Microsoft Azure / Entra ID User Management Guide

• Model type: hybrid
• Description: Microsoft Entra ID uses a role-based access control (RBAC) model with over 100 built-in directory roles, each with a fixed set of permissions. Custom roles can be created to combine specific permissions from a defined permission set. Privileged Identity Management (PIM) adds just-in-time and time-bound role activation on top of the base RBAC model. Administrative Units allow scoping of role assignments to subsets of users, groups, or devices.
• Custom roles: Yes
• Custom roles plan: Premium P1 or Premium P2
• Granularity: Permission-level granularity within defined permission namespaces (e.g., microsoft.directory/users/password/update). Custom roles are assembled from individual permissions. Administrative Units allow geographic or departmental scoping of built-in and custom roles.

1. Sign in to the Microsoft Entra admin center (https://entra.microsoft.com) with at least User Administrator role.
2. Navigate to Identity > Users > All users.
3. Select 'New user' > 'Create new user'.
4. Enter the User principal name (UPN) in the format alias@domain.com.
5. Enter the Display name.
6. Set a password (auto-generate or manually specify). If manually set, user must change on first sign-in (optional toggle).
7. Optionally configure Properties (job title, department, usage location), Assignments (groups, roles), and Settings (block sign-in).
8. Select 'Review + create', then 'Create'.

Required fields: User principal name (UPN), Display name, Password (auto-generated or manually set)

Watch out for:

• Usage location must be set on the user before a license can be assigned; this is a hard requirement.
• UPN domain must be a verified domain in the tenant or the default onmicrosoft.com domain.
• Users created via the portal are cloud-only accounts; they do not sync to on-premises Active Directory.
• If the tenant uses hybrid identity (Entra Connect Sync or Cloud Sync), users should be created in on-premises AD and synced, not created directly in Entra ID, to avoid sync conflicts.
• New users are not assigned any licenses automatically; license assignment is a separate step.
• The 'Block sign-in' toggle is available at creation but easy to overlook.

• Can delete users: Yes
• Delete/deactivate behavior: This app exposes delete operations in its API documentation, but the admin-console path may present removal as deactivation, archiving, or deletion depending on tenant configuration. Confirm whether the UI action is reversible before treating removal as recoverable.

1. Sign in to the Microsoft Entra admin center with at least User Administrator role.
2. Navigate to Identity > Users > All users.
3. Select the user to disable.
4. Select 'Edit properties' or use the 'Block sign-in' option directly from the user overview.
5. Under Settings, set 'Block sign-in' to 'Yes'.
6. Save changes. The user's existing sessions are not immediately revoked; use 'Revoke sessions' separately to invalidate active tokens.

Watch out for:

• Blocking sign-in does not revoke existing access tokens; tokens remain valid until expiration (up to 1 hour for access tokens, longer for refresh tokens). Use 'Revoke sessions' in addition to blocking sign-in for immediate effect.
• Deleted users in the recycle bin still consume a license until the license is explicitly removed.
• Global Administrators cannot be deleted by other Global Administrators without first removing the Global Administrator role.
• Hybrid-synced users (from on-premises AD) cannot be deleted from Entra ID directly; they must be deleted from on-premises AD and the deletion synced. Attempting to delete a synced user from Entra ID will fail or be overwritten on next sync.
• Deleting a user who owns an Azure subscription or resource group can cause management access issues for those resources.
• After permanent deletion, UPN reuse can still be delayed in some scenarios due to directory object caching; verify availability before planning a same-address rehire.

• Where to check usage: Microsoft Entra admin center > Billing > Licenses > All products (shows purchased quantity vs. assigned quantity per SKU). Also accessible via Microsoft 365 admin center > Billing > Licenses.
• How to identify unused seats: Navigate to Microsoft Entra admin center > Billing > Licenses > select a license SKU > Licensed users. Filter or export the list to identify users with licenses who have not signed in recently. Entra ID P2 includes 'Usage & insights' reports under Identity > Monitoring & health > Usage & insights, which show inactive users and app usage. The 'Sign-in logs' (retained 30 days for P1/P2, 7 days for Free) can be used to identify users with no recent sign-in activity.
• Billing notes: Licenses are assigned per user, either directly or via group-based licensing (P1 required for group-based licensing). Licenses must be assigned before premium features are available to a user. Overage is not automatically billed for most SKUs; purchasing additional licenses is required when the assigned count exceeds purchased count. Microsoft 365 and EMS bundle licenses include Entra ID P1 or P2 and count toward the same pool. Guest users (B2B) require a license for premium features applied to them; the 1:5 ratio (one paid user license covers up to 5 guest MAUs) was retired in 2023 for new tenants - external users are now billed under Microsoft Entra External ID pricing after the free 50,000 MAU threshold.

Automated SCIM provisioning to downstream SaaS apps requires Premium P1 ($6.00/user/month standalone) or P2 ($9.00/user/month standalone). P1 is also included in Microsoft 365 E3 and Microsoft 365 Business Premium; P2 is included in Microsoft 365 E5.

The Free tier covers basic authentication and B2B collaboration but excludes SCIM provisioning, group-based licensing, dynamic groups, and Conditional Access with device compliance.

Group-based licensing (P1 required) and dynamic groups reduce per-user manual overhead at scale. Without P1, license assignment and group membership must be managed per user, which compounds quickly in larger tenants. The Governance add-on ($7.00/user/month on top of P1 or P2) covers advanced lifecycle workflows and access reviews at scale.

The most consistent friction points reported by Entra ID administrators center on provisioning latency and token behavior. Provisioning sync cycles run approximately every 40 minutes by default; near-real-time deprovisioning requires manual on-demand triggering.

Blocking sign-in does not immediately revoke active access tokens - a separate session revocation step is required, and even then, access tokens remain valid until expiry (up to 1 hour).

Nested group membership is not supported for SCIM provisioning or group-based license assignment; only direct group members receive provisioned access or licenses. This is a structural limitation that affects every app provisioned through Entra.

Hybrid identity environments add another layer: users synced from on-premises Active Directory cannot be managed directly in Entra ID - all changes must originate in on-premises AD and sync through Entra Connect, adding latency to every lifecycle event.

License assignment failures due to missing usage location are a common bulk-onboarding issue. The field must be set on each user before any Microsoft 365 license can be assigned; omitting it causes silent failures in automated workflows.

Common complaints:

• Premium P1 or P2 license required for automated SCIM provisioning to downstream SaaS apps, which many organizations consider a basic feature.
• Nested group membership is not supported for SCIM provisioning or group-based license assignment; only direct group members receive provisioned access or licenses.
• Provisioning sync cycles run approximately every 40 minutes by default; near-real-time deprovisioning requires manual triggering or waiting for the next cycle.
• Blocking sign-in does not immediately revoke active tokens; separate session revocation is required, and even then token caching in apps can delay full lockout.
• Hybrid identity (on-premises AD sync) prevents direct user management in Entra ID; all changes must be made in on-premises AD and synced, which adds latency.
• License assignment requires usage location to be set on each user; bulk onboarding without this field set causes license assignment failures.
• Deleted users continue to consume licenses during the 30-day soft-delete period unless licenses are manually removed.
• Administrative Units require P1 and have limitations: they cannot be nested, and not all resource types can be scoped to an Administrative Unit.
• The Entra admin center UI is frequently reorganized, causing navigation paths documented in guides to become outdated quickly.
• Custom role creation requires P1 but the permission namespace documentation is complex and not all permissions are exposed in the UI; some require PowerShell or Graph API.

Manual Entra ID management is viable for small, stable tenants where user lifecycle events are infrequent and the team already operates within the Microsoft admin center. The interface is functional, and the User Administrator role provides sufficient scope for day-to-day operations without requiring Global Administrator access.

The calculus shifts in larger or faster-moving environments. Every app provisioned through Entra inherits the 40-minute sync delay, the nested group limitation, and the token expiry gap on offboarding - these are not configuration issues but platform behaviors.

Teams managing more than a few dozen users, or operating in hybrid AD environments, will encounter these constraints regularly.

Organizations already licensed at P1 or above should evaluate whether group-based licensing and dynamic groups are configured, as these reduce the per-user manual surface area significantly without additional cost.

Bottom line

Microsoft Entra ID is a capable, enterprise-grade identity platform with a broad feature set, but its manual management experience carries real operational costs at scale.

The 40-minute provisioning cycle, token persistence after sign-in block, nested group limitations, and hybrid AD constraints are not edge cases - they surface in routine offboarding and onboarding workflows.

Teams that invest in P1-level features (group-based licensing, dynamic groups, on-demand provisioning) can reduce manual overhead substantially, but the platform rewards automation over manual administration.

For organizations where every app's access state flows through Entra, the accuracy and timeliness of user records here has downstream consequences across the entire SaaS stack.