Microsoft Entra ID · B2C & External Identity
Tenant Creator
Can create new Microsoft Entra and Azure AD B2C tenants even when tenant creation is disabled for regular users.
Scope: Create new tenants regardless of user settings
Permissions
- Create new Entra ID tenants
- Create new Azure AD B2C tenants
- Bypass tenant creation restrictions
Common use cases
- Setting up new B2C environments
- Creating development/test tenants
- Multi-tenant application setup
- Subsidiary tenant provisioning
Best practices
- Document all created tenants
- Apply security baselines immediately
- Set up proper governance
- Establish naming conventions
Security considerations
- Creator becomes Global Admin of new tenant
- New tenants have default settings
- Orphaned tenants are a risk
- Consider billing implications
Common questions
When should I assign the Tenant Creator role?
Assign Tenant Creator when you need to: Setting up new B2C environments; Creating development/test tenants; Multi-tenant application setup; and Subsidiary tenant provisioning. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Tenant Creator role do?
The Tenant Creator role grants permissions including: Create new Entra ID tenants; Create new Azure AD B2C tenants; and Bypass tenant creation restrictions. See the Permissions section above for the full list.
What are the security risks of the Tenant Creator role?
Key considerations when assigning Tenant Creator: Creator becomes Global Admin of new tenant; New tenants have default settings; Orphaned tenants are a risk; and Consider billing implications. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.