A company is deploying Microsoft 365 and wants to ensure that users in the finance department have access to only the apps they need. You need to recommend a licensing strategy that minimizes administrative overhead while enforcing access restrictions. What should you do?
This automates license assignment and removal when users change departments.
Why this answer
Option B is correct because using a dynamic Azure AD group based on the department attribute automates membership updates as users change departments, and group-based licensing assigns the appropriate licenses to all members without manual intervention. This minimizes administrative overhead by eliminating the need to manually add or remove users from the group or assign licenses individually, while enforcing access restrictions by ensuring only finance users receive the licensed apps.
Exam trap
The trap here is that candidates often choose Option A (security group with explicit membership) because they think it provides more control, but they overlook the administrative overhead of manual membership management and the fact that group-based licensing works with any Azure AD group type, including security groups, as long as the group is used for license assignment.
How to eliminate wrong answers
Option A is wrong because a security group with explicit membership requires manual updates when users join or leave the finance department, increasing administrative overhead and risking stale memberships. Option C is wrong because assigning licenses one by one in the Microsoft 365 admin center is highly manual and does not scale, nor does it enforce dynamic access restrictions based on department changes. Option D is wrong because using PowerShell to assign licenses based on department attribute requires scripting, scheduled runs, and error handling, which adds complexity and overhead compared to the built-in dynamic group and group-based licensing feature.