
Technical Lab: Create users and groups

Questions

Question 1 — Multiple Choice

An administrator needs to create 300 user accounts in Microsoft Entra ID from a file exported from the HR system. The file is available in CSV format. What is the most appropriate approach to perform this operation at scale?

A. Create each user manually through the Azure portal, filling in the required fields one by one.

B. Use the bulk import feature in the Microsoft Entra ID portal, with a CSV file formatted according to the template required by Microsoft.

C. Create a PowerShell script that uses the Az.Accounts module to iterate over the CSV and create the users.

D. Use Microsoft Entra Connect to synchronize users from an on-premises Active Directory, even if the organization doesn't have an on-premises AD.


Question 2 — Technical Scenario

A development team uses the following command to create a group in Microsoft Entra ID:

az ad group create \
--display-name "DevTeam" \
--mail-nickname "devteam"

After creation, the administrator tries to add a dynamic membership rule to the group, but the option is unavailable in the portal. What is the most likely cause?

A. The az ad group create command is not supported for groups with dynamic membership.

B. The group was created with the Assigned membership type by default, and it's not possible to change this type after creation.

C. Groups created via Azure CLI cannot be managed through the Azure portal.

D. The dynamic rule requires the group to be of type Microsoft 365, but the command created a Security group.


Question 3 — True or False

A guest user created in Microsoft Entra ID through the Microsoft Entra External ID collaboration feature has, by default, the same directory read permissions as a member user of the organization.


Question 4 — Technical Scenario

An organization wants all users in the Finance department to be automatically added to the GRP-Financas group based on the department attribute filled in each user's profile. The administrator configures the group as dynamic and defines the following rule:

user.department -eq "Financas"

After a week, several users from the department report that they are not in the group. The administrator verifies that these users' profiles have the department field filled as Financas in the portal. What is the most likely cause of the problem?

A. Dynamic groups only process new users; existing users in the directory at the time of rule creation are not evaluated.

B. The department attribute is not supported in dynamic membership rules in Microsoft Entra ID.

C. The value of the department attribute in the affected profiles contains capitalization differences, extra spaces, or was filled by synchronization with a value different from what's expected in the rule.

D. The Microsoft Entra ID Free license is sufficient for dynamic groups, but there's a limit of 50 members per group in this tier.


Question 5 — Multiple Choice

When creating a new user in Microsoft Entra ID through the Azure portal, the administrator must define the UPN (User Principal Name). Which of the statements below correctly describes a real restriction associated with the UPN?

A. The UPN must be identical to the user's primary email address and cannot be changed after creation.

B. The UPN suffix must correspond to a verified domain in the Microsoft Entra ID tenant or the default onmicrosoft.com domain.

C. The UPN cannot contain the @ character and must be composed only of the user's prefix.

D. Users with UPN based on the onmicrosoft.com domain cannot authenticate in applications integrated with Microsoft Entra ID.


Answer Key and Explanations

Answer Key — Question 1

Answer: B

Microsoft Entra ID natively offers the bulk import feature directly in the portal, with support for CSV files formatted according to Microsoft's official template. This is the recommended approach for creating users at scale without depending on additional infrastructure.

Alternative C is plausible, but the correct module for managing Entra ID users via PowerShell is Microsoft.Graph or AzureAD, not Az.Accounts, which handles authentication in the CLI. Choosing this alternative would indicate confusion between Azure modules.

Alternative D is technically incorrect because Microsoft Entra Connect presupposes the existence of an on-premises Active Directory for hybrid synchronization. Using it in a purely cloud environment doesn't make architectural sense.


Answer Key — Question 2

Answer: B

When a group is created without specifying the membership type, it is created as Assigned by default. Microsoft Entra ID does not allow changing a group's membership type after its creation: an assigned group cannot be converted to dynamic, and vice versa. The correct solution is to delete the group and recreate it with the dynamic membership type from the beginning.

Alternative A is wrong because the dynamic membership type doesn't depend on the creation method (CLI, portal, or API), but rather on the correct parameter provided during creation.

Alternative D is a plausible distractor, but the group type (Security or Microsoft 365) and membership type (Assigned or Dynamic) are independent properties. Both group types support dynamic membership.


Answer Key — Question 3

Answer: False

Guest users have restricted directory permissions by default compared to member users. Specifically, guests cannot enumerate the complete list of users, groups, or other directory objects in the same way as members. This behavior is a deliberate security measure to limit exposure of internal information to external identities.

This is a critical point in collaboration scenarios: a guest can access resources they were explicitly authorized for, but doesn't have broad visibility over the tenant, unlike a regular member.


Answer Key — Question 4

Answer: C

Dynamic membership rules perform exact string comparison, including capitalization and spaces. If the attribute value in the profile was synchronized from an on-premises Active Directory with different spelling (for example, financas in lowercase, Finanças with cedilla, or Financas with trailing space), the rule user.department -eq "Financas" will not match and the user will not be included in the group.

Alternative A is wrong: dynamic groups continuously evaluate all users in the directory, not just those created after the rule.

Alternative D contains a false premise: dynamic groups require Microsoft Entra ID P1 or higher license, and there's no 50-member limit for dynamic groups in this tier.
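An added example (not part of the original lab) that takes the explanation above at its word, treating the rule as an exact string match, and audits an exported user list for department values that differ from the rule literal only by case, whitespace or accents. The sample users and all function names are constructed for illustration.

```python
import unicodedata

RULE_VALUE = "Financas"  # literal from the rule: user.department -eq "Financas"

# Constructed sample export (UPN, department); not data from the lab.
SAMPLE_USERS = [
    ("ana@contoso.example", "Financas"),
    ("bruno@contoso.example", "financas"),
    ("carla@contoso.example", "Finan\u00e7as"),  # c with cedilla
    ("davi@contoso.example", "Financas "),       # trailing space
    ("eva@contoso.example", "Marketing"),
]

def strip_marks(text):
    """Decompose the text (NFKD) and drop combining marks such as the cedilla."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))

def squash(text):
    """Trim the ends and collapse internal runs of whitespace."""
    return " ".join(text.split())

def near_miss_reasons(value, expected=RULE_VALUE):
    """[] for an exact match, None for an unrelated value, else the differences."""
    if value == expected:
        return []
    if squash(strip_marks(value)).casefold() != squash(strip_marks(expected)).casefold():
        return None
    reasons = []
    if squash(value) != value:
        reasons.append("whitespace")
    if strip_marks(value) != unicodedata.normalize("NFKD", value):
        reasons.append("diacritics")
    if squash(strip_marks(value)) != squash(strip_marks(expected)):
        reasons.append("case")
    return reasons or ["unicode form"]

def audit(users, expected=RULE_VALUE):
    """Map each UPN whose department nearly matches the rule literal to its reasons."""
    findings = {}
    for upn, department in users:
        reasons = near_miss_reasons(department or "", expected)
        if reasons:
            findings[upn] = reasons
    return findings

if __name__ == "__main__":
    for upn, reasons in audit(SAMPLE_USERS).items():
        print(f"{upn}: differs by {', '.join(reasons)}")
```

Running the audit against the HR or sync source before defining the rule shows which profiles need their department value corrected at the source.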


Answer Key — Question 5

Answer: B

The UPN suffix (the part after the @) must be a verified domain registered in the tenant or the default onmicrosoft.com domain. This ensures that Microsoft Entra ID can correctly associate the user with the tenant during authentication. Attempting to create a user with an unverified domain suffix results in an error.

Alternative A is wrong on two counts: the UPN doesn't need to be identical to the primary email, and it can be changed after creation, although this may impact active sessions and integrations.

Alternative D is wrong because the onmicrosoft.com domain is fully functional for authentication in applications integrated with Microsoft Entra ID. It is, in fact, the default domain in new tenants before verifying a custom domain.
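An added example (not part of the original lab) tying Questions 1 and 5 together: a pre-flight check that reads an HR export before bulk import and reports rows whose UPN suffix is not one of the tenant's verified domains. The column names, the domain list and the sample rows are constructed assumptions, not Microsoft's bulk-import template; the duplicate check assumes UPNs are compared case-insensitively.

```python
import csv
import io

# Assumption: the tenant's verified domains plus its default onmicrosoft.com domain.
VERIFIED_DOMAINS = {"contoso.com", "contoso.onmicrosoft.com"}

# Constructed sample export; column names are illustrative only.
SAMPLE_CSV = """displayName,userPrincipalName
Ana Lima,ana.lima@contoso.com
Bruno Reis,bruno.reis@Contoso.onmicrosoft.com
Carla Dias,carla.dias@contoso-hr.com
Davi Melo,davi.melo
Ana L.,ANA.LIMA@contoso.com
"""

def check_upn(upn, verified=VERIFIED_DOMAINS):
    """Return None if the UPN has a prefix and a verified suffix, else a reason."""
    prefix, at, suffix = upn.strip().rpartition("@")
    if not at or not prefix or not suffix:
        return "malformed: expected prefix@suffix"
    if suffix.lower() not in {d.lower() for d in verified}:
        return f"suffix '{suffix}' is not a verified domain"
    return None

def preflight(csv_text, verified=VERIFIED_DOMAINS):
    """Return (line number, UPN, problem) for every row that should not be imported."""
    seen = {}      # lower-cased UPN -> first line it appeared on
    errors = []
    rows = csv.DictReader(io.StringIO(csv_text))
    for line_no, row in enumerate(rows, start=2):  # line 1 is the header
        upn = (row.get("userPrincipalName") or "").strip()
        problem = check_upn(upn, verified)
        key = upn.lower()
        if problem is None and key in seen:
            problem = f"duplicate of line {seen[key]}"
        if problem:
            errors.append((line_no, upn, problem))
        else:
            seen[key] = line_no
    return errors

if __name__ == "__main__":
    for line_no, upn, problem in preflight(SAMPLE_CSV):
        print(f"line {line_no}: {upn!r}: {problem}")
```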