User Accounts & Lifecycle
Understanding the Concept
Microsoft Entra ID supports multiple types of user accounts: cloud-only users created directly in Entra ID, synchronized users from on-premises AD via Entra Connect, and guest users (external identities) invited for collaboration.
User lifecycle management encompasses the entire journey of an identity: creation/provisioning, attribute management, access assignment, ongoing governance, and eventually deprovisioning/deletion. Automating this lifecycle reduces security risks and administrative burden.
User properties include display name, UPN (user principal name), job title, department, manager, and custom extension attributes. These properties drive dynamic group memberships, Conditional Access policies, and entitlement management.
Key Points
- Cloud users: Created directly in Entra ID, managed in the cloud
- Synced users: Mastered in on-prem AD, synchronized via Entra Connect
- Guest users: External identities invited for B2B collaboration
- UPN format: user@domain.com - the primary sign-in identifier
- Soft delete: Deleted users are recoverable for 30 days
User Lifecycle Stages
- Provision: Create user account (manual, bulk, API, or HR-driven)
- Configure: Set attributes, assign licenses, set MFA methods
- Assign Access: Add to groups, assign apps, entitlements
- Govern: Access reviews, attestation, re-certification
- Deprovision: Disable, remove access, delete account
Why This Matters in Real Organizations
Orphaned accounts and over-provisioned access are among the top identity security risks. Organizations with poor lifecycle management often discover hundreds of active accounts belonging to former employees, each representing a potential breach vector.
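One way to find such orphaned accounts, as an added example that is not part of the original lesson: cross-check a user export against an HR leaver list, classify each account by source of authority, and compute when a soft-deleted user stops being recoverable. The records, the `contoso.example` domain and the HR feed are constructed; the field names are assumed to follow the Microsoft Graph user resource.

```python
from datetime import datetime, timedelta

SOFT_DELETE_DAYS = 30  # recovery window stated in this lesson

# Constructed sample records; keys assumed to match Microsoft Graph user properties.
USERS = [
    {"userPrincipalName": "alice@contoso.example", "userType": "Member",
     "onPremisesSyncEnabled": None, "accountEnabled": True, "deletedDateTime": None},
    {"userPrincipalName": "bob@contoso.example", "userType": "Member",
     "onPremisesSyncEnabled": True, "accountEnabled": True, "deletedDateTime": None},
    {"userPrincipalName": "carol_partner.example#EXT#@contoso.example", "userType": "Guest",
     "onPremisesSyncEnabled": None, "accountEnabled": True, "deletedDateTime": None},
    {"userPrincipalName": "dave@contoso.example", "userType": "Member",
     "onPremisesSyncEnabled": None, "accountEnabled": False,
     "deletedDateTime": "2024-05-01T09:00:00Z"},
]
# Constructed HR leaver feed: UPNs of people who have left the organization.
HR_LEAVERS = {"bob@contoso.example", "dave@contoso.example"}

def classify(user):
    """Map a record to one of the lesson's three account types."""
    if user.get("userType") == "Guest":
        return "guest"
    return "synced" if user.get("onPremisesSyncEnabled") else "cloud"

def purge_date(user):
    """When a soft-deleted user becomes unrecoverable, or None if not deleted."""
    if not user.get("deletedDateTime"):
        return None
    deleted = datetime.fromisoformat(user["deletedDateTime"].replace("Z", "+00:00"))
    return deleted + timedelta(days=SOFT_DELETE_DAYS)

def orphaned_accounts(users, leavers):
    """Leavers whose account is still enabled and not deleted, with where to fix it."""
    findings = []
    for u in users:
        upn = u["userPrincipalName"].lower()
        if upn in leavers and u.get("accountEnabled") and not u.get("deletedDateTime"):
            kind = classify(u)
            # Synced users are mastered on-prem, so the disable has to happen in AD.
            fix_in = "on-premises AD" if kind == "synced" else "Entra ID"
            findings.append((upn, kind, fix_in))
    return findings

if __name__ == "__main__":
    for upn, kind, fix_in in orphaned_accounts(USERS, HR_LEAVERS):
        print(f"ORPHANED {upn} ({kind}): disable in {fix_in}")
    for u in USERS:
        if purge_date(u):
            print(f"{u['userPrincipalName']} recoverable until {purge_date(u):%Y-%m-%d}")
```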
Common Mistakes to Avoid
Interview Tips
- Explain the three user types and when to use each
- Discuss automated provisioning from HR systems
- Mention lifecycle workflows for joiner/mover/leaver scenarios
Exam Tips (SC-300)
- Know the user types and their source of authority
- Understand bulk user operations (CSV import)
- Know the soft delete retention period (30 days)