Lab 01: Solution - Portal Walkthrough
Only refer to this after attempting the tasks yourself!
Task 1: Create User Accounts
Creating User A (Alex Johnson)
Sign in to portal.azure.com
Search for "Entra ID" or "Azure Active Directory" in the top search bar
Click Users in the left navigation
Click + New user → Create new user
Basics tab:
- User principal name: alexjohnson (domain auto-fills)
- Mail nickname: Leave as auto-generated or set to alexjohnson
- Display name: Alex Johnson
- Password: Select Auto-generate password
- Check Show password and copy it somewhere safe
- Account enabled: Yes (checked)
Properties tab:
- First name: Alex
- Last name: Johnson
- Job title: Project Manager
- Department: Operations
- Usage location: United States
- Mobile phone: +1-555-0101
Click Review + create → Create
Creating User B (Maria Garcia)
Repeat the process with:
- User principal name: mariagarcia
- Display name: Maria Garcia
- Job title: Developer
- Department: Engineering
- Usage location: United States
Creating User C (James Wilson)
Repeat the process with:
- User principal name: jameswilson
- Display name: James Wilson
- Job title: Security Analyst
- Department: Security
- Usage location: United Kingdom
- Company name: Contoso Security (in Properties → Job Information section)
Task 2: Create Security Groups
Creating SG-ProjectAlpha-Members
In Entra ID, click Groups in left navigation
Click + New group
Configure:
- Group type: Security
- Group name: SG-ProjectAlpha-Members
- Group description: All members of Project Alpha
- Membership type: Assigned
- Owners: (optional - skip for now)
- Members: Click No members selected
- Search for and select: Alex Johnson, Maria Garcia, James Wilson
- Click Select
Click Create
Creating SG-ProjectAlpha-Admins
Repeat with:
- Group name: SG-ProjectAlpha-Admins
- Description: Administrators for Project Alpha
- Members: Alex Johnson only
Creating SG-Engineering-All
Repeat with:
- Group name: SG-Engineering-All
- Description: All Engineering department staff
- Members: Maria Garcia only
Task 3: Create Microsoft 365 Group
Click Groups → + New group
Configure:
- Group type: Microsoft 365
- Group name: M365-ProjectAlpha-Team
- Group email address: projectalpha (domain auto-fills)
- Group description: Project Alpha collaboration group
- Membership type: Assigned
- Owners: Click No owners selected
- Search and select: Alex Johnson
- Click Select
- Members: Click No members selected
- Search and select: Alex Johnson, Maria Garcia, James Wilson
- Click Select
Click Create
Note: Microsoft 365 groups can take a few minutes to fully provision.
Task 4: Configure User Properties in Bulk
Since we only have 3 users, we'll update each individually:
For Alex Johnson:
- Go to Users → Click Alex Johnson
- Click Properties in the left menu
- Click Edit properties
- Scroll to Job information section:
- Employee ID: 100001
- Employee type: Employee
- Scroll to Manager & directs section:
- Sponsor: Search for and select your admin account
- Click Save
Repeat for Maria and James:
- Maria: Employee ID = 100002
- James: Employee ID = 100003
Task 5: Manage Group Ownership
Add Owner to SG-ProjectAlpha-Members:
- Go to Groups → Click SG-ProjectAlpha-Members
- Click Owners in the left menu
- Click + Add owners
- Search for Alex Johnson
- Select and click Select
Configure M365 Group Settings:
- Go to Groups → Click M365-ProjectAlpha-Team
- Click Properties in the left menu
- Scroll down to find email settings:
- Allow external senders...: Ensure this is No / unchecked
- Send copies of group conversations...: Ensure this is Yes / checked
- Click Save if changes were made
Note: Some M365 group settings may need to be configured in Microsoft 365 Admin Center or Exchange Admin Center.
Task 6: Self-Service Group Settings
Go to Entra ID → Groups
Click General under Settings in left navigation
Configure each setting:
- Owners can manage group membership requests in My Groups: Yes
- Restrict user ability to access groups features in My Groups: No
- Users can create security groups...: No
- Users can create Microsoft 365 groups...: Yes
Click Save
Security Impact Notes:
- Allowing M365 group creation but not security groups = users can collaborate but can't create groups used for RBAC
- Restricting My Groups access limits user self-service capabilities
Task 7: Block/Unblock User Sign-in
Block User C:
- Go to Users → Click James Wilson
- Click Properties in left menu
- Click Edit properties
- Find Account status section
- Check Block sign in
- Click Save
Alternative quick method:
- From user overview page, click Block sign in button at top
- Confirm the action
Verify Blocked Status:
- The user list will show a blocked icon
- User profile shows "Block sign in: Yes"
Unblock User C:
- Return to James Wilson's profile
- Edit properties or click Unblock sign in
- Uncheck block sign in
- Save
Task 8: Delete and Restore User
Delete User:
- Go to Users → Find James Wilson
- Select the checkbox next to his name
- Click Delete in the toolbar
- Confirm deletion
Or from user profile:
- Click on James Wilson
- Click Delete button at top
- Confirm
Find Deleted User:
- Go to Users → Click Deleted users tab
- James Wilson should appear here
- Note the Deleted on date
- Permanent deletion occurs 30 days after this date
Restore User:
- In Deleted users, select James Wilson
- Click Restore user in toolbar
- Confirm restoration
Verify Restoration:
- Go back to Users (All users tab)
- James Wilson should appear
- Click on him and verify:
- Job title is still "Security Analyst"
- Department is still "Security"
- Check group memberships (Groups tab) - should still be in SG-ProjectAlpha-Members
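A read-only check for the verification steps in Tasks 7 and 8, as an added example that is not part of the original lab. It assumes the Microsoft Graph PowerShell SDK is installed and that the three display names from Task 1 are unique in the tenant; the 30-day figure is the retention period stated in Task 8.

```powershell
# Added example, not part of the original lab. Read-only: changes nothing in the tenant.
# Assumes the Microsoft Graph PowerShell SDK and unique display names (from Task 1).
Connect-MgGraph -Scopes 'User.Read.All', 'GroupMember.Read.All'

$labUsers      = 'Alex Johnson', 'Maria Garcia', 'James Wilson'
$retentionDays = 30   # soft-delete window stated in Task 8

# Soft-deleted users are listed separately from active users.
$deleted = Get-MgDirectoryDeletedItemAsUser -All -Property Id, DisplayName, DeletedDateTime

$report = foreach ($name in $labUsers) {
    $active = @(Get-MgUser -Filter "displayName eq '$name'" `
            -Property Id, DisplayName, AccountEnabled, UsageLocation)
    $gone   = @($deleted | Where-Object { $_.DisplayName -eq $name })

    foreach ($u in $active) {
        # memberOf also returns directory roles; keep only groups.
        $groups = Get-MgUserMemberOf -UserId $u.Id -All |
            Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' } |
            ForEach-Object { $_.AdditionalProperties['displayName'] }
        [pscustomobject]@{
            User          = $u.DisplayName
            State         = if ($u.AccountEnabled) { 'Active' } else { 'Sign-in blocked' }
            UsageLocation = $u.UsageLocation   # an empty value prevents license assignment
            PurgeAfter    = $null
            Groups        = ($groups | Sort-Object) -join ', '
        }
    }
    foreach ($d in $gone) {
        [pscustomobject]@{
            User          = $d.DisplayName
            State         = 'Soft-deleted'
            UsageLocation = $null
            PurgeAfter    = $d.DeletedDateTime.AddDays($retentionDays)
            Groups        = $null
        }
    }
    if (-not $active -and -not $gone) {
        [pscustomobject]@{ User = $name; State = 'Not found'; UsageLocation = $null
                           PurgeAfter = $null; Groups = $null }
    }
}
$report | Format-Table -AutoSize
```

After the restore step, James Wilson should be reported as Active with SG-ProjectAlpha-Members listed under Groups.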
Common Mistakes to Avoid
- Forgetting Usage Location - Users cannot be assigned licenses without this
- Wrong Group Type - Security groups cannot have email; M365 groups always have email
- Membership Type Confusion - "Assigned" = manual, "Dynamic" = rule-based (requires P1)
- Assuming Delete = Gone - 30-day soft delete period exists
- Blocking vs Deleting - Blocking is temporary and reversible; deletion removes the account