Managing Users & Groups

Users and groups — the building blocks

User management essentials

Creating users

Two paths to create a user:

1. Entra admin center → Users → New user → fill in properties
2. PowerShell → New-MgUser command (for automation)

Key user properties:

Property	Required?	Example
User principal name (UPN)	Yes	jake@coastlinecreative.co.nz
Display name	Yes	Jake Torres
Password	Yes (initial)	Auto-generated or manually set
Job title	No	IT Administrator
Department	No	Technology
Usage location	Yes (for licensing)	NZ, US, AU
Account enabled	Yes	True / False

💡 Exam tip: usage location is mandatory for licensing

You cannot assign a licence to a user without a usage location set. This catches many admins off-guard — they create users, try to assign M365 licences, and get an error.

Why? Microsoft needs to know the user’s country for legal and service availability reasons (some features aren’t available in all regions).

User types

Type	Source	Managed Where	Example
Cloud user	Created in Entra ID	Entra admin center	New hire at cloud-only org
Synced user	Created in on-prem AD	On-prem AD (changes sync up)	Employee at hybrid org
Guest user	Invited via B2B	External (home tenant)	Contractor from another company

Group types — security vs M365

Feature	Security Group	Microsoft 365 Group
Primary purpose	Control access to resources	Collaboration (mailbox, SharePoint, Teams)
Members	Users, devices, service principals, other groups	Users only
Shared mailbox
SharePoint site
Teams team		Can be Teams-enabled
Can assign licences
Can scope CA policies
Dynamic membership
Nesting (groups in groups)

Membership types

Type	How Members Are Added	Best For
Assigned	Manually add/remove members	Small, stable groups
Dynamic user	Automatic based on user attribute rules	Department-based groups (e.g., all Finance users)
Dynamic device	Automatic based on device attributes	Device management groups (e.g., all Windows 11 devices)

Dynamic membership rule example: user.department -eq "Finance" -and user.country -eq "NZ"

This automatically adds all NZ-based Finance users to the group. When someone transfers out of Finance, they’re automatically removed.

Custom security attributes

Custom security attributes are business-specific metadata you attach to users and applications. They’re like custom columns you add to a spreadsheet.

Why they matter:

• Tag users with business-relevant data (project codes, clearance levels, cost centres)
• Use attributes in Conditional Access policies or entitlement management
• Data is stored securely — only users with the Attribute Assignment Administrator role can read/write them

Structure:

• Attribute set = a category (e.g., “HR” or “Security”)
• Attribute definition = a specific attribute within the set (e.g., “ClearanceLevel”)
• Attribute value = the value assigned to a user (e.g., “Top Secret”)

ℹ️ Scenario: Priya tags clinical staff at Meridian Health

Priya creates a custom security attribute set called “Clinical” with attributes:

• ClearanceLevel: “Standard”, “Elevated”, “Critical”
• Ward: “Emergency”, “Paediatrics”, “Surgery”, etc.

She then creates a Conditional Access policy: IF user’s ClearanceLevel is NOT “Critical” → THEN block access to the patient records app from unmanaged devices.

Why not use groups? Groups are binary (you’re in or out). Custom attributes are multi-valued and more flexible — a user can have ClearanceLevel=Elevated AND Ward=Emergency simultaneously, enabling fine-grained access control.

Bulk operations — don’t click 500 times

When you need to create, invite, or delete many users at once, use bulk operations.

Entra admin center approach:

1. Download the CSV template from Users → Bulk operations
2. Fill in user details (one row per user)
3. Upload the CSV → Entra processes it

PowerShell approach (more powerful):

# Bulk create users from CSV
$users = Import-Csv -Path "NewHires.csv"
foreach ($user in $users) {
    New-MgUser -DisplayName $user.Name `
               -UserPrincipalName $user.UPN `
               -PasswordProfile @{ Password = $user.TempPassword } `
               -UsageLocation $user.Location `
               -AccountEnabled
}

💡 Exam tip: bulk operation types

The Entra admin center supports these bulk operations via CSV:

• Bulk create — create new users
• Bulk invite — invite external/guest users
• Bulk delete — delete users
• Download users — export user list

PowerShell (Microsoft Graph PowerShell SDK) is more flexible — you can bulk-update properties, assign licences, add to groups, and chain operations together.

🎬 Video walkthrough

Flashcards

Question

What is the difference between a security group and a Microsoft 365 group?

Click or press Enter to reveal answer

Answer

Security groups control access to resources (apps, policies). M365 groups create collaboration spaces — a shared mailbox, SharePoint site, and optionally a Teams team. Both support dynamic membership and licence assignment.

Click to flip back

Question

What are custom security attributes in Entra ID?

Click or press Enter to reveal answer

Answer

Business-specific metadata (like clearance levels or project codes) attached to users and applications. Organised into attribute sets and definitions. Can be used in Conditional Access policies and entitlement management. Require Attribute Assignment Administrator role to manage.

Click to flip back

Question

Why must you set a usage location before assigning a licence?

Click or press Enter to reveal answer

Answer

Microsoft requires a usage location (country) to determine service availability and comply with regional legal requirements. Without it, licence assignment fails.

Click to flip back

Question

What is dynamic group membership?

Click or press Enter to reveal answer

Answer

Members are automatically added or removed based on attribute rules (e.g., department = Finance AND country = NZ). When a user's attributes change, their group memberships update automatically.

Click to flip back

Knowledge Check

Knowledge Check

Jake needs to create 30 new user accounts for a batch of freelancers joining Coastline Creative next month. He wants to do this quickly without clicking through the Entra admin center 30 times. What's the most efficient approach?

AUse the bulk create feature in the Entra admin center with a CSV fileBAsk each freelancer to create their own account via self-service sign-upCCreate a PowerShell script but only run it after getting Global Admin approvalDCreate each user manually — there's no bulk option in Entra ID

Check Answer

Knowledge Check

Priya wants to automatically group all Meridian Health employees in the Surgery department into a security group for targeted Conditional Access policies. Which membership type should she use?

AAssigned membership — manually add each Surgery employeeBMicrosoft 365 group with manual membershipCDynamic user membership with rule: user.department -eq 'Surgery'DDynamic device membership based on device names

Check Answer

Knowledge Check

Anika's client wants to use custom security attributes to tag users with a 'ProjectCode' and then use that attribute in Conditional Access policies. What must they do first?

AUpgrade to Microsoft Entra ID Free tierBCreate a new custom Entra role called 'Project Manager'CInstall the Microsoft Graph PowerShell module on every user's deviceDCreate an attribute set and define the 'ProjectCode' attribute within it

Check Answer

---

Next up: Device Registration & Licensing — manage how devices join your tenant and assign the right licences to the right people.