User Accounts & Lifecycle

25 mins

Understanding the Concept

Microsoft Entra ID supports multiple types of user accounts: cloud-only users created directly in Entra ID, synchronized users from on-premises AD via Entra Connect, and guest users (external identities) invited for collaboration.

User lifecycle management encompasses the entire journey of an identity: creation/provisioning, attribute management, access assignment, ongoing governance, and eventually deprovisioning/deletion. Automating this lifecycle reduces security risks and administrative burden.

User properties include display name, UPN (user principal name), job title, department, manager, and custom extension attributes. These properties drive dynamic group memberships, Conditional Access policies, and entitlement management.

Key Points

  • Cloud users: Created directly in Entra ID, managed in the cloud
  • Synced users: Mastered in on-prem AD, synchronized via Entra Connect
  • Guest users: External identities invited for B2B collaboration
  • UPN format: user@domain.com - the primary sign-in identifier
  • Soft delete: Deleted users are recoverable for 30 days

User Lifecycle Stages

Step 1

Provision

Create user account (manual, bulk, API, or HR-driven)

Step 2

Configure

Set attributes, assign licenses, set MFA methods

Step 3

Assign Access

Add to groups, assign apps, entitlements

Step 4

Govern

Access reviews, attestation, re-certification

Step 5

Deprovision

Disable, remove access, delete account
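The Deprovision stage above in working form, as an added example that is not part of the course: a Microsoft Graph PowerShell runbook that disables a cloud-only leaver, revokes sessions, strips direct group access and soft-deletes the account. The UPN, the granted permission scopes and the presence of the Microsoft.Graph module are assumptions.

```powershell
# Added example (not course material): leaver runbook for a cloud-only user via the
# Microsoft Graph PowerShell SDK. Assumes the module is installed and the signed-in
# admin holds User.ReadWrite.All, Group.ReadWrite.All and Directory.ReadWrite.All.
param(
    # Placeholder UPN of the leaver; replace with a real one.
    [Parameter(Mandatory)] [string] $UserPrincipalName
)

Connect-MgGraph -Scopes "User.ReadWrite.All", "Group.ReadWrite.All", "Directory.ReadWrite.All" -NoWelcome

$user = Get-MgUser -UserId $UserPrincipalName `
    -Property Id, UserPrincipalName, AccountEnabled, OnPremisesSyncEnabled

# Source-of-authority check: a synced user is mastered in on-prem AD, so the
# disable/delete must happen there and flow through Entra Connect.
if ($user.OnPremisesSyncEnabled) {
    throw "$($user.UserPrincipalName) is synced from on-prem AD; deprovision it in AD instead."
}

# Disable: block new sign-ins, then revoke refresh tokens so sessions that were
# already issued stop being renewed (disabling alone does not end them).
Update-MgUser -UserId $user.Id -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# Remove access: drop direct memberships in assigned groups. Dynamic groups are
# skipped because their membership is recalculated from user attributes.
$memberships = Get-MgUserMemberOf -UserId $user.Id -All
foreach ($obj in $memberships) {
    if ($obj.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.group') { continue }
    $group = Get-MgGroup -GroupId $obj.Id -Property Id, DisplayName, GroupTypes
    if ($group.GroupTypes -contains 'DynamicMembership') { continue }
    Remove-MgGroupMemberByRef -GroupId $group.Id -DirectoryObjectId $user.Id
    Write-Host "Removed from group: $($group.DisplayName)"
}

# Delete: this is a soft delete. The object sits in the directory recycle bin for
# 30 days and can be restored within that window (e.g. a rescinded termination).
Remove-MgUser -UserId $user.Id

# Verify the account is recoverable and show the restore command for the window.
$deleted = Get-MgDirectoryDeletedItemAsUser -All | Where-Object { $_.Id -eq $user.Id }
if ($deleted) {
    Write-Host "Soft-deleted $($deleted.UserPrincipalName); restore within 30 days with:"
    Write-Host "  Restore-MgDirectoryDeletedItem -DirectoryObjectId $($deleted.Id)"
}
```

Run it once per leaver from an automation account or a ticket-driven pipeline; the synced-user guard is what stops the script from disabling an account that Entra Connect would simply re-enable on the next sync.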

Why This Matters in Real Organizations

Orphaned accounts and over-provisioned access are among the top identity security risks. Organizations with poor lifecycle management often discover hundreds of active accounts belonging to former employees, each representing a potential breach vector.

Common Mistakes to Avoid

  • Not implementing automated deprovisioning when employees leave
  • Using shared accounts instead of individual user accounts
  • Neglecting to review and update user attributes regularly
  • Forgetting about the 30-day soft delete window for recovery

Interview Tips

  • Explain the three user types and when to use each
  • Discuss automated provisioning from HR systems
  • Mention lifecycle workflows for joiner/mover/leaver scenarios

Exam Tips (SC-300)

  • Know the user types and their source of authority
  • Understand bulk user operations (CSV import)
  • Know the soft delete retention period (30 days)
