AZ-500 Question #38: Real Exam Question with Answer & Explanation

The correct answer is D: From the Users blade, modify the External collaboration settings.

Submitted by kev92 · Mar 6, 2026 · Secure identity and access

Question

You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com. The User administrator role is assigned to a user named Admin1. An external partner has a Microsoft account that uses the [email protected] sign in. Admin1 attempts to invite the external partner to sign in to the Azure AD tenant and receives the following error message: "Unable to invite user [email protected] Generic authorization exception." You need to ensure that Admin1 can invite the external partner to sign in to the Azure AD tenant. What should you do?

Options

  • A. From the Roles and administrators blade, assign the Security administrator role to Admin1.
  • B. From the Organizational relationships blade, add an identity provider.
  • C. From the Custom domain names blade, add a custom domain.
  • D. From the Users blade, modify the External collaboration settings.

Explanation

Modifying the External collaboration settings in the Users blade is correct because these settings control who can invite external guest users to the Azure AD tenant - by default, only specific roles or administrators may be permitted to send invitations, and this restriction is what causes the "Generic authorization exception" error that Admin1 encounters. Adjusting these settings (e.g., allowing members and users with specific roles to invite guests) will grant Admin1 the necessary permission to invite external partners.

Why the distractors are wrong:

  • Option A is incorrect because the Security administrator role relates to managing security policies and alerts, not guest invitation permissions - Admin1 already has the User Administrator role, which should be sufficient once collaboration settings are configured correctly.
  • Option B is incorrect because adding an identity provider is used to enable federation with external identity systems (e.g., Google), not to fix invitation authorization errors for existing Microsoft accounts.
  • Option C is incorrect because adding a custom domain relates to branding and user UPN suffixes, and has no bearing on the ability to invite external guests.

Memory Tip 🧠

Think "External problem → External collaboration settings." Whenever an issue involves inviting or restricting guest users, your first instinct should be the External collaboration settings - it's the master switch for guest invitation behavior in Azure AD.

Topics

#Azure AD B2B #External collaboration settings #Guest users #Role-based access control
