Lab 01 – Microsoft Entra ID: Users, Groups & Administrative Units

⏱️ Total Estimated Time: 50 minutes

Real-Life Scenario

Company: Contoso Ltd

Contoso is a mid-sized company with 100 employees across three departments: Sales, Finance and IT.

The Challenge:

The IT department is overwhelmed with password reset requests. Instead of IT handling ALL password resets company-wide, you need to:

  1. Empower department heads to reset passwords for their own team members (delegation)
  2. Restrict their power so Sales lead can ONLY manage Sales users, Finance lead can ONLY manage Finance users
  3. Use Groups to identify who they are (Sales lead, Finance lead, IT staff)
  4. Use Admin Units to limit where they can use their power (Sales department only, Finance department only)

Core Learning Objective

This lab teaches the most important identity concept: Groups = WHO (identity) and Admin Units = WHERE (scope). A directory role assigned without an admin unit scope applies to every user in the tenant, so delegating it unscoped hands a department head far more than their own team.

Objectives

Prerequisites

Part 1 – Create Users (Represent Real Employees)

⏱️ 12 minutes
ℹ️

What You're Doing

You'll create 8 user accounts: 3 Sales employees, 3 Finance employees, plus 2 department managers (Sales and Finance leads). These represent real employees in your organization.

Create Sales Department Users

👥

Task: Add 3 Sales Employees

1 Navigate to Microsoft Entra ID > Users > New user > Create new user
2 Create the first Sales user with these details:
Display name: Sarah Chen
Username: sarah.chen@<yourtenant>.onmicrosoft.com
Department: Sales
3 Configure user settings:
Click Auto-generate password and copy the temporary password; it is shown only once, and it should reach the employee out of band, not in a ticket or chat message
✅ Check Require password change on first sign-in
Set Usage location to your country (required for licensing)
Set Department field to "Sales" (critical for dynamic grouping later)
4 Click Create
5 Repeat for two more Sales employees:
Tom Wilson | tom.wilson@<yourtenant>.onmicrosoft.com | Department: Sales
Lisa Brown | lisa.brown@<yourtenant>.onmicrosoft.com | Department: Sales

After Creating Sales Users

  • All 3 Sales users appear in the user list
  • Each has Department set to "Sales"
  • Password change required on first sign-in is checked

Create Finance Department Users

👥

Task: Add 3 Finance Employees

Follow the same process as Sales users, but with these Finance team members:

1 Bob Johnson | bob.johnson@<yourtenant>.onmicrosoft.com | Department: Finance
2 Emma Davis | emma.davis@<yourtenant>.onmicrosoft.com | Department: Finance
3 Mike Lopez | mike.lopez@<yourtenant>.onmicrosoft.com | Department: Finance
📝

Remember

Set the Department field to "Finance" for each user. This will enable automatic group membership through dynamic rules in Part 3.

Create Department Administrators

🔐

Task: Add 2 Department Managers

Create admin users who will manage their respective departments:

1 Create Sales Manager:
Display name: James Park (Sales Manager)
Username: james.park@<yourtenant>.onmicrosoft.com
Department: Sales
2 Create Finance Manager:
Display name: Rachel Green (Finance Manager)
Username: rachel.green@<yourtenant>.onmicrosoft.com
Department: Finance
⚠️

Department Heads ARE Department Members

James and Rachel should have their Department set to their respective departments. They will later be assigned admin roles scoped to their department's admin unit.
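The same eight accounts created with Microsoft Graph PowerShell, as an added example that is not part of the lab page. It assumes the Microsoft.Graph module is installed, that you sign in as a Global or User Administrator, and that you replace $tenant and $usageLocation with your own values; the New-TemporaryPassword helper is my own.

```powershell
# Added example, not part of the lab page: creates the eight Part 1 users with Microsoft Graph PowerShell.
# Assumptions: the Microsoft.Graph module is installed, you sign in as a Global or User Administrator,
# and $tenant / $usageLocation are replaced with your own values.
$tenant        = "<yourtenant>.onmicrosoft.com"
$usageLocation = "US"   # required before a license can be assigned

Connect-MgGraph -Scopes "User.ReadWrite.All"

# Part 1 roster: display name, UPN prefix, department (the Department attribute drives Part 3's dynamic rule)
$roster = @(
    @{ Name = "Sarah Chen";                     Alias = "sarah.chen";   Department = "Sales"   }
    @{ Name = "Tom Wilson";                     Alias = "tom.wilson";   Department = "Sales"   }
    @{ Name = "Lisa Brown";                     Alias = "lisa.brown";   Department = "Sales"   }
    @{ Name = "Bob Johnson";                    Alias = "bob.johnson";  Department = "Finance" }
    @{ Name = "Emma Davis";                     Alias = "emma.davis";   Department = "Finance" }
    @{ Name = "Mike Lopez";                     Alias = "mike.lopez";   Department = "Finance" }
    @{ Name = "James Park (Sales Manager)";     Alias = "james.park";   Department = "Sales"   }
    @{ Name = "Rachel Green (Finance Manager)"; Alias = "rachel.green"; Department = "Finance" }
)

function New-TemporaryPassword {
    # 24 bytes from the OS CSPRNG, base64-encoded: 32 characters mixing upper, lower and digits,
    # which satisfies the "three of four character classes" rule for cloud passwords.
    $bytes = [byte[]]::new(24)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

$created = foreach ($p in $roster) {
    $tempPassword = New-TemporaryPassword
    $params = @{
        DisplayName       = $p.Name
        UserPrincipalName = "$($p.Alias)@$tenant"
        MailNickname      = $p.Alias
        Department        = $p.Department
        UsageLocation     = $usageLocation
        AccountEnabled    = $true
        PasswordProfile   = @{
            Password                      = $tempPassword
            ForceChangePasswordNextSignIn = $true   # "Require password change on first sign-in"
        }
    }
    $user = New-MgUser @params
    # The temporary password is kept in memory only, for out-of-band delivery to the employee.
    # Do not write $created to a file or a transcript.
    [pscustomobject]@{ UPN = $user.UserPrincipalName; Id = $user.Id; TempPassword = $tempPassword }
}

# Part 1 validation: each account exists with the expected Department attribute
$created.UPN | ForEach-Object { Get-MgUser -UserId $_ -Property DisplayName,UserPrincipalName,Department } |
    Select-Object DisplayName, UserPrincipalName, Department | Format-Table -AutoSize
```

The validation loop at the end is the scripted form of the "After Creating Sales Users" checklist: if any Department column is empty, the dynamic rule in Part 3 will silently skip that user.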

Part 1 Validation

Verify All Users Created

Part 2 – Create Groups by Department (Identify WHO)

⏱️ 10 minutes

Groups Answer: "WHO is this person?"

Groups tell you someone's role or department. They answer identity questions. Admin Units (Part 4) will answer "WHERE can they use power?"

You'll create 4 groups for department organization: grp-sales and grp-finance (department membership), plus grp-sales-admins and grp-finance-admins (the managers who will later be delegated admin roles).

Create the Sales Department Group

👥

Task: Create grp-sales

1 Navigate to Entra ID > Groups > New group
2 Configure group settings:
Group type: Security
Group name: grp-sales
Membership type: Assigned
3 Add Members: Select Sarah Chen, Tom Wilson, Lisa Brown
4 Click Create to finish

Create the Sales Admins Group (Managers)

🔑

Task: Create grp-sales-admins

1 Go to Entra ID > Groups > New group
2 Configure group settings:
Group type: Security
Group name: grp-sales-admins
Membership type: Assigned
3 Add Members: Select James Park only (the Sales Manager)
4 Click Create
📝

Admin Groups Are Separate

The "admins" group is separate from the department group. James is in grp-sales-admins (answering WHO), and later in Part 4 he'll be scoped to au-sales (answering WHERE).

Create the Finance Department Group

👥

Task: Create grp-finance

Follow the same pattern as Sales, with Finance members:

1 Group type: Security
2 Group name: grp-finance
3 Membership type: Assigned
4 Members: Bob Johnson, Emma Davis, Mike Lopez

Create the Finance Admins Group

🔑

Task: Create grp-finance-admins

Mirror the sales-admins group pattern:

1 Group type: Security
2 Group name: grp-finance-admins
3 Membership type: Assigned
4 Members: Rachel Green (Finance Manager)
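The four assigned groups built with Microsoft Graph PowerShell, as an added example that is not part of the lab page. It assumes the Part 1 users already exist and that $tenant is your tenant's initial domain.

```powershell
# Added example, not part of the lab page: creates the four assigned security groups from Part 2.
# Assumptions: the Part 1 users exist and $tenant is your tenant's initial domain.
$tenant = "<yourtenant>.onmicrosoft.com"
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"

# Group -> members (UPN prefixes). The *-admins groups hold only the manager, never the employees.
$groupPlan = [ordered]@{
    "grp-sales"          = @("sarah.chen", "tom.wilson", "lisa.brown")
    "grp-sales-admins"   = @("james.park")
    "grp-finance"        = @("bob.johnson", "emma.davis", "mike.lopez")
    "grp-finance-admins" = @("rachel.green")
}

foreach ($name in $groupPlan.Keys) {
    # Security group, not mail-enabled; no GroupTypes value means Assigned (static) membership
    $group = New-MgGroup -DisplayName $name -MailNickname $name -MailEnabled:$false -SecurityEnabled
    foreach ($alias in $groupPlan[$name]) {
        $user = Get-MgUser -UserId "$alias@$tenant"
        New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
    }
}

# Part 2 validation: print each group's members for comparison with $groupPlan
foreach ($name in $groupPlan.Keys) {
    $group   = Get-MgGroup -Filter "displayName eq '$name'"
    $members = Get-MgGroupMember -GroupId $group.Id -All |
        ForEach-Object { $_.AdditionalProperties.userPrincipalName }
    "{0,-20} {1}" -f $name, ($members -join ", ")
}
```

Keeping the membership plan in one table makes the WHO side of the lab reviewable: anyone who later appears in grp-sales-admins without being in $groupPlan is a change worth asking about.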

Part 2 Validation

Verify All Groups Created

Part 3 – Optional: Dynamic Groups (Auto-manage Membership)

⏱️ 5 minutes (optional)
ℹ️

What Are Dynamic Groups?

Instead of manually adding/removing users, let rules handle it. When someone's department changes, they're automatically added or removed from groups. No admin intervention needed.

⚠️

Requires Entra ID P1/P2 Licensing

Dynamic membership requires Entra ID P1 (included in P2); strictly, every user who is a member of at least one dynamic group needs a license. If your tenant doesn't have it, you can skip this part and understand the concept for exam purposes.

Create a Dynamic Group Example

⚙️

Task: Create Dynamic Employee Group (If Available)

1 Go to Entra ID > Groups > New group
2 Configure group:
Membership type: Dynamic User (not "Assigned")
Group name: grp-all-employees-dynamic
3 Add a dynamic rule under "Dynamic user members":
(user.accountEnabled -eq true)
This rule adds every enabled user automatically, guest accounts included, so think before you grant anything to this group
4 Click Create
📝

Real-World Example

With a rule like (user.department -eq "Sales"), when Contoso hires a new Sales person and sets their department to "Sales", they're automatically added to the group. No manual work needed.
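A dynamic group keyed on the Department attribute, followed by a department change to show membership being recalculated, as an added example that is not part of the lab page. It requires Entra ID P1 or P2, assumes the Part 1 users exist, and uses a group name (grp-sales-dynamic) and two helper functions of my own.

```powershell
# Added example, not part of the lab page: a dynamic security group keyed on the Department attribute,
# then a change of department to show membership being recalculated. Requires Entra ID P1 (or P2).
# Assumptions: Part 1 users exist; the group name grp-sales-dynamic is my own choice.
$tenant = "<yourtenant>.onmicrosoft.com"
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.ReadWrite.All"

# Rule from the Real-World Example above. The lab's own group uses (user.accountEnabled -eq true) instead.
$rule  = '(user.department -eq "Sales")'
$group = New-MgGroup -DisplayName "grp-sales-dynamic" -MailNickname "grp-sales-dynamic" `
    -MailEnabled:$false -SecurityEnabled `
    -GroupTypes "DynamicMembership" -MembershipRule $rule -MembershipRuleProcessingState "On"

function Get-MemberUpns([string]$GroupId) {
    Get-MgGroupMember -GroupId $GroupId -All | ForEach-Object { $_.AdditionalProperties.userPrincipalName }
}

function Wait-ForMembership([string]$GroupId, [int]$ExpectedCount, [int]$MaxMinutes = 5) {
    # Dynamic membership is evaluated by a background process, so poll instead of reading immediately.
    $deadline = (Get-Date).AddMinutes($MaxMinutes)
    do {
        Start-Sleep -Seconds 20
        $upns = @(Get-MemberUpns $GroupId)
    } while ($upns.Count -ne $ExpectedCount -and (Get-Date) -lt $deadline)
    return $upns
}

# Expect the three Sales employees plus James Park (his Department is Sales too): four members
Wait-ForMembership $group.Id 4

# Move Lisa to Finance: she should drop out without anyone editing the group...
Update-MgUser -UserId "lisa.brown@$tenant" -Department "Finance"
Wait-ForMembership $group.Id 3

# ...then put her back so the rest of the lab matches Part 1
Update-MgUser -UserId "lisa.brown@$tenant" -Department "Sales"
Wait-ForMembership $group.Id 4
```

Note that the manager lands in the dynamic group too, because the rule only sees the Department attribute. If a group like this is meant to carry access, either exclude managers in the rule or keep using assigned groups for the admins.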

If Dynamic Groups Aren't Available

Skip to Part 4

If you see "Membership type: Dynamic User" is not available, your tenant doesn't have P1/P2 licensing. Understand the concept (rules auto-manage membership) and move to Part 4 to continue the lab.

Part 4 – Administrative Units: Limit WHERE Admins Can Use Their Power

⏱️ 15 minutes

CRITICAL CONCEPT: Groups vs Admin Units

Groups answer "WHO is this person?" (James is in grp-sales-admins = Sales manager)
Admin Units answer "WHERE can they use power?" (James can only manage au-sales = Sales users)

Without the admin unit scope, James's User Administrator role would let him reset the password of any non-administrator user in the tenant, not just his own team.

You'll create two admin units (one per department) and then assign scoped admin roles to your department managers.

Create Admin Unit for Sales Department

🏢

Task: Create au-sales Admin Unit

1 Navigate to Entra ID > Roles & administrators > Administrative units
2 Click + New administrative unit
3 Fill in the details:
Name: au-sales
Description: Sales department scope — for Sales manager delegation
4 Click Create

Add Sales Users to the Admin Unit

👥

Task: Populate au-sales Members

1 Open au-sales admin unit
2 Go to Members > + Add members
3 Select the Sales team members: Sarah Chen, Tom Wilson, Lisa Brown
4 Click Add
⚠️

Important: James Is NOT a Member

Do NOT add James Park to au-sales members. Admin unit membership defines the targets an admin can act on, not who the admin is; James gets his power from the role assignment in a later task. Only add the employees he will manage (Sarah, Tom, Lisa).

Create Admin Unit for Finance Department

🏢

Task: Create au-finance Admin Unit

Follow the same pattern as Sales:

1 Go to Administrative units > + New administrative unit
2 Name: au-finance
3 Description: Finance department scope — for Finance manager delegation
4 Click Create

Add Finance Users to the Finance Admin Unit

👥

Task: Populate au-finance Members

1 Open au-finance
2 Go to Members > + Add members
3 Select Finance team members: Bob Johnson, Emma Davis, Mike Lopez
4 Click Add

Assign Scoped Admin Role to Sales Manager (THE KEY PART)

🔐

Task: Delegate User Administrator to James (Scoped to au-sales)

This is where Groups and Admin Units work together:

1 In au-sales, go to Roles and administrators tab
2 Click + Add assignments
3 Search for and select User Administrator role
4 Under Assign to, select James Park (Sales Manager)
5 Click Assign

Result: James Park's Scoped Powers

  • ✅ Can reset passwords for Sarah, Tom, Lisa (Sales users)
  • ✅ Can unlock accounts for Sales users
  • ✅ Can change properties for Sales users
  • ❌ Cannot reset Finance passwords, or the password of anyone else outside au-sales
  • ❌ Can still see Finance users (every member user can read the directory by default) but cannot modify them
  • ❌ Cannot manage IT or other departments

The role's own limits still apply inside the unit: a User Administrator cannot reset the password of a Global Administrator or other privileged-role holder, whether or not that account is in au-sales.

Assign Scoped Admin Role to Finance Manager

🔐

Task: Delegate User Administrator to Rachel (Scoped to au-finance)

Mirror the process for Sales:

1 In au-finance, go to Roles and administrators tab
2 Click + Add assignments
3 Select User Administrator role
4 Assign to Rachel Green (Finance Manager)
5 Click Assign
📝

Delegation Complete

Rachel now has the same User Administrator power as James, but scoped only to Finance. This is true delegation with boundaries.
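Both admin units, their members, the scoped role assignments and a check that the boundary holds, done with Microsoft Graph PowerShell as an added example that is not part of the lab page. It assumes the Part 1 users exist, that $tenant is your initial domain, and, for the final scope test, that the Microsoft Graph PowerShell application already has admin consent for User.ReadWrite.All so James can sign in with it. The unit descriptions are paraphrased from the lab.

```powershell
# Added example, not part of the lab page: creates au-sales and au-finance, adds the employees as members,
# assigns User Administrator to each manager scoped to their unit, and then proves the boundary.
# Assumptions: Part 1 users exist; $tenant is your initial domain; for the scope test, the Microsoft Graph
# PowerShell app must already have admin consent for User.ReadWrite.All so James can sign in with it.
$tenant = "<yourtenant>.onmicrosoft.com"
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "User.Read.All"

# Unit -> the employees it contains and the manager who administers it. Managers are NOT members.
$plan = @(
    @{ Unit = "au-sales";   Members = @("sarah.chen", "tom.wilson", "lisa.brown"); Admin = "james.park"
       Description = "Sales department scope: Sales manager delegation" }
    @{ Unit = "au-finance"; Members = @("bob.johnson", "emma.davis", "mike.lopez"); Admin = "rachel.green"
       Description = "Finance department scope: Finance manager delegation" }
)

$userAdminRole = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"

foreach ($p in $plan) {
    $au = New-MgDirectoryAdministrativeUnit -DisplayName $p.Unit -Description $p.Description
    foreach ($alias in $p.Members) {
        $u = Get-MgUser -UserId "$alias@$tenant"
        New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
            -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($u.Id)" }
    }
    $admin = Get-MgUser -UserId "$($p.Admin)@$tenant"
    # DirectoryScopeId is the whole point: "/" would be a tenant-wide assignment.
    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $admin.Id -RoleDefinitionId $userAdminRole.Id `
        -DirectoryScopeId "/administrativeUnits/$($au.Id)" | Out-Null
}

# Validation 1: list every User Administrator assignment; TenantWide = True should only appear where you intend it
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($userAdminRole.Id)'" | ForEach-Object {
    $principal = Get-MgDirectoryObject -DirectoryObjectId $_.PrincipalId
    [pscustomobject]@{
        Principal  = $principal.AdditionalProperties.displayName
        Scope      = $_.DirectoryScopeId
        TenantWide = ($_.DirectoryScopeId -eq "/")
    }
} | Format-Table -AutoSize

# Validation 2 (run in a NEW session, signing in as james.park@<yourtenant>): the same write succeeds
# inside au-sales and is refused outside it. A profile update is used instead of a password reset so the
# test leaves no credential behind; the administrative unit boundary applies to both operations.
Disconnect-MgGraph
Connect-MgGraph -Scopes "User.ReadWrite.All"
foreach ($target in "sarah.chen@$tenant", "bob.johnson@$tenant") {
    try {
        Update-MgUser -UserId $target -JobTitle "Scope test $(Get-Date -Format s)" -ErrorAction Stop
        "ALLOWED  $target"
    } catch {
        "DENIED   $target : $($_.Exception.Message -split "`n" | Select-Object -First 1)"
    }
}
# Expected: ALLOWED sarah.chen (member of au-sales), DENIED bob.johnson (Authorization_RequestDenied)
```

Validation 1 is the check worth keeping after the lab: a User Administrator assignment whose scope is "/" is exactly the unrestricted delegation this part is designed to avoid, and the list makes it visible without clicking through each admin unit.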

Part 4 Validation (The Proof It Works)

Verify Admin Units and Delegated Roles

Part 5 – Self-Service Password Reset (SSPR)

⏱️ 8 minutes
ℹ️

Why SSPR?

SSPR is independent of the delegation you just built: once employees have registered authentication methods, they can reset their own passwords with no admin involved at all. The scoped admins from Part 4 remain for the cases SSPR cannot handle, such as a user who never registered or an account you suspect is compromised. Together they cut the ticket volume that motivated this lab.

🔑

Task: Enable Self-Service Password Reset

1 Navigate to Entra ID > Password reset
2 Under Properties, set Self service password reset enabled and choose who can use SSPR:
Option A: All (every member user can reset their own password)
Option B: Selected > pick one security group (the admin center accepts a single group here; to cover both departments, nest grp-sales and grp-finance in a parent group, or roll out one group at a time)
3 Under Authentication methods, set how many methods are required to reset and which ones users may register (email, mobile app, security questions)
4 Click Save

Users must register their methods before SSPR will work for them, so test with one of the Sales accounts before announcing it. Administrator accounts are held to a stricter policy (two methods, no security questions) regardless of what you configure here.

Result

  • Employees can reset passwords on their own (fewer support tickets)
  • IT workload decreases
  • Scoped admins (James, Rachel) handle only escalated cases

Part 5 Validation

Verify SSPR is Working

Full Lab Validation Checklist

Complete Verification

Cleanup (If Needed)

📝

Lab Cleanup Instructions

If you need to clean up resources after completing the lab, follow these steps in order:

🗑️

Task: Delete Lab Resources

1 Delete Admin Units: Go to Entra ID > Roles & administrators > Administrative units > select both units > Delete
Delete: au-sales and au-finance (the scoped role assignments go with them; confirm afterwards that James and Rachel hold no remaining User Administrator assignment)
2 Delete Groups: Go to Entra ID > Groups > select all 4 groups > Delete
Delete: grp-sales, grp-sales-admins, grp-finance, grp-finance-admins (and grp-all-employees-dynamic if you completed Part 3)
3 Delete Users: Go to Entra ID > Users > select all 8 users > Delete
This removes: Sarah Chen, Tom Wilson, Lisa Brown, Bob Johnson, Emma Davis, Mike Lopez, James Park, Rachel Green
Deleted users are only soft-deleted: they stay under Users > Deleted users for 30 days and can be restored. Permanently delete them there if you want the tenant genuinely clean.
4 Revert SSPR: If you changed Self service password reset enabled in Part 5, set it back to its previous value

Cleanup Complete

  • All test users removed (and purged from Deleted users)
  • All test groups removed
  • All admin units and their scoped role assignments removed
  • SSPR setting back to what it was before the lab
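The same cleanup with Microsoft Graph PowerShell, as an added example that is not part of the lab page. It assumes the object names used in this lab, that $tenant is your initial domain, and that the account you sign in with is allowed both to delete users and to permanently delete directory objects; the permission scopes requested are my assumption of what those operations need.

```powershell
# Added example, not part of the lab page: removes the lab objects in dependency order and purges the
# soft-deleted users. Assumptions: names as used in this lab; $tenant is your initial domain;
# the signed-in account may delete users and permanently delete directory objects.
$tenant  = "<yourtenant>.onmicrosoft.com"
$aliases = "sarah.chen", "tom.wilson", "lisa.brown", "bob.johnson", "emma.davis", "mike.lopez", "james.park", "rachel.green"
$groups  = "grp-sales", "grp-sales-admins", "grp-finance", "grp-finance-admins", "grp-all-employees-dynamic"
$units   = "au-sales", "au-finance"

Connect-MgGraph -Scopes "User.ReadWrite.All", "Group.ReadWrite.All", "AdministrativeUnit.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "Directory.ReadWrite.All"

# 1. Scoped role assignments first, so none is left pointing at a missing scope, then the units themselves
foreach ($name in $units) {
    $au = Get-MgDirectoryAdministrativeUnit -Filter "displayName eq '$name'"
    if (-not $au) { continue }
    Get-MgRoleManagementDirectoryRoleAssignment -All |
        Where-Object DirectoryScopeId -eq "/administrativeUnits/$($au.Id)" |
        ForEach-Object { Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId $_.Id }
    Remove-MgDirectoryAdministrativeUnit -AdministrativeUnitId $au.Id
}

# 2. Groups (security groups are deleted immediately; only Microsoft 365 groups go to a recycle bin)
foreach ($name in $groups) {
    Get-MgGroup -Filter "displayName eq '$name'" | ForEach-Object { Remove-MgGroup -GroupId $_.Id }
}

# 3. Users: Remove-MgUser is a soft delete. The accounts sit under Deleted users for 30 days, still
#    restorable, with the object id prepended to the UPN, hence the suffix match below.
foreach ($alias in $aliases) {
    Remove-MgUser -UserId "$alias@$tenant"
}
$pattern = ($aliases | ForEach-Object { [regex]::Escape("$_@$tenant") }) -join "|"
Get-MgDirectoryDeletedItemAsUser -All |
    Where-Object UserPrincipalName -match "($pattern)$" |
    ForEach-Object { Remove-MgDirectoryDeletedItem -DirectoryObjectId $_.Id }
```

The suffix match on the deleted UPN is deliberately narrow: it will not touch other soft-deleted accounts in the tenant, which is the failure mode to avoid when purging a recycle bin.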

Key Takeaways from This Lab

Key Concepts Summary

The Core Distinction: Groups vs Admin Units

Groups answer "WHO?" (identity/role) · Admin Units answer "WHERE?" (scope of power)

Aspect            | Groups                                        | Admin Units
Question answered | WHO is this person?                           | WHERE can they use power?
Purpose           | Identify role/department                      | Limit scope of delegation
Example           | grp-sales-admins: "James is a Sales manager"  | au-sales: "James manages only Sales"
Without it        | No identity/role tracking                     | Role assignments are tenant-wide
With it           | Clear role identification                     | Admin power is bounded

Exam Tips & Best Practices

📚

Remember These Key Distinctions

1 Groups = WHO (identity) — Identify what role/department someone belongs to
2 Admin Units = WHERE (scope) — Limit what resources an admin role can manage
3 Assigned vs Dynamic Groups:
Assigned: Manually add/remove members (good for small, stable teams)
Dynamic: Rules auto-add/remove based on attributes (scales to large orgs)
4 Admin Units ≠ Azure RBAC: Admin Units scope Entra directory roles (users, groups, devices) · Azure RBAC (Lab 02) scopes access to Azure resources (subscriptions, resource groups)
5 Users can be in multiple groups AND multiple admin units at the same time
6 CRITICAL: A directory role assigned without an admin unit scope is tenant-wide; check the scope of every assignment, not just the role name
ℹ️

Real-World Relevance

Large organizations (banks, healthcare, government) routinely use Admin Units to delegate identity administration by region, subsidiary or department without handing out tenant-wide roles. Reviewing who holds a role at "/" scope versus an admin unit scope is a standard part of an identity access review.