This chapter covers Microsoft Entra ID (formerly Azure Active Directory) users and groups, the foundational identity objects in Azure. For the AZ-104 exam, this topic is critical because identity governance underpins access control for all Azure resources. Approximately 10-15% of exam questions touch on user and group management, including creation, configuration, and lifecycle. You will be tested on the differences between cloud-only and synced identities, group types and membership types, and how to manage them using the Azure portal, PowerShell, and CLI.
Jump to a section
Think of Microsoft Entra ID as a corporate security badge system for a large office building. When a new employee joins the company, HR creates a badge (a user account) with their name, photo, and department. This badge is stored in a central registry (Entra ID). The badge alone doesn't grant access to every room; instead, security assigns badge permissions based on groups: all employees in 'Finance' get access to the finance floor, all in 'IT' get the server room, etc. When an employee swipes their badge at a door, the badge reader sends the badge ID to the central security server (Entra ID authentication). The server checks if the badge is active, not expired, and if the employee belongs to a group with permission to that door (authorization via group membership). If yes, the door unlocks. If the employee is terminated, HR deactivates the badge in the central registry, and immediately all door access is denied everywhere—no need to collect the physical badge. Similarly, if an employee changes departments, HR updates their group membership, and access adjusts automatically. The key mechanism is that the central registry holds the identity and group memberships, and every access request goes through it for real-time validation. This mirrors how Entra ID provides identity and access management for Azure and Microsoft 365: user objects are stored in the tenant, groups define role assignments and access policies, and every authentication and authorization request is checked against this directory.
What is Microsoft Entra ID?
Microsoft Entra ID is a cloud-based identity and access management service. It provides authentication and authorization for users, applications, and resources. Unlike Active Directory Domain Services (AD DS), which is a directory service for on-premises Windows networks using Kerberos and LDAP, Entra ID is a REST API-based identity platform using OAuth 2.0, OpenID Connect, and SAML. Entra ID is not a replacement for AD DS; it is a different technology optimized for cloud and SaaS applications.
User Objects in Entra ID
A user object represents a person or service principal that needs access to resources. Each user object has a set of attributes defined by the Microsoft Graph schema. Key attributes include: - userPrincipalName (UPN): The internet-style sign-in name (e.g., user@contoso.com). Must be unique across all Microsoft accounts. - displayName: The name shown in the portal. - mail: Email address. - onPremisesSyncEnabled: Boolean indicating if the user is synced from on-premises AD DS. - immutableId: Used for directory synchronization (source anchor). - objectId: Globally unique identifier (GUID) assigned by Entra ID. - userType: 'Member' or 'Guest' for B2B collaboration.
Types of User Identities
Cloud-only identity: Created and managed entirely in Entra ID. No on-premises AD DS dependency. Authentication happens against Entra ID using password hash or federation.
Synced identity: Created in on-premises AD DS and synchronized to Entra ID using Azure AD Connect. The source of authority is on-premises. Password changes must be made on-premises and then synced.
Guest user (B2B): External user invited to access resources. They authenticate using their own identity provider (Microsoft, Google, etc.). Represented as a user object with UserType='Guest'.
Group Objects in Entra ID
Groups are used to manage access to resources efficiently by assigning permissions to a group rather than individual users. Two group types: - Security group: Used to assign permissions to resources. Members can be users, other groups, service principals, or devices. - Microsoft 365 group: Used for collaboration (shared mailbox, calendar, files, etc.). Membership can include users and guests.
Membership Types
Assigned (static): Administrator manually adds or removes members. Best for small, stable groups.
Dynamic user: Membership is evaluated based on user attributes (e.g., department = 'Sales'). Rules are written using expressions. Users are automatically added or removed when attributes change. Requires Entra ID P1 license.
Dynamic device: Similar but for device objects. Requires Entra ID P2 license.
How Entra ID Authenticates Users
When a user signs in to an application (e.g., Azure portal), the application redirects to Entra ID's sign-in endpoint. The user provides credentials (username/password, MFA, etc.). Entra ID validates the credentials against its directory. If the user is synced and password hash synchronization is enabled, Entra ID compares the provided password hash with the stored hash. If federation is used (e.g., AD FS), Entra ID redirects to the on-premises identity provider. After successful authentication, Entra ID issues an access token (JWT) containing claims (e.g., user objectId, group memberships, roles). The application uses this token to authorize access.
Defaults and Limits
Default user permissions: In a free Entra ID tenant, users can create up to 250 groups, register applications, and read directory information. These defaults can be restricted using user settings.
Directory size limits: Free tier allows up to 500,000 directory objects (users, groups, contacts, etc.). Paid tiers (P1, P2) allow up to 500,000 additional objects per license.
Group nesting: Security groups can be nested (up to 300 levels). Microsoft 365 groups cannot be nested.
Dynamic group rules: Maximum 15,000 dynamic groups per tenant. Rule evaluation can take up to 30 minutes after attribute change.
Guest user limits: Free tier allows up to 500,000 guest users. Paid tiers have no limit.
Creating Users and Groups via Portal, PowerShell, CLI
Azure Portal:
Users: Azure Active Directory > Users > New user. Fill in UPN, display name, password (auto-generated or user-defined). Optionally assign roles or groups.
Groups: Azure Active Directory > Groups > New group. Select group type (Security or Microsoft 365), membership type (Assigned, Dynamic User, Dynamic Device). Add members or define rule.
PowerShell (Microsoft Graph module):
# Connect to Graph
Connect-MgGraph -Scopes "User.ReadWrite.All", "Group.ReadWrite.All"
# Create a user
New-MgUser -DisplayName "John Doe" -UserPrincipalName "john@contoso.com" -PasswordProfile @{ Password = "P@ssw0rd!" } -AccountEnabled $true
# Create a security group
New-MgGroup -DisplayName "Sales Team" -MailEnabled:$false -SecurityEnabled:$true -MailNickname "SalesTeam"
# Add user to group
Add-MgGroupMember -GroupId "group-id" -DirectoryObjectId "user-id"Azure CLI:
# Create a user
az ad user create --display-name "John Doe" --user-principal-name john@contoso.com --password "P@ssw0rd!"
# Create a group
az ad group create --display-name "Sales Team" --mail-nickname "SalesTeam"
# Add member
az ad group member add --group "Sales Team" --member-id "user-id"Interaction with Other Azure Services
Azure RBAC: Assign roles (e.g., Contributor) to a security group to grant permissions to Azure resources. Users inherit permissions via group membership.
Enterprise applications: Assign users or groups to SaaS apps for SSO.
Conditional Access: Policies target users and groups. Dynamic groups ensure policy automatically applies to new users matching criteria.
Identity Protection: Risk events are associated with user objects. Remediation actions (e.g., block sign-in) apply to users.
Privileged Identity Management (PIM): Provides just-in-time admin roles for users. Groups can be used as eligible members.
Deleting and Restoring Users
When a user is deleted, the object is moved to the recycle bin and retained for 30 days. During this period, the user can be restored. After 30 days, the object is permanently deleted and cannot be recovered. The same applies to groups (30-day soft delete).
Bulk Operations
Bulk create users: Use a CSV file with headers (Name, UPN, Initial password, etc.). Upload via Azure portal or PowerShell.
Bulk invite guests: CSV file with email addresses and optional message.
Bulk remove members: CSV file listing group and member IDs.
Licensing Requirements
Free tier: Basic user and group management, up to 500K objects.
Entra ID P1: Dynamic groups, self-service password reset (on-premises writeback), conditional access.
Entra ID P2: Identity Protection, Privileged Identity Management, risk-based conditional access.
Exam Tip: Know the Difference Between Azure AD and Entra ID
As of 2023, Azure AD was renamed to Microsoft Entra ID. The exam objectives still reference "Azure Active Directory" but you should be comfortable with both terms. The underlying service is the same.
Create a new cloud-only user
In the Azure portal, navigate to Microsoft Entra ID > Users > New user. Choose 'Create new user' (not 'Invite external user'). Enter User principal name (UPN) which must be unique in the tenant. The domain can be the default 'contoso.onmicrosoft.com' or a custom verified domain. Enter display name. Under 'Password', you can auto-generate or set an initial password. The password must meet tenant password policy (default: 8-16 characters, requires 3 of 4: lowercase, uppercase, digit, symbol). Set 'Usage location' if the user will be assigned licenses (required for paid features). Click Create. The user object is immediately created and can be assigned roles or groups. The user will be prompted to change password on first sign-in if 'Require password change on next sign-in' is checked.
Invite a guest user (B2B)
Navigate to Entra ID > Users > New user > Invite external user. Enter the guest's email address. Optionally add a personal message. Under 'Properties', you can set Display name, UPN (default is email), and group membership. The guest will receive an email invitation with a link. When they accept, a user object is created in the tenant with UserType='Guest'. The guest authenticates with their home identity provider. Their access is limited by default (can read directory info but not browse users). To grant access, assign them to an app or group. Guest users can be added to security groups and Microsoft 365 groups. They can also be assigned Azure RBAC roles.
Create a dynamic security group
In Entra ID > Groups > New group, select Security group type and Dynamic User membership type. Write a rule using the rule builder or syntax. Example: (user.department -eq "Sales"). The rule can combine attributes with -and, -or, -not. Supported attributes include: department, jobTitle, city, country, userType, etc. The group will be evaluated periodically (up to 30 minutes delay) and members added/removed automatically. Dynamic groups require Entra ID P1 license. The rule syntax is case-sensitive. For device groups, use device-specific attributes (e.g., device.deviceOSType). Dynamic groups cannot be nested. The maximum number of dynamic groups per tenant is 15,000.
Assign a user to a group via PowerShell
First, connect to Microsoft Graph using Connect-MgGraph with appropriate scopes (Group.ReadWrite.All, User.ReadWrite.All). Get the user object ID and group object ID. Use Add-MgGroupMember -GroupId <group-id> -DirectoryObjectId <user-id>. The user is immediately added to the group (for assigned groups). For dynamic groups, membership is evaluated by the rule, so manual add will be overridden. To verify, use Get-MgGroupMember -GroupId <group-id>. PowerShell is efficient for bulk operations: you can loop through a CSV or array of users. Note: The Microsoft Graph PowerShell module is the recommended replacement for AzureAD module.
Configure self-service password reset (SSPR)
SSPR allows users to reset their own passwords without admin intervention. Requires Entra ID P1 or P2 license. Navigate to Entra ID > Password reset > Properties. Select 'All' or 'Selected' users. Under Authentication methods, choose number of methods required (default: 2) and which methods (email, phone, security questions, etc.). Under Registration, enable 'Require users to register when signing in'. Users will be prompted to register contact info. Under Notifications, configure admin alerts. SSPR works for cloud-only users. For synced users with password hash sync, the password is written back to on-premises AD DS if password writeback is enabled. The reset process: user clicks 'Can't access your account?', enters username, solves CAPTCHA, verifies identity via registered methods, then sets new password. The new password must meet tenant policy.
Enterprise Scenario 1: Onboarding New Employees with Dynamic Groups
A global company with 20,000 employees uses Entra ID for identity management. HR system (e.g., Workday) updates user attributes (department, location, job title) in on-premises AD DS, which syncs to Entra ID via Azure AD Connect. The IT team creates dynamic security groups based on department: 'Sales-Group', 'Engineering-Group', etc. When a new salesperson is hired, HR creates their AD account with department='Sales'. After sync, the user is automatically added to 'Sales-Group' within 30 minutes. This group has an Azure RBAC role assignment granting Contributor access to the Sales resource group. The user also gets a Microsoft 365 license assigned via group-based licensing. No manual intervention needed. Problem: If the sync fails or the attribute is misspelled, the user won't be added. Monitoring Azure AD Connect health alerts is critical. Performance consideration: Dynamic group evaluation can take up to 30 minutes; for immediate access, use assigned groups temporarily.
Enterprise Scenario 2: B2B Collaboration for Vendor Access
A company partners with external vendors who need access to a specific SharePoint site. The IT admin invites vendor employees as guest users via Entra ID B2B. Each vendor is added to a security group 'Vendors-ProjectX'. The SharePoint site permissions are assigned to this group. Vendors authenticate with their own corporate credentials (e.g., Google or Microsoft). The company uses Conditional Access policies to require MFA for all guest users accessing sensitive sites. If a vendor leaves the partner company, their guest account is automatically disabled if the partner uses cross-tenant synchronization. Otherwise, the admin must manually remove the guest. Common misconfiguration: Not setting guest user access restrictions (e.g., guests can see other users). To limit visibility, set 'Guest user access restrictions' to 'Guest users have limited access to properties and membership of directory objects'.
Scenario 3: Mergers and Acquisitions
Company A acquires Company B. Both have separate Entra ID tenants. To enable collaboration, they set up cross-tenant access settings (B2B direct connect) or migrate users. For a smooth transition, they sync Company B's on-premises AD to Company A's Entra ID using Azure AD Connect with a new forest. This creates duplicate user objects unless a matching attribute (e.g., mail) is used. They use soft-match to link existing cloud users. After migration, they decommission Company B's tenant. Challenges include UPN conflicts, group membership loss, and licensing. Proper planning with identity governance tools (e.g., Microsoft Identity Manager) is required.
AZ-104 Exam Focus: Identity Governance (Objective 1.1)
The exam tests your ability to create, configure, and manage users and groups in Microsoft Entra ID. Key objective codes: 1.1 Manage Azure Active Directory users and groups. Specific sub-objectives: create users and groups, manage user and group properties, manage licenses, manage external identities, configure self-service password reset (SSPR).
Common Wrong Answers and Why
'Users must be assigned a license before they can be added to a group.' WRONG. Users can be added to groups without a license. Licenses are assigned separately, often via group-based licensing. The exam may present a scenario where a user cannot access a resource because they lack a license, but the group membership is valid.
'Dynamic group membership is evaluated immediately when a user attribute changes.' WRONG. Evaluation can take up to 30 minutes. The exam may ask about the delay. The correct answer is 'up to 30 minutes' or 'not immediate'.
'Guest users can be added to dynamic groups.' WRONG. Guest users cannot be added to dynamic groups based on user attributes because dynamic group rules do not evaluate guest users by default. However, you can include guests in dynamic groups using a rule like (user.userType -eq 'Guest'). The exam might test this nuance.
'You can delete a user and immediately reuse the UPN for a new user.' WRONG. After deletion, the user object goes to recycle bin for 30 days. The UPN is still considered used. You must either restore the user or wait 30 days. The exam may ask about recovering a deleted user or creating a new user with the same UPN.
Specific Numbers and Terms
30 days: Soft-delete retention for users and groups.
250 groups: Default maximum groups a user can create (free tier).
500,000 objects: Maximum directory objects in free tier.
300 levels: Maximum group nesting depth for security groups.
15,000: Maximum dynamic groups per tenant.
Password policy: 8-16 characters, 3 of 4 complexity.
SSPR: Requires P1 license; default authentication methods: 2 methods required.
Edge Cases and Exceptions
Synced user cannot be deleted in the cloud: If a user is synced from on-premises, you must delete them on-premises. Deleting in the cloud will result in re-creation on next sync.
Guest user UPN: Guest UPN is typically their email address, but you can change it. However, the guest still authenticates with their home identity.
Group-based licensing: If a user is removed from a group, the license is removed after up to 30 minutes. The exam may test that license removal is not immediate.
How to Eliminate Wrong Answers
Read every question carefully for keywords: 'cloud-only', 'synced', 'dynamic', 'guest', 'immediately', '30 minutes', 'license'. If a question says 'immediately' for a dynamic group, it's wrong. If it says 'delete synced user from Azure portal', it's wrong. Use the underlying mechanism: Entra ID is a REST-based directory with eventual consistency for group evaluation and license assignment.
Microsoft Entra ID is the cloud identity service; it is not the same as on-premises Active Directory.
User identities can be cloud-only, synced, or guest (B2B). Synced users must be managed on-premises.
Groups are either Security (for permissions) or Microsoft 365 (for collaboration).
Dynamic groups automatically add/remove members based on rules; evaluation can take up to 30 minutes.
Dynamic groups require Entra ID P1 license and cannot include guests by default.
Soft-delete retention for users and groups is 30 days.
Default user permissions allow creation of up to 250 groups; this can be restricted.
SSPR requires P1 license and can be configured for all or selected users with up to 2 authentication methods.
These come up on the exam all the time. Here's how to tell them apart.
Assigned (Static) Group
Members are manually added and removed by an administrator.
Membership is stable and predictable.
No licensing requirement beyond Free tier.
Best for small teams or roles with few changes.
Can include guest users without special rules.
Dynamic Group
Membership is automatically evaluated based on user attributes.
Membership changes automatically when attributes are updated.
Requires Entra ID P1 or P2 license.
Best for large organizations with frequent user attribute changes.
Guest users are excluded by default; must be explicitly included via rule.
Mistake
Azure AD and Entra ID are different services.
Correct
Microsoft Entra ID is the new name for Azure Active Directory. The service is identical; only the name changed. The exam objectives may still refer to Azure AD, but both terms are used interchangeably.
Mistake
You can add a guest user to a dynamic security group with a rule based on department.
Correct
By default, dynamic group rules do not evaluate guest users. However, you can include guests by using a rule like (user.userType -eq 'Guest') combined with other attributes. The exam tests that guests are not automatically included.
Mistake
Dynamic group membership updates are instantaneous.
Correct
Dynamic group evaluation is an asynchronous process that can take up to 30 minutes after an attribute change. The exam often tests this delay with a scenario requiring immediate access.
Mistake
You can delete a synced user from the Azure portal permanently.
Correct
Synced users are sourced from on-premises AD DS. Deleting them in the portal is temporary; they will be re-created on the next sync cycle. You must delete the user on-premises to remove them permanently.
Mistake
All users in a tenant can create groups by default.
Correct
Default user permissions allow users to create up to 250 groups. This can be restricted by an admin via user settings. The exam may ask about defaults.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Microsoft Entra ID is simply the new name for Azure Active Directory. The service, features, and APIs remain the same. The rename occurred in 2023. On the AZ-104 exam, you may see both terms. Treat them as identical.
Dynamic group membership evaluation can take up to 30 minutes. This is because the evaluation is an asynchronous background process. For exam questions, remember that changes are not immediate.
You can delete a synced user from the Azure portal, but it will be re-created on the next sync cycle from on-premises AD DS. To permanently remove a synced user, delete the user object from on-premises Active Directory.
By default, dynamic group rules do not include guest users. To include them, you must modify the rule to explicitly include guests, for example: (user.userType -eq 'Guest') and other conditions. Note that guest users cannot be added to dynamic device groups.
Dynamic groups require an Entra ID P1 or P2 license for each user who is a member of a dynamic group. The tenant must have at least one P1 license. Free tier does not support dynamic groups.
Yes, deleted users are moved to the recycle bin and can be restored within 30 days. After 30 days, they are permanently deleted and cannot be recovered. The same applies to groups.
The default password policy requires passwords to be 8-16 characters long and contain at least three of the following: lowercase letters, uppercase letters, digits, and symbols. The policy can be customized via custom banned passwords or password protection settings.
You've just covered Microsoft Entra ID Users and Groups — now see how well it sticks with free AZ-104 practice questions. Full explanations included, no account needed.
Done with this chapter?