User Types
Microsoft Entra ID (Azure's cloud-based identity and access management service, formerly Azure Active Directory, which provides authentication and authorization for Microsoft cloud services) supports two fundamental user types, controlled by the UserType attribute. A Member user is an internal user with an account authoritative to your tenant, typically an employee whose identity is managed within your organization. A Guest user is an external identity invited via B2B collaboration; guest users have restricted default permissions and cannot enumerate all users or groups in the directory by default.
Users created directly inside your tenant are cloud-only users. Users synchronized from an on-premises Active Directory via Microsoft Entra Connect are synced (hybrid) users. Microsoft Entra Connect is the tool that synchronizes on-premises Active Directory objects to Microsoft Entra ID; for synced users, the source of authority remains on-premises and most attributes cannot be edited in the cloud.
External users are invited using the B2B collaboration flow, Azure's business-to-business identity feature that allows external users to authenticate using their home organization or social/OTP identity while accessing your tenant's resources. The UserType property can be switched between Member and Guest after creation; changing an external Guest to Member grants them elevated default permissions and may require additional licenses.
Group Types
| Group Type | Members | Mail-Enabled | Can be Dynamic | Primary Use |
|---|---|---|---|---|
| Security | Users, devices, service principals, groups | No | Yes | Access to resources, Conditional Access |
| Microsoft 365 | Users only | Yes | Yes | Collaboration (Teams, SharePoint, Planner) |
| Distribution | Users | Yes | No | Email distribution lists only |
| Mail-enabled Security | Users | Yes | No | Access + email notifications |
Membership Types
Assigned groups require an admin or owner to manually add and remove members; no premium license is required.
Dynamic User groups use attribute-based rules (e.g., user.department -eq "Finance") to automatically add or remove members when attributes change, which requires Microsoft Entra ID P1 or P2 licensing. They cannot have manually assigned members.
Managing Licenses
Licenses are assigned to users individually or via group-based licensing, the recommended approach at scale, where a license assigned to a group is automatically applied to every member. Group-based licensing is managed at Microsoft Entra ID → Licenses → All products.
External Users (B2B)
To invite an external user: Microsoft Entra ID → Users → + Invite external user. External guests can be added to groups and assigned Azure RBAC roles. Guest user default permissions are more restricted than member users — they cannot read all directory objects by default.
Self-Service Password Reset (SSPR)
SSPR (Self-Service Password Reset) allows users to reset or unlock their accounts without contacting the help desk. It can be enabled for None, Selected (one group), or All users in the tenant. SSPR configuration requires at least the Authentication Policy Administrator role.
Licensing requirements for SSPR:
- Cloud-only password reset/change: included in Microsoft 365 Business Standard and above, or any Entra ID P1/P2 SKU.
- On-premises password writeback (hybrid): requires Microsoft Entra ID P1 or P2 (or Microsoft 365 Business Premium).
Group Type Deep Dive
Only Security groups can contain users, devices, service principals, and nested groups. Microsoft 365 groups support users only — this distinction is heavily tested.
SSPR Authentication Methods
Administrators configure the number of authentication methods required to reset (one or two) and which methods are available:
- Mobile phone
- Authenticator app
- Security questions
- Office phone
Nested Groups and SSPR Scope
SSPR supports targeting one group at a time in the Microsoft Entra admin center. Use nested groups to encompass a larger set of users within that single group.
Exam Trap
You can target only one group at a time for SSPR in the admin center. To expand coverage, use nested groups — not multiple group selections.
Must Memorize
Dynamic group membership (attribute-based rules) always requires Microsoft Entra ID P1 or P2. Assigned groups have no premium license requirement.
Synced vs. Cloud-Only Users
| Attribute | Cloud-only | Synced (Hybrid) |
|---|---|---|
| Source of authority | Entra ID | On-premises AD |
| Editable in cloud? | Yes | Most attributes — No |
| Password managed in cloud? | Yes | Depends (writeback required) |
For synced users, most attributes must be changed on-premises; changes made directly in the cloud are overwritten on the next sync cycle.
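An added example, not part of the original page: a short audit over exported user objects that applies the User Types and synced vs. cloud-only distinctions above, flagging invited identities whose UserType is Member. The sample records are constructed, and the code assumes the export carries the Microsoft Graph user properties userType, creationType, externalUserState and onPremisesSyncEnabled.

```python
import json

# Constructed sample shaped like a Microsoft Graph /users export. The property
# names are Graph user properties; the accounts themselves are made up.
SAMPLE_EXPORT = json.loads("""[
  {"userPrincipalName": "alice@contoso.com", "userType": "Member",
   "onPremisesSyncEnabled": null, "creationType": null, "externalUserState": null},
  {"userPrincipalName": "bob@contoso.com", "userType": "Member",
   "onPremisesSyncEnabled": true, "creationType": null, "externalUserState": null},
  {"userPrincipalName": "carol_fabrikam.com#EXT#@contoso.onmicrosoft.com", "userType": "Guest",
   "onPremisesSyncEnabled": null, "creationType": "Invitation", "externalUserState": "Accepted"},
  {"userPrincipalName": "dave_fabrikam.com#EXT#@contoso.onmicrosoft.com", "userType": "Member",
   "onPremisesSyncEnabled": null, "creationType": "Invitation", "externalUserState": "Accepted"},
  {"userPrincipalName": "erin_fabrikam.com#EXT#@contoso.onmicrosoft.com", "userType": "Guest",
   "onPremisesSyncEnabled": null, "creationType": "Invitation", "externalUserState": "PendingAcceptance"}
]""")


def classify(user):
    """Return (origin, findings) for one exported user object."""
    upn = user.get("userPrincipalName") or ""
    # Invited B2B accounts carry creationType "Invitation"; the #EXT# marker in
    # the UPN is a fallback for exports that omit creationType.
    external = user.get("creationType") == "Invitation" or "#EXT#" in upn
    if external:
        origin = "external"
    elif user.get("onPremisesSyncEnabled"):
        origin = "synced"
    else:
        origin = "cloud-only"

    findings = []
    if external and user.get("userType") == "Member":
        # The case described above: an invited identity switched to Member.
        findings.append("external identity holds Member default permissions")
    if external and user.get("externalUserState") == "PendingAcceptance":
        findings.append("invitation not yet redeemed")
    if origin == "synced":
        findings.append("on-premises AD is authoritative; cloud edits are overwritten")
    return origin, findings


def audit(users):
    """Map each UPN to its (origin, findings) pair."""
    return {u["userPrincipalName"]: classify(u) for u in users}


if __name__ == "__main__":
    for upn, (origin, findings) in audit(SAMPLE_EXPORT).items():
        print(f"{upn:55} {origin:11} {'; '.join(findings) or 'ok'}")
```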
Create a New Cloud User
- Azure portal → Microsoft Entra ID → Users → + New user → Create user
- Enter User principal name (e.g., alice@contoso.com) and Display name
- Auto-generate or manually set a temporary password
- Optionally assign the user to groups and roles in the Assignments tab
- Click Review + create → Create
Invite an External (Guest) User
- Azure portal → Microsoft Entra ID → Users → + New user → Invite external user
- Enter the external email address and an optional personal message
- Click Review + invite → Invite
Create a Security Group with Dynamic Membership
- Azure portal → Microsoft Entra ID → Groups → + New group
- Set Group type to Security, enter a name
- Set Membership type to Dynamic User
- Click Add dynamic query and build the rule (e.g., user.department -eq "Finance")
- Click Save → Create
Configure SSPR
- Azure portal → Microsoft Entra ID → Password reset → Properties
- Set Self service password reset enabled to Selected or All
- If Selected: click No groups selected and choose your SSPR test group → Select
- Click Save
- Go to Authentication methods to configure number of methods required and available methods
- Go to Registration to enforce registration at next sign-in
Assign Licenses via Group
- Azure portal → Microsoft Entra ID → Licenses → All products
- Click the license product → Licensed groups → + Assign
- Select the target group → choose the service plan options → Assign
AZ-104 Exam Focus
Exam Trap
"You can enable SSPR for multiple groups simultaneously via the admin center." → You can only target one group at a time. Use nested groups to encompass a larger set of users within that single group.
Exam Trap
"Contributor role members can manage SSPR settings." → SSPR configuration requires the Authentication Policy Administrator (or Global Administrator) role. The Azure Contributor role is an RBAC role scoped to resources, not Entra ID settings.
Exam Trap
"Guest users have the same default permissions as member users." → Guest users have restricted permissions by default. They cannot enumerate all users, groups, or other directory objects unless explicitly granted.
Exam Trap
"Dynamic groups work with any Entra ID license." → Dynamic membership requires Microsoft Entra ID P1 or P2 (or Microsoft 365 E3/E5). Assigned groups have no premium license requirement.
Exam Trap
"A Microsoft 365 group can contain devices and service principals." → Microsoft 365 groups support users only. Only Security groups can contain users, devices, service principals, and nested groups.
Exam Trap
"Synced users can have their attributes edited freely in Entra ID." → For synced users, the authoritative source is on-premises AD. Most attributes must be changed on-premises; changes made directly in the cloud are overwritten on the next sync cycle.
Exam Tip
When a scenario mentions needing to manage a large set of users automatically based on their department or job title, the answer is always dynamic group with an attribute-based rule — and always requires P1 or P2.
Q: What UserType is assigned by default when a user is invited via B2B collaboration?
Q: Which group type supports containing devices, service principals, and nested groups?
Q: What license is required to use dynamic membership rules in an Entra security group?
Q: Where must you change attributes for a synced (hybrid) user whose job title is wrong in Entra ID?
Q: How many groups can be targeted by SSPR at one time in the admin center?
Q: What role is required to configure SSPR?