Question 171 of 975
Manage users, groups, licensing, and supporthardMultiple SelectObjective-mapped

Quick Answer

The answer is to assign a license to the group, add members to the security group, and verify the license assignment status. This is correct because group-based licensing in Azure AD automates license distribution by linking a product license directly to a security group; once the license is assigned to the group, any user added as a member automatically receives that license, eliminating the need for per-user manual assignments. On the Microsoft 365 Administrator MS-102 exam, this topic tests your understanding of identity management automation, often appearing in scenario-based questions where you must choose the correct sequence of steps. A common trap is forgetting that simply assigning a license to an empty group does nothing—members must be present for the license to take effect. To remember, think of the three-step chain: license to group, members to group, then verify—if any link is missing, the automation fails.

MS-102 Manage users, groups, licensing, and support Practice Question

This MS-102 practice question tests your understanding of manage users, groups, licensing, and support. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Which THREE steps are required to enable group-based licensing?

Question 1hardmulti select
Full question →

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Add members to the group

Option B is correct because group-based licensing in Azure AD requires that you add members to the security group that will have the license assigned. Without members, the license assignment has no effect, as the license is applied to all users in the group. This step ensures that the intended users receive the license automatically based on group membership.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Configure Azure AD Connect

    Why it's wrong here

    Not required for cloud-only groups.

  • Add members to the group

    Why this is correct

    Members inherit license.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Create a security group

    Why this is correct

    Group must exist to assign license.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Ensure group is mail-enabled

    Why it's wrong here

    Not required.

  • Assign a license to the group

    Why this is correct

    License is assigned to group.

    Related concept

    Read the scenario before looking for a memorised answer.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often think Azure AD Connect is required for any group-based operation, but group-based licensing is a cloud-native feature that does not require hybrid synchronization; the only prerequisites are an Azure AD tenant, a security group, and a valid license SKU.

Detailed technical explanation

How to think about this question

Group-based licensing uses Azure AD’s license assignment engine, which evaluates group membership and applies the specified license SKU to each member. The engine processes changes in near real-time, but for large groups (e.g., >20,000 members), it may take up to 24 hours to fully propagate. A subtle behavior is that if a user is a member of multiple groups with conflicting license assignments (e.g., different service plans), Azure AD will attempt to merge them but may fail if the plans are mutually exclusive, leaving the user in an error state.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A healthcare organisation deploys an application with a public-facing web tier and a private database tier. The database subnet has no public IP and only accepts connections from the web tier's security group. Questions like this test whether you can design cloud network isolation using VNets/VPCs, subnets, and security group rules.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related MS-102 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free MS-102 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this MS-102 question test?

Manage users, groups, licensing, and support — This question tests Manage users, groups, licensing, and support — Read the scenario before looking for a memorised answer..

What is the correct answer to this question?

The correct answer is: Add members to the group — Option B is correct because group-based licensing in Azure AD requires that you add members to the security group that will have the license assigned. Without members, the license assignment has no effect, as the license is applied to all users in the group. This step ensures that the intended users receive the license automatically based on group membership.

What should I do if I get this MS-102 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Same concept, more angles

2 more ways this is tested on MS-102

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. A multinational company uses Microsoft 365 E5 licenses for all employees. Due to a recent cost optimization initiative, the IT department must remove Microsoft Entra ID Plan 2 and Microsoft Defender for Office 365 Plan 2 from a subset of users, while retaining the core Microsoft 365 E5 functionality (Exchange Online, SharePoint Online, Teams, and Microsoft 365 Apps). The company uses group-based licensing with dynamic groups. You need to recommend a licensing strategy that minimizes administrative effort and avoids service disruption. Which three of the following steps should you include in your strategy? (Choose three.)

medium
  • .Create a new Microsoft 365 E5 license SKU that excludes the add-on services and assign this custom SKU to the affected users via a dynamic group.
  • .Identify the GUIDs of the service plans to be disabled (Microsoft Entra ID Plan 2 and Defender for Office 365 Plan 2) and use the Set-MgUserLicense cmdlet with the -RemoveLicenses parameter to remove specific service plans from existing licenses.
  • .Use a dynamic group to assign the standard Microsoft 365 E5 license but configure the group’s license assignment to disable the unwanted service plans by specifying the disabled service plan GUIDs in the license assignment configuration.
  • .Remove the Microsoft 365 E5 license from all users in the affected group and then assign a new, lower-cost license such as Microsoft 365 E3 to those users.
  • .Use Microsoft Entra ID Governance’s Access Reviews to automatically remove the unwanted service plans from the affected users’ licenses on a recurring basis.
  • .Use Microsoft Graph PowerShell to bulk-update the existing group-based licensing assignment for the affected dynamic group, specifying the service plans to disable in the -DisabledServicePlans parameter.

Why : The correct approach is to keep the existing Microsoft 365 E5 license but disable specific service plans (Microsoft Entra ID Plan 2 and Defender for Office 365 Plan 2) within the license assignment. This is done by identifying the service plan GUIDs and using either the Set-MgUserLicense cmdlet with the -RemoveLicenses parameter, configuring the dynamic group’s license assignment to disable those service plans, or using Microsoft Graph PowerShell with the -DisabledServicePlans parameter. These methods minimize administrative effort by leveraging group-based licensing and avoid service disruption because the core E5 functionality remains intact.

Variation 2. A company is deploying Microsoft 365 and wants to ensure that users in the finance department have access to only the apps they need. You need to recommend a licensing strategy that minimizes administrative overhead while enforcing access restrictions. What should you do?

medium
  • A.Create a security group with explicit membership and assign licenses to the group.
  • B.Create a dynamic Azure AD group based on department attribute and assign licenses using group-based licensing.
  • C.Assign licenses to users one by one in the Microsoft 365 admin center.
  • D.Use PowerShell to assign licenses based on user department attribute.

Why B: Option B is correct because using a dynamic Azure AD group based on the department attribute automates membership updates as users change departments, and group-based licensing assigns the appropriate licenses to all members without manual intervention. This minimizes administrative overhead by eliminating the need to manually add or remove users from the group or assign licenses individually, while enforcing access restrictions by ensuring only finance users receive the licensed apps.

Last reviewed: Jun 11, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This MS-102 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the MS-102 exam.