According to the Microsoft SC-300: Identity and Access Administrator official study guide and the Microsoft Learn module “Manage user and group licenses in Microsoft Entra ID (Azure AD)”, when you need to automatically assign licenses to users based on specific attributes (such as department, location, or a custom attribute like LWLicenses), you should use a Dynamic User Security Group in Azure Active Directory (Entra ID).
In the scenario, Litware wants to:
“Manage the assignment of Azure AD licenses by modifying the value of the LWLicenses attribute. Users who have the appropriate value for LWLicenses must be added automatically to the Microsoft 365 group that has the appropriate license assigned.”
This requirement directly maps to a Dynamic User security group, which supports dynamic membership rules that automatically include users when their attributes meet defined conditions (for example, user.extensionAttribute15 -eq "E5"). When a license is assigned to this dynamic group, Azure AD automatically provisions or removes licenses for members based on their attribute values — eliminating manual license management.
Per Microsoft documentation:
“You can assign licenses to a group that has dynamic membership. When a user’s attributes change, Azure AD automatically adds or removes them from the group, which updates their license assignments accordingly.”
Now, analyzing the other options:
B. An OU (Organizational Unit): Used in on-premises Active Directory, not Azure AD. It cannot manage cloud-based license assignments.
C. A Distribution Group: Used for email distribution in Exchange Online; cannot be used for license assignment.
D. An Administrative Unit: Used for scoping administrative permissions, not for license assignment.
Therefore, the only object type that satisfies both the technical and automation requirements is a Dynamic User Security Group.
✅ Correct Answer: A. A Dynamic User security group
