Technical Lab: Manage licenses in Microsoft Entra ID
Questions
Question 1 - Multiple Choice
An organization has 500 users in Microsoft Entra ID. The administrator needs to assign Microsoft 365 E3 licenses to all of them in a scalable way, ensuring that new users added to a specific group automatically receive the license.
Which approach meets this requirement?
A. Assign licenses individually to each user through the Microsoft Entra ID portal, repeating the process whenever a new user is created.
B. Create a security group in Microsoft Entra ID, enable group-based license assignment and associate the product to the group.
C. Create a Microsoft 365 group and assign the license directly to the group through the Exchange admin center.
D. Use a Microsoft Entra Conditional Access policy to automatically apply the license when the user logs in for the first time.
Question 2 - Technical Scenario
An administrator configured group-based license assignment. After adding 200 users to the group, they notice that some users appear with error status in license assignment. Upon investigation, they find the following message in the portal:
License assignment error: MutuallyExclusiveViolation
What is the most likely cause of this behavior?
A. The affected users already have a license for the same product assigned directly, creating version conflicts.
B. The group exceeded the maximum member limit allowed for group-based license assignment.
C. The affected users already have another assigned license that contains a service plan incompatible with the product being assigned by the group.
D. The tenant reached the total limit of purchased licenses and there are no available seats for the remaining users.
Question 3 - True or False
When a license is assigned to a user through a group in Microsoft Entra ID, removing the user from the group immediately removes access to services covered by that license, without a grace period or data retention for the subscription duration.
True or False?
Question 4 - Technical Scenario
A company purchased Microsoft Entra ID P2 licenses to enable Microsoft Entra Privileged Identity Management (PIM). The administrator assigned the licenses to the correct group, but when trying to activate an eligible role in PIM, certain users receive a message that the feature is not available for their accounts.
After checking, the administrator confirms that these users are in the licensed group. What is the most likely configuration error?
A. Microsoft Entra PIM requires the license to be assigned directly to the user, not through a group.
B. The users don't have a Microsoft Entra ID role assigned, which blocks activation regardless of licensing.
C. The Microsoft Entra ID P2 license hasn't yet propagated to the affected users, as the group synchronization process can take up to 24 hours.
D. The tenant needs at least one Microsoft Entra ID P2 license assigned to the global administrator account for PIM to work for other users.
Question 5 - Multiple Choice
An administrator needs to identify which users in the tenant have assigned licenses but have never used any of the enabled services in the last 90 days, with the goal of recovering idle seats.
Which Microsoft Entra ID feature provides this information natively?
A. Microsoft Entra ID audit reports, filtering "license assigned" type events without subsequent login events.
B. License usage dashboard available in Microsoft Entra ID > Licenses > All products, with user activity filter.
C. Access and usage reports available in Microsoft Entra ID, such as the inactive users report combined with license assignment details.
D. PowerShell script with the Microsoft Graph module to cross-reference Get-MgUser data with signInActivity properties and assigned licenses.
Answer Key and Explanations
Answer Key - Question 1
Answer: B
Group-based license assignment is the native Microsoft Entra ID mechanism for scaling license distribution. By associating a product to a group, any user added to the group automatically receives the license, and any user removed loses it, without manual intervention.
The main conceptual error in the distractors is confusing the assignment channel:
- Alternative A describes direct assignment, which is functional but not scalable and doesn't meet the automation requirement.
- Alternative C confuses Microsoft 365 groups with group-based licensing functionality, which is managed in Microsoft Entra ID, not in Exchange.
- Alternative D represents a serious conceptual mistake: Microsoft Entra Conditional Access governs the conditions under which users can access resources, not license assignment. Applying a Conditional Access policy does not provision or assign licenses.
Answer Key - Question 2
Answer: C
The MutuallyExclusiveViolation error indicates that the user already has an active license containing a service plan that is mutually exclusive with a plan in the product being assigned by the group. Certain service plans within Microsoft 365 and Entra products cannot coexist on the same user.
The other distractors represent real errors, but with different messages:
- Alternative A would describe a duplication scenario, which is generally allowed (the user simply keeps both) and doesn't generate this specific error.
- Alternative B is false: there is no documented member limit for groups in group-based license assignment.
- Alternative D would generate the CountViolation error, not MutuallyExclusiveViolation. Knowing how to distinguish assignment error types is essential for correct diagnosis.
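The diagnosis described above can be run across the tenant by reading each user's licenseAssignmentStates from Microsoft Graph. The following is an added example, not part of the original lab: the function name, the sample users and the placeholder IDs are assumptions, and the live query assumes the Microsoft Graph PowerShell module.

```powershell
# Added example: list per-user license assignment errors and where each came from.
function Get-LicenseAssignmentError {   # hypothetical helper name
    param([Parameter(Mandatory, ValueFromPipeline)] $User)
    process {
        foreach ($state in $User.LicenseAssignmentStates) {
            # Skip healthy assignments; failed ones carry a named error.
            if (-not $state.Error -or $state.Error -eq 'None') { continue }
            [pscustomobject]@{
                UserPrincipalName = $User.UserPrincipalName
                SkuId             = $state.SkuId
                # AssignedByGroup holds the group object ID; empty means direct assignment.
                Source            = if ($state.AssignedByGroup) { "group:$($state.AssignedByGroup)" } else { 'direct' }
                Error             = $state.Error
                Meaning           = switch ($state.Error) {
                    'MutuallyExclusiveViolation' { 'Another license carries a conflicting service plan' }
                    'CountViolation'             { 'No purchased seats left for this product' }
                    default                      { 'Not covered in this lab; check the portal' }
                }
            }
        }
    }
}

# Constructed sample objects shaped like Get-MgUser output (placeholder IDs, not tenant data).
$sample = @(
    [pscustomobject]@{
        UserPrincipalName       = 'conflict@contoso.example'
        LicenseAssignmentStates = @(
            [pscustomobject]@{ SkuId = 'SKU-ID-PLACEHOLDER-A'; AssignedByGroup = $null; Error = 'None' },
            [pscustomobject]@{ SkuId = 'SKU-ID-PLACEHOLDER-B'; AssignedByGroup = 'GROUP-ID-PLACEHOLDER'
                               Error = 'MutuallyExclusiveViolation' })
    },
    [pscustomobject]@{
        UserPrincipalName       = 'noseat@contoso.example'
        LicenseAssignmentStates = @(
            [pscustomobject]@{ SkuId = 'SKU-ID-PLACEHOLDER-B'; AssignedByGroup = 'GROUP-ID-PLACEHOLDER'
                               Error = 'CountViolation' })
    }
)
$sample | Get-LicenseAssignmentError | Format-Table -AutoSize

# Against a tenant:
# Connect-MgGraph -Scopes 'User.Read.All'
# Get-MgUser -All -Property userPrincipalName,licenseAssignmentStates | Get-LicenseAssignmentError
```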
Answer Key - Question 3
Answer: True
When a user is removed from a licensed group, Microsoft Entra ID removes the license immediately after processing the group association change. Access to services covered by that license ceases as soon as the removal is propagated, without an automatic grace period.
This behavior is operationally relevant: administrators should be cautious when removing users from licensed groups in offboarding scenarios or team restructuring, as the access impact is immediate. Data retention (such as emails in Exchange Online) follows the service's own policies, but active service access is interrupted with license removal.
Answer Key - Question 4
Answer: A
Microsoft Entra Privileged Identity Management (PIM) requires that the Microsoft Entra ID P2 license be assigned directly to the user, not through group-based assignment. This is a documented exception to the group licensing model.
This distinction is often overlooked in environments that have widely adopted group-based licensing. The administrator can check the affected users, assign the P2 license directly, and maintain group assignment for other products simultaneously.
- Alternative B describes a PIM configuration requirement, not licensing, and wouldn't be the isolated cause of the described problem.
- Alternative C is imprecise: group propagation can take minutes, not necessarily 24 hours, and wouldn't be the structural cause of the problem.
- Alternative D is false: PIM doesn't require a P2 license on the global administrator account to work for other users.
Answer Key - Question 5
Answer: D
Microsoft Entra ID doesn't have a native consolidated dashboard that directly cross-references service usage inactivity with license assignment in a ready-to-use format. The most accurate and viable approach is to use Microsoft Graph via PowerShell, cross-referencing the signInActivity property (which records the last interactive and non-interactive login) with per-user assigned license data.
- Alternative B is the most plausible distractor: there is a license dashboard in Microsoft Entra ID > Licenses, but it displays used versus available seat counts, not inactivity per individual user.
- Alternative C describes reports that partially exist, but the native inactive users report doesn't directly cross-reference with license data without additional configuration.
- Alternative A is technically incorrect: audit logs record license assignment events, but they're not the appropriate mechanism for identifying idle usage in a structured way.
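The cross-reference described in the answer to Question 5 can be sketched as follows. This is an added example, not part of the original lab: the function names, the sample users and the placeholder IDs are assumptions, and the live query assumes the Microsoft Graph PowerShell module.

```powershell
# Added example: find licensed users with no sign-in inside the window.
function Get-IdleLicensedUser {   # hypothetical helper name
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [int] $InactiveDays = 90              # window from Question 5
    )
    begin { $cutoff = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays) }
    process {
        if (-not $User.AssignedLicenses) { return }    # no seat to recover
        $activity = $User.SignInActivity
        # Latest of interactive and non-interactive sign-in; none means never signed in.
        $last = @($activity.LastSignInDateTime, $activity.LastNonInteractiveSignInDateTime) |
            Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
        if ($last -and $last -ge $cutoff) { return }   # active inside the window
        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            LastSignIn        = $last
            SkuIds            = @($User.AssignedLicenses.SkuId) -join ';'
            # Granting group object IDs; empty means direct assignment only.
            ViaGroups         = @($User.LicenseAssignmentStates.AssignedByGroup |
                                    Where-Object { $_ } | Select-Object -Unique) -join ';'
        }
    }
}

# Constructed sample objects shaped like Get-MgUser output (placeholder IDs, not tenant data).
$now = (Get-Date).ToUniversalTime()
function New-SampleUser($Upn, $Last, $Group) {   # hypothetical helper
    [pscustomobject]@{
        UserPrincipalName       = $Upn
        AssignedLicenses        = @([pscustomobject]@{ SkuId = 'SKU-ID-PLACEHOLDER' })
        LicenseAssignmentStates = @([pscustomobject]@{ AssignedByGroup = $Group })
        SignInActivity          = [pscustomobject]@{
            LastSignInDateTime = $Last; LastNonInteractiveSignInDateTime = $null }
    }
}
$sample = @(
    (New-SampleUser 'active@contoso.example' $now.AddDays(-3)   'GROUP-ID-PLACEHOLDER'),
    (New-SampleUser 'idle@contoso.example'   $now.AddDays(-200) 'GROUP-ID-PLACEHOLDER'),
    (New-SampleUser 'never@contoso.example'  $null              $null)
)
$sample | Get-IdleLicensedUser

# Against a tenant (signInActivity needs the AuditLog.Read.All scope):
# Connect-MgGraph -Scopes 'User.Read.All','AuditLog.Read.All'
# Get-MgUser -All -Property userPrincipalName,assignedLicenses,licenseAssignmentStates,signInActivity |
#     Get-IdleLicensedUser -InactiveDays 90
```

The ViaGroups column shows which seats are reclaimed by removing the user from a licensed group and which need the direct assignment removed.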