Manage Microsoft Entra Users, Groups, and SSPR for AZ-104
Learn the user, group, licensing, guest-access, and self-service password reset decisions that matter for AZ-104.
AZ-104 expects you to handle common identity administration tasks without turning every request into a manual one-off. That means understanding how users, groups, licenses, guest users, and self-service password reset fit together as an operating model, not as isolated features.
What the exam is checking
The official study guide calls out creating users and groups, managing their properties, managing licenses, handling external users, and configuring self-service password reset. The exam angle is practical: which identity object should exist, who should manage it, and which setting reduces routine admin work without weakening control.
First-pass mental model
Users represent identities. Groups help you scale administration. Licenses and access assignments usually become easier to manage when they follow group membership instead of individual exceptions. Guest users solve collaboration needs, but they still need boundaries around what they can see and do. SSPR reduces ticket load, but only if registration and authentication methods are configured in a way your organization can actually support.
Where candidates get trapped
The common misses are choosing the wrong group type, forgetting that external users are still identities you must govern, and treating SSPR as a checkbox instead of a workflow. Another frequent mistake is assuming licensing and role assignment are the same problem. They are not. A license unlocks capability. RBAC governs Azure actions.
Lab moves worth practicing
- create a user and place it in a security group
- invite one guest user and inspect the resulting account state
- assign or review licenses in Microsoft Entra ID
- enable SSPR and verify which users are in scope
Fast chooser
| Need | Strongest first choice | Why |
|---|---|---|
| Reuse access or licensing across many people | Security group | Scales better than user-by-user assignments |
| Invite a partner into a controlled collaboration path | Guest user | Keeps identity external while still governable |
| Reduce routine password-reset tickets | SSPR | Shifts low-risk admin work to the user when configured correctly |
| Handle a one-off exception forever | Avoid this if possible | AZ-104 generally rewards repeatable administration over special cases |
Group-based operating model
| Admin problem | Stronger pattern | Weaker pattern |
|---|---|---|
| Assign the same license set to many users | Group-based licensing | Manual per-user licensing |
| Grant repeated access to the same Azure resources | Add users to the right group and govern from there | Rebuild individual assignments every time |
| Support external collaboration | Invite and govern guest users deliberately | Create shared internal accounts |
The exam logic is consistent here: if the task repeats, Microsoft usually prefers the operating model that reduces repetitive manual administration.
User and group properties are part of the objective, not trivia
The official study guide does not only say “create users and groups.” It also says manage user and group properties. That usually means reading a scenario and knowing which identity attribute or membership boundary matters operationally.
- user properties affect how the identity is administered and recognized
- group membership affects how access and licensing scale
- external users are still identities you must review and govern, not temporary exceptions you stop thinking about
If the exam scenario sounds administrative rather than architectural, ask which property or membership change is being requested before you jump to roles or resource permissions.
Quiz
After this page, move into Azure RBAC and Scope. That is where identity administration turns into actual Azure authorization.