🔒 Guided

Pre-launch preview. Authorised access only.

Incorrect code

Guided by A Guide to Cloud
Explore AB-900 AI-901
Guided SC-300 Domain 1
Domain 1 — Module 3 of 8 38%
3 of 27 overall

SC-300 Study Guide

Domain 1: Implement and Manage User Identities

  • Your Entra Tenant: Branding, Settings & Domains
  • Entra Roles & Administrative Units
  • Managing Users & Groups
  • Device Registration & Licensing
  • External Identities: Guest Access & B2B
  • Cross-Tenant Access & Synchronisation
  • Hybrid Identity: Connect Sync vs Cloud Sync
  • Hybrid Authentication: PHS, PTA & Seamless SSO

Domain 2: Implement Authentication and Access Management

  • Authentication Methods: Plan & Implement
  • Passwordless & Windows Hello for Business
  • MFA, SSPR & Password Protection
  • Conditional Access: Plan & Build Policies
  • Conditional Access: Advanced Controls & Troubleshooting
  • Entra ID Protection: Risk-Based Security
  • Global Secure Access: Zero Trust Networking

Domain 3: Plan and Implement Workload Identities

  • Workload Identities: Managed Identities & Service Principals
  • Enterprise Apps: SSO, App Proxy & Integration
  • Enterprise Apps: Users, Consent & Collections
  • App Registrations: Build & Secure
  • Defender for Cloud Apps: Discover & Control
  • Defender for Cloud Apps: Policies & OAuth Governance

Domain 4: Plan and Automate Identity Governance

  • Entitlement Management: Catalogs & Access Packages Free
  • Access Requests, Terms of Use & External Lifecycle Free
  • Access Reviews: Plan, Create & Monitor Free
  • PIM: Protect Your Privileged Roles Free
  • PIM: Azure Resources, Groups & Audit Free
  • Identity Monitoring: Logs, KQL & Secure Score Free

SC-300 Study Guide

Domain 1: Implement and Manage User Identities

  • Your Entra Tenant: Branding, Settings & Domains
  • Entra Roles & Administrative Units
  • Managing Users & Groups
  • Device Registration & Licensing
  • External Identities: Guest Access & B2B
  • Cross-Tenant Access & Synchronisation
  • Hybrid Identity: Connect Sync vs Cloud Sync
  • Hybrid Authentication: PHS, PTA & Seamless SSO

Domain 2: Implement Authentication and Access Management

  • Authentication Methods: Plan & Implement
  • Passwordless & Windows Hello for Business
  • MFA, SSPR & Password Protection
  • Conditional Access: Plan & Build Policies
  • Conditional Access: Advanced Controls & Troubleshooting
  • Entra ID Protection: Risk-Based Security
  • Global Secure Access: Zero Trust Networking

Domain 3: Plan and Implement Workload Identities

  • Workload Identities: Managed Identities & Service Principals
  • Enterprise Apps: SSO, App Proxy & Integration
  • Enterprise Apps: Users, Consent & Collections
  • App Registrations: Build & Secure
  • Defender for Cloud Apps: Discover & Control
  • Defender for Cloud Apps: Policies & OAuth Governance

Domain 4: Plan and Automate Identity Governance

  • Entitlement Management: Catalogs & Access Packages Free
  • Access Requests, Terms of Use & External Lifecycle Free
  • Access Reviews: Plan, Create & Monitor Free
  • PIM: Protect Your Privileged Roles Free
  • PIM: Azure Resources, Groups & Audit Free
  • Identity Monitoring: Logs, KQL & Secure Score Free
Domain 1: Implement and Manage User Identities Premium ⏱ ~14 min read

Managing Users & Groups

Create users and groups, manage custom security attributes, and automate bulk operations with PowerShell — the daily bread of identity administration.

Users and groups — the building blocks

☕ Simple explanation

Users are people. Groups are teams. Together they’re how you organise who gets what.

Imagine a school. Every student (user) has a name, a class, and a locker. Instead of assigning textbooks to each student individually, the teacher gives them to a class (group) — everyone in Class 3B gets the science textbook automatically.

Entra ID works the same way. Create users, put them in groups, then assign licences, apps, and policies to the groups. When someone joins or leaves, just update the group — everything else follows.

User objects in Microsoft Entra ID represent people or service accounts. Each user has properties (UPN, display name, job title, department), authentication methods, and licence assignments. Users can be cloud-only (created in Entra) or synced (from on-premises AD via Entra Connect).

Group objects are containers for users, devices, or other groups. They simplify access management — assign a licence to a group, and every member gets it automatically. Entra supports security groups (for access control) and Microsoft 365 groups (which also create a shared mailbox, SharePoint site, and Teams team).

User management essentials

Creating users

Two paths to create a user:

  1. Entra admin center → Users → New user → fill in properties
  2. PowerShell → New-MgUser command (for automation)

Key user properties:

PropertyRequired?Example
User principal name (UPN)Yesjake@coastlinecreative.co.nz
Display nameYesJake Torres
PasswordYes (initial)Auto-generated or manually set
Job titleNoIT Administrator
DepartmentNoTechnology
Usage locationYes (for licensing)NZ, US, AU
Account enabledYesTrue / False
💡 Exam tip: usage location is mandatory for licensing

You cannot assign a licence to a user without a usage location set. This catches many admins off-guard — they create users, try to assign M365 licences, and get an error.

Why? Microsoft needs to know the user’s country for legal and service availability reasons (some features aren’t available in all regions).

User types

TypeSourceManaged WhereExample
Cloud userCreated in Entra IDEntra admin centerNew hire at cloud-only org
Synced userCreated in on-prem ADOn-prem AD (changes sync up)Employee at hybrid org
Guest userInvited via B2BExternal (home tenant)Contractor from another company

Group types — security vs M365

FeatureSecurity GroupMicrosoft 365 Group
Primary purposeControl access to resourcesCollaboration (mailbox, SharePoint, Teams)
MembersUsers, devices, service principals, other groupsUsers only
Shared mailbox
SharePoint site
Teams teamCan be Teams-enabled
Can assign licences
Can scope CA policies
Dynamic membership
Nesting (groups in groups)

Membership types

TypeHow Members Are AddedBest For
AssignedManually add/remove membersSmall, stable groups
Dynamic userAutomatic based on user attribute rulesDepartment-based groups (e.g., all Finance users)
Dynamic deviceAutomatic based on device attributesDevice management groups (e.g., all Windows 11 devices)

Dynamic membership rule example: user.department -eq "Finance" -and user.country -eq "NZ"

This automatically adds all NZ-based Finance users to the group. When someone transfers out of Finance, they’re automatically removed.

Custom security attributes

Custom security attributes are business-specific metadata you attach to users and applications. They’re like custom columns you add to a spreadsheet.

Why they matter:

  • Tag users with business-relevant data (project codes, clearance levels, cost centres)
  • Use attributes in Conditional Access policies or entitlement management
  • Data is stored securely — only users with the Attribute Assignment Administrator role can read/write them

Structure:

  • Attribute set = a category (e.g., “HR” or “Security”)
  • Attribute definition = a specific attribute within the set (e.g., “ClearanceLevel”)
  • Attribute value = the value assigned to a user (e.g., “Top Secret”)
ℹ️ Scenario: Priya tags clinical staff at Meridian Health

Priya creates a custom security attribute set called “Clinical” with attributes:

  • ClearanceLevel: “Standard”, “Elevated”, “Critical”
  • Ward: “Emergency”, “Paediatrics”, “Surgery”, etc.

She then creates a Conditional Access policy: IF user’s ClearanceLevel is NOT “Critical” → THEN block access to the patient records app from unmanaged devices.

Why not use groups? Groups are binary (you’re in or out). Custom attributes are multi-valued and more flexible — a user can have ClearanceLevel=Elevated AND Ward=Emergency simultaneously, enabling fine-grained access control.

Bulk operations — don’t click 500 times

When you need to create, invite, or delete many users at once, use bulk operations.

Entra admin center approach:

  1. Download the CSV template from Users → Bulk operations
  2. Fill in user details (one row per user)
  3. Upload the CSV → Entra processes it

PowerShell approach (more powerful):

# Bulk create users from CSV
$users = Import-Csv -Path "NewHires.csv"
foreach ($user in $users) {
    New-MgUser -DisplayName $user.Name `
               -UserPrincipalName $user.UPN `
               -PasswordProfile @{ Password = $user.TempPassword } `
               -UsageLocation $user.Location `
               -AccountEnabled
}
💡 Exam tip: bulk operation types

The Entra admin center supports these bulk operations via CSV:

  • Bulk create — create new users
  • Bulk invite — invite external/guest users
  • Bulk delete — delete users
  • Download users — export user list

PowerShell (Microsoft Graph PowerShell SDK) is more flexible — you can bulk-update properties, assign licences, add to groups, and chain operations together.

🎬 Video walkthrough

🎬 Video coming soon

Managing Users & Groups — SC-300 Module 3

Managing Users & Groups — SC-300 Module 3

~12 min

Flashcards

Question

What is the difference between a security group and a Microsoft 365 group?

Click or press Enter to reveal answer

Answer

Security groups control access to resources (apps, policies). M365 groups create collaboration spaces — a shared mailbox, SharePoint site, and optionally a Teams team. Both support dynamic membership and licence assignment.

Click to flip back
Question

What are custom security attributes in Entra ID?

Click or press Enter to reveal answer

Answer

Business-specific metadata (like clearance levels or project codes) attached to users and applications. Organised into attribute sets and definitions. Can be used in Conditional Access policies and entitlement management. Require Attribute Assignment Administrator role to manage.

Click to flip back
Question

Why must you set a usage location before assigning a licence?

Click or press Enter to reveal answer

Answer

Microsoft requires a usage location (country) to determine service availability and comply with regional legal requirements. Without it, licence assignment fails.

Click to flip back
Question

What is dynamic group membership?

Click or press Enter to reveal answer

Answer

Members are automatically added or removed based on attribute rules (e.g., department = Finance AND country = NZ). When a user's attributes change, their group memberships update automatically.

Click to flip back

Knowledge Check

Knowledge Check

Jake needs to create 30 new user accounts for a batch of freelancers joining Coastline Creative next month. He wants to do this quickly without clicking through the Entra admin center 30 times. What's the most efficient approach?
Knowledge Check

Priya wants to automatically group all Meridian Health employees in the Surgery department into a security group for targeted Conditional Access policies. Which membership type should she use?
Knowledge Check

Anika's client wants to use custom security attributes to tag users with a 'ProjectCode' and then use that attribute in Conditional Access policies. What must they do first?

Next up: Device Registration & Licensing — manage how devices join your tenant and assign the right licences to the right people.

← Previous

Entra Roles & Administrative Units

Next →

Device Registration & Licensing

Guided

I learn, I simplify, I share.

A Guide to Cloud YouTube Feedback

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.