User4 is the Owner of an Azure Subscription. Subscriptions sit inside a tenant, so RBAC permissions assigned on a subscription won’t apply to the parent tenant. See https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/media/az-scop... for this hierarchy.

Also there is no “owner” role in Azure Active Directory ( https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference ), so this permission is irrelevant in this scenario. User4 would need appropriate permissions assigned at the Azure Active Directory level to meet this goal.