Manage Microsoft Entra Users, Groups, and SSPR for AZ-104

AZ-104 expects you to handle common identity administration tasks without turning every request into a manual one-off. That means understanding how users, groups, licenses, guest users, and self-service password reset fit together as an operating model, not as isolated features.

What the exam is checking

The official study guide calls out creating users and groups, managing their properties, managing licenses, handling external users, and configuring self-service password reset. The exam angle is practical: which identity object should exist, who should manage it, and which setting reduces routine admin work without weakening control.

First-pass mental model

Users represent identities. Groups help you scale administration. Licenses and access assignments usually become easier to manage when they follow group membership instead of individual exceptions. Guest users solve collaboration needs, but they still need boundaries around what they can see and do. SSPR reduces ticket load, but only if registration and authentication methods are configured in a way your organization can actually support.

Where candidates get trapped

The common misses are choosing the wrong group type, forgetting that external users are still identities you must govern, and treating SSPR as a checkbox instead of a workflow. Another frequent mistake is assuming licensing and role assignment are the same problem. They are not. A license unlocks capability. RBAC governs Azure actions.

Lab moves worth practicing

• create a user and place it in a security group
• invite one guest user and inspect the resulting account state
• assign or review licenses in Microsoft Entra ID
• enable SSPR and verify which users are in scope

Fast chooser

Quiz

After this page, move into Azure RBAC and Scope. That is where identity administration turns into actual Azure authorization.