L2. User Management: Bulk Operations and Dynamic Groups
Master user lifecycle management for the SC-300: creating users individually and in bulk via CSV, configuring dynamic membership rules for groups, and understanding the difference between assigned and dynamic groups in Entra ID.
Creating and Managing Users
Entra ID supports several methods for creating user accounts:
- Entra admin center: Manual creation, one user at a time
- Bulk operations: CSV upload for creating, inviting, or deleting multiple users
- PowerShell: New-MgUser cmdlet via the Microsoft Graph PowerShell SDK
- Microsoft Graph API: Programmatic user management via REST endpoints
When creating a user in the admin center, the required properties are: display name, user principal name (UPN), and an initial password. Through Graph or PowerShell you must also supply a mail nickname and the account-enabled flag. The UPN domain suffix must be a verified domain in your tenant; an unverified suffix is rejected.
Bulk Operations
Bulk operations use CSV templates downloaded from the Entra admin center. Three primary bulk operations:
| Operation | CSV Columns Required | Notes |
|---|---|---|
| Bulk create | Name, UPN, Password, Block sign-in | Creates cloud-only users |
| Bulk invite | Email, Redirect URL | Creates B2B guest users |
| Bulk delete | UPN | Soft-deletes accounts; they stay restorable for 30 days |
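The same bulk create can be driven from the Microsoft Graph PowerShell SDK. The script below is an added example, not material from the lesson: the CSV is constructed and uses the column names from the table above (the admin center template uses longer bracketed headers, so map them if you feed a downloaded template), the tenant domains are placeholders, and the password generator is an assumption about local policy rather than anything Entra mandates.

```powershell
# Added example: bulk-create cloud-only users from a CSV with Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph.Users and Microsoft.Graph.Identity.DirectoryManagement modules
# and consent to User.ReadWrite.All plus Domain.Read.All.
Connect-MgGraph -Scopes "User.ReadWrite.All", "Domain.Read.All"

# Constructed sample input in the shape of the lesson's "Bulk create" columns.
# An empty Password cell means "generate one". contoso.com / fabrikam.example are placeholders.
$csvText = @"
Name,UPN,Password,BlockSignIn
Alice Adams,alice.adams@contoso.com,,No
Bob Brown,bob.brown@contoso.com,,Yes
Carol Chen,carol.chen@fabrikam.example,,No
"@
$rows = $csvText | ConvertFrom-Csv

# Only UPNs whose suffix is a verified domain in this tenant can be created.
$verifiedDomains = (Get-MgDomain -All | Where-Object IsVerified).Id

function New-RandomPassword {
    # 20 random bytes -> base64 (upper, lower, digits, + /) with a trailing symbol.
    # This is an assumed local convention; the user must change it at first sign-in anyway.
    $bytes = [byte[]]::new(20)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return ([Convert]::ToBase64String($bytes).TrimEnd('=')) + '!'
}

function New-UsersFromCsvRows {
    param([object[]]$Rows, [string[]]$VerifiedDomains)
    foreach ($row in $Rows) {
        $suffix = $row.UPN.Split('@')[-1]
        if ($suffix -notin $VerifiedDomains) {
            Write-Warning "Skipping $($row.UPN): '$suffix' is not a verified domain in this tenant"
            continue
        }
        $password = if ([string]::IsNullOrWhiteSpace($row.Password)) { New-RandomPassword } else { $row.Password }
        $params = @{
            DisplayName       = $row.Name
            UserPrincipalName = $row.UPN
            MailNickname      = $row.UPN.Split('@')[0]        # required by Graph; derived from the UPN prefix
            AccountEnabled    = ($row.BlockSignIn -ne 'Yes')  # "Block sign-in = Yes" means accountEnabled = false
            PasswordProfile   = @{
                Password                      = $password
                ForceChangePasswordNextSignIn = $true
            }
        }
        try {
            $user = New-MgUser @params
            # The password is deliberately not written to output or logs.
            Write-Output "Created $($user.UserPrincipalName) (id $($user.Id), enabled=$($user.AccountEnabled))"
        } catch {
            Write-Warning "Failed to create $($row.UPN): $($_.Exception.Message)"
        }
    }
}

New-UsersFromCsvRows -Rows $rows -VerifiedDomains $verifiedDomains
```

With the constructed input, the two contoso.com rows are created (Bob with sign-in blocked) and the fabrikam.example row is skipped before any call to Graph, which is the same check the admin center's CSV upload applies when it reports a row as failed. Generated initial passwords are intentionally never printed; hand them to the user through a channel outside the script.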
Group Types
Entra ID has two categories of groups:
- Security groups: Used for access management (assigning permissions to resources)
- Microsoft 365 groups: Used for collaboration (shared mailbox, SharePoint site, Teams)
Assignment Types
Each group can use one of three membership assignment types:
- Assigned: Members are manually added and removed by an administrator
- Dynamic User: Membership is automatically calculated based on user attribute rules
- Dynamic Device: Membership is automatically calculated based on device attribute rules (security groups only)
Dynamic Membership Rules
Dynamic groups evaluate user or device properties against rules you define. Common attributes used in rules:

```
user.department -eq "Engineering"
user.jobTitle -contains "Manager"
user.accountEnabled -eq true
user.companyName -eq "Contoso"
```

You can combine multiple conditions with the -and, -or and -not operators:

```
(user.department -eq "Sales") -and (user.country -eq "US")
```
Exam tip: Dynamic group membership requires Entra ID P1 or P2 licensing. Free and Office 365 plans only support assigned groups.
Group Nesting and Limits
Security groups can be nested (group within a group). Microsoft 365 groups cannot be nested. Nesting is not honored by every feature, however; group-based licensing, for example, only licenses direct members. Dynamic groups cannot contain other groups as members and do not accept manually added members at all: they only evaluate individual user or device attributes.

Exam tip: When a question asks about automatically adding users from a specific department to a group, the answer is always a dynamic user group with an attribute rule, never a nested group or manual assignment.
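The rule syntax above and the "no manual members" limitation can both be exercised with the Graph PowerShell SDK. This is an added example rather than the lesson's own code: the group names are placeholders, the rule extends the lesson's Sales/US rule with an accountEnabled clause, and the polling interval is an assumption, since membership is calculated asynchronously after the group is created.

```powershell
# Added example: create a dynamic security group from a membership rule, wait for the
# service to evaluate it, then show that a manual add is rejected.
# Assumes the Microsoft.Graph.Groups module and consent to Group.ReadWrite.All.
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# Lesson's rule, extended so that disabled accounts drop out of the group automatically.
$rule = '(user.department -eq "Sales") -and (user.country -eq "US") -and (user.accountEnabled -eq true)'

function New-DynamicSecurityGroup {
    param([string]$DisplayName, [string]$MembershipRule)
    New-MgGroup -DisplayName $DisplayName `
        -MailNickname ($DisplayName -replace '[^A-Za-z0-9]', '') `
        -MailEnabled:$false -SecurityEnabled:$true `
        -GroupTypes @("DynamicMembership") `
        -MembershipRule $MembershipRule `
        -MembershipRuleProcessingState "On"   # "Paused" would create the group without evaluating the rule
}

function Wait-DynamicMembership {
    # Membership is populated asynchronously; poll instead of assuming it is ready.
    param([string]$GroupId, [int]$TimeoutMinutes = 10)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $members = Get-MgGroupMember -GroupId $GroupId -All
        if ($members.Count -gt 0) { return $members }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    Write-Warning "No members after $TimeoutMinutes minutes: re-check the rule text and the group's processing status"
    return @()
}

$group   = New-DynamicSecurityGroup -DisplayName "Sales-US-Dynamic" -MembershipRule $rule
$members = Wait-DynamicMembership -GroupId $group.Id
Write-Output "$($members.Count) user(s) matched rule: $rule"

# Failure mode: a dynamic group is rule-driven only, so trying to add a member
# (here another security group, i.e. an attempt at nesting) is rejected by the service.
$nested = New-MgGroup -DisplayName "Sales-Managers" -MailNickname "SalesManagers" `
    -MailEnabled:$false -SecurityEnabled:$true
try {
    New-MgGroupMemberByRef -GroupId $group.Id -BodyParameter @{
        "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($nested.Id)"
    }
    Write-Warning "Unexpected: a member was added to a dynamic group"
} catch {
    Write-Output "Expected failure for a dynamic group: $($_.Exception.Message)"
}
```

Because every member of a dynamic group must be covered by an Entra ID P1 license, creating the group succeeds on any tenant but the rule is only processed where that licensing is in place; an empty group after the timeout is more often a licensing or attribute-population problem than a syntax error.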
Deleted Users and Restoration
When you delete a user, the account moves to a soft-deleted state for 30 days. During this window, the user can be restored with all properties intact. After 30 days, the deletion becomes permanent and the user object cannot be recovered.
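The soft-delete window can be inspected and a user restored from PowerShell. The functions below are an added example, not code from the lesson: the 30-day figure is the one stated above, the "days until purge" arithmetic is a local convenience, and the UPN passed to the restore is a placeholder.

```powershell
# Added example: report soft-deleted users with the time left in the 30-day window, and
# restore one by UPN. Assumes the Microsoft.Graph.Identity.DirectoryManagement module
# and consent to User.ReadWrite.All.
Connect-MgGraph -Scopes "User.ReadWrite.All"

function Get-SoftDeletedUserReport {
    # Each soft-deleted user keeps its properties; deletedDateTime marks the start of the window.
    Get-MgDirectoryDeletedItemAsUser -All -Property "id,displayName,userPrincipalName,deletedDateTime" |
        ForEach-Object {
            $age = (Get-Date).ToUniversalTime() - $_.DeletedDateTime.ToUniversalTime()
            [pscustomobject]@{
                Id             = $_.Id
                DisplayName    = $_.DisplayName
                UPN            = $_.UserPrincipalName
                DeletedUtc     = $_.DeletedDateTime
                DaysUntilPurge = [math]::Max(0, 30 - [int][math]::Floor($age.TotalDays))
            }
        }
}

function Restore-SoftDeletedUser {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $matches = @(Get-SoftDeletedUserReport | Where-Object UPN -eq $UserPrincipalName)
    if ($matches.Count -eq 0) {
        throw "No soft-deleted user with UPN $UserPrincipalName (already purged, or never deleted?)"
    }
    if ($matches.Count -gt 1) {
        throw "More than one soft-deleted user has UPN $UserPrincipalName; restore by object id instead"
    }
    # Restoring puts the object back with all properties intact; the restore is refused if the
    # UPN has meanwhile been given to another account, so resolve that first.
    Restore-MgDirectoryDeletedItem -DirectoryObjectId $matches[0].Id
}

# Usage: review the window, then restore a specific account (placeholder UPN).
Get-SoftDeletedUserReport | Sort-Object DaysUntilPurge | Format-Table DisplayName, UPN, DaysUntilPurge
Restore-SoftDeletedUser -UserPrincipalName "alice.adams@contoso.com"
```

Remove-MgDirectoryDeletedItem against the same object id purges it before the 30 days elapse; that is the only way a deletion becomes permanent early, so audit who holds the permission to run it.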
- ✓ Bulk CSV operations create cloud-only accounts: synced accounts come through Entra Connect only
- ✓ Dynamic group membership requires Entra ID P1 or P2 licensing
- ✓ Dynamic groups evaluate user/device attributes with rules: they cannot contain nested groups
- ✓ Microsoft 365 groups cannot be nested; only security groups support nesting
- ✓ Deleted users are soft-deleted for 30 days and can be restored; after 30 days deletion is permanent
1. Which license is required to create dynamic membership groups in Entra ID?
2. What is the retention period for soft-deleted users in Entra ID?
3. A company needs to automatically add all users from the Sales department to a security group. What should you configure?