Manage Microsoft Entra users and groups
📘Microsoft Certified: Azure Administrator Associate (AZ-104)
Manage User and Group Properties in Microsoft Entra
Microsoft Entra is Microsoft’s identity and access management platform. In the AZ-104 exam, managing users and groups is an important skill because it helps control access to resources in Azure and Microsoft 365.
The focus here is on managing the properties of users and groups.
1. User Properties
A user in Microsoft Entra represents an account that can sign in to access resources. Users have several properties that you can configure and manage:
Key User Properties
| Property | Description | Importance in IT environment |
|---|---|---|
| Name | Full name of the user | Helps identify users in the directory |
| Username / User principal name (UPN) | The login name (e.g., john.doe@company.com) | Required to log in to Azure and Microsoft 365 |
| Email | Email address of the user | Needed for communication, licensing, and notifications |
| Job title, department, company | Organizational information | Used for reporting, policies, and access control |
| Office location / physical office | Helps identify where the user is located | Useful for multi-location organizations |
| Phone numbers | Contact number | Useful for MFA (Multi-Factor Authentication) and notifications |
| Password and authentication methods | User’s password and sign-in security options | Critical for securing access to Azure and Microsoft 365 |
| Account status (enabled/disabled) | Whether the user can sign in | Disabling accounts helps prevent unauthorized access when someone leaves the company |
| Group membership | Which groups the user belongs to | Determines what resources the user can access |
Managing User Properties
You can manage user properties in Microsoft Entra through:
- Azure Portal:
  - Go to Microsoft Entra → Users → select a user → Profile.
  - Edit properties like name, job title, department, and more.
- PowerShell:
  - Useful for bulk updates.
  - Example: Update a user’s department:

    ```powershell
    Set-AzureADUser -ObjectId "john.doe@company.com" -Department "IT"
    ```
- Microsoft Graph API:
  - For automated solutions and custom apps to manage users programmatically.
Exam Tip: You should know how to view and edit user properties in the Azure Portal, and understand the difference between user attributes and account status.
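The bulk-update case and the difference between a profile attribute and account status, as an added example (not from the original guide) using the Microsoft Graph PowerShell module, which replaces the deprecated AzureAD module cmdlets shown above. The CSV rows, UPNs and the `Leaver` column are constructed for illustration.

```powershell
# Added example (not from the guide). Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes 'User.ReadWrite.All'

# Constructed sample input: placeholder accounts, not real users.
$rows = @'
UserPrincipalName,Department,Leaver
john.doe@company.com,IT,false
jane.roe@company.com,Finance,true
'@ | ConvertFrom-Csv

# department and accountEnabled are not returned unless requested.
$props = @('id', 'userPrincipalName', 'department', 'accountEnabled')

foreach ($row in $rows) {
    $user = Get-MgUser -UserId $row.UserPrincipalName -Property $props -ErrorAction SilentlyContinue
    if (-not $user) {
        Write-Warning "Not found: $($row.UserPrincipalName)"
        continue
    }

    # Profile attribute: descriptive data, also read by dynamic group rules.
    if ($user.Department -ne $row.Department) {
        Update-MgUser -UserId $user.Id -Department $row.Department
    }

    # Account status: decides whether the user can sign in at all.
    if ([bool]::Parse($row.Leaver) -and $user.AccountEnabled) {
        Update-MgUser -UserId $user.Id -AccountEnabled:$false
        # Revoke refresh tokens so existing sessions are not renewed.
        Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
    }
}
```

Changing `department` can also change membership of any dynamic group whose rule reads that attribute, so review those rules before a bulk run.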
2. Group Properties
A group is a collection of users that simplifies managing access to resources. Instead of assigning permissions individually, you assign them to a group.
Key Group Properties
| Property | Description | Importance in IT environment |
|---|---|---|
| Group name | The display name of the group | Identifies the group in Azure and Microsoft 365 |
| Group type | Security or Microsoft 365 group | Security groups control access; Microsoft 365 groups provide collaboration features like Teams, SharePoint |
| Membership type | Assigned, Dynamic User, Dynamic Device | Controls how users are added to the group: manually or automatically based on rules |
| Owners | Users who can manage the group | Important for delegating group management without giving admin rights |
| Members | Users in the group | Determines access to resources |
| Description | Explains purpose of the group | Helps IT admins understand its use |
| Email alias (for Microsoft 365 groups) | Provides an email address for group communication | Useful for collaborative communication |
Managing Group Properties
- Azure Portal:
  - Navigate to Microsoft Entra → Groups → select a group → Settings.
  - Update properties like group name, description, owners, and membership type.
- PowerShell:
  - Example: Add a member to a group:

    ```powershell
    Add-AzureADGroupMember -ObjectId "<GroupObjectId>" -RefObjectId "<UserObjectId>"
    ```
- Dynamic Groups:
  - Membership can be automatically managed based on rules.
  - Example: Automatically include all users in the IT department:

    ```
    (user.department -eq "IT")
    ```
Exam Tip: Understand assigned vs dynamic groups, and security vs Microsoft 365 groups. You may be asked to choose the correct group type for a scenario.
3. Best Practices for User and Group Properties
- Keep user profiles accurate: Up-to-date job title, department, and contact info helps with reporting and conditional access.
- Use groups for access control: Assign resources and roles to groups instead of individuals.
- Use dynamic groups for automation: Automatically manage group memberships to reduce manual work.
- Limit group owners: Only assign trusted users to manage groups.
- Disable inactive accounts: Reduces security risks when a user leaves the organization.
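A read-only audit covering the group type and membership type distinctions from section 2 and the "limit group owners" practice above, as an added example that is not part of the original guide. It uses the Microsoft Graph PowerShell module; the `$maxOwners` threshold is an assumed policy value.

```powershell
# Added example (not from the guide). Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes 'Group.Read.All'

$maxOwners = 3   # Assumed review threshold, not a Microsoft default.
$props = @('id', 'displayName', 'groupTypes', 'securityEnabled', 'membershipRule')

$report = foreach ($g in Get-MgGroup -All -Property $props) {
    # 'Unified' in groupTypes marks a Microsoft 365 group.
    if ($g.GroupTypes -contains 'Unified') { $kind = 'Microsoft 365' }
    elseif ($g.SecurityEnabled) { $kind = 'Security' }
    else { $kind = 'Other' }

    # 'DynamicMembership' means members are computed from membershipRule.
    if ($g.GroupTypes -contains 'DynamicMembership') { $membership = 'Dynamic' }
    else { $membership = 'Assigned' }

    # Owners can change membership without holding an admin role.
    $ownerCount = @(Get-MgGroupOwner -GroupId $g.Id -All).Count
    if ($ownerCount -eq 0) { $flag = 'No owner' }
    elseif ($ownerCount -gt $maxOwners) { $flag = 'Too many owners' }
    else { $flag = '' }

    [pscustomobject]@{
        Group      = $g.DisplayName
        Kind       = $kind
        Membership = $membership
        Rule       = $g.MembershipRule
        Owners     = $ownerCount
        Flag       = $flag
    }
}

# Flagged groups first, then the rest.
$report | Sort-Object Flag -Descending | Format-Table -AutoSize
```

The `Rule` column shows the expression for dynamic groups, such as `(user.department -eq "IT")`; a rule starting with `device.` indicates a Dynamic Device group.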
4. How This Appears on the Exam
You should be able to:
- Identify different user properties and understand what can be edited.
- Understand different group properties, types, and membership options.
- Know how to update user and group properties using the Azure Portal (mainly) and optionally PowerShell.
- Recognize scenarios for using assigned vs dynamic groups, and security vs Microsoft 365 groups.
✅ Quick Summary Table
| Concept | Key Points |
|---|---|
| User properties | Name, UPN, email, job title, department, password, account status, group memberships |
| Group properties | Name, type (security/M365), membership (assigned/dynamic), owners, members, email alias |
| Management | Azure Portal, PowerShell, Graph API |
| Exam focus | Viewing/editing properties, group types, dynamic vs assigned membership, security vs M365 groups |
