While preparing for the AZ-104: Microsoft Azure Administrator exam, many candidates struggle with Azure Active Directory (now Microsoft Entra ID) group types and their governance features. In the enterprise, the choice usually comes down to balancing secure access delegation against automated lifecycle management that reduces administrative overhead. Let’s drill into a simulated enterprise scenario.
The Scenario #
Tailspin Imports is a global trading company with a Microsoft 365 and Azure AD tenant named tailspinimports.com. The company routinely grants temporary access to collaborative resources for project teams consisting of employees from multiple departments. For an upcoming project, Tailspin needs to assign UserA, UserB, and UserC access rights to a SharePoint document library named ProjectDocs1. Compliance requires that the access group used to grant permissions must be automatically deleted after 180 days to prevent lingering access risks and reduce governance overhead.
Key Requirements #
Create an Azure AD group solution that provides temporary access to ProjectDocs1, automatically expiring after 180 days, minimizing manual intervention while respecting security best practices.
The Options #
- A) Use an Office 365 group with Assigned Membership
- B) Use a Security group with Assigned Membership
- C) Use an Office 365 group with Dynamic User Membership
- D) Use a Security group with Dynamic User Membership
- E) Use a Security group with Dynamic Device Membership
Correct Answer #
A) Use an Office 365 group with Assigned Membership
C) Use an Office 365 group with Dynamic User Membership
The Architect’s Analysis #
Both correct options are Office 365 (Microsoft 365) groups. The membership type is irrelevant to the requirement; the group type is what decides it, because the Azure AD group expiration policy applies only to Microsoft 365 groups and never to security groups.
Step-by-Step Winning Logic #
Azure AD group expiration is a tenant-level lifecycle policy (Microsoft Entra ID P1 required) that applies only to Office 365 (Microsoft 365) groups. Set the lifetime to 180 days and scope the policy to all Microsoft 365 groups or to selected ones; a group that is not renewed by its owners before the deadline is deleted, together with the SharePoint site and other resources attached to it. This removes orphaned privileges without manual cleanup, which is exactly what the Security and Operational Excellence pillars of Microsoft’s Well-Architected Framework ask for. Two caveats matter in practice: a group that is actively used (SharePoint, Outlook, Teams activity) is renewed automatically shortly before expiry, so "deleted after 180 days" really means 180 days after the last renewal with no activity; and expiration is a soft delete, so the group and its data can be restored for 30 days.
Membership type does not change any of this. Assigned membership (option A) lets the administrator name UserA, UserB and UserC directly; dynamic user membership (option C, also a P1 feature) computes the members from user attributes and reduces manual administration. Both are Microsoft 365 groups, so both are covered by the same expiration policy. Security groups, whether assigned or dynamic, are outside the policy’s scope and cannot satisfy the 180-day auto-delete requirement on their own.
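As an added example (not code from the original article or from Microsoft’s documentation), the following Microsoft Graph PowerShell SDK script implements options A and C and enrolls both groups in a 180-day expiration policy, then reads back the expiration timestamps. It assumes the Microsoft.Graph.Groups and Microsoft.Graph.Users modules, an account holding the Groups Administrator role, Microsoft Entra ID P1 licensing, and the display names, mail nicknames, alternate notification address and the extensionAttribute1 tagging convention shown; all of those are assumptions made for the scenario.

```powershell
# Added example for the Tailspin scenario; not the article's own code.
# Assumes: Microsoft.Graph.Groups / Microsoft.Graph.Users modules, Groups Administrator role,
# Entra ID P1 licensing. Names, nicknames and the extensionAttribute1 convention are assumed.
Connect-MgGraph -Scopes "Group.ReadWrite.All","Directory.ReadWrite.All","User.Read.All" -NoWelcome

# Option A: Microsoft 365 group (groupTypes = Unified, mailEnabled, not securityEnabled)
# with assigned membership. Only this group type is covered by the expiration policy.
$projGroup = New-MgGroup -DisplayName "ProjectDocs1-Access" -MailNickname "projectdocs1-access" `
    -MailEnabled:$true -SecurityEnabled:$false -GroupTypes @("Unified") -Visibility "Private" `
    -Description "Temporary access to the ProjectDocs1 library; removed by the tenant expiration policy"

foreach ($upn in "usera@tailspinimports.com","userb@tailspinimports.com","userc@tailspinimports.com") {
    $user = Get-MgUser -UserId $upn -Property Id
    New-MgGroupMember -GroupId $projGroup.Id -DirectoryObjectId $user.Id
}

# Option C: Microsoft 365 group with a dynamic user membership rule. The rule keys on an
# assumed tag in extensionAttribute1 and excludes disabled accounts so a leaver drops out.
$dynGroup = New-MgGroup -DisplayName "ProjectDocs1-Dynamic" -MailNickname "projectdocs1-dynamic" `
    -MailEnabled:$true -SecurityEnabled:$false -GroupTypes @("Unified","DynamicMembership") `
    -Visibility "Private" -MembershipRuleProcessingState "On" `
    -MembershipRule '(user.extensionAttribute1 -eq "ProjectDocs1") -and (user.accountEnabled -eq true)'

# A tenant has at most one group lifecycle policy: create it, or align an existing one to 180 days.
# Alternate e-mails receive renewal notices for groups that have no owners.
$policy = Get-MgGroupLifecyclePolicy | Select-Object -First 1
if (-not $policy) {
    $policy = New-MgGroupLifecyclePolicy -GroupLifetimeInDays 180 -ManagedGroupTypes "Selected" `
        -AlternateNotificationEmails "groups-admin@tailspinimports.com"
} elseif ($policy.GroupLifetimeInDays -ne 180) {
    Update-MgGroupLifecyclePolicy -GroupLifecyclePolicyId $policy.Id -GroupLifetimeInDays 180
}

# With ManagedGroupTypes = Selected each group must be enrolled explicitly;
# with "All" every Microsoft 365 group is already in scope and no enrollment is needed.
if ($policy.ManagedGroupTypes -eq "Selected") {
    foreach ($g in $projGroup, $dynGroup) {
        Add-MgGroupToLifecyclePolicy -GroupLifecyclePolicyId $policy.Id -GroupId $g.Id | Out-Null
    }
}

# Verify: renewedDateTime + 180 days = expirationDateTime. A security group with the same
# prefix would show no expirationDateTime at all, because the policy cannot apply to it.
Get-MgGroup -Filter "startsWith(displayName,'ProjectDocs1-')" `
    -Property "id,displayName,groupTypes,securityEnabled,renewedDateTime,expirationDateTime" |
    Select-Object DisplayName,
        @{ n = 'Kind'; e = { if ($_.GroupTypes -contains 'Unified') { 'M365' } else { 'Security' } } },
        RenewedDateTime, ExpirationDateTime
```

The final query is the check worth keeping: expirationDateTime may take a short while to populate after enrollment, but once the policy applies it is set for both the assigned and the dynamic Microsoft 365 group, which is the point the exam question is testing.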
The Traps (Distractor Analysis) #
- Why not B? A security group with assigned membership is outside the scope of the group expiration policy, so it lives until someone deletes it by hand, contradicting the 180-day auto-delete requirement.
- Why not D? Dynamic user membership automates who is in the group, but a security group is still a security group: the expiration policy does not apply to it. Access reviews can remove members on a schedule, but they do not delete the group after a fixed lifetime.
- Why not E? Dynamic device membership populates the group with devices, not users, and exists for device-targeted policy (Intune, Conditional Access). It cannot grant UserA, UserB and UserC access to a document library, and as a security group it has no expiration either.
The Architect Blueprint #
- [Mermaid diagram illustrating the solution flow; not reproduced here]
- Diagram Note: The flow shows the tenant-level expiration policy (180 days) applied to a Microsoft 365 group, with either assigned or dynamic user membership, which in turn grants access to the ProjectDocs1 library; on expiry without renewal the group and the access it carried are removed.
The Decision Matrix (Associate Level) #
| Option | Est. Complexity | Est. Monthly Cost | Pros | Cons |
|---|---|---|---|---|
| A) Office 365 Group (Assigned) | Low | Included with M365 licenses (Entra ID P1 for expiration) | Covered by the group expiration policy; members named explicitly | Membership maintained by hand |
| B) Security Group (Assigned) | Low | Included | Simplest group to create | Not covered by the expiration policy; manual cleanup |
| C) Office 365 Group (Dynamic User) | Medium | Included (P1 for expiration and dynamic membership) | Covered by the expiration policy; membership follows user attributes | Rule must be written and tested; attribute drift changes membership silently |
| D) Security Group (Dynamic User) | Medium | Included (P1 for dynamic membership) | Membership follows user attributes | Not covered by the expiration policy; needs access reviews or scripted deletion |
| E) Security Group (Dynamic Device) | High | Included (P1) | Targets devices for compliance and Conditional Access policy | Contains devices, not users; no expiration |
Notes: The Azure AD (Microsoft Entra ID) group expiration policy and dynamic membership each require a Microsoft Entra ID P1 license. A tenant has a single expiration policy, configured in the Microsoft Entra admin center under Groups > Expiration or through Microsoft Graph and the Graph PowerShell SDK; expired groups are soft-deleted and restorable for 30 days.
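To verify the matrix rather than trust it, here is an added audit script (not from the original article) that classifies the scenario’s access groups by whether the expiration policy can ever delete them, and lists groups that have already expired but remain restorable. It assumes the Microsoft Graph PowerShell SDK, a read-only Groups or Global Reader account, and the "ProjectDocs1-" naming prefix, which is an assumption carried over from the scenario; the 30-day figure is the documented soft-delete retention for Microsoft 365 groups.

```powershell
# Added audit example for the Tailspin scenario; not the article's own code.
# Assumes: Microsoft.Graph.Groups and Microsoft.Graph.Identity.DirectoryManagement modules,
# read access to groups, and the assumed "ProjectDocs1-" naming prefix.
Connect-MgGraph -Scopes "Group.Read.All","Directory.Read.All" -NoWelcome

$maxLifetimeDays = 180
$now = (Get-Date).ToUniversalTime()

$groups = Get-MgGroup -All -Filter "startsWith(displayName,'ProjectDocs1-')" `
    -Property "id,displayName,groupTypes,securityEnabled,renewedDateTime,expirationDateTime"

# Classify each group: only Microsoft 365 groups can carry an expirationDateTime, and only
# those enrolled in the policy actually do. Anything else is lingering access by construction.
$report = foreach ($g in $groups) {
    $isM365    = $g.GroupTypes -contains 'Unified'
    $isDynamic = $g.GroupTypes -contains 'DynamicMembership'
    $status = if (-not $isM365) {
        'NO-EXPIRY: security group, outside the expiration policy'
    } elseif (-not $g.ExpirationDateTime) {
        'NOT-ENROLLED: Microsoft 365 group not attached to the lifecycle policy'
    } elseif (($g.ExpirationDateTime - $now).TotalDays -gt $maxLifetimeDays) {
        'LIFETIME-TOO-LONG: policy lifetime exceeds {0} days' -f $maxLifetimeDays
    } else {
        'OK: expires {0:u} (last renewed {1:u})' -f $g.ExpirationDateTime, $g.RenewedDateTime
    }
    [pscustomobject]@{
        Group      = $g.DisplayName
        Kind       = if ($isM365) { 'M365' } else { 'Security' }
        Membership = if ($isDynamic) { 'Dynamic' } else { 'Assigned' }
        Status     = $status
    }
}
$report | Format-Table -AutoSize

# Expiration is a soft delete: the group, its SharePoint site and the access it granted can be
# restored for 30 days. Surface anything still restorable so "deleted" access cannot quietly return.
Get-MgDirectoryDeletedItemAsGroup -All -Property "id,displayName,deletedDateTime" |
    Where-Object { $_.DisplayName -like 'ProjectDocs1-*' } |
    Select-Object DisplayName, DeletedDateTime,
        @{ n = 'RestorableUntil'; e = { $_.DeletedDateTime.AddDays(30) } }
```

Run this on a schedule and alert on any row whose Status is not OK; the NO-EXPIRY rows are exactly the option B, D and E groups the exam wants you to reject, and the soft-deleted list is the part of "automatically deleted" that a compliance reviewer will ask about.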
Real-World Practitioner Insight #
Exam Rule #
“For the exam, when you see temporary collaborative access that must expire automatically, pick Office 365 (Microsoft 365) groups, assigned or dynamic, together with the tenant group expiration policy; security groups never expire.”
Real World #
“In enterprise deployments, hybrid scenarios frequently combine dynamic membership for automation with lifecycle controls enforced by governance tooling: the expiration policy for Microsoft 365 groups, and Azure AD Access Reviews for the security groups that the expiration policy does not cover. That maintains security posture without increasing administrative burden.”