
|-------|-----------|-----------------------------------|
| User1 | Member    | Global Administrator              |
| User2 | Guest     | None (default guest permissions)  |
| User3 | Member    | User Administrator                |

As part of a new business unit expansion, User1 has created a separate Azure AD tenant called fabrikamexpansion.onmicrosoft.com to maintain organizational isolation for compliance reasons.

The IT governance team needs to establish user accounts in the fabrikamexpansion.onmicrosoft.com tenant to support the new business unit’s operations.

Key Requirements

Determine whether instructing User2 to create user accounts in the fabrikamexpansion.onmicrosoft.com tenant satisfies the business goal of establishing user accounts in the new tenant.

The Options

  • A) Yes
  • B) No

Correct Answer

B) No


The Architect’s Analysis

Correct Answer

Option B: No – This solution does NOT meet the goal.

Step-by-Step Winning Logic

Guest users in Azure AD operate under restricted default permissions that prevent them from creating users in any tenant, including the one they are invited to, unless an administrative role is explicitly assigned to them in that tenant. Here is why this matters from a Microsoft Well-Architected Framework perspective:

Security Pillar:

  • Guest users are assigned the Guest user access restrictions setting by default, which severely limits directory read permissions
  • They cannot enumerate users, groups, or applications beyond what’s explicitly shared with them
  • Creating users requires the User Administrator role or higher; a guest does not hold such a role in a tenant unless it has been explicitly assigned there, which has not happened in this scenario

Operational Excellence Pillar:

  • Azure AD’s default guest restrictions enforce separation of duties across organizational boundaries
  • This prevents accidental privilege escalation in multi-tenant B2B collaboration scenarios

The Technical Reality: To create users in fabrikamexpansion.onmicrosoft.com, an identity must:

  1. Be a Member user (not Guest) in that tenant, OR
  2. Hold an Azure AD administrative role with user creation permissions (User Administrator, Global Administrator, etc.)

User2, being a Guest in fabrikam.onmicrosoft.com, has no inherent presence or permissions in fabrikamexpansion.onmicrosoft.com. Even if User1 were to invite User2 as a guest to the new tenant, User2 would still lack the permissions to create users.
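One way to verify this against a live target tenant, as an added example that is not part of the original article: the Microsoft Graph PowerShell script below lists every active directory-role holder in the target tenant with their user type, flags any Guest that holds a role (the anti-pattern the Real World section warns about), and reports whether a given identity can create users there. The tenant name is the scenario's; the identity value, the read-only scopes and the list of user-creation roles are assumptions.

```powershell
# Added example (not from the original article): audit who can create users in a
# target tenant and flag guests that hold directory roles. Needs the Microsoft Graph
# PowerShell SDK (Install-Module Microsoft.Graph). Identifiers below are assumptions.
param(
    # Target tenant from the scenario.
    [string]$TenantId = 'fabrikamexpansion.onmicrosoft.com',
    # Object ID or UPN of the identity to evaluate (placeholder value; for a B2B
    # guest prefer the object ID, since guest UPNs contain '#EXT#').
    [string]$Identity = '00000000-0000-0000-0000-000000000000'
)

# Roles that can create users. Assumed minimum set; extend for custom roles.
$UserCreationRoles = @('User Administrator', 'Global Administrator')

# Read-only scopes are enough to enumerate roles, members and user types.
Connect-MgGraph -TenantId $TenantId -Scopes 'RoleManagement.Read.Directory', 'User.Read.All' -NoWelcome

# Get-MgDirectoryRole lists only roles activated in this tenant; each member is a
# directoryObject, so resolve users separately to read UserType (not returned by default).
$findings = foreach ($role in Get-MgDirectoryRole) {
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
        $u = Get-MgUser -UserId $m.Id -Property Id, UserPrincipalName, UserType
        [pscustomobject]@{
            Role              = $role.DisplayName
            UserId            = $u.Id
            UserPrincipalName = $u.UserPrincipalName
            UserType          = $u.UserType
            CanCreateUsers    = $UserCreationRoles -contains $role.DisplayName
        }
    }
}

# 1) Anti-pattern check: any Guest holding a directory role in the target tenant.
$guestAdmins = @($findings | Where-Object { $_.UserType -eq 'Guest' })
if ($guestAdmins.Count -gt 0) {
    Write-Warning "Guest accounts hold directory roles in ${TenantId}:"
    $guestAdmins | Format-Table Role, UserPrincipalName -AutoSize
}

# 2) The drill question against live data: can $Identity create users here?
$target = Get-MgUser -UserId $Identity -Property Id, UserType -ErrorAction SilentlyContinue
if (-not $target) {
    "$Identity has no object in $TenantId -> cannot create users (no presence, no permissions)."
} else {
    $roles = @($findings | Where-Object { $_.UserId -eq $target.Id -and $_.CanCreateUsers } | ForEach-Object Role)
    if ($roles.Count -gt 0) { "$Identity ($($target.UserType)) can create users via: $($roles -join ', ')" }
    else { "$Identity exists as $($target.UserType) but holds no user-creation role -> cannot create users." }
}
```

Only active role assignments are returned; PIM-eligible assignments (the matrix's preferred model) do not appear until activated, so an empty guest list here does not rule out eligible guests.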

The Trap (Distractor Analysis)

Why “Yes” is Incorrect:

  • The Multi-Tenant Misconception: Candidates often confuse cross-tenant visibility with cross-tenant permissions. Being a guest in one tenant provides zero automatic access to a completely separate tenant.
  • The Permission Inheritance Fallacy: Some assume that because User1 (a Global Admin) created fabrikamexpansion.onmicrosoft.com, other users in the original tenant inherit some transitive rights. Azure AD tenants are isolation boundaries—permissions do not cascade across tenant boundaries.
  • The Guest User Role Confusion: While guest users can be assigned roles in the tenant they’re invited to, they must first BE invited and then explicitly granted an administrative role—neither has occurred in this scenario.

The Architect Blueprint

```mermaid
graph TB
  subgraph Fabrikam Primary Tenant
    U1[User1<br/>Member - Global Admin]
    U2[User2<br/>Guest User<br/>Restricted Permissions]
    U3[User3<br/>Member - User Admin]
  end
  subgraph Fabrikam Expansion Tenant
    Tenant2[fabrikamexpansion.onmicrosoft.com]
    NewUsers[New User Accounts<br/>Requirement]
  end
  U1 -->|Created Tenant| Tenant2
  U2 -.->|No Permissions| Tenant2
  U3 -.->|No Presence| Tenant2
  U1 -->|✓ Can Create| NewUsers
  U2 -.->|✗ Cannot Create| NewUsers
  U3 -.->|✗ No Access| NewUsers
  style U1 fill:#0078D4,stroke:#333,color:#fff
  style U2 fill:#D13438,stroke:#333,color:#fff
  style U3 fill:#FFA500,stroke:#333,color:#fff
  style Tenant2 fill:#5C2D91,stroke:#333,color:#fff
  style NewUsers fill:#107C10,stroke:#333,color:#fff
```

Diagram Note: User2’s guest status creates an identity isolation boundary that prevents any administrative actions in the new tenant, even though User1 (who created the tenant) exists in the same source tenant.

The Decision Matrix

| Solution Approach | Implementation Complexity | Role Requirements | Pros | Cons | CAF Alignment |
|---|---|---|---|---|---|
| User2 creates accounts | Low (if it worked) | User Administrator or higher | Simple delegation; minimal setup | Doesn’t work (guest restriction); security violation; no audit trail | ❌ Violates Identity Baseline |
| User1 creates accounts | Low | Global Administrator | Already has permissions; immediate capability; full audit trail | Not scalable; admin bottleneck; violates separation of duties | ⚠️ Works but not ideal |
| User3 invited as Member | Medium | Convert to member or create new account | Proper delegation; sustainable model; role-based access | Requires account provisioning; licensing considerations | ✅ Best practice alignment |
| Azure AD B2B with elevated role | Medium-High | Invite User2, assign User Admin | Maintains guest model; explicit permission grant | Guest with admin = security concern; audit complexity; policy exceptions needed | ⚠️ Technically possible, not recommended |
| Privileged Identity Management | High | PIM-eligible User Admin assignment | Just-in-time access; full governance; audit-ready | Requires P2 licensing; setup overhead; approval workflow needed | ✅ Enterprise-grade solution |

Real-World Practitioner Insight

Exam Rule

“For the AZ-104 exam, always remember: Guest users cannot create users in ANY tenant—even if invited to the target tenant, they need explicit administrative role assignments, which should follow least-privilege principles.”

Key Exam Triggers:

  • If you see “Guest user” + “create users/groups” → The answer is almost always No or requires role assignment
  • If you see “cross-tenant” + “administrative action” → Check for explicit permissions in the TARGET tenant
  • If you see “User Administrator role” → Remember this is tenant-scoped, not cross-tenant

Real World

“In my consulting practice with multinational enterprises, we encounter this exact scenario during M&A activities. Here’s the pattern that actually works:

Phase 1 - Immediate Need (Week 1):

  • The Global Admin from the parent tenant creates initial break-glass accounts in the new tenant
  • We document this as a temporary measure in the CAF governance log

Phase 2 - Sustainable Model (Weeks 2-4):

  • We create dedicated Member accounts for administrators in the new tenant
  • These accounts receive User Administrator or custom roles via Azure AD PIM
  • We establish Conditional Access policies that require MFA and compliant devices

Phase 3 - Automation (Month 2+):

  • For organizations with Azure AD Premium P2, we implement Entitlement Management access packages
  • Business unit managers can request user provisioning through a governed workflow
  • Identity Governance automatically reviews permissions quarterly

The Anti-Pattern I See Most Often: Organizations trying to ‘shortcut’ multi-tenant management by granting excessive B2B guest permissions. This creates:

  • Audit nightmares (guest activities are harder to trace across tenant boundaries)
  • Security gaps (guest user enumeration can leak directory information)
  • Compliance violations (guest access often doesn’t meet separation requirements for SOX/HIPAA)

The CFO Conversation: ‘Why do we need separate admin accounts? Can’t we just use B2B guests?’ The answer: Azure AD P1 costs ~$6/user/month, while a security incident from improper guest permissions can cost $millions in breach response and regulatory fines. The ROI on proper identity architecture is measured in risk avoidance, not just license costs.”

CAF Alignment: Identity Baseline Discipline

This scenario directly tests your understanding of the Identity Baseline discipline in the Microsoft Cloud Adoption Framework:

Design Principle: Tenant Isolation

  • Azure AD tenants are security boundaries
  • Cross-tenant permissions must be explicitly granted
  • Default guest permissions follow Zero Trust principles

Governance Control: Least Privilege Access

  • Administrative rights should be granted only to member identities with business justification
  • Guest accounts should have read-only or application-specific permissions
  • Privileged roles require approval workflows (PIM)

Operational Model: Multi-Tenant Strategy

  • Centralized identity management (single source of truth)
  • Federated administration (delegated tenant management)
  • Hybrid approach (this scenario’s recommended path)
