Copyright (c) 2025 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

2.1.1.1. Create Users and Groups

💡 First Principle: Centralizing identity management in Microsoft Entra ID (formerly Azure Active Directory) simplifies access control and enhances security by providing a unified platform for creating and managing user and group identities.

Scenario: You need to onboard 20 new employees and grant them access to various Azure resources. You also need to grant temporary access to a partner company for a specific project.

What It Is:
  • Microsoft Entra ID (formerly Azure Active Directory): Microsoft's cloud-based identity and access management service, which helps your employees sign in and access resources.
  • Users: Individual identities within Entra ID, representing people or applications that need access.
  • Groups: Collections of users or other groups, used to simplify permission management by assigning roles to the group rather than individual users.

Creating Users: To add a user, specify:

  • User Principal Name (UPN): Unique sign-in (e.g., user@domain.com).
  • Display Name: Name shown in the directory.
  • Password Options: Set an initial password; require reset at first sign-in for security.
User Types:
  • Member Users: Internal staff with full access to organizational resources.
  • Guest Users: External collaborators (partners, vendors) with restricted access, typically invited via email.

Creating Groups: Groups allow you to manage permissions for multiple users efficiently. When creating a group, define:

  • Group Type:
  • Membership Type:
    • Assigned: Admins manually add/remove members.
    • Dynamic User/Device: Membership based on user/device attributes defined by a query.

Practical Implementation: Creating a User with Azure CLI
# Create a new user in Entra ID. The last flag forces a password reset at first sign-in,
# so the initial password is only a bootstrap secret; never reuse a real password here.
az ad user create --display-name "John Doe" --password "P@ssw0rd12345" --user-principal-name "john.doe@yourtenant.onmicrosoft.com" --force-change-password-next-sign-in true
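The following script is an added example, not code from the course page or from Microsoft: it carries the scenario above through with the Azure CLI, onboarding a roster of internal staff as Member users in an assigned security group, creating a dynamic group as the automated alternative, and inviting an external partner as a Guest. The tenant domain, group names, membership rule, roster and partner address are all assumptions constructed for the example. With DRY_RUN=1 (the default) every az call is printed instead of executed, so it runs without a tenant.

```shell
#!/usr/bin/env sh
# Added example (not code from the course page): onboards a roster of staff
# as Member users in an assigned security group, shows the dynamic-group
# alternative, and invites an external partner as a Guest, all via Azure CLI.
# Assumptions (hypothetical): the tenant domain, group names, rule and roster.
# With DRY_RUN=1 (the default) every "az" call is printed, not executed.

DRY_RUN="${DRY_RUN:-1}"
TENANT_DOMAIN="yourtenant.onmicrosoft.com"   # assumed tenant domain
GROUP_NAME="proj-falcon-members"             # assumed group name

# run: execute a command, or print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# valid_upn: accept only <non-empty local part>@<our tenant domain>, with no
# spaces or extra "@" signs. Checked before anything is sent to az.
valid_upn() {
  case "$1" in
    ""|"@"*|*" "*|*"@"*"@"*) return 1 ;;
    *"@$TENANT_DOMAIN")      return 0 ;;
    *)                       return 1 ;;
  esac
}

# new_initial_password: 24 random characters; only a bootstrap secret, since
# the user is forced to replace it at first sign-in.
new_initial_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9!@#%^*' </dev/urandom | head -c 24
  echo
}

# create_member_user UPN DISPLAY_NAME PASSWORD: internal staff (Member user).
# The password is redacted in dry-run output so it never lands in a log.
create_member_user() {
  valid_upn "$1" || { echo "refusing invalid UPN: $1" >&2; return 1; }
  if [ "$DRY_RUN" = "1" ]; then pw_arg="<redacted>"; else pw_arg="$3"; fi
  run az ad user create \
    --user-principal-name "$1" \
    --display-name "$2" \
    --password "$pw_arg" \
    --force-change-password-next-sign-in true
}

# ensure_group NAME: security group with assigned (admin-managed) membership.
ensure_group() {
  run az ad group create --display-name "$1" --mail-nickname "$1"
}

# create_dynamic_group NAME RULE: membership computed from an attribute rule.
# az ad group create cannot set this, so call Microsoft Graph directly; the
# rule's inner quotes must arrive already escaped for JSON (\").
create_dynamic_group() {
  run az rest --method POST --url "https://graph.microsoft.com/v1.0/groups" \
    --body '{"displayName":"'"$1"'","mailNickname":"'"$1"'","mailEnabled":false,"securityEnabled":true,"groupTypes":["DynamicMembership"],"membershipRule":"'"$2"'","membershipRuleProcessingState":"On"}'
}

# add_member_to_group GROUP UPN: az wants the member's object ID, not the UPN,
# so resolve it first (a placeholder stands in for it under DRY_RUN).
add_member_to_group() {
  if [ "$DRY_RUN" = "1" ]; then
    oid="<object-id of $2>"
  else
    oid=$(az ad user show --id "$2" --query id -o tsv)
  fi
  run az ad group member add --group "$1" --member-id "$oid"
}

# invite_guest EMAIL DISPLAY_NAME: external collaborator as a Guest user via the
# Graph invitations endpoint. No password is created; the guest signs in with
# their own organisation's identity and gets only what is explicitly assigned.
invite_guest() {
  run az rest --method POST --url "https://graph.microsoft.com/v1.0/invitations" \
    --body '{"invitedUserEmailAddress":"'"$1"'","invitedUserDisplayName":"'"$2"'","inviteRedirectUrl":"https://myapps.microsoft.com","sendInvitationMessage":true}'
}

# Constructed roster (local-part,display name) standing in for the 20 hires.
ROSTER='john.doe,John Doe
jane.roe,Jane Roe'

# onboard_roster: one Member user per roster line, each added to GROUP_NAME.
onboard_roster() {
  ensure_group "$GROUP_NAME"
  printf '%s\n' "$ROSTER" | while IFS=, read -r handle display; do
    upn="$handle@$TENANT_DOMAIN"
    pw=$(new_initial_password)
    create_member_user "$upn" "$display" "$pw"
    add_member_to_group "$GROUP_NAME" "$upn"
    # Hand "$pw" to the new hire out of band; never echo it into logs.
  done
}

onboard_roster
create_dynamic_group "eng-all" '(user.department -eq \"Engineering\")'
invite_guest "partner@example.com" "Partner Contact"   # constructed address
```

Run it as-is to see the commands it would issue; after `az login`, set DRY_RUN=0 to execute them. Two design points map straight onto the page's trade-offs: the assigned group is created with `az ad group create` and filled by hand, while the dynamic group goes through Microsoft Graph because the CLI has no option for membership rules (dynamic membership also needs an Entra ID P1 license); and the partner never receives a password or a Member account, only a Guest invitation, which is what keeps their default permissions minimal.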
Visual: Entra ID Users and Groups for Access Control

āš ļø Common Pitfall: Using Member user accounts for external collaborators. This grants them a higher level of default permissions than necessary. Always use Guest accounts for external users to enforce least privilege.

Key Trade-Offs:
  • Manual (Assigned) vs. Automated (Dynamic) Group Membership: Assigned groups offer direct control but require manual effort. Dynamic groups automate membership based on attributes (like department), reducing administrative overhead but requiring careful query design.

Reflection Question: How does centralizing user and group management in Entra ID fundamentally reduce administrative effort and strengthen security by enforcing consistent access policies compared to managing individual permissions?