AZ-104 Microsoft Azure Administrator Exam

You're a great admin... on-prem. Now, become a great admin in the cloud and prove it by passing the Microsoft Certified: Azure Administrator Associate exam!

Manage Microsoft Entra users and groups

Create users and groups

Creating user accounts and groups in Microsoft Entra ID starts with understanding the different tools available. You can add users manually in the Azure portal, use PowerShell cmdlets like New-AzureADUser, or employ the Azure CLI for scripting. Bulk import is possible by uploading a CSV file, which accelerates provisioning when you have many accounts to create.
Groups help you assign permissions and policies at scale. Use security groups for access control and Microsoft 365 groups for collaboration across apps like Teams and SharePoint. You can define naming conventions to keep group names clear and consistent.
Dynamic membership rules let you include users automatically based on attributes such as department or job title. This approach reduces manual upkeep and ensures that new staff receive the right permissions from day one. Best practices include reviewing those rules regularly and documenting any changes to avoid unintended access.

Manage user and group properties

After creating users and groups, you need to edit their properties to keep your directory accurate. Key attributes include display name, user principal name (UPN), and object ID, all of which appear in the portal and are used by applications. You can also update custom attributes, such as employee ID or office location, to support reporting and automation.
Directory roles grant elevated privileges to users. Assign the User Administrator or Group Administrator roles only when necessary and follow the principle of least privilege. If you need more control, create custom roles that include only the permissions required for specific tasks.
Group properties, such as group type and membership, affect how resources are secured. Assigned groups require you to add or remove members manually, while dynamic groups use rules based on user attributes. Remember to audit changes regularly and enable alerts for unexpected modifications to group membership.

Manage licenses in Microsoft Entra ID

Managing licenses in Entra ID ensures users have access to the features they need without overspending. Licenses are packaged into SKUs—such as Azure AD Premium P1, Premium P2, or Office 365 plans—and you assign them to users or groups. Each SKU may include features like Conditional Access, risk-based identity protection, or self-service features.
Group-based licensing automates the assignment process. To implement it, follow these steps:

  • Create or select a security group.
  • Assign the desired license SKU to that group.
  • Monitor group membership to ensure the right users are included.
This method scales elegantly when adding new hires or changing departmental roles.
To optimize costs, track usage with built-in reports and revoke licenses from inactive or departed users. Review license assignments monthly to keep costs under control.
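The monthly license review described above can be scripted against exported user records. The following is an added example, not part of the original guide: it assumes each record carries the `accountEnabled` and `licenseAssignmentStates` properties of the Microsoft Graph user resource, and the function name, finding labels and sample data are constructed for illustration.

```python
def audit_licenses(users):
    """Return sorted (userPrincipalName, skuId, finding) tuples."""
    findings = []
    for u in users:
        upn, direct, via_group = u["userPrincipalName"], set(), set()
        for s in u.get("licenseAssignmentStates", []):
            if s.get("assignedByGroup"):
                via_group.add(s["skuId"])
                # The group assignment exists but did not apply cleanly.
                if s.get("state") != "Active":
                    reason = str(s.get("error") or "Other")
                    findings.append((upn, s["skuId"], "group-error:" + reason))
            else:
                direct.add(s["skuId"])
        # A direct copy stays in place after the user leaves the group,
        # so group membership no longer controls that license.
        findings += [(upn, sku, "redundant-direct") for sku in direct & via_group]
        # Disabled (departed) accounts should not keep holding licenses.
        if not u.get("accountEnabled", True):
            findings += [(upn, sku, "licensed-but-disabled")
                         for sku in direct | via_group]
    return sorted(findings)


def _state(sku, group=None, state="Active", error="None"):
    """Build one constructed licenseAssignmentStates entry."""
    return {"skuId": sku, "assignedByGroup": group, "state": state, "error": error}


# Constructed sample data; SKU-A, SKU-B and GROUP-1 stand in for real GUIDs.
SAMPLE_USERS = [
    {"userPrincipalName": "amy@contoso.example", "accountEnabled": True,
     "licenseAssignmentStates": [_state("SKU-A", "GROUP-1")]},
    {"userPrincipalName": "bob@contoso.example", "accountEnabled": True,
     "licenseAssignmentStates": [_state("SKU-A", "GROUP-1"), _state("SKU-A")]},
    {"userPrincipalName": "cat@contoso.example", "accountEnabled": True,
     "licenseAssignmentStates": [
         _state("SKU-A", "GROUP-1", state="Error", error="CountViolation")]},
    {"userPrincipalName": "dan@contoso.example", "accountEnabled": False,
     "licenseAssignmentStates": [_state("SKU-B")]},
]
```

A `CountViolation` finding means the group was assigned a SKU with no free seats left, so the affected members are in the group but unlicensed.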

Manage external users

Microsoft Entra ID supports B2B collaboration by inviting external users, known as guest users, into your directory. You can send invitations directly from the portal or automate invites via PowerShell and APIs. Guests authenticate with their own credentials, and you control their access through group memberships or direct assignments.
Once invited, you can manage guest properties and revoke access when it’s no longer needed. Use access reviews to periodically validate that external collaborators still require permissions. Conditional Access policies also apply to guests, allowing you to enforce multi-factor authentication or block sign-ins from risky locations.
Good housekeeping involves tracking guest activity, disabling stale accounts, and cleaning up expired invitations. By doing this, you maintain a secure environment and reduce the risk of unauthorized access. Document your lifecycle policies and set up alerts to identify inactive guest accounts.
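The guest housekeeping described above (stale accounts, expired invitations) can be checked over an export of user records. This is an added example, not part of the original guide: it assumes records shaped like the Microsoft Graph user resource (`userType`, `externalUserState`, `signInActivity`), and the 90-day and 30-day thresholds, function names and sample accounts are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)   # assumed inactivity threshold
INVITE_TTL = timedelta(days=30)    # assumed lifetime for unredeemed invitations

def _ts(value):
    """Parse a Graph ISO 8601 timestamp; a missing value stays None."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def review_guests(users, now):
    """Return {userPrincipalName: finding} for guest accounts that need action."""
    findings = {}
    for u in users:
        if u.get("userType") != "Guest":
            continue
        upn = u["userPrincipalName"]
        if u.get("externalUserState") == "PendingAcceptance":
            sent = _ts(u.get("externalUserStateChangeDateTime")) or _ts(u["createdDateTime"])
            if now - sent > INVITE_TTL:
                findings[upn] = "expired-invitation"
            continue
        last = _ts((u.get("signInActivity") or {}).get("lastSignInDateTime"))
        # A guest who has never signed in is aged from account creation instead.
        if now - (last or _ts(u["createdDateTime"])) > STALE_AFTER:
            findings[upn] = "stale-enabled" if u.get("accountEnabled") else "stale-disabled"
    return findings

# Constructed sample records (not real accounts).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_GUESTS = [
    {"userPrincipalName": "alice@contoso.example", "userType": "Member",
     "accountEnabled": True, "createdDateTime": "2023-01-01T00:00:00Z"},
    {"userPrincipalName": "g1#EXT#@contoso.example", "userType": "Guest",
     "accountEnabled": True, "externalUserState": "Accepted",
     "createdDateTime": "2024-02-01T00:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2025-05-20T09:00:00Z"}},
    {"userPrincipalName": "g2#EXT#@contoso.example", "userType": "Guest",
     "accountEnabled": True, "externalUserState": "Accepted",
     "createdDateTime": "2024-02-01T00:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-12-01T09:00:00Z"}},
    {"userPrincipalName": "g3#EXT#@contoso.example", "userType": "Guest",
     "accountEnabled": True, "externalUserState": "PendingAcceptance",
     "createdDateTime": "2025-03-01T00:00:00Z",
     "externalUserStateChangeDateTime": "2025-03-01T00:00:00Z"},
    {"userPrincipalName": "g4#EXT#@contoso.example", "userType": "Guest",
     "accountEnabled": False, "externalUserState": "Accepted",
     "createdDateTime": "2025-01-10T00:00:00Z"},
]
```

Accounts reported as `stale-enabled` are the ones to disable first; `stale-disabled` and `expired-invitation` entries are candidates for deletion under your documented lifecycle policy.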

Configure self-service password reset

Self-service password reset (SSPR) empowers users to reset their passwords without contacting IT, reducing support costs and downtime. To set it up, navigate to the Azure portal’s Password reset settings under Microsoft Entra ID and enable the feature for selected groups or all users. You can require registration of methods such as mobile phone, alternate email, or security questions.
Define the number of required authentication methods to strike a balance between usability and security. For example, you might require two methods if users register an email and a phone. Configure notifications to alert administrators and users whenever a password is changed.
Customize the SSPR experience by adding your organization’s branding and providing help desk contact information. Monitor SSPR usage through audit logs and reports to identify trends or potential abuse. Finally, enforce a regular review of authentication methods to ensure they remain secure and up to date.

Conclusion

In this section, we covered how to create and manage users and groups in Microsoft Entra ID, including manual and bulk provisioning methods. You learned to update key properties, assign directory roles, and maintain accurate group membership through dynamic rules. Managing licenses via SKUs and group-based licensing helps control costs while ensuring users have the right capabilities. We explored B2B collaboration with external users, highlighting invitation workflows and lifecycle management. Finally, configuring self-service password reset reduces help desk load and improves user experience. Together, these practices form a solid foundation for maintaining a secure, scalable Azure identity environment.

Study Guides for Sub-Sections

Guest Access in Azure allows external users to collaborate securely with your organization. This involves configuring who can invite guests, managing their permissions, and ensurin...

Microsoft Entra ID is a powerful tool within Azure that helps manage user identities and access permissions. It provides a framework for managing who has access to various resource...

Configuring user properties in Azure revolves around managing various attributes of user accounts within Microsoft Entra ID (formerly known as Azure Active Directory). Pro...

Self-Service Password Reset (SSPR) is a tool that allows users to reset or change their passwords without needing help from the IT department. This not only reduces the nu...

Group-based licensing in Microsoft Entra ID helps simplify how you manage licenses for users. Instead of assigning licenses to individuals, administrators can assign product licens...