Users, Groups & Licenses
Every Azure journey starts with identity. Learn how to create and manage users, organise them into groups, assign licenses, invite external guests, and set up self-service password reset: the daily bread of an Azure administrator.
Creating and managing users
Creating a user in Entra ID is like issuing a building pass.
On-prem, you'd open Active Directory Users and Computers, right-click an OU, and create a new user. In Entra ID, you do the same thing, just in the Azure portal or with PowerShell/CLI. The user gets a username (like alex@techcorp.com), a temporary password, and can immediately sign in to cloud services.
There are two types of users: member users (your employees) and guest users (external people you invite). Members have broader default directory permissions than guests, who get restricted access by default.
Cloud users vs synced users
| Type | Source | Created How | Password Managed |
|---|---|---|---|
| Cloud-only | Entra ID | Portal, PowerShell, Graph API | In Entra ID |
| Synced | On-prem AD DS | Microsoft Entra Connect | On-prem (writeback optional) |
| Guest | External tenant or email | Invitation (B2B) | At their home organisation |
Real-world: TechCorp's hybrid identity
TechCorp Solutions has 300 employees in on-prem AD. They installed Microsoft Entra Connect to sync all users to Entra ID. Now every employee has a cloud identity that matches their on-prem account. Password hash sync copies hashes from AD to Entra ID (one-way). With SSPR and password writeback enabled (requires P1), users can reset passwords in the cloud and the new password flows back to on-prem AD.
New contractors are created directly in Entra ID as cloud-only users, with no need to create them on-prem first.
Working with groups
Groups in Entra ID organise users for easier management. Instead of assigning permissions to 50 individual users, assign them to one group.
| Feature | Security Groups | Microsoft 365 Groups |
|---|---|---|
| Primary purpose | Assign permissions (RBAC, app access) | Collaboration (shared mailbox, Teams, SharePoint) |
| Can be used for RBAC? | Yes | Yes |
| Creates shared resources? | No | Yes (mailbox, calendar, SharePoint site, Teams channel) |
| Membership types | Assigned, Dynamic (P1) | Assigned, Dynamic (P1) |
| Created by | Admins (or delegated users) | Admins or end users (if allowed) |
Dynamic groups
Dynamic groups automatically add or remove members based on user attributes. For example: "All users where Department equals Marketing."
Dynamic groups require Entra ID P1 or P2.
`user.department -eq "Marketing" -and user.accountEnabled -eq true`
Exam tip: Dynamic groups and licensing
A common exam scenario: βAutomatically assign Microsoft 365 E5 licenses to all users in the Sales department.β The answer is a dynamic group with group-based licensing. You need Entra ID P1 for dynamic groups.
Watch for trick answers that suggest manually assigning licenses or using Azure Policy (Policy manages Azure resources, not Entra licensing).
Managing licenses
License management in Entra ID controls which users get access to which Microsoft services.
Two ways to assign licenses:
- Direct assignment: assign a license to a specific user
- Group-based licensing: assign a license to a group; all members get it automatically
Group-based licensing is the preferred method at scale. Combine it with dynamic groups for fully automated license management.
Important: Users must have a usage location set before you can assign a license. This is because Microsoft services aren't available in all countries, and licensing agreements vary by region.
Real-world: CloudFirst Labs automates licensing
CloudFirst Labs (50 staff) uses dynamic groups and group-based licensing:
- A dynamic group catches all users with `user.jobTitle -contains "Developer"` and assigns Azure DevOps licenses
- Another catches `user.department -eq "Marketing"` and assigns Microsoft 365 E3
- When a new developer joins and HR sets their job title, the license is assigned automatically within minutes
No admin intervention needed. Alex just monitors the license assignment report for errors.
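To show how the dynamic-group rule syntax, group-based licensing and the usage-location requirement from the sections above fit together, here is an added example. It is not code from the original page and not Microsoft's rule engine: a short Python model that parses the membership rule syntax shown under Dynamic groups, evaluates it over a constructed set of user records, then applies group-based licensing and reports the members that cannot be licensed because their usage location is unset. The user records, group names and SKU strings are made up; only the operators used on this page (`-eq`, `-ne`, `-contains`, joined by `-and`) are supported, and string comparison is case-insensitive by assumption.

```python
# Added example (not from the original page): a model of how a dynamic membership
# rule and group-based licensing interact. The evaluator handles only the rule
# syntax used on this page (user.<attr> -eq/-ne/-contains value, joined by -and)
# and is a simplification of Microsoft's rule engine, not a reimplementation.
import re
from dataclasses import dataclass

TOKEN = re.compile(r'"[^"]*"|-\w+|user\.\w+|true|false')

def parse_rule(rule):
    """Turn 'user.a -eq "x" -and user.b -eq true' into [(attr, op, value), ...]."""
    leftover = TOKEN.sub("", rule).strip()  # anything that is not a token is an error
    if leftover:
        raise ValueError(f"unrecognised text in rule: {leftover!r}")
    toks = TOKEN.findall(rule)
    if len(toks) % 4 != 3:
        raise ValueError("rule must be: user.<attr> <op> <value> [-and ...]")
    conds = []
    for i in range(0, len(toks), 4):
        attr, op, val = toks[i:i + 3]
        if i and toks[i - 1] != "-and":
            raise ValueError(f"expected -and, got {toks[i - 1]!r}")
        if not attr.startswith("user.") or op not in ("-eq", "-ne", "-contains"):
            raise ValueError(f"bad condition: {attr} {op} {val}")
        if val in ("true", "false"):
            value = val == "true"
        elif val.startswith('"'):
            value = val[1:-1]
        else:
            raise ValueError(f"bad value {val!r}")
        conds.append((attr[len("user."):], op, value))
    return conds

def _norm(v):
    return v.lower() if isinstance(v, str) else v  # case-insensitive by assumption

def matches(conds, user):
    """All conditions must hold (-and). An unset attribute evaluates as None."""
    for attr, op, value in conds:
        actual, value = _norm(user.get(attr)), _norm(value)
        ok = {"-eq": actual == value,
              "-ne": actual != value,
              "-contains": isinstance(actual, str) and isinstance(value, str)
                           and value in actual}[op]
        if not ok:
            return False
    return True

@dataclass
class Group:
    name: str
    rule: str         # dynamic membership rule (requires Entra ID P1)
    license_sku: str  # license every member receives via group-based licensing

def assign_group_licenses(group, users):
    """Evaluate the rule, then license members. Returns (licensed, errors):
    a member with no usageLocation cannot be licensed and is reported instead."""
    conds = parse_rule(group.rule)
    licensed, errors = [], []
    for u in sorted(users, key=lambda u: u["userPrincipalName"]):
        if not matches(conds, u):
            continue
        if not u.get("usageLocation"):
            errors.append((u["userPrincipalName"], "usageLocation not set"))
            continue
        u.setdefault("assignedLicenses", set()).add(group.license_sku)
        licensed.append(u["userPrincipalName"])
    return licensed, errors

def make_user(upn, department, job_title, enabled=True, usage_location="GB"):
    """Constructed sample user record (not from a real tenant)."""
    return {"userPrincipalName": upn, "department": department, "jobTitle": job_title,
            "accountEnabled": enabled, "usageLocation": usage_location}

# Constructed directory: a developer, a marketer, a marketing developer with no
# usage location set, and a disabled account.
USERS = [
    make_user("dana@cloudfirst.example", "Engineering", "Senior Developer"),
    make_user("priya@cloudfirst.example", "Marketing", "Campaign Manager"),
    make_user("lee@cloudfirst.example", "Marketing", "Developer Advocate", usage_location=None),
    make_user("old@cloudfirst.example", "Marketing", "Designer", enabled=False),
]
GROUPS = [
    Group("Lic-DevOps", 'user.jobTitle -contains "Developer"', "AZURE_DEVOPS_BASIC"),
    Group("Lic-M365-E3", 'user.department -eq "Marketing" -and user.accountEnabled -eq true',
          "M365_E3"),
]

def license_report(users=USERS, groups=GROUPS):
    """The per-group report an admin would monitor for assignment errors."""
    return {g.name: assign_group_licenses(g, users) for g in groups}

if __name__ == "__main__":
    for name, (licensed, errors) in license_report().items():
        print(f"{name}: licensed={licensed} errors={errors}")
```

Running it licenses dana (DevOps) and priya (E3) and reports lee in both groups' error lists: the rules match lee, but without a usage location the license cannot be assigned, which is exactly the error an admin sees in the license assignment report. The disabled account never enters the E3 group because the rule also checks `accountEnabled`.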
External users (guest access)
External users are invited to your tenant via Microsoft Entra B2B collaboration. They sign in with their own credentials (their home organisation's identity or a personal Microsoft/Google account) but appear in your directory as guest users.
Key facts for the exam:
- Guest users have limited directory permissions by default (can't browse other users/groups unless explicitly allowed)
- You can restrict who can invite guests (all members, specific admins only, or nobody)
- Guest invite settings are in: Entra ID > External Identities > External collaboration settings
- Guests can be assigned RBAC roles on Azure resources just like members
Exam tip: Guest user default permissions
By default, guest users in Entra ID cannot enumerate other users and groups in the directory. This is different from member users, who can. If a question asks about restricting guest access to directory data, the answer is usually about the default guest permissions, not about creating a separate tenant.
Self-service password reset (SSPR)
SSPR lets users reset their own passwords without calling the helpdesk. This is a significant exam topic.
SSPR configuration checklist:
- Enable SSPR: for all users, selected groups, or none
- Authentication methods: choose at least one: mobile app notification, mobile app code, email, mobile phone, office phone, security questions
- Number of methods required: 1 or 2
- Registration: require users to register MFA methods at next sign-in
- On-prem writeback: requires Entra ID P1 + Entra Connect (so the cloud password syncs back to AD DS)
| SSPR Setting | What It Controls |
|---|---|
| Enabled for | All users, selected groups, or none |
| Methods required | 1 or 2 authentication methods |
| Methods available | Mobile app, email, phone, security questions |
| Registration | Require registration at next sign-in |
| Password writeback | Sync reset passwords back to on-prem AD (requires P1) |
Real-world: TechCorp's SSPR rollout
TechCorp Solutions used to get 40+ password reset calls per week. Alex configured SSPR with these settings:
- Enabled for all users (phased rollout: pilot group first, then everyone)
- Two methods required: mobile app + phone
- Password writeback enabled (so on-prem passwords update too)
Result: helpdesk password calls dropped 85% in the first month. The only calls remaining were locked-out accounts that needed admin intervention.
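As an added example (not from the original page), the SSPR checklist and settings table above expressed as a small Python model: a policy object carrying the same settings, and a check that explains why a given user can or cannot reset their password, covering the enablement scope, the number of registered methods against the number required, and password writeback for synced users. The policy shape, method names and user records are constructed for illustration; it mirrors the checklist, not Microsoft's implementation.

```python
# Added example (not from the original page): a model of the checks behind the SSPR
# checklist, used to explain why a particular user cannot reset a password.
# Policy shape, method names and user records are constructed for illustration;
# this mirrors the settings table above, not Microsoft's implementation.
from dataclasses import dataclass, field

@dataclass
class SsprPolicy:
    enabled_for: str                          # "all", "selected" or "none"
    selected_groups: set = field(default_factory=set)
    methods_required: int = 1                 # 1 or 2
    methods_available: set = field(default_factory=set)
    password_writeback: bool = False          # needs Entra ID P1 + Entra Connect

@dataclass
class User:
    upn: str
    groups: set = field(default_factory=set)
    registered_methods: set = field(default_factory=set)
    synced_from_on_prem: bool = False

def sspr_check(policy, user):
    """Return (can_reset, reasons); reasons is empty when the reset would succeed."""
    if policy.methods_required not in (1, 2):
        raise ValueError("methods_required must be 1 or 2")
    reasons = []
    if policy.enabled_for == "none":
        reasons.append("SSPR is disabled for the tenant")
    elif policy.enabled_for == "selected" and not (user.groups & policy.selected_groups):
        reasons.append("user is not in an SSPR-enabled group")
    # Only methods that are both registered by the user and allowed by policy count.
    usable = user.registered_methods & policy.methods_available
    if len(usable) < policy.methods_required:
        reasons.append(f"{len(usable)} usable method(s) registered, "
                       f"{policy.methods_required} required")
    # A synced user's cloud reset has to flow back to AD DS, which needs writeback.
    if user.synced_from_on_prem and not policy.password_writeback:
        reasons.append("synced user but password writeback is off, "
                       "so the new password could not flow back to AD DS")
    return not reasons, reasons

# TechCorp's rollout settings from the section above, as a policy object.
TECHCORP = SsprPolicy(enabled_for="all", methods_required=2,
                      methods_available={"mobile app notification", "mobile phone"},
                      password_writeback=True)

def example_cases():
    """Three constructed users: fully registered, one method only, pilot without writeback."""
    both = {"mobile app notification", "mobile phone"}
    complete = User("dana@techcorp.example", registered_methods=both, synced_from_on_prem=True)
    one_only = User("sam@techcorp.example", registered_methods={"mobile phone"},
                    synced_from_on_prem=True)
    pilot_policy = SsprPolicy(enabled_for="selected", selected_groups={"SSPR-Pilot"},
                              methods_required=2, methods_available=both,
                              password_writeback=False)
    pilot = User("kim@techcorp.example", groups={"SSPR-Pilot"}, registered_methods=both,
                 synced_from_on_prem=True)
    return {"complete": sspr_check(TECHCORP, complete),
            "one_method": sspr_check(TECHCORP, one_only),
            "pilot_no_writeback": sspr_check(pilot_policy, pilot)}

if __name__ == "__main__":
    for name, (ok, why) in example_cases().items():
        print(name, "can reset" if ok else "blocked:", why)
```

The returned reasons are the ones worth checking first on a helpdesk ticket: a user who registered fewer methods than the policy requires is blocked even though SSPR is enabled for them, and a synced user is blocked when writeback is off because the reset could not reach on-prem AD DS.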
Knowledge check
Alex needs to ensure that all new Marketing department employees automatically receive a Microsoft 365 E5 license. What should he configure?
TechCorp Solutions has configured SSPR for all users with two authentication methods required. A user reports they can't reset their password. They've only registered their mobile phone. What's the most likely issue?
Meridian Financial wants to invite an external auditor to review Azure resources. The auditor should be able to view resources in the Production subscription but NOT browse other users in the Entra ID directory. What should Alex do?