Configure user and group accounts Flashcards

1
Q

Cloud identity

A

A user account with a cloud identity is defined only in Microsoft Entra ID. This type of user account includes administrator accounts and users who are managed as part of your organization. A cloud identity can be for user accounts defined in your Microsoft Entra organization, and also for user accounts defined in an external Microsoft Entra instance. When a cloud identity is removed from the primary directory, the user account is deleted.

2
Q

Directory-synchronized identity

A

User accounts that have a directory-synchronized identity are defined in an on-premises Active Directory. A synchronization activity occurs via Microsoft Entra Connect to bring these user accounts into Azure. The source for these accounts is Windows Server Active Directory.

3
Q

Guest user

A

Guest user accounts are defined outside Azure. Examples include user accounts from other cloud providers, and Microsoft accounts like an Xbox LIVE account. The source for guest user accounts is Invited user. Guest user accounts are useful when external vendors or contractors need access to your Azure resources.

4
Q

Consider where users are defined.

A

Determine where your users are defined. Are all your users defined within your Microsoft Entra organization, or are some users defined in external Microsoft Entra instances? Do you have users who are external to your organization? It’s common for businesses to support two or more account types in their infrastructure.

5
Q

Consider support for external contributors

A

Allow external contributors to access Azure resources in your organization by supporting the Guest user account type. When the external contributor no longer requires access, you can remove the user account and their access privileges.

6
Q

Consider a combination of user accounts.

A

Implement the user account types that enable your organization to satisfy its business requirements. Support directory-synchronized identity user accounts for users defined in Windows Server Active Directory. Support cloud identities for users defined in your internal Microsoft Entra structure or for users defined in an external Microsoft Entra instance.

7
Q

Things to know about cloud identity accounts

A

A new user account must have a display name and an associated user account name. An example display name is Aran Sawyer-Miller and the associated user account name could be asawmill@contoso.com.

Information and settings that describe a user are stored in the user account profile.

The profile can have other settings like a user’s job title, and their contact email address.

A user with Global administrator or User administrator privileges can preset profile data in user accounts, such as the main phone number for the company.

Non-admin users can set some of their own profile data, but they can’t change their display name or account name.

8
Q

Consider user profile data.

A

Allow users to set their profile information for their accounts, as needed. User profile data, including the user’s picture, job, and contact information, is optional. You can also supply certain profile settings for each user based on your organization’s requirements.

9
Q

Consider restore options for deleted accounts.

A

Include restore scenarios in your account management plan. Restore operations for a deleted account are available up to 30 days after an account is removed. After 30 days, a deleted user account can’t be restored.

10
Q

Consider gathered account data.

A

Collect sign-in and audit log information for user accounts. Microsoft Entra ID lets you gather this data to help you analyze and improve your infrastructure.

11
Q

Things to know about bulk account operations

A

Only Global administrators or User administrators have privileges to create and delete user accounts in the Azure portal.

To complete bulk create or delete operations, the admin fills out a comma-separated values (CSV) template of the data for the user accounts.

Bulk operation templates can be downloaded from the Microsoft Entra admin center.

Bulk lists of user accounts can be downloaded.

12
Q

Consider naming conventions.

A

Establish or implement a naming convention for your user accounts. Apply conventions to user account names, display names, and user aliases for consistency across the organization. Conventions for names and aliases can simplify the bulk create process by reducing areas of uniqueness in the CSV file. A convention for user names could begin with the user’s last name followed by a period, and end with the user’s first name, as in Sawyer-Miller.Aran@contoso.com.

13
Q

Consider using initial passwords.

A

Implement a convention for the initial password of a newly created user. Design a system to notify new users about their passwords in a secure way. You might generate a random password and email it to the new user or their manager.

14
Q

Consider strategies for minimizing errors.

A

View and address any errors by downloading the results file on the Bulk operation results page in the Azure portal. The results file contains the reason for each error. An error might be a user account that’s already been created or an account that’s duplicated. Generally, it’s easier to upload and troubleshoot smaller groups of user accounts.

15
Q

Security groups

A

Security groups are used to manage member and computer access to shared resources for a group of users. You can create a security group for a specific security policy and apply the same permissions to all members of the group.

16
Q

Microsoft 365 groups

A

Microsoft 365 groups provide collaboration opportunities. Group members have access to a shared mailbox, calendar, files, SharePoint site, and more.

17
Q

Things to know about creating group accounts

A

Use security groups to set permissions for all group members at the same time, rather than adding permissions to each member individually.

Add Microsoft 365 groups to enable group access for guest users outside your Microsoft Entra organization.

Security groups can be implemented only by a Microsoft Entra administrator.

Normal users and Microsoft Entra admins can both use Microsoft 365 groups.

18
Q

Assigned

A

Add specific users as members of a group, where each user can have unique permissions.

19
Q

Dynamic user

A

Use dynamic membership rules to automatically add and remove group members. When member attributes change, Azure reviews the dynamic group rules for the directory. If the member attributes meet the rule requirements, the member is added to the group. If the member attributes no longer meet the rule requirements, the member is removed.

20
Q

Dynamic device

A

(Security groups only) Apply dynamic group rules to automatically add and remove devices in security groups. When device attributes change, Azure reviews the dynamic group rules for the directory. If the device attributes meet the rule requirements, the device is added to the security group. If the device attributes no longer meet the rule requirements, the device is removed.

21
Q

Things to know about administrative units
Consider how a central admin role can use administrative units to support the Engineering department in our scenario:

A

Create a role that has administrative permissions for only Microsoft Entra users in the Engineering department administrative unit.

Create an administrative unit for the Engineering department.

Populate the administrative unit with only the Engineering department students, staff, and resources.

Add the Engineering department IT team to the role, along with its scope.

22
Q

Consider management tools

A

Review your options for managing AUs. You can use the Azure portal, PowerShell cmdlets and scripts, or Microsoft Graph.

23
Q

Consider role requirements in the Azure portal

A

Plan your strategy for administrative units according to role privileges. In the Azure portal, only the Global Administrator or Privileged Role Administrator users can manage AUs.

24
Q

Consider scope of administrative units

A

Recognize that the scope of an administrative unit applies only to management permissions. Members and admins of an administrative unit can exercise their default user permissions to browse other users, groups, or resources outside of their administrative unit.