Tenant Orchestrator, Active Directory

When you have the authentication configuration with active directory, ¿how should a user be created in a tenant?:

¿When creating a Tenant, the orchestrator must enter an email and a password, it must be the same as the one already created in the active directory or must provide an email already created in the active directory and a new password?