{"id":15,"date":"2026-07-10T15:05:25","date_gmt":"2026-07-10T15:05:25","guid":{"rendered":"https:\/\/azureproguide.com\/blog\/?p=15"},"modified":"2026-07-10T15:05:26","modified_gmt":"2026-07-10T15:05:26","slug":"microsoft-entra-id-a-practitioners-guide-to-users-groups-and-rbac","status":"publish","type":"post","link":"https:\/\/azureproguide.com\/blog\/microsoft-entra-id-a-practitioners-guide-to-users-groups-and-rbac\/","title":{"rendered":"Microsoft Entra ID: A Practitioner&#8217;s Guide to Users, Groups, and RBAC"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Every decision Azure makes about who can do what starts in one place: Microsoft Entra ID. Before you deploy a single virtual machine or storage account, it&#8217;s worth understanding this layer properly \u2014 because every access decision your environment makes will flow through it.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This article covers the three things you need working knowledge of before anything else in Azure makes sense: users, groups, and role-based access control (RBAC). It&#8217;s written from real deployment experience across GIC, GCC, and traditional enterprise environments \u2014 not paraphrased from documentation.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Tenants, Subscriptions, and Management Groups<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Three terms worth anchoring before going further:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Tenant<\/strong> \u2014 your organisation&#8217;s dedicated instance of Entra ID. When your company signs up for Azure, Microsoft creates a tenant with a unique ID, typically mapped to a domain like <code>yourcompany.onmicrosoft.com<\/code>.<\/li>\n\n\n\n<li><strong>Subscription<\/strong> \u2014 a billing and resource boundary. Every Azure resource \u2014 VMs, storage accounts, databases \u2014 lives inside a subscription, and a subscription trusts exactly one Entra ID tenant for authentication.<\/li>\n\n\n\n<li><strong>Management group<\/strong> \u2014 a container above subscriptions that lets you apply governance policies and access controls across many subscriptions at once. Larger organisations use these to avoid repeating the same configuration across dozens of subscriptions.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">The hierarchy flows: management group \u2192 subscription \u2192 resource group \u2192 individual resource. This matters a great deal once you start assigning access, which is where we&#8217;re headed.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\"><strong>Real-world context:<\/strong> Hybrid identity is extremely common across GICs, GCCs, and shared-services setups. On-premises user accounts sync to Entra ID on a schedule via Entra Connect. Engineers sign in once with their corporate credentials and get seamless access to both on-premises systems and Azure resources \u2014 no separate cloud password, no duplicate accounts to manage.<\/p>\n<\/blockquote>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"538\" src=\"https:\/\/azureproguide.com\/blog\/wp-content\/uploads\/2026\/07\/hero-entra-id-1024x538.png\" alt=\"Entra ID\" class=\"wp-image-18\" srcset=\"https:\/\/azureproguide.com\/blog\/wp-content\/uploads\/2026\/07\/hero-entra-id-1024x538.png 1024w, https:\/\/azureproguide.com\/blog\/wp-content\/uploads\/2026\/07\/hero-entra-id-300x158.png 300w, https:\/\/azureproguide.com\/blog\/wp-content\/uploads\/2026\/07\/hero-entra-id-768x403.png 768w, https:\/\/azureproguide.com\/blog\/wp-content\/uploads\/2026\/07\/hero-entra-id.png 1200w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Managing Users<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Entra ID has two kinds of user accounts:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Member users<\/strong> \u2014 full members of your organisation&#8217;s tenant, created directly in Entra ID or synced from on-premises Active Directory via Entra Connect.<\/li>\n\n\n\n<li><strong>Guest users<\/strong> \u2014 external identities invited through Azure B2B (business-to-business) collaboration. They authenticate with their own email \u2014 a Gmail address, or another company&#8217;s Microsoft account \u2014 and appear in your directory with <code>#EXT#<\/code> in their User Principal Name, for example <code>priya_contoso.com#EXT#@yourcompany.onmicrosoft.com<\/code>.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">For one or two users, the Entra admin centre (entra.microsoft.com) is fine. For anything larger, scripting is the practical choice:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Create a single user via Azure CLI\naz ad user create \\\n  -<span class=\"ruby\">-display-name <span class=\"hljs-string\">\"Priya Sharma\"<\/span> \\\n<\/span>  -<span class=\"ruby\">-user-principal-name priya@yourdomain.com \\\n<\/span>  -<span class=\"ruby\">-password <span class=\"hljs-string\">\"TempPass@2026!\"<\/span> \\\n<\/span>  -<span class=\"ruby\">-force-change-password-<span class=\"hljs-keyword\">next<\/span>-sign-<span class=\"hljs-keyword\">in<\/span> <span class=\"hljs-literal\">true<\/span><\/span>\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">A few things worth knowing about guest users specifically:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>They&#8217;re assigned the Guest User role by default, which has restricted read access to the directory.<\/li>\n\n\n\n<li>You can restrict guests from enumerating other users and groups via External collaboration settings.<\/li>\n\n\n\n<li>Guest users typically count against your licence quota at a set ratio relative to paid Entra ID P1\/P2 licences \u2014 check current terms before planning at scale, as licensing details change.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Managing Groups<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Groups are how you control access at scale. Rather than assigning permissions to individual users one at a time, you assign them to a group and manage membership centrally \u2014 the assignment doesn&#8217;t change even as people join or leave the team.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">There are two membership types worth knowing:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Assigned membership<\/strong> \u2014 you manually add and remove members. Simple, predictable, but doesn&#8217;t scale well past a certain team size.<\/li>\n\n\n\n<li><strong>Dynamic membership<\/strong> \u2014 Entra ID evaluates a rule against user attributes (department, job title, location) and automatically adds or removes members as those attributes change. This is where groups become genuinely powerful for larger organisations.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">A dynamic rule looks like this:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>(<span class=\"hljs-name\">user.department<\/span> -eq <span class=\"hljs-string\">\"Engineering\"<\/span>)\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">One practical detail that catches people out: dynamic group membership isn&#8217;t instant. After you save a rule, it can take anywhere from a few minutes to a few hours for all matching users to be evaluated and added, depending on directory size. Plan for this during onboarding workflows \u2014 don&#8217;t assume a new hire has access the moment their department field is set.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Dynamic membership requires an Entra ID P1 licence (included in Microsoft 365 E3 and above, or purchasable as a standalone add-on) \u2014 on the free tier you can still create groups, they just need to be managed manually.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Controlling Access with Azure RBAC<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Creating users and groups is only half the story. The other half is deciding what those users and groups can actually do with your Azure resources \u2014 that&#8217;s Azure Role-Based Access Control.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">RBAC answers a simple question: <strong>who can do what, on which resource?<\/strong> Every access decision in Azure goes through it. An RBAC assignment has three parts:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Security principal<\/strong> \u2014 the <em>who<\/em>. A user, a group, a service principal (an application identity), or a managed identity.<\/li>\n\n\n\n<li><strong>Role definition<\/strong> \u2014 the <em>what<\/em>. A named collection of permitted actions. The built-in <strong>Virtual Machine Contributor<\/strong> role, for example, allows creating and managing VMs but not managing the virtual network they sit on.<\/li>\n\n\n\n<li><strong>Scope<\/strong> \u2014 the <em>where<\/em>. The specific resource, resource group, subscription, or management group the assignment applies to.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">The scope hierarchy<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Assignments at a higher level are inherited by everything below:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Management <span class=\"hljs-keyword\">Group<\/span>          <span class=\"hljs-title\">\u2190 broadest<\/span> scope\n  \u2514\u2500\u2500 Subscription\n        \u2514\u2500\u2500 Resource <span class=\"hljs-keyword\">Group<\/span>\n              <span class=\"hljs-title\">\u2514\u2500\u2500 Individual<\/span> Resource   \u2190 narrowest scope\n\n<span class=\"hljs-comment\"># An assignment at Subscription level applies to all<\/span>\n<span class=\"hljs-comment\"># resource groups and resources within that subscription.<\/span>\n\n<span class=\"hljs-comment\"># An assignment at Resource Group level applies only to<\/span>\n<span class=\"hljs-comment\"># resources within that group.<\/span>\n\n<span class=\"hljs-comment\"># Deny assignments always win over allow assignments.<\/span>\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The practical implication: <strong>assign access at the lowest scope that makes sense.<\/strong> If an engineer only needs to manage resources in one resource group, assign their role there \u2014 not at the subscription level. Least privilege isn&#8217;t just a security principle; it&#8217;s also far easier to audit and revoke later.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A pattern worth adopting early: assign roles to <strong>groups<\/strong>, not individual users. When someone joins or leaves a team, you change one group membership instead of hunting down every resource they had direct access to.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Self-Service Password Reset (SSPR)<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The last piece worth setting up early: letting users reset their own passwords without opening a helpdesk ticket. SSPR reduces support load, resolves faster for the user, and costs nothing beyond a P1 licence if you want on-premises writeback.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Configuration lives in the Entra admin centre under <strong>Password reset<\/strong>. You choose how many verification methods are required (commonly two) and which methods are allowed \u2014 Microsoft Authenticator, email, phone, or security questions.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Try It Yourself<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">A short hands-on sequence to make the above concrete:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Create two member users<\/strong> in the Entra admin centre, with different <code>department<\/code> attribute values \u2014 one Engineering, one Finance.<\/li>\n\n\n\n<li><strong>Create a dynamic security group<\/strong> called <code>sg-engineering<\/code> with the rule <code>(user.department -eq \"Engineering\")<\/code>. Wait a few minutes, then confirm only the Engineering user appears as a member.<\/li>\n\n\n\n<li><strong>Create a resource group<\/strong> called <code>rg-lab<\/code> and assign the Finance user the <strong>Reader<\/strong> role on it. Sign in as that user and confirm they can see the resource group but can&#8217;t create anything inside it.<\/li>\n\n\n\n<li><strong>Enable SSPR<\/strong> for the <code>sg-engineering<\/code> group, requiring two verification methods (Authenticator + email). Sign in as the Engineering user, register both methods, then test a reset at <code>aka.ms\/sspr<\/code>.<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">Summary<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Microsoft Entra ID is the identity layer underneath everything on Azure. Three things to take away:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Users and groups<\/strong> \u2014 member users for your organisation, guest users for external collaborators, and groups \u2014 particularly dynamic groups \u2014 to manage access at scale without manual overhead.<\/li>\n\n\n\n<li><strong>RBAC<\/strong> \u2014 who can do what, on which resource. Assign at the narrowest scope that makes sense, favour built-in roles where they fit, and assign to groups rather than individuals.<\/li>\n\n\n\n<li><strong>SSPR<\/strong> \u2014 let users help themselves. Lower helpdesk load, faster resolution, minimal cost.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">The next article in this series goes deeper on RBAC itself \u2014 custom role design, management group scope strategy, managed identities, and Privileged Identity Management (PIM) for just-in-time access instead of standing role assignments.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Every decision Azure makes about who can do what starts in one place: Microsoft Entra ID. Before you deploy a single virtual machine or storage account, it&#8217;s worth understanding this layer properly \u2014 because every access decision your environment makes will flow through it. This article covers the three things you need working knowledge of &#8230; <a title=\"Microsoft Entra ID: A Practitioner&#8217;s Guide to Users, Groups, and RBAC\" class=\"read-more\" href=\"https:\/\/azureproguide.com\/blog\/microsoft-entra-id-a-practitioners-guide-to-users-groups-and-rbac\/\" aria-label=\"Read more about Microsoft Entra ID: A Practitioner&#8217;s Guide to Users, Groups, and RBAC\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15","post","type-post","status-publish","format-standard","hentry","category-blog"],"_links":{"self":[{"href":"https:\/\/azureproguide.com\/blog\/wp-json\/wp\/v2\/posts\/15","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/azureproguide.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/azureproguide.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/azureproguide.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/azureproguide.com\/blog\/wp-json\/wp\/v2\/comments?post=15"}],"version-history":[{"count":3,"href":"https:\/\/azureproguide.com\/blog\/wp-json\/wp\/v2\/posts\/15\/revisions"}],"predecessor-version":[{"id":19,"href":"https:\/\/azureproguide.com\/blog\/wp-json\/wp\/v2\/posts\/15\/revisions\/19"}],"wp:attachment":[{"href":"https:\/\/azureproguide.com\/blog\/wp-json\/wp\/v2\/media?parent=15"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/azureproguide.com\/blog\/wp-json\/wp\/v2\/categories?post=15"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/azureproguide.com\/blog\/wp-json\/wp\/v2\/tags?post=15"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}