Technical Lab: Manage User and Group Properties
Questions
Question 1 - Multiple Choice
An administrator needs to ensure that new members added to a Microsoft Entra ID group automatically receive Microsoft 365 licenses without manual intervention for each new employee. The group already exists and has manually assigned members.
What is the correct approach to meet this requirement?
A) Convert the group to Assigned type and enable license inheritance option in the group properties.
B) Create a new group with Membership type set to Dynamic User and configure a membership rule based on user attributes.
C) Keep the existing group as Assigned and configure a conditional access policy linked to the group to automatically provision licenses.
D) Change the Membership type of the existing group from Assigned to Dynamic User directly in the properties, without needing to recreate the group.
Question 2 - Technical Scenario
An administrator runs the following command to create a user in Microsoft Entra ID:
az ad user create \
--display-name "Ana Lima" \
--user-principal-name ana.lima@contoso.com \
--password "Temp@1234" \
--force-change-password-next-sign-in true
After creation, the administrator expects the user to be picked up automatically by a dynamic security group whose membership rule is:
user.department -eq "Financeiro"
The user doesn't appear in the group after 30 minutes. What is the most likely cause?
A) The az ad user create command doesn't support the --force-change-password-next-sign-in parameter, which generated a user in an invalid state.
B) Dynamic groups in Microsoft Entra ID don't support users created via CLI; only users created through the portal are eligible.
C) The user's department attribute wasn't defined during creation, so the dynamic membership rule finds no match.
D) Dynamic group processing requires the user to perform at least one login before being evaluated by membership rules.
Question 3 - True or False
A Microsoft 365 type group in Microsoft Entra ID can be configured with Membership type set to Dynamic User, allowing member association to be automatically managed by attribute rules.
Question 4 - Technical Scenario
A company uses Microsoft Entra ID and has guest users from external partners. The administrator needs to prevent these guest users from enumerating group members and other directory users, without removing the access they already have to shared resources.
Which configuration should be adjusted to meet this requirement?
A) Remove guest users from all groups and add them individually to resources, eliminating the need for directory visibility.
B) Modify the External collaboration settings in Microsoft Entra ID to restrict guest user permissions in the directory.
C) Apply a Microsoft Entra Conditional Access policy that blocks directory read requests for users with guest role.
D) Convert guest accounts to members with Member user type, then restrict access by group.
Question 5 - Multiple Choice
An administrator needs to delegate the ability to reset passwords for non-administrator users to the technical support team, without granting broader permissions than necessary over the directory.
Which built-in Microsoft Entra ID role meets this requirement with the least privilege level?
A) User Administrator, as it allows managing all aspects of non-administrator users, including password reset.
B) Helpdesk Administrator, as it's the most restricted role that exclusively includes password reset capability.
C) Password Administrator, as it allows resetting passwords for non-administrator users and users with the Password Administrator role.
D) Authentication Administrator, as it allows resetting authentication methods and passwords for non-administrator users without inheriting user management permissions.
Answer Key and Explanations
Answer Key - Question 1
Answer: B
Groups with Membership type set to Dynamic User manage their membership from an attribute rule, so nobody has to add each new hire by hand, and group-based licensing attached to that group is applied to every user the rule brings in (and removed again when a user stops matching). Both dynamic membership and group-based licensing require Microsoft Entra ID P1 or higher for the affected users.
Option D is the main distractor, and the reason it is wrong is subtler than "not possible". Microsoft Entra ID does allow changing an existing group from Assigned to Dynamic User (in the portal under the group's Properties, or through Microsoft Graph by adding DynamicMembership to groupTypes together with a rule). The catch is that the conversion first removes every manually assigned member and then repopulates the group only with users who match the rule; anyone who does not match loses the group and any license it carries. Since the scenario's group has manually assigned members that must keep their licenses, converting in place does not meet the requirement, whereas a new dynamic group leaves the existing group untouched. Option C is a conceptual mistake: Conditional Access decides whether a sign-in to an application is allowed, it does not provision licenses. Option A describes a "license inheritance" property that does not exist; licenses are attached to a group through group-based licensing, which works with both Assigned and Dynamic groups.
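The procedure the answer describes, written out with Microsoft Graph PowerShell. This is an added example, not part of the original lab: it assumes the Microsoft.Graph module is installed, an account with Group.ReadWrite.All and Organization.Read.All, a tenant with Microsoft Entra ID P1, and that the group name, mail nickname and SKU part number ("ENTERPRISEPACK", Office 365 E3) are placeholders to adapt.

```powershell
# Added example (not from the original lab). Assumes Microsoft.Graph PowerShell and
# an Entra ID P1 tenant. Names and the SKU are placeholders.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Organization.Read.All"

# 1. Create a NEW dynamic security group; the existing Assigned group is left alone,
#    so its manually assigned members keep their current memberships and licenses.
$group = New-MgGroup -DisplayName "LIC-Financeiro" `
    -MailEnabled:$false -MailNickname "lic-financeiro" -SecurityEnabled:$true `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule 'user.department -eq "Financeiro"' `
    -MembershipRuleProcessingState "On"

# 2. Pick the license to attach. Get-MgSubscribedSku lists every SKU in the tenant;
#    filter on the SkuPartNumber you actually own.
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq "ENTERPRISEPACK"
if (-not $sku) { throw "SKU not found in this tenant; check Get-MgSubscribedSku" }

# 3. Group-based licensing: every current and future member of the group receives
#    the license; users who stop matching the rule lose it on the next reprocessing.
Set-MgGroupLicense -GroupId $group.Id `
    -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @()

# 4. Verify what the rule actually pulled in (processing is asynchronous, so an
#    empty list right after creation is normal; re-run after a few minutes).
Get-MgGroupMemberAsUser -GroupId $group.Id -All -Property UserPrincipalName, Department |
    Select-Object UserPrincipalName, Department

# Option D, converting the existing Assigned group in place, is technically
# supported but wipes the assigned members before refilling from the rule:
#   Update-MgGroup -GroupId <existingGroupId> -GroupTypes @("DynamicMembership") `
#       -MembershipRule 'user.department -eq "Financeiro"' -MembershipRuleProcessingState "On"
```

Run the verification step again after the group has finished processing; if the member list stays empty, check the users' department values before suspecting the rule, since a null attribute never matches an -eq comparison.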
Answer Key - Question 2
Answer: C
The dynamic membership rule evaluates the current value of the department attribute on the user object. The az ad user create command exposes no parameter for department (its options cover display name, UPN, password, mail nickname, immutable ID and the forced password change), so the attribute is left null on the new user and the condition user.department -eq "Financeiro" is never satisfied. The fix is to populate the attribute after creation, for example through the portal, Microsoft Graph (a PATCH on the user resource, which az rest can send) or Update-MgUser, and then wait for the group to be reprocessed.
Alternative D is a common distractor: dynamic group processing does have latency, but it does not depend on the user ever signing in. Evaluation is driven by directory object attributes, not authentication history. Alternative B is incorrect: the CLI and the portal create equivalent directory objects, with no eligibility distinction. Alternative A is wrong because --force-change-password-next-sign-in is a valid, supported parameter of az ad user create.
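The same scenario done so that the rule can match, as an added example that is not part of the original lab. It uses Microsoft Graph PowerShell rather than the Azure CLI because New-MgUser and Update-MgUser accept -Department directly (from the CLI the equivalent is a PATCH on the user's Graph resource via az rest). It assumes the Microsoft.Graph module, an account with User.ReadWrite.All and Group.Read.All, a dynamic group named "LIC-Financeiro" already carrying the rule user.department -eq "Financeiro", and that the password and UPN are the scenario's placeholders.

```powershell
# Added example (not from the original lab). Assumes Microsoft.Graph PowerShell,
# a dynamic group "LIC-Financeiro" with rule user.department -eq "Financeiro",
# and placeholder UPN/password taken from the question.
Connect-MgGraph -Scopes "User.ReadWrite.All", "Group.Read.All"

$passwordProfile = @{
    Password                      = "Temp@1234"   # scenario placeholder; generate a real secret
    ForceChangePasswordNextSignIn = $true
}

# Create the user WITH the attribute the rule keys on. This is what az ad user
# create cannot do, because it has no department parameter.
$user = New-MgUser -DisplayName "Ana Lima" -UserPrincipalName "ana.lima@contoso.com" `
    -MailNickname "ana.lima" -AccountEnabled:$true -PasswordProfile $passwordProfile `
    -Department "Financeiro"

# Repair path for a user that was already created without the attribute
# (the situation in the question): set it afterwards.
Update-MgUser -UserId $user.Id -Department "Financeiro"

# Confirm what the directory stores; a null here means the rule can never match.
Get-MgUser -UserId $user.Id -Property UserPrincipalName, Department |
    Select-Object UserPrincipalName, Department

# Dynamic membership is evaluated asynchronously. Poll the group instead of
# assuming a fixed delay, and give up after a timeout so a missing attribute
# is not mistaken for processing latency.
function Wait-DynamicMembership {
    param(
        [Parameter(Mandatory)] [string] $GroupId,
        [Parameter(Mandatory)] [string] $UserId,
        [int] $TimeoutMinutes = 30
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $memberIds = (Get-MgGroupMember -GroupId $GroupId -All).Id
        if ($memberIds -contains $UserId) { return $true }
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    return $false
}

$group = Get-MgGroup -Filter "displayName eq 'LIC-Financeiro'"
if (Wait-DynamicMembership -GroupId $group.Id -UserId $user.Id) {
    "Membership applied for $($user.UserPrincipalName)"
} else {
    "Not a member after the timeout: re-check the department value and the rule"
}
```

The poll loop is the practical check for this question: if the attribute is correct the user shows up within the processing window, and if it is null no amount of waiting helps.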
Answer Key - Question 3
Answer: True
Microsoft 365 groups do support Membership type Dynamic User. The combination is valid and widely used to provision access to collaborative resources (SharePoint, Teams, Exchange) automatically from user attributes. The common misconception is that dynamic membership belongs exclusively to security groups; in practice both security groups and Microsoft 365 groups can be dynamic. Two caveats matter in practice: Microsoft 365 groups only offer Dynamic User, not Dynamic Device (device-based rules are limited to security groups), and dynamic membership of either kind requires Microsoft Entra ID P1 or higher for the users involved. The other relevant restriction is that role-assignable groups (groups that can be assigned directory roles) cannot be dynamic.
Answer Key - Question 4
Answer: B
The External collaboration settings in Microsoft Entra ID contain the "Guest user access restrictions" setting, which directly controls how much of the directory a guest can read, including whether guests can enumerate other users and group memberships. Its three levels are: same access as members (most inclusive), limited access to properties and memberships of directory objects (the default), and access restricted to the guest's own directory objects (most restrictive). Moving to the most restrictive level removes directory enumeration without touching the sharing grants guests already hold on SharePoint sites, Teams or applications.
Alternative C is a frequent misconception: Conditional Access decides whether and how a sign-in to an application is allowed; it has no granularity to filter individual directory read operations once a session exists. Alternative D would increase risk by converting the accounts to Member user type, which expands their default directory permissions instead of restricting them. Alternative A treats the symptom rather than the requirement, which is to keep resource access while limiting directory visibility, and removing guests from groups would in many cases remove exactly that access.
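The configuration change from the answer, as an added example rather than content from the original lab. It assumes Microsoft Graph PowerShell with an account holding Policy.ReadWrite.Authorization. The three guestUserRoleId values are the role template IDs Microsoft documents for the authorization policy; the lookup table and the helper function are this example's own.

```powershell
# Added example (not from the original lab). Assumes Microsoft.Graph PowerShell
# and Policy.ReadWrite.Authorization. The GUIDs are Microsoft's documented
# guestUserRoleId values for the tenant authorization policy.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"

$GuestLevels = @{
    "a0b1b346-4d3e-4e8b-98f8-753987be4970" = "Same access as members (most inclusive)"
    "10dae51f-b6af-4016-8d66-8c2a99b929b3" = "Limited access to directory objects (default)"
    "2af84b1e-32c8-42b7-82bc-daa82404023b" = "Restricted to own directory objects (most restrictive)"
}
$MostRestrictive = "2af84b1e-32c8-42b7-82bc-daa82404023b"

function Get-GuestAccessLevel {
    # The authorization policy is a tenant singleton; guestUserRoleId selects the
    # permission set applied to every guest account.
    $policy = Get-MgPolicyAuthorizationPolicy
    [pscustomobject]@{
        RoleId = $policy.GuestUserRoleId
        Level  = $GuestLevels[$policy.GuestUserRoleId]
    }
}

"Before: $((Get-GuestAccessLevel).Level)"

# Weak setting: "same access as members" lets guests enumerate the directory.
# Corrected setting: restrict guests to their own objects. Existing sharing grants
# on Teams, SharePoint and applications are not affected by this change.
Update-MgPolicyAuthorizationPolicy -GuestUserRoleId $MostRestrictive

$after = Get-GuestAccessLevel
if ($after.RoleId -ne $MostRestrictive) { throw "Guest access level was not updated" }
"After:  $($after.Level)"
```

Validate the guest experience in applications that render member lists (Teams, Planner) before rolling the most restrictive level out tenant-wide, since those lists are built from the same directory reads this setting blocks.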
Answer Key - Question 5
Answer: C
Password Administrator is the least privileged role that specifically meets the password reset requirement. It allows resetting passwords for users without administrative roles and other users with the same role, without granting access to create, delete, or manage user attributes.
Helpdesk Administrator (B) is a plausible distractor but has a broader scope than Password Administrator: its reset scope extends to several limited-admin roles (for example Directory Readers, Guest Inviters, Helpdesk Administrators and Password Administrators), and it additionally allows invalidating users' refresh tokens and reading BitLocker recovery keys. Authentication Administrator (D) goes further still, since it can reset and remove registered authentication methods (MFA, passwordless) for non-administrators, which is more than the requirement asks for. User Administrator (A) is far too broad and violates least privilege by allowing creation, deletion and modification of non-administrator users and groups.
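A least-privilege check for this question, added here as an example and not part of the original lab: pull both role definitions from the directory, diff the actions each role grants, and then assign Password Administrator to a role-assignable group for the support team. It assumes Microsoft Graph PowerShell, an account with RoleManagement.ReadWrite.Directory and Group.ReadWrite.All (creating a role-assignable group also needs Privileged Role Administrator), and a group name that is a placeholder.

```powershell
# Added example (not from the original lab). Assumes Microsoft.Graph PowerShell,
# RoleManagement.ReadWrite.Directory and Group.ReadWrite.All; the group name is a placeholder.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "Group.ReadWrite.All"

function Get-RoleActions {
    # Resolve a built-in role by display name and flatten its allowed resource actions.
    param([Parameter(Mandatory)] [string] $DisplayName)
    $def = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$DisplayName'"
    if (-not $def) { throw "Role '$DisplayName' not found" }
    [pscustomobject]@{
        Id      = $def.Id
        Actions = @($def.RolePermissions | ForEach-Object { $_.AllowedResourceActions })
    }
}

$pwAdmin = Get-RoleActions "Password Administrator"
$hdAdmin = Get-RoleActions "Helpdesk Administrator"

# Everything Helpdesk Administrator can do that Password Administrator cannot.
# If the only capability you need is users/password/update, these extras are
# privilege you would be handing out for nothing.
"Extra actions granted by Helpdesk Administrator:"
Compare-Object -ReferenceObject $pwAdmin.Actions -DifferenceObject $hdAdmin.Actions |
    Where-Object SideIndicator -eq "=>" |
    Select-Object -ExpandProperty InputObject

# Assign the narrower role to a role-assignable group rather than to individuals,
# so membership changes do not require touching role assignments. Note that such
# a group cannot be dynamic.
$team = New-MgGroup -DisplayName "Support-PasswordReset" `
    -MailEnabled:$false -MailNickname "support-pwreset" -SecurityEnabled:$true `
    -IsAssignableToRole:$true

New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $pwAdmin.Id `
    -PrincipalId $team.Id -DirectoryScopeId "/"

# Confirm the assignment landed on the intended role.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($team.Id)'" |
    Select-Object RoleDefinitionId, DirectoryScopeId
```

The Compare-Object output is the evidence for the answer: the role to pick is the one whose action list is a subset of the task, and the diff makes it visible what each broader role would add.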