
Users and Groups


Now that you understand what Microsoft Entra ID is, it’s time to build on that foundation and learn about Users and Groups.

What are users?

At its core, a user in Microsoft Entra ID is a digital identity, a record that represents a person who needs to access your organization’s resources. 

You can think of it as an account. It holds information like the person’s name, email address, and a password, and it’s what someone uses to sign in and prove who they are.

Every person in your organization that needs to access something, such as logging into an application or retrieving a file, needs a user account. Without one, Entra ID has no way of knowing who they are or what they are allowed to do.

Types of users

Long before the cloud existed, organizations managed their employees’ identities using Active Directory Domain Services (AD DS), which is a directory service Microsoft introduced in 1999.

AD DS lived entirely on-premises, running on servers inside your company’s own building. Every employee had an account in it, and it controlled who could log into company computers, access file servers, printers, internal applications, and so on. For decades, that was the standard.

Over time, however, applications started moving to the cloud, and Microsoft Entra ID was built to manage identities as a cloud service. This created a big problem for millions of organizations that had been using AD DS for years. All of their users were on-premises, and they couldn’t just make the switch to Entra ID overnight.

To solve this problem, Microsoft built a syncing mechanism between the on-premises AD DS and Entra ID in the cloud: a tool called Microsoft Entra Connect. Using this tool, organizations have a gradual path to the cloud instead of having to throw away their existing infrastructure and on-premises identities.

Because of this situation, two types of users exist inside of Entra ID: cloud-only users, and synced users.

A cloud-only user is a user that was created directly in Entra ID, for example through the Azure portal.

A synced user is a user that was created on-premises in AD DS and then synced to Entra ID through Microsoft Entra Connect.

What are groups?

Now that you know what a user is, here’s a practical problem: Your team just created a new Azure subscription for a major project, and 20 engineers need access to it so they can do their work. 

One option to solve this situation would be to open the Azure Portal, find each engineer’s account one by one, and grant them access individually. However, that’s over 20 manual operations, and the moment three new engineers join the project next week, you’re back at it again.

That’s why groups exist in Entra ID. 

A group is a container that holds a list of users. It allows you to manage access to the group instead of each person individually. With a single action, you can give access to hundreds of people.

Without a way to group engineers together, you would need to search each engineer by name, and manually assign each one access to the new application.

Group Types

There are two types of groups in Entra ID, and they are used for different purposes.

The two types of groups are Security Groups and Microsoft 365 Groups.

A security group is used for access management. It’s used to grant access to applications, distribute Entra ID Licenses, and assign Azure RBAC roles.

A Microsoft 365 group has all the capabilities of a security group, with additional functionalities on top meant for collaboration. A Microsoft 365 group can be given access to a shared mailbox in Microsoft Exchange, or it can be given access to a document library in SharePoint.

For example, if I create a Microsoft 365 group called “Engineering”, Entra ID automatically creates a new email for that group called “engineering@zerotoarchitect.com”.

I can also link users to this new MS 365 Group, and they would be able to access a shared mailbox to read emails sent to engineering@zerotoarchitect.com.

Another example is that on Microsoft Teams, I can create a new team with everyone from engineering@zerotoarchitect.com. I can also create a meeting with everyone in that group by simply inviting engineering@zerotoarchitect.com to that meeting.

Exam Insight

If an exam question asks you which type of group you need to assign Azure RBAC roles for members to inherit, the answer is security group if there is no need for the collaboration features.

Group Membership Types

Now that you are aware of users and groups, let's talk about how users end up inside a group. 

There are two main ways a user can be part of a group: assigned and dynamic.

An assigned membership means that you manually assign users to the group. You can do so for example through the Azure Portal. Removing members from the group is also manual.

For example, you add Alice into the security group “Engineers”.

A dynamic membership means that you define a rule based on which all matching users are added to the group.

For example, this rule adds every user whose department is “HR” into a security group:

user.department -eq "HR"

And here is another example of a rule that matches all employees from Sweden and whose job title is Accountant:

(user.usageLocation -eq "SE") -and (user.jobTitle -eq "Accountant")

In this example, “SE” stands for Sweden.

In order to use Dynamic Groups, each matched user needs to have an active Entra ID P1 or higher license.
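
The second rule above attached to a new dynamic security group, as an added example that is not part of the original article. It assumes the Microsoft Graph PowerShell module is installed; the display name and mail nickname are hypothetical.

```powershell
# Added example: create a dynamic security group from the article's rule.
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

$params = @{
    DisplayName                   = 'Sweden Accountants'   # hypothetical name
    Description                   = 'Accountants with usage location SE'
    MailEnabled                   = $false                 # security group, not mail-enabled
    MailNickname                  = 'sweden-accountants'   # hypothetical; required by the API even when MailEnabled is false
    SecurityEnabled               = $true
    GroupTypes                    = @('DynamicMembership') # marks the membership as rule-driven
    MembershipRule                = '(user.usageLocation -eq "SE") -and (user.jobTitle -eq "Accountant")'
    MembershipRuleProcessingState = 'On'                   # 'Paused' stores the rule without evaluating it
}
$group = New-MgGroup @params

# Read the rule back to confirm what was stored on the group.
Get-MgGroup -GroupId $group.Id `
    -Property 'id,displayName,groupTypes,membershipRule,membershipRuleProcessingState' |
    Select-Object DisplayName, GroupTypes, MembershipRule, MembershipRuleProcessingState

# Rule evaluation is asynchronous, so the list can be empty right after creation.
# Review it once populated: every listed user inherits whatever the group is granted.
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }
```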

Exam Insight

If an exam question asks you how a group can be automatically populated based on user attributes, the answer is by using a dynamic group membership with a defined rule.

Nested Groups

A great feature to know about Groups is that they can be nested. This is useful when you want to create a hierarchy inside your organization.

For example, you can have a group with “All Engineers” and two subgroups “Australia Engineers” and “Canada Engineers”.

In order to nest groups, you need to add one group as a member of another group. For example, adding “Australia Engineers” as a member of “All Engineers”.

Besides organization and hierarchy, nested groups are also useful to manage access at scale. All permissions of the parent group are inherited by all nested groups. For example, once “Australia Engineers” is added to the “All Engineers” group, it receives access to everything the “All Engineers” group has access to.

However, there is an important point to remember regarding group inheritance: Entra ID licenses are not inherited. This means that if you assign a group-based license to “All Employees”, it is not automatically available to those in “Canada Engineers”.

Exam Insight

A common exam trap question asks you why users don’t have access to their licenses, even though the licenses have been assigned to a parent group. The most likely cause is that the target users are inside a nested group, and they will not be able to access those licenses. Answer with “Licenses assigned to a group are not inherited through nested groups”.
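
One way to find the users caught by this trap, as an added example that is not part of the original article. It assumes the Microsoft Graph PowerShell module and that the parent group “All Engineers” from the example above carries a group-based license.

```powershell
# Added example: list users who reach a licensed group only through nesting.
Connect-MgGraph -Scopes 'Group.Read.All', 'User.Read.All'

$parentName = 'All Engineers'   # assumption: the licensed parent group
$parent = Get-MgGroup -Filter "displayName eq '$parentName'" `
    -Property 'id,displayName,assignedLicenses'
if (@($parent).Count -ne 1) { throw "Expected exactly one group named '$parentName'." }

# Keep only user objects; members can also be groups or devices.
$isUser = { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }

# Direct members receive the group's licenses.
$directIds = @(Get-MgGroupMember -GroupId $parent.Id -All |
    Where-Object $isUser | ForEach-Object Id)

# Transitive members include users who arrive through nested groups.
$transitive = @(Get-MgGroupTransitiveMember -GroupId $parent.Id -All |
    Where-Object $isUser)

# Users present only through a nested group do not get the parent's licenses.
$nestedOnly = $transitive | Where-Object { $_.Id -notin $directIds }

$groupSkus = @($parent.AssignedLicenses.SkuId)
foreach ($user in $nestedOnly) {
    # Licenses the user actually holds, from any source.
    $userSkus = @((Get-MgUserLicenseDetail -UserId $user.Id).SkuId)
    [pscustomobject]@{
        UserPrincipalName = $user.AdditionalProperties['userPrincipalName']
        MissingSkuIds     = ($groupSkus | Where-Object { $_ -notin $userSkus }) -join ', '
    }
}
```

A user with an empty MissingSkuIds column already holds the same licenses from another source, such as a direct assignment.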

What to remember for your exam

  • Microsoft Entra Connect is used to sync users from on-premises to the cloud

  • There are two types of users in Entra ID: synced users (coming from on-premises) and cloud-only users.

  • There are two types of groups in Entra ID: security groups and MS 365 groups

  • Security groups are used to grant roles to Azure resources

  • MS 365 groups are used to grant users access to collaborative resources such as SharePoint or MS Teams

  • There are two group membership types: assigned and dynamic

  • Dynamic group memberships allow you to define rules by which users are automatically assigned to the group

  • Licenses are not inherited from parent groups

Alexandru Tepes

Author

Software Engineer, Tech Educator & Founder. 6x Microsoft + AWS Certified. Helping you go from Zero to Certified Cloud Architect.

Published on 5/5/2026
