AZ-104 Objective 1.1: Manage Microsoft Entra Users and Groups

September 14, 2025•25 min read•Microsoft Azure Administrator

AZ-104 Exam Focus: This objective covers the fundamental aspects of managing Microsoft Entra ID (formerly Azure Active Directory) users and groups. Understanding user and group management, licensing, external user collaboration, and self-service password reset is crucial for Azure administrators. Master these concepts for both exam success and real-world Azure administration tasks.

Understanding Microsoft Entra ID

Microsoft Entra ID (formerly Azure Active Directory) is Microsoft's cloud-based identity and access management service. It serves as the foundation for managing users, groups, and access to Azure resources and Microsoft 365 services. As an Azure administrator, you need to understand how to effectively manage identities to ensure proper access control and security. Once you've mastered user and group management, you'll want to learn about managing access to Azure resources with RBAC to control what these users can do in your Azure environment.

Key Concepts:

Tenant: A dedicated instance of Microsoft Entra ID for your organization
Directory: The container for all users, groups, and applications
Identity: A digital representation of a person, application, or device
Authentication: The process of verifying an identity
Authorization: The process of determining what an authenticated identity can access

Create Users and Groups

Creating Users in Microsoft Entra ID

User creation is a fundamental task in Microsoft Entra ID management. You can create users through multiple methods:

Method 1: Azure Portal (GUI Method)

Step-by-Step Process:

Navigate to Microsoft Entra ID: Go to Azure Portal → Microsoft Entra ID
Access Users: Click on "Users" in the left navigation pane
Create New User: Click "New user" → "Create new user"
Fill User Details:
- User principal name (UPN): username@domain.com
- Name: First and last name
- Display name: How the user appears in the directory
- Password: Set initial password or auto-generate
- Usage location: Required for license assignment
Assign Roles: Optionally assign directory roles
Create User: Click "Create" to complete the process

Method 2: PowerShell (Command Line Method)

PowerShell Commands:

# Connect to Microsoft Graph PowerShell
Connect-MgGraph -Scopes "User.ReadWrite.All"

# Create a new user
$PasswordProfile = @{
    Password = "TempPassword123!"
    ForceChangePasswordNextSignIn = $true
}

$UserParams = @{
    DisplayName = "John Doe"
    UserPrincipalName = "john.doe@contoso.com"
    MailNickname = "johndoe"
    PasswordProfile = $PasswordProfile
    AccountEnabled = $true
    UsageLocation = "US"
}

New-MgUser @UserParams

Method 3: Microsoft Graph API (Programmatic Method)

REST API Example:

POST https://graph.microsoft.com/v1.0/users
Content-Type: application/json

{
  "accountEnabled": true,
  "displayName": "John Doe",
  "mailNickname": "johndoe",
  "userPrincipalName": "john.doe@contoso.com",
  "passwordProfile": {
    "forceChangePasswordNextSignIn": true,
    "password": "TempPassword123!"
  },
  "usageLocation": "US"
}

Creating Groups in Microsoft Entra ID

Groups are essential for managing access to resources and simplifying user management through role-based access control (RBAC).

Types of Groups

Security Groups:

Purpose: Used for access control and permissions
Membership: Can contain users, devices, and other groups
Use Cases: Resource access, application permissions, conditional access

Microsoft 365 Groups:

Purpose: Collaboration-focused groups with shared resources
Resources: Include shared mailbox, calendar, SharePoint site, Teams workspace
Use Cases: Team collaboration, project management, department communication

Distribution Groups:

Purpose: Email distribution lists
Membership: Can contain users, contacts, and other groups
Use Cases: Email notifications, announcements, mailing lists

Creating Groups via Azure Portal

Step-by-Step Process:

Navigate to Groups: Go to Microsoft Entra ID → Groups
Create New Group: Click "New group"
Select Group Type: Choose Security, Microsoft 365, or Distribution
Configure Group Settings:
- Group name: Descriptive name for the group
- Group description: Purpose and scope of the group
- Membership type: Assigned, Dynamic User, or Dynamic Device
Add Members: Add initial members (if using assigned membership)
Create Group: Click "Create" to complete

Dynamic Groups

⚠️ Important Considerations:

Dynamic groups require Azure AD Premium P1 or P2 licenses
Membership is calculated automatically based on rules
Changes can take up to 24 hours to reflect
Complex rules may impact performance

Dynamic Group Rule Examples:

# Users in specific department
(user.department -eq "Sales")

# Users with specific job title
(user.jobTitle -eq "Manager")

# Users in specific location
(user.usageLocation -eq "US")

# Complex rule combining multiple conditions
(user.department -eq "IT" -and user.jobTitle -contains "Engineer")

# Device-based dynamic group
(device.deviceOSType -eq "Windows")

Manage User and Group Properties

User Property Management

Managing user properties is crucial for maintaining accurate directory information and enabling proper access control.

Core User Properties

Identity Information:

User Principal Name (UPN): Primary login identifier
Display Name: How user appears in directory
First/Last Name: Personal identification
Email Addresses: Primary and proxy addresses
Object ID: Unique identifier in directory

Contact Information:

Business Phone: Work contact number
Mobile Phone: Personal contact number
Office Location: Physical work location
Street Address: Mailing address

Organizational Information:

Department: Organizational unit
Job Title: Position within organization
Manager: Reporting relationship
Company: Organization name
Usage Location: Required for license compliance

Bulk User Management

PowerShell Bulk Operations:

# Update multiple users' department
$Users = Get-MgUser -Filter "department eq 'OldDepartment'"
foreach ($User in $Users) {
    Update-MgUser -UserId $User.Id -Department "NewDepartment"
}

# Bulk assign users to group
$UserIds = @("user1@contoso.com", "user2@contoso.com", "user3@contoso.com")
$GroupId = "group-id-here"
foreach ($UserId in $UserIds) {
    New-MgGroupMember -GroupId $GroupId -DirectoryObjectId $UserId
}

Group Property Management

Managing group properties ensures proper organization and access control within your directory.

Group Configuration Options

Basic Properties:

Group Name: Display name of the group
Description: Purpose and scope description
Group Type: Security, Microsoft 365, or Distribution
Email Address: Group email (for Microsoft 365 groups)

Membership Settings:

Membership Type: Assigned, Dynamic User, or Dynamic Device
Owners: Users who can manage the group
Members: Users, groups, or devices in the group
Dynamic Rules: Automatic membership criteria

Access Settings:

Guest Access: Allow external users to join
Member Access: Who can add/remove members
Owner Access: Who can manage group settings
Privacy Settings: Public, Private, or Hidden

Manage Licenses in Microsoft Entra ID

Understanding Microsoft 365 Licensing

License management is critical for ensuring users have access to the services they need while maintaining compliance and cost control.

License Types and Tiers

Microsoft 365 Business Plans:

Business Basic: Web-based Office apps, Exchange, Teams
Business Standard: Desktop Office apps, Exchange, Teams, SharePoint
Business Premium: All Standard features + Advanced security

Microsoft 365 Enterprise Plans:

E3: Full productivity suite with security features
E5: Advanced security, analytics, and compliance
F3 (Frontline): Designed for frontline workers

Azure AD Premium:

P1: Advanced identity protection, conditional access
P2: Identity governance, privileged identity management

License Assignment Methods

Individual License Assignment

Azure Portal Method:

Navigate to User: Go to Microsoft Entra ID → Users → Select user
Access Licenses: Click "Licenses" in the left navigation
Assign Licenses: Click "Assignments" → "Add assignments"
Select Products: Choose the license products to assign
Configure Options: Enable/disable specific service plans
Save Changes: Click "Save" to apply license assignment

Group-Based License Assignment

💡 Best Practice:

Group-based licensing is the recommended approach for managing licenses at scale. It provides centralized management, automatic assignment for new users, and easier license tracking.

Group-Based Licensing Setup:

Create License Group: Create a security group for license assignment
Assign Licenses to Group: Go to Microsoft Entra ID → Groups → Select group → Licenses
Configure Service Plans: Enable/disable specific services within the license
Add Users to Group: Users automatically receive licenses when added to the group
Monitor Assignment: Use license reports to track assignments and usage

PowerShell License Management

License Assignment Commands:

# Connect to Microsoft Graph
Connect-MgGraph -Scopes "User.ReadWrite.All"

# Get available license SKUs
Get-MgSubscribedSku

# Assign license to user
$User = Get-MgUser -UserId "user@contoso.com"
$LicenseSku = Get-MgSubscribedSku | Where-Object {$_.SkuPartNumber -eq "ENTERPRISEPACK"}
$LicenseAssignment = @{
    AddLicenses = @(
        @{
            SkuId = $LicenseSku.SkuId
        }
    )
    RemoveLicenses = @()
}
Set-MgUserLicense -UserId $User.Id -BodyParameter $LicenseAssignment

# Assign license to group
$Group = Get-MgGroup -GroupId "group-id"
$LicenseAssignment = @{
    AddLicenses = @(
        @{
            SkuId = $LicenseSku.SkuId
        }
    )
    RemoveLicenses = @()
}
Set-MgGroupLicense -GroupId $Group.Id -BodyParameter $LicenseAssignment

License Compliance and Reporting

Key Reports and Monitoring:

License Usage Report: Track assigned vs. used licenses
Unused Licenses: Identify licenses that can be reclaimed
License Conflicts: Resolve service plan conflicts
Expiring Licenses: Monitor license renewal dates
Cost Analysis: Optimize license spending

Manage External Users

Understanding External User Collaboration

External user management enables secure collaboration with partners, vendors, and customers while maintaining control over your organization's resources.

Types of External Users

Guest Users (B2B Collaboration):

Definition: Users from external organizations invited to collaborate
Authentication: Use their own organization's credentials
Access: Limited to resources explicitly shared with them
Management: Managed in your tenant but authenticated by their home tenant

External Identities:

Social Identities: Google, Facebook, LinkedIn accounts
Email One-Time Passcode: Passwordless authentication via email
Self-Service Sign-Up: Users can register themselves for specific applications

Inviting External Users

Azure Portal Invitation Process

Step-by-Step Invitation:

Navigate to Users: Go to Microsoft Entra ID → Users
Invite External User: Click "New user" → "Invite external user"
Enter Email Address: Provide the external user's email address
Personal Message: Optional custom message for the invitation
Configure Access: Assign roles or groups if needed
Send Invitation: Click "Invite" to send the invitation email

PowerShell External User Management

Invitation Commands:

# Invite external user
$Invitation = @{
    InvitedUserEmailAddress = "external@partner.com"
    InviteRedirectUrl = "https://myapps.microsoft.com"
    SendInvitationMessage = $true
}
New-MgInvitation -BodyParameter $Invitation

# Get all guest users
Get-MgUser -Filter "userType eq 'Guest'"

# Update guest user properties
Update-MgUser -UserId "guest-user-id" -DisplayName "Updated Name"

# Remove guest user
Remove-MgUser -UserId "guest-user-id"

External User Access Control

Conditional Access for External Users

Security Policies:

Multi-Factor Authentication: Require MFA for external users
Device Compliance: Require compliant devices for access
Location Restrictions: Limit access based on geographic location
Session Controls: Implement sign-in frequency and session timeouts
Risk-Based Policies: Block high-risk sign-ins

Guest User Lifecycle Management

Automated Management:

Access Reviews: Regular review of external user access
Expiration Policies: Automatic removal of inactive guest users
Approval Workflows: Require approval for guest invitations
Access Packages: Self-service access request and approval
Audit Logging: Track all external user activities

Configure Self-Service Password Reset (SSPR)

Understanding Self-Service Password Reset

SSPR enables users to reset their passwords without administrator intervention, reducing help desk calls and improving user experience while maintaining security.

SSPR Authentication Methods

Available Methods:

Mobile Phone: SMS or voice call verification
Office Phone: Voice call to registered office number
Email Address: Email verification code
Security Questions: Pre-configured questions and answers
Microsoft Authenticator App: Push notification or code
Alternative Email: Secondary email address

Configuring SSPR

Azure Portal Configuration

Step-by-Step Setup:

Navigate to SSPR: Go to Microsoft Entra ID → Password reset
Configure Properties:
- Self-service password reset enabled: Select "All" or specific groups
- Authentication methods: Choose required methods (minimum 2)
- Number of methods required: Set to 1 or 2
- Number of days before users must re-confirm: Set re-registration period
Configure Registration:
- Require users to register when signing in: Enable for better adoption
- Number of days before users are asked to re-confirm: Set reminder period
Configure Notifications:
- Notify users on password resets: Enable security notifications
- Notify all admins when other admins reset their password: Enable admin notifications
Save Configuration: Click "Save" to apply settings

PowerShell SSPR Configuration

Configuration Commands:

# Connect to Azure AD
Connect-AzureAD

# Get current SSPR policy
Get-AzureADSSPRPolicy

# Configure SSPR settings
$SSPRPolicy = @{
    SelfServicePasswordResetEnabled = $true
    NumberOfAuthenticationMethodsRequired = 2
    NumberOfDaysBeforeUsersAreAskedToReconfirm = 180
    RequireUsersToRegisterWhenSigningIn = $true
    NotifyUsersOnPasswordResets = $true
    NotifyAllAdminsWhenOtherAdminsResetTheirPassword = $true
}

Set-AzureADSSPRPolicy @SSPRPolicy

# Configure authentication methods
$AuthMethods = @{
    AuthenticationMethods = @("mobilePhone", "email", "securityQuestions")
}

Set-AzureADSSPRPolicy @AuthMethods

SSPR Security Considerations

Security Best Practices

⚠️ Security Recommendations:

Require at least 2 authentication methods for password reset
Use strong authentication methods (Microsoft Authenticator preferred)
Implement conditional access policies for SSPR
Monitor SSPR usage through audit logs
Regularly review and update security questions
Consider excluding high-privilege accounts from SSPR

Conditional Access for SSPR

Recommended Policies:

Trusted Locations: Allow SSPR from trusted network locations
Device Compliance: Require compliant devices for password reset
Risk-Based Access: Block high-risk password reset attempts
Time-Based Restrictions: Limit SSPR to business hours
Geographic Restrictions: Block SSPR from suspicious locations

SSPR User Experience

User Registration Process

Registration Steps:

Access Registration: Users visit aka.ms/ssprsetup or are prompted during sign-in
Choose Methods: Select and configure authentication methods
Verify Methods: Test each method to ensure it works
Complete Registration: Save configuration for future use
Regular Re-confirmation: Update methods as required by policy

Password Reset Process

Reset Steps:

Access Reset Page: Users visit aka.ms/sspr or click "Can't access your account?"
Enter Username: Provide user principal name or email
Complete CAPTCHA: Verify human interaction
Verify Identity: Use registered authentication methods
Create New Password: Set new password meeting complexity requirements
Sign In: Use new password to access resources

Advanced User and Group Management Scenarios

Scenario 1: Bulk User Import

Situation: Need to import 500 new employees from HR system into Microsoft Entra ID.

Solution: Use PowerShell with CSV import, configure dynamic groups for automatic license assignment, and set up SSPR for new users.

Scenario 2: External Partner Collaboration

Situation: Partner organization needs access to specific SharePoint sites and Teams workspaces.

Solution: Create Microsoft 365 groups, invite external users as guests, configure conditional access policies, and set up access reviews.

Scenario 3: License Optimization

Situation: Organization has unused Microsoft 365 E5 licenses and wants to optimize costs.

Solution: Analyze license usage reports, implement group-based licensing, remove unused licenses, and establish license monitoring processes.

Monitoring and Reporting

Key Reports for User and Group Management

Essential Reports:

Sign-in Reports: Track user authentication activities
Audit Logs: Monitor administrative actions and changes
License Usage Reports: Track license assignments and usage
Guest User Reports: Monitor external user activities
SSPR Reports: Track password reset activities and success rates
Group Membership Reports: Monitor group changes and membership

PowerShell Monitoring Commands

Monitoring Scripts:

# Get user sign-in activities
Get-MgAuditLogSignIn -Top 100

# Get license usage
Get-MgSubscribedSku | Select-Object SkuPartNumber, ConsumedUnits, PrepaidUnits

# Get guest users
Get-MgUser -Filter "userType eq 'Guest'" | Select-Object DisplayName, UserPrincipalName, CreatedDateTime

# Get group membership changes
Get-MgAuditLogDirectoryAudit -Filter "category eq 'GroupManagement'"

# Get SSPR activities
Get-MgAuditLogSignIn -Filter "status/errorCode eq 0 and authenticationDetails/any(a:a/authenticationMethod eq 'password')"

Best Practices and Recommendations

User Management Best Practices

✅ Recommended Practices:

Use Group-Based Management: Leverage groups for permissions and licenses
Implement Naming Conventions: Consistent UPN and display name formats
Regular Access Reviews: Periodic review of user access and group memberships
Automated Provisioning: Use identity governance for user lifecycle management
Strong Authentication: Enforce MFA and conditional access policies
Audit Everything: Enable comprehensive audit logging

Security Considerations

Security Measures:

Privileged Access Management: Protect administrative accounts
Conditional Access: Implement risk-based access policies
Identity Protection: Monitor for risky sign-ins and users
External User Controls: Limit and monitor guest user access
License Security: Regular review of license assignments
SSPR Security: Strong authentication methods and monitoring

Exam Preparation Tips

Key Concepts to Remember

User Creation Methods: Portal, PowerShell, Graph API, and bulk import
Group Types: Security, Microsoft 365, and Distribution groups
Dynamic Groups: Rule-based automatic membership
License Management: Individual and group-based assignment
External Users: B2B collaboration and guest user management
SSPR Configuration: Authentication methods and security policies

Practice Questions

Sample Exam Questions:

What is the minimum number of authentication methods required for SSPR?
Which PowerShell cmdlet is used to create a new user in Microsoft Entra ID?
What license is required for dynamic group membership?
How can you bulk assign licenses to multiple users?
What are the three types of groups available in Microsoft Entra ID?
Which authentication method is recommended for SSPR security?
How do you invite an external user for B2B collaboration?
What is the difference between a security group and a Microsoft 365 group?

AZ-104 Success Tip: Microsoft Entra ID user and group management is fundamental to Azure administration. Focus on understanding the different methods for creating and managing users, the various group types and their use cases, license management strategies, external user collaboration, and SSPR configuration. Practice with the Azure portal, PowerShell, and Microsoft Graph API to gain hands-on experience with these concepts.