User Creation, Configuration, and Management – SC-300 Exam Guide
Why Is User Creation, Configuration, and Management Important?
User identities are the foundation of any identity and access management strategy in Microsoft Entra ID (formerly Azure Active Directory). Every security policy, conditional access rule, and access assignment depends on properly created and configured user objects. Misconfigurations at the user level can lead to unauthorized access, compliance violations, and security breaches. For the SC-300 (Microsoft Identity and Access Administrator) exam, this topic is critical because it underpins virtually every other domain — from authentication methods to governance and monitoring.
What Is User Creation, Configuration, and Management?
This topic covers the full lifecycle of user identities in Microsoft Entra ID, including:
• Creating users – Adding cloud-only users directly in Microsoft Entra ID, inviting guest (B2B) users, and understanding how on-premises users are synchronized via Microsoft Entra Connect.
• Configuring user properties – Setting attributes such as display name, job title, department, usage location, and manager. Usage location is especially important because it determines which Microsoft 365 services and licenses can be assigned.
• Managing users – Editing profiles, resetting passwords, blocking/unblocking sign-ins, managing licenses, assigning roles, deleting users, and restoring deleted users from the recycle bin (within the 30-day soft-delete window).
• Bulk operations – Using CSV-based bulk create, bulk invite, bulk delete, and bulk download operations from the Microsoft Entra admin center or PowerShell/Microsoft Graph API.
• User types – Understanding the difference between Member users and Guest users, and how user type affects default permissions.
How Does It Work?
1. Creating a Cloud User:
Navigate to the Microsoft Entra admin center → Users → New user → Create new user. You must provide a User principal name (UPN), display name, and an initial password. Optional properties include job title, department, usage location, and more. The user can sign in immediately with the temporary password and will be prompted to change it at first sign-in (unless configured otherwise).
2. Inviting a Guest User:
Navigate to Users → New user → Invite external user. You provide the guest's email address and optionally a personal message. The guest receives a redemption link via email. Guest users have a UserType of Guest, which gives them restricted default permissions compared to members.
3. Configuring User Properties:
After a user is created, administrators can update properties such as:
- Usage location – Required before assigning licenses (e.g., setting it to "US" or "GB").
- Authentication contact info – Phone number and alternate email for self-service password reset (SSPR) and multi-factor authentication (MFA).
- Manager – Important for approval workflows in access reviews and entitlement management.
- Company name, department, job title – Used for dynamic group membership rules.
4. Managing the User Lifecycle:
- Block sign-in: Immediately prevents the user from authenticating without deleting the account. Existing sessions may persist until tokens expire or are revoked.
- Revoke sessions: Forces all refresh tokens to be invalidated, requiring re-authentication.
- Delete user: Moves the user to a soft-deleted state. The user can be restored within 30 days. After 30 days, the deletion is permanent.
- Restore user: Recovers a soft-deleted user with all previous group memberships and role assignments intact.
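The lifecycle steps above (block sign-in, revoke sessions, soft delete, restore) as one Microsoft Graph PowerShell script; this is an added example, not code from the guide or from Microsoft. The UPN, the scopes and the placeholder values are assumptions to adjust for your tenant.

```powershell
# Added example, not from the guide: emergency offboarding and restore flow
# using the Microsoft.Graph PowerShell module. Scopes and UPN are placeholders.
Connect-MgGraph -Scopes "User.ReadWrite.All", "User.EnableDisableAccount.All", "Directory.ReadWrite.All" -NoWelcome

$upn = "leaver@contoso.example"   # placeholder UPN

$user = Get-MgUser -Filter "userPrincipalName eq '$upn'" -Property Id,UserPrincipalName,AccountEnabled,OnPremisesSyncEnabled
if (-not $user) { throw "No user found for $upn" }

# Synced users are mastered on-premises: disable them in AD, not in the cloud.
if ($user.OnPremisesSyncEnabled) { throw "$upn is synced from on-premises AD; block it at the source" }

# Step 1 - block sign-in. The object stays intact; only new authentications fail.
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# Step 2 - revoke refresh tokens so existing sessions cannot silently renew.
# Already-issued access tokens stay valid until expiry unless CAE re-evaluates them.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# Step 3 (once offboarding is confirmed) - soft delete; recoverable for 30 days.
Remove-MgUser -UserId $user.Id

# Verify the object is in the recycle bin and restore it if the deletion was a mistake.
$deleted = Get-MgDirectoryDeletedItem -DirectoryObjectId $user.Id
if ($deleted) {
    "Soft-deleted at $($deleted.DeletedDateTime); purged after $($deleted.DeletedDateTime.AddDays(30))"
    Restore-MgDirectoryDeletedItem -DirectoryObjectId $deleted.Id | Out-Null
    # Restore brings back group memberships and role assignments, but sign-in is
    # still blocked from step 1 - re-enable explicitly only if the user should return.
    Update-MgUser -UserId $deleted.Id -AccountEnabled:$true
}
```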
5. Bulk Operations:
For large-scale management, use CSV templates from the Entra admin center or automate via Microsoft Graph API or PowerShell (using the Microsoft.Graph module or the older AzureAD/MSOnline modules). Bulk create requires columns such as UPN, display name, initial password, and block sign-in status.
6. Programmatic Management:
Microsoft Graph API endpoint POST https://graph.microsoft.com/v1.0/users is used to create users programmatically. The PATCH method updates user properties, and DELETE soft-deletes the user. PowerShell cmdlets like New-MgUser, Update-MgUser, and Remove-MgUser map to these API calls.
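The bulk-create and programmatic steps above combined into one script that reads a CSV, creates each user with New-MgUser, and assigns a license only when usage location is set. This is an added example, not the guide's or Microsoft's code; the CSV path and column names, the domain and the SKU part number are assumptions.

```powershell
# Added example, not from the guide: CSV-driven bulk create with Microsoft.Graph.
# Assumed CSV columns (placeholder file):
#   UserPrincipalName,DisplayName,InitialPassword,BlockSignIn,UsageLocation,Department
Connect-MgGraph -Scopes "User.ReadWrite.All", "Organization.Read.All", "Directory.ReadWrite.All" -NoWelcome

$rows = Import-Csv ".\new-users.csv"   # placeholder path

# Resolve the licence SKU once rather than per user ("ENTERPRISEPACK" is a placeholder).
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq "ENTERPRISEPACK"
if (-not $sku) { throw "Licence SKU not found in this tenant" }

foreach ($r in $rows) {
    # UPN must be unique in the tenant: skip the row rather than abort the batch.
    if (Get-MgUser -Filter "userPrincipalName eq '$($r.UserPrincipalName)'") {
        Write-Warning "Skipping $($r.UserPrincipalName): already exists"; continue
    }
    $params = @{
        UserPrincipalName = $r.UserPrincipalName
        DisplayName       = $r.DisplayName
        MailNickname      = ($r.UserPrincipalName -split "@")[0]
        AccountEnabled    = ($r.BlockSignIn -ne "Yes")   # assumed Yes/No column
        Department        = $r.Department
        PasswordProfile   = @{
            Password                      = $r.InitialPassword
            ForceChangePasswordNextSignIn = $true        # temporary password
        }
    }
    # Usage location must exist before a licence can be assigned.
    if ($r.UsageLocation) { $params.UsageLocation = $r.UsageLocation }

    $u = New-MgUser @params
    if (-not $r.UsageLocation) {
        Write-Warning "$($u.UserPrincipalName) has no usage location; licence not assigned"; continue
    }
    Set-MgUserLicense -UserId $u.Id -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @() | Out-Null
    "Created and licensed $($u.UserPrincipalName)"
}
```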
Key Concepts to Remember:
• User Principal Name (UPN) must be unique within the tenant and follows the format username@domain.com.
• Usage location must be set before a license can be assigned. This is one of the most commonly tested facts.
• Guest vs. Member: Guest users have limited default permissions (they cannot enumerate the directory by default unless external collaboration settings allow it). Member users have broader read access.
• Soft delete retention is 30 days — after which the account is permanently removed.
• Dynamic groups can automatically add or remove users based on attributes like department, jobTitle, or userType.
• Administrative units can scope administrative permissions so that a helpdesk admin can only manage users in a specific department or region.
• Custom security attributes can be assigned to users for fine-grained attribute-based access control (ABAC).
Exam Tips: Answering Questions on User Creation, Configuration, and Management
1. Know the prerequisites for license assignment: If a question asks why a license cannot be assigned, the answer is almost always that the usage location has not been set.
2. Understand the 30-day soft-delete window: Questions about recovering deleted users will test whether you know the recovery period and what is restored (group memberships, role assignments).
3. Distinguish between blocking sign-in and deleting: Blocking sign-in keeps the user object intact but prevents authentication. Deleting moves the user to the recycle bin. Questions may present scenarios where you need to choose the appropriate action.
4. Guest user behavior: Expect questions about what guest users can and cannot do by default. Remember that external collaboration settings in Microsoft Entra ID control guest permissions (most restrictive, limited, or same as members).
5. Bulk operations: Know that the Entra admin center supports CSV-based bulk operations and that PowerShell/Graph API can also be used. If asked about the most efficient way to create hundreds of users, bulk create via CSV or scripting is the answer.
6. Revoking access immediately: If a scenario requires immediate prevention of access, remember that blocking sign-in alone may not terminate active sessions. You may also need to revoke all refresh tokens (Revoke-MgUserSignInSession) and consider Continuous Access Evaluation (CAE) for near-real-time token revocation.
7. PowerShell and Graph API: Be familiar with cmdlets like New-MgUser, Update-MgUser, Remove-MgUser, and Restore-MgDirectoryDeletedItem. The exam may present code snippets and ask you to identify the correct command.
8. Administrative Units: If a question involves delegating user management for a specific subset of users (e.g., only users in the marketing department), the answer involves administrative units with scoped role assignments.
9. Read the scenario carefully: Many questions include distractors. Pay attention to whether the question asks about a cloud-only user vs. a synced user. Synced users must be managed at the source (on-premises AD), and certain attributes cannot be changed in the cloud.
10. Default user permissions: Know that by default, all members can read basic directory information, register applications, and create security groups. These defaults can be restricted in User Settings. Guest users have more restricted defaults.
By mastering user creation, configuration, and management, you build the foundation for understanding every other SC-300 topic — from conditional access policies that target specific users, to governance workflows that depend on user attributes, to monitoring sign-in logs that track user activity.