Microsoft Entra ID · B2C & External Identity

Tenant Creator

Can create new Microsoft Entra and Azure AD B2C tenants even when tenant creation is disabled for regular users.

Scope: Create new tenants regardless of user settings

Permissions

  • Create new Entra ID tenants
  • Create new Azure AD B2C tenants
  • Bypass tenant creation restrictions

Common use cases

  • Setting up new B2C environments
  • Creating development/test tenants
  • Multi-tenant application setup
  • Subsidiary tenant provisioning

Best practices

  • Document all created tenants
  • Apply security baselines immediately
  • Set up proper governance
  • Establish naming conventions

Security considerations

  • Creator becomes Global Admin of new tenant
  • New tenants have default settings
  • Orphaned tenants are a risk
  • Consider billing implications

Common questions

When should I assign the Tenant Creator role?

Assign Tenant Creator when you need to: Setting up new B2C environments; Creating development/test tenants; Multi-tenant application setup; and Subsidiary tenant provisioning. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Tenant Creator role do?

The Tenant Creator role grants permissions including: Create new Entra ID tenants; Create new Azure AD B2C tenants; and Bypass tenant creation restrictions. See the Permissions section above for the full list.

What are the security risks of the Tenant Creator role?

Key considerations when assigning Tenant Creator: Creator becomes Global Admin of new tenant; New tenants have default settings; Orphaned tenants are a risk; and Consider billing implications. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →