Manage Microsoft Entra users and groups
📘Microsoft Certified: Azure Administrator Associate (AZ-104)
Managing users and groups is one of the core responsibilities of an Azure Administrator. In the Microsoft cloud environment, Microsoft Entra ID (formerly Azure Active Directory) is the identity and access management service. It stores users, groups, devices, applications, roles, and access policies for all Azure and Microsoft 365 resources.
This section focuses specifically on how to create users and groups, what each option means, and what you must understand for the AZ-104 exam.
⭐ 1. Creating Users in Microsoft Entra ID
You can create users in three main ways:
✔ 1.1. Create Users Manually (Portal)
The most common method for beginners, and the one the exam focuses on.
Steps:
- Sign in to the Azure portal.
- Go to Microsoft Entra ID.
- Select Users → All users → New user → Create user.
When creating a new user, understand the following fields:
Key Fields in User Creation
| Setting | Description |
|---|---|
| User principal name (UPN) | The login name (e.g., user@contoso.com). Must be unique. |
| Display name | The visible full name of the user. |
| Password | You can auto-generate or manually create a password. User must change password at first sign-in unless disabled. |
| Groups | You can add the user to multiple groups at creation time. |
| Roles | Assign Azure AD roles (e.g., User Administrator). This is not Azure RBAC (subscription roles). |
| Job info (Optional) | Department, job title—used for administration and automation. |
| Identity settings | You can choose to block the sign-in for newly created users. |
✔ 1.2. Important User Settings (Exam Focus)
| Setting | Exam Importance |
|---|---|
| Block sign-in | Prevents login but keeps the account; may be used for temporary employees. |
| Usage location | Required for enabling services like Microsoft 365 licenses. |
| Directory roles | Assign Entra ID roles such as Global Administrator, Security Administrator. |
✔ 1.3. Creating Users with PowerShell
AZ-104 expects you to know the basic command (AzureAD module):

```powershell
# Build the password profile object first; -MailNickName is also a required parameter of New-AzureADUser.
$pass = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile -Property @{ Password = "Password123!" }
New-AzureADUser -DisplayName "John Test" -PasswordProfile $pass -UserPrincipalName "john@contoso.com" -MailNickName "john" -AccountEnabled $true
```
Or with Microsoft Graph PowerShell:

```powershell
# Graph requires -MailNickname; -AccountEnabled is a switch, and ForceChangePasswordNextSignIn forces a reset of the initial password.
New-MgUser -DisplayName "John Test" -UserPrincipalName "john@contoso.com" -MailNickname "john" -PasswordProfile @{ Password = "Password123!"; ForceChangePasswordNextSignIn = $true } -AccountEnabled
```
✔ 1.4. Creating Users with Azure CLI
```bash
az ad user create --display-name "John Test" --user-principal-name "john@contoso.com" --password "Password123!"
```
⭐ 2. Creating Groups in Microsoft Entra ID
Groups are used to manage access for multiple users at once.
There are two main types of groups:
2.1. Security Groups
Purpose:
Used to manage access to Azure resources, Microsoft 365 resources, applications, and policies.
Examples in an IT environment:
- A Security Group can grant access to an Azure Storage Account.
- A Security Group can apply conditional access policies to multiple users.
- A Security Group can assign roles using Azure RBAC.
Exam Tip:
Security groups cannot be used for email distribution unless mail-enabled.
2.2. Microsoft 365 Groups (M365 Groups)
Purpose:
Used to provide collaboration tools to a team.
When you create a Microsoft 365 group, you automatically get:
- Microsoft 365 shared mailbox
- SharePoint site
- Planner
- Teams integration
- Shared calendar
Exam Tip:
M365 Groups require a valid usage location and Microsoft 365 license.
⭐ 3. Group Membership Types
When creating a group, you must select the membership type:
✔ 3.1. Assigned
- Users are manually added by an admin.
- Most commonly used in Azure RBAC and conditional access policies.
✔ 3.2. Dynamic User
- Membership is based on rules.
- The system automatically includes users who match the rule.
Example:
Add all users whose department equals "IT":

```text
(user.department -eq "IT")
```
Used for:
- Automatically assigning licenses
- Grouping employees by department
- Applying policies based on job roles
✔ 3.3. Dynamic Device
- Automatically groups devices based on attributes.
- Example: all Windows 11 devices.
This is very useful in device management environments using Intune.
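The rule syntax used in 3.2 and 3.3 is easier to reason about when you can run a rule against sample objects and see who lands in the group. The following is an added example, not code from this page or from Microsoft: a toy Python parser and evaluator for a subset of the dynamic membership rule grammar (-eq, -ne, -startsWith, -notStartsWith, -contains, -notContains, -and, -or, -not, parentheses, and the literals true/false/null), run over constructed sample users and devices. Two assumptions are built in and marked in the code: string comparisons are case-insensitive, and -not binds tighter than -and, which binds tighter than -or (in real rules, use parentheses rather than relying on precedence). The sample user and device dictionaries are invented for the demo; the attribute names department, jobTitle, accountEnabled, deviceOSType and deviceOSVersion are the ones dynamic rules use.

```python
import re

# Constructed sample directory objects for this demo; not real tenant data.
USERS = [
    {"upn": "alice@contoso.com", "department": "IT", "jobTitle": "Engineer", "accountEnabled": True},
    {"upn": "bob@contoso.com", "department": "it", "jobTitle": "Helpdesk", "accountEnabled": True},
    {"upn": "carol@contoso.com", "department": "HR", "jobTitle": "Recruiter", "accountEnabled": True},
    {"upn": "dave@contoso.com", "department": None, "jobTitle": "Contractor", "accountEnabled": False},
]
DEVICES = [  # Windows 11 builds report an OS version beginning "10.0.22"
    {"name": "LAPTOP-01", "deviceOSType": "Windows", "deviceOSVersion": "10.0.22631.3000"},
    {"name": "LAPTOP-02", "deviceOSType": "Windows", "deviceOSVersion": "10.0.19045.4000"},
]

TOKEN_RE = re.compile(r'(?P<ws>\s+)|(?P<lparen>\()|(?P<rparen>\))|"(?P<string>[^"]*)"'
                      r'|(?P<op>-[A-Za-z]+)|(?P<ident>[A-Za-z_][\w.]*)|(?P<error>.)')
LITERALS = {"true": True, "false": False, "null": None}
COMPARISONS = {"-eq", "-ne", "-startswith", "-notstartswith", "-contains", "-notcontains"}

def tokenize(rule):
    """Split a rule into (kind, text) tokens; any character outside the grammar is an error."""
    tokens = []
    for m in TOKEN_RE.finditer(rule):
        if m.lastgroup == "error":
            raise ValueError(f"unexpected character {m.group()!r} at offset {m.start()}")
        if m.lastgroup != "ws":
            tokens.append((m.lastgroup, m.group(m.lastgroup)))
    return tokens

class RuleParser:  # recursive descent over the token list; builds a small tuple-based tree
    def __init__(self, rule):
        self.toks, self.i = tokenize(rule), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def is_op(self, name):
        return self.peek()[0] == "op" and self.peek()[1].lower() == name
    def take(self, kind):
        tok = self.peek()
        if tok[0] != kind:
            raise ValueError(f"expected {kind}, got {tok}")
        self.i += 1
        return tok[1]
    def parse(self):
        node = self.parse_expr()
        if self.peek()[0] is not None:
            raise ValueError(f"trailing tokens: {self.toks[self.i:]}")
        return node
    def parse_expr(self):  # assumed precedence: -or lowest, then -and, then -not (use parentheses in real rules)
        return self.parse_binary("-or", lambda: self.parse_binary("-and", self.parse_unary))
    def parse_binary(self, op, sub):  # left-associative chain of one logical operator
        node = sub()
        while self.is_op(op):
            self.i += 1
            node = (op[1:], node, sub())
        return node
    def parse_unary(self):
        if self.is_op("-not"):
            self.i += 1
            return ("not", self.parse_unary())
        if self.peek()[0] == "lparen":
            self.i += 1
            node = self.parse_expr()
            self.take("rparen")
            return node
        prop, op = self.take("ident"), self.take("op").lower()  # e.g.  user.department -eq
        if op not in COMPARISONS:
            raise ValueError(f"unsupported comparison operator {op} after {prop}")
        return ("cmp", prop, op, self.parse_value())
    def parse_value(self):
        kind, text = self.peek()
        if kind == "string" or (kind == "ident" and text.lower() in LITERALS):
            self.i += 1
            return text if kind == "string" else LITERALS[text.lower()]
        raise ValueError(f"expected a quoted string, true, false or null, got {self.peek()}")

def compare(actual, op, expected):
    a = actual.lower() if isinstance(actual, str) else actual  # assumption: strings compare case-insensitively
    e = expected.lower() if isinstance(expected, str) else expected
    if op in ("-eq", "-ne"):
        return (a == e) == (op == "-eq")
    if not isinstance(a, str) or not isinstance(e, str):
        return False  # a null or non-string attribute never satisfies a string test
    if op in ("-startswith", "-notstartswith"):
        return a.startswith(e) == (op == "-startswith")
    return (e in a) == (op == "-contains")

def evaluate(node, obj):
    kind = node[0]
    if kind == "cmp":  # node[1] is "user.department" / "device.deviceOSType"; drop the prefix
        return compare(obj.get(node[1].split(".", 1)[-1]), node[2], node[3])
    if kind == "not":
        return not evaluate(node[1], obj)
    left, right = evaluate(node[1], obj), evaluate(node[2], obj)
    return (left and right) if kind == "and" else (left or right)

def members(rule, objects, key):
    """Return the key of each object the rule admits: the group's computed membership."""
    tree = RuleParser(rule).parse()
    return [o[key] for o in objects if evaluate(tree, o)]

def validate_rule(rule):
    """True if the rule parses under this grammar; run before pushing a rule to the tenant."""
    try:
        RuleParser(rule).parse()
        return True
    except ValueError:
        return False
```

Running `members('(user.department -eq "IT")', USERS, "upn")` returns alice and bob (dave, whose department is unset, only matches `(user.department -eq null)`), and `members('(device.deviceOSType -eq "Windows") -and (device.deviceOSVersion -startsWith "10.0.22")', DEVICES, "name")` picks out the Windows 11 laptop. `validate_rule` catches the mistakes that otherwise only surface after the rule is saved: an unbalanced parenthesis, a missing value, or `-and` used where a comparison operator belongs. Pass the rule to it in its plain form; the doubled quotes in a PowerShell `-MembershipRule "(user.department -eq ""IT"")"` argument are only PowerShell's way of escaping quotes inside a double-quoted string.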
⭐ 4. Creating Groups via the Portal
Steps:
- Go to Microsoft Entra ID.
- Select Groups → New Group.
- Configure:
| Setting | Description |
|---|---|
| Group type | Security or Microsoft 365 |
| Group name | Must be unique |
| Group description | Helps admins identify the group purpose |
| Membership type | Assigned, Dynamic User, or Dynamic Device |
| Owners | Users who can manage the group |
| Members | Initial users in the group |
⭐ 5. Group Creation via PowerShell
Using AzureAD:

```powershell
New-AzureADGroup -DisplayName "HR Team" -MailEnabled $false -SecurityEnabled $true -MailNickname "HRTeam"
```

Using Microsoft Graph:

```powershell
New-MgGroup -DisplayName "HR Team" -SecurityEnabled -MailEnabled:$false -MailNickname "HRTeam"
```

For dynamic groups, you must include the rule, set the group type to DynamicMembership, and switch rule processing on (MailNickname is required for every group):

```powershell
New-MgGroup -DisplayName "IT Users" -MailNickname "ITUsers" -MailEnabled:$false -SecurityEnabled `
    -GroupTypes "DynamicMembership" `
    -MembershipRule "(user.department -eq ""IT"")" `
    -MembershipRuleProcessingState "On"
```
⭐ 6. Group Creation via Azure CLI
```bash
az ad group create --display-name "HR Team" --mail-nickname "HRTeam"
```
⭐ 7. Understanding Group Ownership (Exam Key Area)
Every group must have at least one owner (except if restricted by policy).
Owners can:
- Add or remove members
- Modify group settings
- Manage group lifecycle
- Approve access requests (if self-service is enabled)
Owners do not have the ability to manage Azure resources unless given Azure RBAC roles.
⭐ 8. Azure RBAC vs Entra Roles (Critical Exam Point)
| Azure RBAC | Microsoft Entra Roles |
|---|---|
| Controls access to Azure resources (VMs, storage, networking) | Controls access to Entra features (user management, group management, identity settings) |
| Example role: Reader, Contributor, Owner | Example role: User Administrator, Global Administrator |
| Can be assigned to security groups | Cannot be assigned to Microsoft 365 groups |
| Used at subscription, resource group, or resource level | Used at directory level |
Many exam questions test your ability to distinguish between these two.
⭐ 9. Self-Service Group Management
Microsoft Entra allows users to create and manage groups (if enabled).
Admins can configure:
- Who is allowed to create groups
- Whether users can request membership
- Approval workflows for membership requests
This is managed via:
Microsoft Entra ID → Groups → General → Self-service group management.
⭐ 10. Licensing Requirements (Important for Exams)
| Feature | License |
|---|---|
| Dynamic groups | Entra ID P1 |
| Group-based licensing | Entra ID P1 |
| Privileged Identity roles | Entra ID P2 |
⭐ 11. Common IT Use Cases (Relevant for Exam)
✔ Organizing users by department
Dynamic groups auto-assign users to IT, HR, Finance, etc.
✔ Assigning access to resources
Security groups assigned to:
- Storage accounts
- Databases
- VM access
- Applications (Enterprise Apps)
✔ Applying Conditional Access
Groups can be included or excluded from policies.
✔ Automation with PowerShell and Microsoft Graph
Used in large enterprises to quickly onboard users.
⭐ 12. What You Must Remember for the AZ-104 Exam
✔ Security Groups = For access control
✔ Microsoft 365 Groups = For collaboration
✔ Dynamic Groups = Based on rules
✔ Need Entra ID P1 for dynamic membership
✔ Usage location must be set before license assignment
✔ Group owners manage members
✔ Azure RBAC ≠ Entra ID roles
✔ PowerShell and CLI commands appear in questions
✔ Know how to create users and groups from the portal
✅ Conclusion
Creating users and groups in Microsoft Entra ID is a core skill for Azure Administrators. The exam expects you to understand:
- How to create users
- How to create security and Microsoft 365 groups
- How membership works
- How dynamic rules function
- The difference between Azure RBAC and Entra roles
- How to automate user/group management
This knowledge is essential for managing identities and controlling access within Azure.
