While preparing for the AZ-104 Microsoft Azure Administrator exam, many candidates struggle with Azure AD tenant boundaries and delegated administration: which identities exist in which tenant, and who holds directory roles there. In the enterprise world this decision often hinges on keeping a hard governance boundary between multiple Azure AD tenants while still allowing user creation to be delegated inside each one. Let’s drill into a simulated tenant administration scenario.
The Scenario #
Tailspin Toys is a multinational company that manages multiple Azure Active Directory (Azure AD, now Microsoft Entra ID) tenants to serve different global subsidiaries and partner firms. The primary tenant, tailspin.onmicrosoft.com, contains all corporate user identities for Tailspin Toys employees. Recently, a new subsidiary launched an isolated Azure AD tenant named external.tailspin.onmicrosoft.com to manage identities unique to that business unit.
The corporate IT admin User1 from tailspin.onmicrosoft.com created this new tenant and now wants to delegate user management for external.tailspin.onmicrosoft.com to selected personnel. The goal is to make sure that only the correct users can create and manage user accounts in the new, separate Azure AD tenant, in line with Tailspin’s enterprise governance and security policies.
Key Requirements #
To meet governance and operational policies, Tailspin Toys needs to identify which user(s) currently have permission to create new user accounts in the external.tailspin.onmicrosoft.com tenant, and to delegate that permission from there. This delegation must respect the tenant boundary: a role held in tailspin.onmicrosoft.com grants nothing in external.tailspin.onmicrosoft.com.
The Options #
- A) Delegate User4 from tailspin.onmicrosoft.com with user creation rights in external.tailspin.onmicrosoft.com
- B) Delegate User1 from tailspin.onmicrosoft.com with user creation rights in external.tailspin.onmicrosoft.com
- C) Delegate User2 from tailspin.onmicrosoft.com with user creation rights in external.tailspin.onmicrosoft.com
- D) Delegate User3 from tailspin.onmicrosoft.com with user creation rights in external.tailspin.onmicrosoft.com
Correct Answer #
B) Delegate User1 from tailspin.onmicrosoft.com with user creation rights in external.tailspin.onmicrosoft.com
The Architect’s Analysis #
Correct Answer #
Option B
Step-by-Step Winning Logic #
The fact the question tests is simple: the user who creates a new Azure AD tenant is automatically assigned the Global Administrator role in that tenant. User1 created external.tailspin.onmicrosoft.com, so User1 is its first (and, until someone else is added, its only) administrator. User2, User3 and User4 have neither an account nor a role in the new tenant. This matches the identity and access management guidance in Microsoft’s Cloud Adoption Framework (CAF) governance disciplines:
- Security Boundary Management: Each Azure AD tenant is an isolated security boundary. Users in one tenant have no implicit rights, administrative or otherwise, in another tenant.
- Delegated Administration: Only identities that exist in a tenant (created there, or invited as B2B guests) and hold an appropriate directory role (Global Administrator or, with least privilege, User Administrator) can create users in that tenant. User1 gets this role automatically as tenant creator; anyone else must be added explicitly.
- Operational Excellence: Clear separation of duties and tenancy boundaries keeps the admin population of each tenant small, auditable and easy to reason about.
- Multi-Tenant Context: For enterprises managing several tenants or hybrid identities, explicit per-tenant delegation avoids accidental privilege spill-over across tenants.
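The following Microsoft Graph PowerShell script is an added example, not part of the original page, showing how User1 would verify and then perform the delegation described above. It assumes the Microsoft Graph PowerShell SDK is installed, that it is run as User1 (the tenant creator), and that the UPNs and display names are placeholders chosen for illustration.

```powershell
# Added example (not from the original page). Run as User1, who created the
# tenant and is therefore its Global Administrator. Requires the Microsoft Graph
# PowerShell SDK: Install-Module Microsoft.Graph. All names below are assumed.

$NewTenant      = "external.tailspin.onmicrosoft.com"
$HomeTenantUser = "user2@tailspin.onmicrosoft.com"   # exists only in the corporate tenant

# 1. Sign in to the NEW tenant explicitly. -TenantId matters: without it the
#    session lands in User1's home tenant and every check below is meaningless.
Connect-MgGraph -TenantId $NewTenant `
    -Scopes "User.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "User.Invite.All"

# 2. Check the boundary: a corporate-tenant identity has no object in the new
#    tenant, so it cannot hold a role there. Options A, C and D fail right here.
$existing = Get-MgUser -Filter "userPrincipalName eq '$HomeTenantUser'"
if (-not $existing) {
    Write-Host "$HomeTenantUser has no account in $NewTenant and cannot create users here."
}

# 3. Check that the signed-in user (User1) really holds Global Administrator in
#    this tenant. Compare role definition IDs rather than trusting display names.
$me            = Get-MgUser -UserId (Get-MgContext).Account
$gaRole        = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"
$myAssignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($me.Id)'"
if ($myAssignments.RoleDefinitionId -contains $gaRole.Id) {
    Write-Host "$($me.UserPrincipalName) is Global Administrator of $NewTenant (tenant creator)."
} else {
    throw "Signed-in user is not Global Administrator in $NewTenant; stop here."
}

# 4. Delegate with least privilege: invite User2 from the corporate tenant as a
#    B2B guest, then grant User Administrator (enough to create and manage
#    non-admin users) instead of Global Administrator.
$invite = New-MgInvitation -InvitedUserEmailAddress $HomeTenantUser `
    -InviteRedirectUrl "https://myapps.microsoft.com" -SendInvitationMessage
$uaRole = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $invite.InvitedUser.Id `
    -RoleDefinitionId $uaRole.Id -DirectoryScopeId "/"

# 5. What the delegate can now do in this tenant: create a cloud-only account.
#    The initial password is a throwaway; ForceChangePasswordNextSignIn makes
#    the user rotate it at first sign-in.
$initialPassword = -join ((48..57 + 65..90 + 97..122) | Get-Random -Count 20 | ForEach-Object { [char]$_ })
New-MgUser -DisplayName "Sub Unit Analyst" `
    -UserPrincipalName "analyst1@$NewTenant" `
    -MailNickname "analyst1" `
    -AccountEnabled `
    -PasswordProfile @{ Password = $initialPassword; ForceChangePasswordNextSignIn = $true }

Disconnect-MgGraph
```

Step 2 is the check that settles the exam question: an identity from tailspin.onmicrosoft.com simply is not present in the new tenant. Step 4 is the real-world follow-up the scenario asks for; granting User Administrator rather than Global Administrator is the least-privilege choice, and the invitation is what turns an outside identity into something the new tenant can actually assign a role to.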
The Trap (Distractor Analysis) #
- Why not Option A (User4)? User4 exists only in the original tenant. There is no User4 object in external.tailspin.onmicrosoft.com, so there is nothing to attach a role to; User4 cannot create users there until User1 invites or creates an account for User4 and assigns it a role.
- Why not Options C or D? Same reasoning as A: User2 and User3 have no identity and no role in the new tenant. The only person who can grant them one is User1, the tenant’s automatic Global Administrator.
The Architect Blueprint #
Diagram depicting tenant boundary and delegated user creation flow:
Diagram Note: User1, as tenant creator, is automatically the Global Administrator of the new tenant and can therefore create user accounts there. Other users from the original tenant have no account and no rights in the new tenant by default.
The Decision Matrix (Mandatory for Associate Level) #
| Option | Est. Complexity | Est. Monthly Cost | Pros | Cons |
|---|---|---|---|---|
| A | Low | $0 | Simple delegation concept | Fails: User4 has no account or admin role in the new tenant |
| B | Low | $0 | Correct: tenant creator is Global Administrator; meets governance | Any further delegation must be added explicitly (invite or create the user, then assign a role) |
| C | Low | $0 | None in the current state | Fails: User2 has no account or role in the new tenant |
| D | Low | $0 | None in the current state | Fails: User3 has no account or role in the new tenant |
Note: Directory role assignments in Azure AD do not incur direct costs, but an over-broad assignment (for example, handing out Global Administrator where User Administrator would do) widens the blast radius of any compromised account.
Real-World Practitioner Insight #
Exam Rule #
For the exam, always pick the user who already holds an administrative role in the Azure AD tenant in question, and remember that the user who creates a tenant is automatically its first Global Administrator. Roles in another tenant never carry over.
Real World #
In enterprise deployments involving several Azure AD tenants, identity administration needs explicit governance controls. Typically the tenant creator bootstraps a small set of designated administrators in each tenant (ideally with User Administrator rather than Global Administrator where that suffices), protected by break-glass accounts and Privileged Identity Management, to avoid privilege sprawl and to stay compliant with organizational policy and data residency requirements.