Create or edit users

Published: April 16, 2012

Updated: June 16, 2014

Applies To: Azure, Windows Intune

Note
This topic provides online help content for cloud services, such as Windows Intune and Office 365, which rely on Microsoft Azure Active Directory for identity and directory services.

You have to create an account for every user who will access a Microsoft cloud service. You can also change user accounts or delete them when they’re no longer needed. By default, users do not have administrator permissions, but you can optionally assign them.

Note
If your company has established email coexistence, you must create and edit all user accounts in your local Active Directory directory service. For more information, see Directory synchronization roadmap.

To create a single user account, follow these steps.

  1. In the Management Portal, click Active Directory, and then click on the name of your organization’s directory.

  2. On the Users page, click Add User.

  3. On the Tell us about this user page, select the Type of User drop-down menu, and then select either:

    1. New user in your organization – Indicates that you want a new user account to be created and managed within your directory.

    2. User with an existing Microsoft account – Indicates that you want to add an existing Microsoft account to your directory in order to collaborate on Azure resources with a co-administrator who accesses Azure with a Microsoft account.

    3. User in another Azure AD directory – Indicates that you want to add a user account to your directory that is sourced from another Azure AD directory. You need to be a member of the other directory to select a user in it.

  4. Depending on the option you selected, type either a user name or the Microsoft account name that this user will sign in with.

  5. On the User profile page, provide a user’s first and last name, a user-friendly name, and a user role from the Roles drop-down menu. For more information about user and administrator roles, see Assigning administrator roles. Specify whether to Enable Multi-Factor Authentication.

  6. On the Get temporary password page, click Create.

More information

The following steps can be completed using either the Office 365 account portal, the Windows Intune account portal or the Microsoft Azure AD portal, depending on which services your organization has subscribed to. In this way, portals act as front-end interfaces that pull in directory data associated with your organization’s Azure AD tenant. For more information about using portals to manage your tenant, see Administering your Azure AD directory.

  1. Depending on which portal you are using, in the left pane, click either Users or Users and Groups.

  2. Depending on which portal you are using, either click New and then click User, or click the Add New icon.

  3. On the Details page, complete the user information. Click the arrow next to Additional details to add optional user information, and then click Next.

  4. On the Settings page, if you want the user to have an administrator role, select Yes, and select an administrator role from the list. For important details about administrator accounts, see Assigning administrator roles.

    Note
    • If you did not purchase the cloud service from Microsoft, you will not be able to make billing changes, and the billing administrator role is not available to you.

    • If you are an administrator for a partner company, additional settings are available to you for assigning administrative privileges.

  5. Under Set user location, select the user’s work location, and then click Next.

  6. On the Assign licenses page, select the licenses that you want to assign to the user, and then click Next.

    Note
    If you have no licenses available, you can purchase more licenses, remove licenses from existing users, or delete user accounts that have assigned licenses.

  7. On the Send results in email page, select Send email to send the user name and temporary password (the cloud service creates the password automatically) for the newly created user to yourself and the recipients of your choice by email. Type email addresses separated by semicolons (;), and then click Create. You can enter a maximum of five email addresses.

  8. On the Results page, the new user name and temporary password are displayed. When you’re finished reviewing the results, click Finish.

If your organization uses more than one domain, you should know about the following issues when you create a user account:

  • You can create user accounts with the same user principal name (UPN) across domains if you first create, for example, geoffgrisso@contoso.onmicrosoft.com followed by geoffgrisso@contoso.com.

  • You cannot create geoffgrisso@contoso.com followed by geoffgrisso@contoso.onmicrosoft.com.

Note
Please note that some changes may take time to apply across multiple services.

Caution
If the user that you are trying to edit is synchronized with your Active Directory service, an error message appears, and you will be unable to edit the user using this procedure. To edit the user, use your local Active Directory management tools.

  1. In the Management Portal, click Active Directory, and then click on the name of your organization’s directory.

  2. On the Users page, click on the display name of the user you want to edit.

  3. Complete your changes, and then click Save.

More information

The following steps can be completed using either the Office 365 account portal, the Windows Intune account portal or the Microsoft Azure AD portal, depending on which services your organization has subscribed to. In this way, portals act as front-end interfaces that pull in directory data associated with your organization’s Azure AD tenant. For more information about using portals to manage your tenant, see Administering your Azure AD directory.

  1. Depending on which portal you are using, in the left pane, click either Users or Users and Groups.

  2. Depending on which portal you are using, select the check box next to the user that you want to edit, and then click either Edit or the Edit icon.

  3. Click the Details, Settings, Licenses, or More tabs, depending on the changes that you want to make. Complete your changes, and then click Save.

Caution
If the users that you want to edit are synchronized with your Active Directory service, you will not be able to complete this procedure; the changes will not be applied on the Results page. To edit multiple users, use your local Active Directory management tools.

  1. Depending on which portal you are using, in the left pane, click either Users or Users and Groups.

  2. Depending on which portal you are using, select the check box next to the users that you want to edit, and then click either Edit or the Edit icon.

  3. On the Details page, edit the information as needed, and then click Next.

  4. On the Settings page, edit the information as needed, and then click Next.

  5. On the Assign licenses page, do one of the following, and then click Submit.

    • If you’re not making any changes to the existing license assignments, click Retain current license assignments.

    • To replace existing license assignments, click Replace existing license assignments and then select one or more licenses from the list.

    • To add licenses to the existing license assignments, click Add to existing license assignments, and then select one or more licenses from the list.

      Note
      If you have no more licenses available, you can purchase more licenses, recover the use of service licenses by removing licenses from existing users, or delete user accounts that have assigned licenses.

  6. On the Results page, review your results. When you’re finished reviewing the results, click Finish.

Note
Please note that some changes may take time to apply across multiple services.

In Azure AD you can also add users to a new Windows Azure AD from an existing directory. In other words, you can create external users. This helps you collaborate in another directory with users who already exist in your production directory. This is useful for collaborating in a test environment with users who need to manage directory resources such as applications, without requiring those users to sign in with new accounts and credentials.

When you create a directory, your user account is included in that new directory, and you're assigned to the global administrator role. This enables you to manage the directory you created without signing in as a different user of that directory.

As an administrator of a directory, now you can also add users from another directory of which you're a member. This is useful, for example, where there are users in your production directory who will need to collaborate on an application that is under development or testing in a non-production environment.

Important
A user can be a member of up to 20 directories.

To create an external user, use the procedure above (To create a user from the Azure Management Portal), and in step 3, make sure to select the User in another Azure AD directory option.

When you add a user from one directory into a new directory, that user is an external user in the new directory. Initially, the display name and user name are copied from the user's "home directory" and stamped onto the external user in the other directory. From then on, those and other properties of the external user object are entirely independent: if you make a change to the user in the home directory, such as changing the user's name or adding a job title, those changes are not propagated to the external user account in the other directory.

The only linkage between the two objects is that the user always authenticates against the home directory. That's why you don't see an option to reset the password or enable multi-factor authentication for an external user account: currently the authentication policy of the home directory is the only one that's evaluated when the user signs in.

If a user is deleted in their home directory, the external user still exists in the other directory. However, the user can't access resources in the other directory since the user can't authenticate to that directory.
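The three behaviors described above (properties copied once, authentication only against the home directory, external objects surviving deletion of the home account) suggest a periodic review of external users. The following is an added example, not part of the original topic or of any Microsoft tooling: the record layout, field names, and sample users are constructed for illustration and do not represent an Azure AD export format.

```python
# Constructed sample data; field names are hypothetical, not an Azure AD export format.
HOME_DIRECTORY = {
    "alice@contoso.com": {"display_name": "Alice Smith-Jones", "mfa_enabled": True},
    "bob@contoso.com": {"display_name": "Bob Lee", "mfa_enabled": False},
    # carol@contoso.com has been deleted from the home directory.
}

# External user objects as they exist in the other (for example, test) directory.
EXTERNAL_USERS = [
    {"home_upn": "alice@contoso.com", "display_name": "Alice Smith", "role": "User"},
    {"home_upn": "bob@contoso.com", "display_name": "Bob Lee",
     "role": "Global administrator"},
    {"home_upn": "carol@contoso.com", "display_name": "Carol Diaz", "role": "User"},
]


def audit_external_users(external_users, home_directory):
    """Return (home_upn, finding) tuples for external users that need review."""
    findings = []
    for ext in external_users:
        upn = ext["home_upn"]
        home = home_directory.get(upn)
        if home is None:
            # The external object outlives the home account but can no longer
            # authenticate; it is a candidate for removal.
            findings.append((upn, "orphaned"))
            continue
        if home["display_name"] != ext["display_name"]:
            # Properties are copied at creation and never propagated afterwards.
            findings.append((upn, "stale_display_name"))
        if ext["role"] != "User" and not home["mfa_enabled"]:
            # Only the home directory's authentication policy is evaluated at
            # sign-in, so an admin here depends on MFA being set there.
            findings.append((upn, "admin_without_home_mfa"))
    return findings


if __name__ == "__main__":
    for upn, finding in audit_external_users(EXTERNAL_USERS, HOME_DIRECTORY):
        print(f"{upn}: {finding}")
```
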

A user who is an administrator of multiple directories can manage each of those directories in the Azure management portal. However, other applications such as Office 365 do not currently provide experiences to assign and access services as an external user in another directory. Going forward, we will provide guidance to developers on how their apps can work with users who are members of multiple directories.

There are currently limitations in that an administrator can only grant consent to a multi-tenant application in their home directory, and can only be provisioned for SaaS apps and SSO via the Access Panel in their home directory. Microsoft account users have the same limitations in that they cannot currently grant consent to a multi-tenant application, or use the Access Panel.

See Also

Concepts

User management

© 2014 Microsoft