Export (0) Print
Expand All

Create or edit users

Published: April 16, 2012

Updated: June 16, 2014

Applies To: Azure, Windows Intune

noteNote
This topic provides online help content for cloud services, such as Windows Intune and Office 365, which rely on Microsoft Azure Active Directory for identity and directory services.

You have to create an account for every user who will access a Microsoft cloud service. You can also change user accounts or delete them when they’re no longer needed. By default, users do not have administrator permissions, but you can optionally assign them.

noteNote
If your company has established email coexistence, you must create and edit all user accounts in your local Active Directory directory service. For more information, see Directory synchronization roadmap.

To create a single user account, follow these steps.

  1. In the Management Portal, click Active Directory, and then click on the name of your organization’s directory.

  2. On the Users page, click Add User.

  3. On the Tell us about this user page, select the Type of User drop-down menu, and then select either:

    1. New user in your organization – Indicates that you want a new user account to be created and managed within your directory.

    2. User with an existing Microsoft account – Indicates that you want to add an existing Microsoft account to your directory in order to collaborate on Azure resources with a co-administrator who accesses Azure with a Microsoft account.

    3. User in another Azure AD directory – Indicates that you want to add a user account to your directory that is sourced from another Azure AD directory. You need to be a member of the other directory to select a user in it.

  4. Depending on the option you selected, type either a user name, or Microsoft account name that this user will sign in with.

  5. On the User profile page, provide a user’s first and last name, a user friendly name, and a user role from the Roles drop-down menu. For more information about user and administrator roles, see Assigning administrator roles. Specify whether to Enable Multi-Factor Authentication.

  6. On the Get temporary password page, click Create.

More information The following steps can be completed using either the Office 365 account portal, the Windows Intune account portal or the Microsoft Azure AD portal, depending on which services your organization has subscribed to. In this way, portals act as front-end interfaces that pull in directory data associated with your organizations Azure AD tenant. For more information about using portals to manage your tenant, see Administering your Azure AD directory.

If your organization uses more than one domain, you should know about the following issues when you create a user account:

  • You can create user accounts with the same user principal name (UPN) across domains if you first create, for example, geoffgrisso@contoso.onmicrosoft.com followed by geoffgrisso@contoso.com.

  • You cannot create geoffgrisso@contoso.com followed by geoffgrisso@contoso.onmicrosoft.com.

noteNote
Please note that some changes may take time to apply across multiple services.

CautionCaution
If the user that you are trying to edit is synchronized with your Active Directory service, an error message appears, and you will be unable to edit the user using this procedure. To edit the user, use your local Active Directory management tools.

  1. In the Management Portal, click Active Directory, and then click on the name of your organization’s directory.

  2. On the Users page, click on the display name of the user you want to edit.

  3. Complete your changes, and then click Save.

More information The following steps can be completed using either the Office 365 account portal, the Windows Intune account portal or the Microsoft Azure AD portal, depending on which services your organization has subscribed to. In this way, portals act as front-end interfaces that pull in directory data associated with your organizations Azure AD tenant. For more information about using portals to manage your tenant, see Administering your Azure AD directory.

In Azure AD you can also add users to an Azure AD directory from another Azure AD directory or a user with a Microsoft Account. In other words, you can create external users. This enables those users to collaborate with users who already exist in your production directory. This is useful for collaborating in a test environment with users who need to manage directory resources such as applications, without requiring those users to sign in with new accounts and credentials.

When you create a directory, your user account is included in that new directory, and you're assigned to the global administrator role. This enables you to manage the directory you created without signing in as a different user of that directory.

ImportantImportant
A user can be a member of up to 20 directories.

To create an external user, use the procedure above - To create a user from the Azure Management Portal – and in step 3, make sure to select the appropriate type of external user you want to create. For example, the User in another Azure AD directory option.

A guest is a user in your directory that has a User Type set to "Guest". Regular users have a User Type of "Member" to indicate that they are a member of your directory. Guests are created when you share a resource with someone external to your directory, for example, when you add a Microsoft Account to your Azure subscription or share a document in SharePoint with an external user.

Guests have a limited set of rights in the directory. These rights limit the ability for Guests to discover information about other users in the directory while still being able to interact with the users and groups associated with the resources they are working on. For example, a Guest assigned to an Azure subscription will be able to see other users and groups associated with the Azure subscription. They can also locate other users in the directory who should be given access to the subscription provided they know the full email address of the user. A Guest is only able to see a limited set of properties of other users. These properties are limited to display name, email address, user principal name (UPN) and thumbnail photo.

When you add a user from one directory into a new directory, that user is an external user in the new directory. Initially, the display name and user name are copied from the user's "home directory" and stamped onto the external user in the other directory. From then on, those and other properties of the external user object are entirely independent: if you make a change to the user in the home directory, such as changing the user's name, adding a job title, etc. those changes are not propagated to the external user account in the other directory.

The only linkage between the two objects is that the user always authenticates against the home directory or with their Microsoft Account. That's why you don't see an option to reset the password or enable multi factor authentication for an external user account: currently the authentication policy of the home directory or Microsoft Account is the only one that's evaluated when the user signs in.

noteNote
You can still disable the external user in the directory and this will block access to your directory.

If a user is deleted in their home directory or they cancel their Microsoft Account, the external user still exists in the directory. However, the user can't access resources in the directory since the user can't authenticate to their home directory or Microsoft Account anymore.

A user who is an administrator of multiple directories can manage each of those directories in the Azure management portal. However, other applications such as Office 365 do not currently provide experiences to assign and access services as an external user in another directory. Going forward, we will provide guidance to developers how their apps can work with users who are members of multiple directories.

There are currently limitations in that an administrator can only grant consent to a multi-tenant application in their home directory, and can only be provisioned for SaaS apps and SSO via the Access Panel in their home directory. Microsoft account users have the same limitations in that they cannot currently grant consent to a multi-tenant application, or use the Access Panel.

You can use the Allow invitations, Allow guests to invite, and Limit guest access switches on the Configure tab to modify user access to your directory. Selecting YES for Allow invitations, allows non-administrator users to add guests to your directory. Selecting YES for Allow guests to invite, allows guests to add guests to your directory. Selecting YES for Limit guest access, limits guest access to directory data. Selecting NO for Limit guest access gives guests user-level access.

See Also

Concepts

User management

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft