Note: This article is reproduced from serverfault.com.

Who can create?

Posted on 2020-11-29 03:32:15

I have a question on Azure Active Directory and am trying to understand RBAC. I have an Azure subscription and a default directory created in it. I have created a user in the default directory, say user1@xyz.onmicrosoft.com, and assigned a reader permission on ONE of the STORAGE ACCOUNTS. Ideally, the user should be able to read the storage account and its properties.

Now, when I log in with user1@xyz.onmicrosoft.com and try to create a new TENANT in Azure (for testing the access of the user), Azure is letting me create a NEW TENANT. It's confusing for me. I have restricted the access to only the STORAGE ACCOUNT in the default directory. Why is this behaviour?

Questioner: Prashant1987
Hong Ooi 2020-11-29 11:36:57

Anybody can create a new tenant. If Microsoft didn't allow this, they would have difficulty getting new customers!

However, note that the new tenant is not related in any way to your existing tenant. So your user1@xyz account can do whatever they like with the tenant they created, but it won't affect what they can do in your tenant.
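
A check a tenant administrator can run to confirm the point in the answer above, that user1's rights in the existing tenant stay limited to the one storage account (an added example, not part of the original post). It assumes role assignments exported with `az role assignment list --all --assignee <user> -o json`; the sample data, subscription ID and resource names are constructed placeholders, and `scope_level` and `audit` are hypothetical helper names.

```python
import json

# Constructed sample in the shape of `az role assignment list ... -o json` output.
# Subscription ID, resource group and storage account names are placeholders.
STORAGE = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
           "/providers/Microsoft.Storage/storageAccounts/stdemo")
SAMPLE = json.loads(json.dumps([
    {"principalName": "user1@xyz.onmicrosoft.com",
     "roleDefinitionName": "Reader",
     "scope": STORAGE},
]))

def scope_level(scope):
    """Classify an ARM scope string by how much of the hierarchy it covers."""
    parts = [p for p in scope.strip("/").split("/") if p]
    lowered = [p.lower() for p in parts]
    if not parts:
        return "root"
    if lowered[:2] == ["providers", "microsoft.management"]:
        return "management-group"
    if lowered[0] == "subscriptions" and len(parts) == 2:
        return "subscription"
    if "providers" in lowered:
        return "resource"
    if len(parts) == 4 and lowered[2] == "resourcegroups":
        return "resource-group"
    return "unknown"

def audit(assignments, user, expected_scope):
    """Return the user's assignments that reach beyond expected_scope."""
    expected = expected_scope.rstrip("/").lower()
    findings = []
    for a in assignments:
        if a.get("principalName", "").lower() != user.lower():
            continue
        scope = a["scope"].rstrip("/").lower()
        # In bounds only if the assignment sits at or below the expected resource.
        if scope == expected or scope.startswith(expected + "/"):
            continue
        findings.append((a["roleDefinitionName"], scope_level(a["scope"]), a["scope"]))
    return findings

if __name__ == "__main__":
    for role, level, scope in audit(SAMPLE, "user1@xyz.onmicrosoft.com", STORAGE):
        print(f"out of bounds: {role} at {level} scope {scope}")
```

An empty result means the Reader assignment is the user's only Azure RBAC grant in this tenant. Azure RBAC assignments cover resources under the subscription, not directory-level actions such as creating a separate tenant.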