Users, Groups & Licensing

Users, groups, and licenses — the foundation

Simple explanation

Think of your M365 tenant as a theme park.

Users are the visitors — each person has a unique ticket (account). Licenses are the wristbands that unlock different rides — a basic wristband gets you the free rides (Exchange, Teams), a premium wristband adds the VIP experiences (Copilot, advanced compliance).

Groups are tour groups — instead of giving each visitor their wristband individually, you say “everyone in the Marketing tour group gets the premium wristband.” When a new person joins the tour, they automatically get the wristband too.

And admin roles are like staff badges — the park manager can do everything, but the ride operator can only manage their specific ride.

Group types in Microsoft 365

Group types in Microsoft 365
Feature	Purpose	Best For
Microsoft 365 Group	Collaboration + shared resources	Teams, projects, departments
Security group	Access control + license assignment	Permissions, CA policies, license groups
Mail-enabled security group	Security + email distribution	Groups that need both permissions AND email
Distribution group	Email distribution only	Email lists (all-staff@, marketing@)

Exam tip: When the question says “assign Copilot licenses to a department” → use a security group or M365 Group with group-based licensing. When it says “send email to all staff” → use a distribution group. Know the difference.

How licensing works

License hierarchy

Microsoft 365 E5 (the plan)
├── Exchange Online (email)
├── SharePoint Online (files)
├── Teams (collaboration)
├── Microsoft Entra ID P2 (premium identity)
├── Microsoft Purview (compliance)
├── Microsoft Defender (security)
└── ...plus 20+ more services

Each plan includes specific service plans (individual features). Admins can toggle individual service plans on/off per user if needed.

Microsoft 365 Copilot — an add-on license

Copilot is NOT included in E3/E5 — it’s a separate add-on license (Microsoft 365 Copilot) that requires a qualifying base plan (M365 Business Standard/Premium, E3, or E5).

Scenario: Maya licenses Northwave

Northwave’s 500 employees:

Role	Count	License	Copilot?
Knowledge workers	200	M365 E5	✅ Copilot add-on (monthly)
Field engineers	50	M365 E3	✅ Copilot add-on (pay-as-you-go)
Frontline staff	200	M365 F3	❌ No Copilot
Executives	10	M365 E5	✅ Copilot add-on (monthly)
Contractors	40	M365 E3	❌ No Copilot

Maya uses security groups for each category → assigns licenses at the group level → new hires automatically get the right license.

Admin roles — RBAC

The exam tests whether you know: don’t give everyone Global Admin.

Common Microsoft 365 admin roles
Feature	What They Can Do	Use Case
Global Administrator	Everything — full control over the entire tenant	Only 2-3 people (break-glass accounts)
User Administrator	Create/manage users, reset passwords, manage groups	Helpdesk, IT support
License Administrator	Assign and manage licenses	IT ops, procurement
Exchange Administrator	Manage Exchange Online settings	Email admin
SharePoint Administrator	Manage SharePoint sites and settings	Site admin
Teams Administrator	Manage Teams settings, policies, channels	Teams admin
Security Administrator	Manage security policies, Defender settings	Security team
Compliance Administrator	Manage Purview compliance features	Compliance officer
Billing Administrator	Manage billing, subscriptions, invoices	Finance/procurement

Least privilege — the golden rule

Never give more access than needed. This is tested in every security-related exam question.

Bad: Everyone in IT is a Global Admin Good: Maya = User Admin + License Admin. Jordan (CISO) = Security Admin. Priya = Compliance Admin. Only the CTO has Global Admin (and a break-glass account).

Why it matters: A compromised Global Admin account can wipe the entire tenant. A compromised User Admin can only reset passwords. Limit the blast radius.

Where to assign: M365 admin center → Users → Active users → Manage roles. Or Microsoft Entra admin center → Roles and administrators.

🎬 Video walkthrough

Flashcards

Question

What's the difference between a Microsoft 365 Group and a security group?

Click or press Enter to reveal answer

Answer

M365 Group = collaboration (includes a shared mailbox, SharePoint site, Planner, and more). Security group = access control (used for permissions, conditional access, and license assignment). Security groups don't create shared resources.

Click to flip back

Question

Is Microsoft 365 Copilot included in M365 E3 or E5?

Click or press Enter to reveal answer

Answer

No — Copilot is a separate add-on license that requires a qualifying base plan (Business Standard/Premium, E3, or E5). You must purchase and assign it separately.

Click to flip back

Question

Why should you avoid making everyone a Global Administrator?

Click or press Enter to reveal answer

Answer

Least privilege principle — Global Admins have full control over the entire tenant. A compromised Global Admin account could wipe everything. Give specific roles (User Admin, License Admin, etc.) to limit the blast radius.

Click to flip back

Knowledge Check

Northwave needs to assign Microsoft 365 E5 licenses to all 200 knowledge workers. New hires should automatically get the license. What's the best approach?

Knowledge Check

Maya needs to manage Exchange Online settings but should NOT have access to SharePoint or Teams admin functions. Which role should she be assigned?

Next up: Zero Trust — the security philosophy that Microsoft 365 is built on, and why it matters for every admin decision.