While preparing for the Azure AZ-104 exam, many candidates stumble on Azure AD tenant governance and delegated user management. In enterprise environments, this challenge often revolves around ensuring correct delegation rights and preserving strong identity governance across multiple Azure AD tenants. Let’s drill into a simulated cross-tenant user management scenario.
The Scenario #
Tailspin Electronics manages a corporate Azure environment with two separate Azure AD tenants. The primary tenant, tailspin.onmicrosoft.com, is their core organizational directory. Recently, Tailspin spun up a distinct secondary Azure AD tenant, partner.tailspin.onmicrosoft.com, intended to onboard partner users and external contractors with strict identity segregation.
- In tailspin.onmicrosoft.com, User1 is a Global Administrator.
- The company needs to create new user accounts directly in the partner.tailspin.onmicrosoft.com tenant.
- The team considers delegating user creation rights to User3 from the primary tenant to manage identities in the partner tenant.
Key Requirements #
Ensure that new user accounts can be created in partner.tailspin.onmicrosoft.com securely by the correct personnel, preserving governance and compliance boundaries.
The Options #
- A) Assign User3 from the primary tenant the permissions to create users in the partner.tailspin.onmicrosoft.com tenant.
- B) Instruct User1 from the primary tenant to create new users in partner.tailspin.onmicrosoft.com.
- C) Enable B2B collaboration inviting external users instead of creating new user accounts.
- D) Use Azure AD Privileged Identity Management (PIM) to delegate user creation rights in the partner tenant.
Correct Answer #
B) Instruct User1 from the primary tenant to create new users in partner.tailspin.onmicrosoft.com.
The Architect’s Analysis #
Correct Answer #
Option B
Step-by-Step Winning Logic #
- Azure AD tenants are security and governance boundaries. Rights from one tenant do not cross over automatically.
- User creation in an Azure AD tenant requires the user to have roles like Global Administrator, User Administrator, or delegated roles within that same tenant.
- User1, who also holds Global Administrator in partner.tailspin.onmicrosoft.com, already has the privileges to create new users there.
- User3 from tailspin.onmicrosoft.com lacks any inherent rights in the secondary tenant unless explicitly invited and assigned roles—which is not described in the scenario.
- Following Microsoft’s Cloud Adoption Framework governance principles, role assignments should strictly respect tenant boundaries to avoid overprovisioning permissions and to reduce the attack surface.
- While Azure AD B2B collaboration (option C) is a valid hybrid identity pattern for guest access, it is not a substitute when actual full user accounts must reside in the target tenant.
- PIM (option D) helps manage privileged roles but does not automatically grant cross-tenant rights without an existing membership.
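The tenant-scoping rule above is easy to state and easy to get wrong at the keyboard: the same credentials signed into the wrong tenant will either fail or, worse, create the account in the home directory. The following PowerShell script is an added example (not code from the original post or from Microsoft) using the Microsoft Graph PowerShell SDK. It signs in explicitly to the partner tenant, confirms the session is actually scoped to that tenant, checks that the signed-in account holds a user-management role in that tenant, and only then creates the user. The tenant names come from the scenario; the contractor account details and the role list are constructed sample values.

```powershell
# Added example (not from the original post): verify you are operating in the
# target tenant and hold a user-management role there *before* creating a user.
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
# Tenant names come from the scenario; the new user's details are constructed.

$TargetTenant = 'partner.tailspin.onmicrosoft.com'
$AllowedRoles = @('Global Administrator', 'User Administrator')  # roles that may create users

# 1. Sign in explicitly to the partner tenant. Omitting -TenantId signs you into
#    your home tenant (tailspin.onmicrosoft.com), where the same credentials
#    carry no rights over the partner directory.
Connect-MgGraph -TenantId $TargetTenant -Scopes 'User.ReadWrite.All', 'Directory.Read.All' -NoWelcome

# 2. Prove the session really is scoped to the partner tenant by checking its
#    verified domains rather than trusting the name that was typed.
$org = Get-MgOrganization
if ($org.VerifiedDomains.Name -notcontains $TargetTenant) {
    throw "Connected to tenant $($org.DisplayName) ($($org.Id)), not $TargetTenant. Aborting."
}

# 3. Resolve the signed-in account and list the directory roles it holds *in this
#    tenant*. Role membership is per tenant: being Global Administrator at home
#    says nothing about what the account holds here.
$ctx   = Get-MgContext
$roles = Get-MgUserMemberOf -UserId $ctx.Account -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
    ForEach-Object { $_.AdditionalProperties['displayName'] }

Write-Host "Signed in as $($ctx.Account) in tenant $($ctx.TenantId)"
Write-Host "Directory roles held here: $(if ($roles) { $roles -join ', ' } else { '<none>' })"

$held = $roles | Where-Object { $AllowedRoles -contains $_ }
if (-not $held) {
    throw "$($ctx.Account) holds no user-management role in $TargetTenant; request a role assignment in this tenant rather than relying on home-tenant rights."
}

# 4. Only now create the account. The values below are constructed for the example.
$securePassword = Read-Host 'Initial password for the new user' -AsSecureString
$plainPassword  = [System.Net.NetworkCredential]::new('', $securePassword).Password

$newUser = New-MgUser -DisplayName 'Contractor One' `
    -UserPrincipalName "contractor1@$TargetTenant" `
    -MailNickname 'contractor1' `
    -AccountEnabled `
    -PasswordProfile @{ Password = $plainPassword; ForceChangePasswordNextSignIn = $true }

Write-Host "Created $($newUser.UserPrincipalName) (objectId $($newUser.Id)) in $TargetTenant"
```

Run it as User1 and step 3 reports the Global Administrator role in the partner tenant and the user is created; run it as User3 (option A) and step 3 throws, because User3 has no role membership in partner.tailspin.onmicrosoft.com regardless of anything granted in the primary tenant. The verified-domain check in step 2 is the safeguard against the most common real-world slip, a session that silently landed in the home tenant.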
The Traps (Distractor Analysis) #
- Option A: Incorrect, because cross-tenant permissions require role assignments within the target tenant. Assigning User3 permissions in the primary tenant does not extend to the external tenant.
- Option C: While B2B collaboration reduces the need to create new user accounts, it does not meet strict scenarios requiring fully managed user accounts within the target tenant.
- Option D: Adds overhead and complexity without first establishing role assignments in the partner tenant; PIM manages the activation of roles that already exist but does not create cross-tenant trust on its own.
The Architect Blueprint #
Diagram Note: User1 has explicit Global Administrator rights in both tenants enabling user creation in the partner tenant. User3 lacks permissions across tenant boundaries, illustrating tenant isolation.
The Decision Matrix #
| Option | Est. Complexity | Est. Monthly Cost | Pros | Cons |
|---|---|---|---|---|
| A | Low | $0 | Intuitive delegation attempt | Fails tenant boundary security, no role inheritance |
| B | Low | $0 | Clear governance, respects tenant boundaries | Requires correct role assignment in partner tenant (User1) |
| C | Medium | $0 | Supports partnerships via B2B collaboration | Does not create fully managed internal accounts |
| D | Medium-High | Low | Enhanced control of privileged roles | Overhead if no initial role assignment; no cross-tenant rights |
Real-World Practitioner Insight #
Exam Rule #
“For the exam, always remember that Azure AD roles are scoped per tenant. To delegate user management, the principal must be an admin within the tenant in question.”
Real World #
“In enterprise hybrid identity architectures, organizations often maintain separate Azure AD tenants for subsidiaries or partners. Proper governance dictates strict role boundaries, reducing blast radius in case of compromise. Delegation often involves service principals or guest accounts granted roles explicitly—not inherited from a primary tenant.”