2.2 Licenses, External Users, and SSPR
Key Takeaways
- Usage location is a common prerequisite for assigning Microsoft cloud licenses to users.
- External users are represented as guest objects in the resource tenant and still need authorization to resources.
- Self-service password reset depends on scope, authentication methods, registration, and whether password writeback is needed.
- Group-based licensing and group-based access solve different problems even when they use the same group object.
Licenses Are Not Permissions
A license enables a cloud service plan for a user, such as Microsoft 365 or Entra capabilities, but it is not an Azure RBAC assignment. A user can have a license and still be unable to manage a resource group. A user can also have Azure RBAC access without a particular productivity license. Keep these tracks separate.
For license assignment in the portal, use Microsoft Entra ID > Users > select user > Licenses or Microsoft Entra ID > Groups > select group > Licenses for group-based licensing. Before assigning many Microsoft cloud licenses, confirm the user's Usage location. This property identifies the country or region where the services are consumed and is a common prerequisite in Microsoft cloud licensing workflows.
| Task | Better tool choice |
|---|---|
| Assign one license while fixing a user ticket | Portal |
| Assign licenses to all members of a department | Group-based licensing |
| Audit many license states | Script or reports |
| Fix a usage location error | Portal for one user, automation for many users |
Exam trap: group-based licensing is not the same as group-based Azure RBAC. One group may be used for both if governance allows it, but the effects are different. A license assignment affects service availability. A role assignment affects what Azure resources a principal can manage.
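The usage-location prerequisite and the "license is not a permission" point above, as an added example that is not part of the study guide or of Microsoft's tooling. It assumes the Microsoft Graph v1.0 request shapes `PATCH /users/{id}` (body `{"usageLocation": ...}`) and `POST /users/{id}/assignLicense` (body with `addLicenses` and `removeLicenses`); the user records are constructed sample data, and the SKU id is a placeholder. The code plans the requests and refuses to plan a license for a user whose usage location is blank; sending them with a bearer token is left to the caller so the example runs offline.

```python
"""Preflight for Microsoft cloud license assignment via Microsoft Graph.

Added example (not from the study guide). Assumes Graph v1.0 shapes:
  PATCH /users/{id}                 body {"usageLocation": "US"}
  POST  /users/{id}/assignLicense   body {"addLicenses": [...], "removeLicenses": []}
Requests are built and checked here; nothing is sent, so it runs offline.
Note: none of this grants Azure RBAC; that is a separate role assignment.
"""
import re

# Placeholder SKU id; real ids come from GET /subscribedSkus in your tenant.
SKU_ID = "<sku-id-from-subscribedSkus>"

# Constructed sample users, shaped like a Graph /users response with
# $select=id,userPrincipalName,usageLocation,assignedLicenses.
SAMPLE_USERS = [
    {"id": "u-alice", "userPrincipalName": "alice@contoso.com",
     "usageLocation": "US", "assignedLicenses": []},
    {"id": "u-bob", "userPrincipalName": "bob@contoso.com",
     "usageLocation": None, "assignedLicenses": []},          # the AZ-104 trap
    {"id": "u-carol", "userPrincipalName": "carol@contoso.com",
     "usageLocation": "DE", "assignedLicenses": [{"skuId": SKU_ID}]},
]

ISO_COUNTRY = re.compile(r"^[A-Z]{2}$")


def usage_location_request(user_id: str, country_code: str) -> dict:
    """Build the PATCH that sets usageLocation (two-letter ISO 3166-1 code)."""
    if not ISO_COUNTRY.match(country_code):
        raise ValueError(f"usageLocation must be a two-letter ISO code, got {country_code!r}")
    return {"method": "PATCH", "path": f"/users/{user_id}",
            "body": {"usageLocation": country_code}}


def plan_license_assignment(users: list, sku_id: str):
    """Return (requests, blockers).

    requests: assignLicense calls for users that are ready and not yet licensed.
    blockers: (upn, reason) pairs for users that must be fixed first. A license
    is never planned for a user without usageLocation, the prerequisite the
    service would otherwise reject.
    """
    requests, blockers = [], []
    for user in users:
        upn = user["userPrincipalName"]
        if not user.get("usageLocation"):
            blockers.append((upn, "usageLocation missing; set it before assigning the license"))
            continue
        if any(lic["skuId"] == sku_id for lic in user.get("assignedLicenses", [])):
            continue  # already has this SKU; nothing to do
        requests.append({
            "method": "POST",
            "path": f"/users/{user['id']}/assignLicense",
            "body": {"addLicenses": [{"skuId": sku_id, "disabledPlans": []}],
                     "removeLicenses": []},
        })
    return requests, blockers


if __name__ == "__main__":
    reqs, blocked = plan_license_assignment(SAMPLE_USERS, SKU_ID)
    for r in reqs:
        print(r["method"], r["path"])
    for upn, why in blocked:
        print("BLOCKED", upn, "-", why)
```

For a bulk fix, the blockers list is what you feed into `usage_location_request` (one PATCH per user) before re-running the plan; for a single ticket, the portal path in the text is faster.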
External Users And Guest Accounts
External collaboration in Microsoft Entra ID usually creates a guest user object in your tenant. The external person may authenticate with their home identity provider, but your tenant stores a representation of that user so you can place the guest in groups, assign application access, or assign Azure RBAC.
Portal path: Microsoft Entra ID > Users > New user > Invite external user. After the guest exists, assign access the same way you would for another principal: add to a security group or create an RBAC assignment at the correct scope.
| Concept | Practical meaning |
|---|---|
| Home tenant | Where the external user's original identity is managed. |
| Resource tenant | Your tenant, where the guest object and access decisions exist. |
| Invitation redemption | The guest accepts the invitation and establishes a sign-in relationship with your tenant. |
| Guest user type | Indicates external collaboration; not automatically privileged. |
Scenario: A vendor needs to view metrics on one production resource group. Invite the vendor as a guest, add the guest to a security group such as rg-prod-monitor-readers, then assign Monitoring Reader or Reader at that resource group depending on the need. Do not make the vendor a tenant administrator, and do not assign access at subscription scope if the task is limited to one resource group.
A common support issue is directory context. The guest may sign in successfully but be looking at their home tenant or a different directory in the Azure portal. Have the user switch directories from the portal account menu, then verify the guest object and RBAC assignment in your tenant.
Self-Service Password Reset
Self-service password reset lets users reset their own passwords after proving identity with approved authentication methods. The administrator chooses who is enabled, which methods are allowed, how many methods are required, and whether users must register. Portal path: Microsoft Entra ID > Password reset.
| SSPR setting | Exam relevance |
|---|---|
| Scope | None, Selected, or All users. Selected usually means a group. |
| Authentication methods | Mobile app, phone, email, security questions, and similar options depending on configuration. |
| Number of methods required | Controls reset proof strength. |
| Registration | Users must have usable methods registered before reset works. |
| Notifications | Can alert users or admins about reset events. |
| On-premises integration | Password writeback is needed for hybrid users whose password must update on-premises. |
For cloud-only users, SSPR can reset the cloud password if configured. For synchronized hybrid users, the key question is whether the reset must write back to on-premises Active Directory. If yes, the environment needs the right synchronization and password writeback configuration. AZ-104 questions often include a hybrid detail to test this distinction.
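The settings in the table and the hybrid distinction just described, as an added example that is not part of the study guide. The policy and user records are constructed to mirror those settings (scope, enabled methods, number of methods required, registration state, password writeback); the code does not read a tenant's real SSPR policy. It evaluates each user in the order an administrator would check them and names the fix.

```python
"""Evaluate whether a user can use SSPR under a given policy.

Added example (not from the study guide). Policy and users are constructed
sample data shaped after the SSPR settings discussed in the text.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SsprPolicy:
    scope: str                  # "None", "Selected", or "All"
    selected_group: frozenset   # UPNs in the selected group (used when scope == "Selected")
    enabled_methods: frozenset  # methods allowed by the policy
    methods_required: int       # 1 or 2
    password_writeback: bool    # required for hybrid users

    def __post_init__(self):
        if self.scope not in {"None", "Selected", "All"}:
            raise ValueError(f"scope must be None, Selected or All, got {self.scope!r}")
        if self.methods_required not in (1, 2):
            raise ValueError("methods_required must be 1 or 2")


@dataclass(frozen=True)
class DirectoryUser:
    upn: str
    registered_methods: frozenset   # what the user has actually registered
    hybrid: bool                    # synchronized from on-premises AD


def evaluate_sspr(policy: SsprPolicy, user: DirectoryUser) -> tuple:
    """Return (allowed, reason). Checks run in the order an admin would troubleshoot."""
    if policy.scope == "None":
        return False, "SSPR is disabled for everyone"
    if policy.scope == "Selected" and user.upn not in policy.selected_group:
        return False, "user is outside the selected group: add the user to the group or change the scope"
    # Only methods that are both registered and enabled by policy count.
    usable = user.registered_methods & policy.enabled_methods
    if len(usable) < policy.methods_required:
        return False, (f"{len(usable)} usable method(s) registered, "
                       f"{policy.methods_required} required: user must register methods")
    if user.hybrid and not policy.password_writeback:
        return False, "hybrid user: enable password writeback so the reset reaches on-premises AD"
    return True, "reset allowed"


def audit(policy: SsprPolicy, users) -> dict:
    """Map each UPN to its (allowed, reason) result."""
    return {u.upn: evaluate_sspr(policy, u) for u in users}


# Constructed policy: selected group, three enabled methods, two required, no writeback.
POLICY = SsprPolicy(
    scope="Selected",
    selected_group=frozenset({"alice@contoso.com", "dana@contoso.com", "erin@contoso.com"}),
    enabled_methods=frozenset({"mobileApp", "mobilePhone", "email"}),
    methods_required=2,
    password_writeback=False,
)

# Constructed users covering each failure mode in the text.
SAMPLE_USERS = [
    DirectoryUser("alice@contoso.com", frozenset({"mobileApp", "email"}), hybrid=False),
    DirectoryUser("bob@contoso.com", frozenset({"mobileApp", "email"}), hybrid=False),
    DirectoryUser("dana@contoso.com", frozenset({"securityQuestions", "email"}), hybrid=False),
    DirectoryUser("erin@contoso.com", frozenset({"mobileApp", "mobilePhone"}), hybrid=True),
]

if __name__ == "__main__":
    for upn, (ok, why) in audit(POLICY, SAMPLE_USERS).items():
        print(f"{upn}: {'OK' if ok else 'BLOCKED'} - {why}")
```

Dana's case is the registration trap: she has two methods registered, but security questions are not enabled by this policy, so only one counts and the reset fails until she registers an allowed method.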
Portal And CLI Decision Logic
Use the portal for invitation workflows, individual license fixes, SSPR policy configuration, and checking registration state. Use automation when onboarding many contractors, applying usage locations in bulk, or auditing license assignment failures. Azure CLI can query users and groups, but some licensing and SSPR administration is better handled through Microsoft Graph PowerShell or the Entra admin center.
Helpful orientation commands:
```shell
# Look up the guest object by its UPN (guests use the user_domain#EXT#@tenant form; quote it)
az ad user show --id "vendor_alex_contoso.com#EXT#@fabrikam.onmicrosoft.com"
# Add the guest to the security group used for group-based access
az ad group member add --group rg-prod-monitor-readers --member-id <guest-object-id>
# Assign Reader at resource group scope only, not at the subscription
az role assignment create --assignee <guest-object-id> --role Reader --scope /subscriptions/<sub-id>/resourceGroups/rg-prod
```
Notice the order. Create or invite the identity, place it in the right group if using group-based access, then assign the role at the required scope. If the user cannot sign in, troubleshoot identity and redemption. If the user can sign in but cannot view the resource, troubleshoot RBAC and directory context.
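The troubleshooting order just described (identity and redemption, then directory context, then RBAC) and the scope inheritance behind the vendor scenario, as an added example that is not part of the study guide or of Azure CLI. The assignment records are constructed sample data shaped like `az role assignment list --all -o json`, group membership is a constructed dict, and the subscription id is a placeholder. The code computes the roles a guest effectively holds at a scope (directly or through a group) and flags assignments granted higher than the scope that was actually needed.

```python
"""Effective Azure RBAC check for a guest at a given scope.

Added example (not from the study guide). Records below are constructed;
in a real tenant they come from `az role assignment list` and
`az ad group member list`. Scope matching follows Azure's inheritance rule:
a role assigned at a scope applies to every child scope.
"""

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # placeholder id
RG_PROD = f"{SUB}/resourceGroups/rg-prod"

SAMPLE_ASSIGNMENTS = [
    {"principalId": "guest-alex", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": RG_PROD},
    {"principalId": "grp-rg-prod-monitor-readers", "principalType": "Group",
     "roleDefinitionName": "Monitoring Reader", "scope": RG_PROD},
    {"principalId": "guest-sam", "principalType": "User",
     "roleDefinitionName": "Contributor", "scope": SUB},      # broader than the task needs
]
SAMPLE_MEMBERSHIP = {"grp-rg-prod-monitor-readers": {"guest-kim"}}


def scope_covers(assigned: str, target: str) -> bool:
    """True if a role at `assigned` applies to `target` (same scope or a descendant).

    Scopes are compared case-insensitively; the trailing "/" guard stops
    rg-prod from matching rg-prod2.
    """
    a, t = assigned.lower().rstrip("/"), target.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def effective_roles(principal_id, target_scope, assignments, membership):
    """Role names the principal holds at target_scope, directly or via a group."""
    principals = {principal_id} | {g for g, members in membership.items() if principal_id in members}
    return sorted({a["roleDefinitionName"] for a in assignments
                   if a["principalId"] in principals and scope_covers(a["scope"], target_scope)})


def over_scoped(principal_id, needed_scope, assignments):
    """Direct assignments granted above needed_scope, e.g. at the subscription when one RG would do."""
    needed = needed_scope.lower().rstrip("/")
    return [a for a in assignments
            if a["principalId"] == principal_id
            and scope_covers(a["scope"], needed_scope)
            and a["scope"].lower().rstrip("/") != needed]


def next_step(principal_id, target_scope, *, redeemed, can_sign_in, in_resource_tenant,
              assignments=SAMPLE_ASSIGNMENTS, membership=SAMPLE_MEMBERSHIP):
    """Apply the order from the text: identity and redemption, then directory, then RBAC."""
    if not redeemed:
        return "invitation not redeemed: resend the invitation"
    if not can_sign_in:
        return "sign-in fails: troubleshoot identity with the home tenant"
    if not in_resource_tenant:
        return "wrong directory: switch to the resource tenant from the account menu"
    roles = effective_roles(principal_id, target_scope, assignments, membership)
    if not roles:
        return f"no role at {target_scope}: create an assignment at that scope"
    return "access should work; effective roles: " + ", ".join(roles)


if __name__ == "__main__":
    vm = f"{RG_PROD}/providers/Microsoft.Compute/virtualMachines/vm1"
    print("guest-kim at vm1:", effective_roles("guest-kim", vm, SAMPLE_ASSIGNMENTS, SAMPLE_MEMBERSHIP))
    print("guest-sam over-scoped:", [a["scope"] for a in over_scoped("guest-sam", RG_PROD, SAMPLE_ASSIGNMENTS)])
    print(next_step("guest-alex", RG_PROD, redeemed=True, can_sign_in=True, in_resource_tenant=False))
```

`over_scoped` is the least-privilege check from the vendor scenario: guest-sam can read rg-prod, but only because of a subscription-wide Contributor assignment that should be replaced by a role at the resource group.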
Governance Scenarios And Traps
Scenario: A company wants every employee in the Sales department to receive the same cloud service license and Reader access to a reporting resource group. You can use a dynamic security group based on department, assign the license to that group, and assign Reader to that group at the resource group. However, document the dual use. If later the group is changed for licensing reasons, resource access may change too.
Scenario: A newly hired cloud-only user cannot receive a license. The question includes that usage location is blank. The best answer is to set usage location before assigning the license. Assigning Owner on a subscription does not fix a licensing prerequisite.
Scenario: SSPR is enabled for a selected group, but a user outside the group cannot reset a password. The fix is to add the user to the selected group or change the SSPR scope. Resetting the user's Azure RBAC roles is irrelevant.
Scenario: A guest user needs to manage only tags on resources in one resource group. The least-privilege answer is not subscription Contributor. Consider a role that allows the needed resource write operation at the resource group scope, and remember that some operations may require broad write permissions unless a custom role exists. If only built-in roles are offered, choose the least broad built-in role that meets the stated action.
Practice Questions
- A cloud-only user cannot be assigned a Microsoft cloud license because a required location property is missing. Which property should you configure?
- A vendor has accepted an invitation but cannot see the resource group they were hired to monitor. What should you verify after confirming they are in the correct directory?
- SSPR is enabled only for a selected security group. A user outside the group cannot reset their password. What is the most direct fix?