User Account Management

Office 365

Applies to: Office 365

Topic Last Modified: 2014-09-18

Microsoft Office 365 supports the following methods for creating, managing, and authenticating users.

Note:
This topic does not include information about security features that allow or prohibit access to individual Office 365 resources (for example, role based access control in Microsoft Exchange Online or configuring security in Microsoft SharePoint Online). For details pertaining to these features, see the Exchange Online Service Description and the SharePoint Online Service Description.

Office 365 has two systems that can be used for user identities:

  • Organizational account (cloud identity)   Users receive Azure Active Directory cloud credentials—separate from other desktop or corporate credentials—for signing into Office 365 and other Microsoft cloud services. This is the default identity, and is recommended in order to minimize deployment complexity. Passwords for organizational accounts use the Azure Active Directory password policy.

  • Federated account (federated identity)   For all subscriptions in organizations with on-premises Active Directory that use single sign-on (SSO), users can sign into Office 365 services by using their Active Directory credentials. The corporate Active Directory stores and controls the password policy. For information about SSO, see Single sign-on roadmap.

The type of identity affects the user experience and user account management options, as well as hardware and software requirements and other deployment considerations.

When you create a new user, the user’s sign-in name and email address are assigned to the default domain as set in the Office 365 admin center. By default, the Office 365 subscription uses the <company name>.onmicrosoft.com domain that was created with the Office 365 account. You can add one or more custom domains to Office 365 rather than retaining the onmicrosoft.com domain, and can assign users to sign in with any of the validated domains. Each user’s assigned domain is the email address that will appear on sent and received email messages.

You can host up to 900 registered Internet domains in Office 365, each represented by a different namespace.

For organizations using single sign-on, all users on a domain must use the same identity system: either cloud identity or federated identity. For example, you could have one group of users that only needs a cloud identity because they don’t access on-premises systems, and another group of users who use Office 365 and on-premises systems. You would add two domains to Office 365, such as contractors.contoso.com and staff.contoso.com, and set up SSO for only one of them. An entire domain can be converted from cloud identity to federated identity, or from federated identity to cloud identity.

For more information about domains in Office 365, see the Domains service description.

With the exception of internet sites for anonymous access created with SharePoint Online, users must be authenticated when accessing Office 365 services.

  • Cloud identity authentication   Users with cloud identities are authenticated using traditional challenge/response. The web browser is redirected to the Office 365 sign-in service, where you type the user name and password for your organizational account. The sign-in service authenticates your credentials and generates a service token, which the web browser posts to the requested service and logs you in.

  • Federated identity authentication   Users with federated identities are authenticated using Active Directory Federation Services (AD FS) 2.0 or other Security Token Services. The web browser is redirected to the Office 365 sign-in service, where you type your corporate ID in the form of a user principal name (UPN; for example, isabel@contoso.com). The sign-in service determines that you are part of a federated domain and offers to redirect you to the on-premises Federation Server for authentication. If you are logged on to the desktop (domain joined), you are authenticated (using Kerberos or NTLMv2) and the on-premises Security Token Service generates a logon token, which the web browser posts to the Office 365 sign-in service. Using the logon token, the sign-in service generates a service token that the web browser posts to the requested service and logs you in. For a list of available Security Token Services, see Single sign-on roadmap.

Office 365 uses forms-based authentication, and authentication traffic over the network is always encrypted with TLS/SSL using port 443. Authentication traffic uses a negligible percentage of bandwidth for Office 365 services.

With Multi-Factor Authentication for Office 365, users are required to acknowledge a phone call, text message, or an app notification on their smartphone after correctly entering their password. Only after this second authentication can the user sign in. Office 365 administrators can enroll users for multi-factor authentication in the Office 365 admin center. Learn more about Multi-Factor Authentication for Office 365.

For rich clients such as Microsoft Office desktop applications, authentication can occur in two ways:

  • Microsoft Online Services Sign-In Assistant   The Sign-in assistant, which is installed by Office 365 desktop setup, contains a client service that obtains a service token from the Office 365 sign-in service and returns it to the rich client.

    • If you have a cloud identity, you receive a prompt for credentials, which the client service sends to the Office 365 sign-in service for authentication (using WS-Trust).

    • If you have a federated identity, the client service first contacts the AD FS 2.0 server to authenticate the credentials (using Kerberos or NTLMv2) and obtain a logon token that is sent to the Office 365 sign-in service (using WS-Federation and WS-Trust).

  • Basic/proxy authentication over SSL   The Outlook client passes basic authentication credentials over SSL to Exchange Online. Exchange Online proxies the authentication request to the Office 365 identity platform, and then to on-premises Active Directory Federation Server (for SSO).

To ensure proper discovery and authentication of Office 365 services, administrators must apply a set of components and updates to each workstation that uses rich clients (such as Microsoft Office 2010) and connects to Office 365. Office 365 desktop setup is an automated tool to configure workstations with the required updates. For more information, see Use my current Office desktop apps with Office 365.

The sign-in experience changes depending on the type of Office 365 identity in use:

 

Client | Cloud identity | Federated identity
Outlook 2013 | Sign in each session (1) | Sign in each session (2)
Outlook 2010 or Office 2007 on Windows 7 | Sign in each session (1) | Sign in each session (2)
Outlook 2010 or Office Outlook 2007 on Windows Vista | Sign in each session (1) | Sign in each session (2)
Microsoft Exchange ActiveSync | Sign in each session (1) | Sign in each session (2)
POP, IMAP, Microsoft Outlook for Mac 2011 | Sign in each session (1) | Sign in each session (2)
Web experiences: Office 365 portal / Outlook Web App / SharePoint Online / Office Online | Sign in each browser session (4) | Sign in each session (3)
Office 2010 or Office 2007 using SharePoint Online | Sign in each SharePoint Online session (4) | Sign in each SharePoint Online session (3)
Lync Online | Sign in each session (1) | No prompt
Outlook for Mac 2011 | Sign in each session (1) | Sign in each session (2)

Note:
(1) When first prompted, you can save your password for future use. You will not receive another prompt until you change the password.
(2) You enter your corporate credentials. You can save your password and will not be prompted again until your password changes.
(3) All apps require you to enter your username or click to sign in. You are not prompted for your password if your computer is joined to the domain. If you click Keep me signed in, you will not be prompted again until you sign out.
(4) If you click Keep me signed in, you will not be prompted again until you sign out.

Office 365 provides five ways to create user accounts.

You can manually create user accounts and assign licenses in the Office 365 portal. The type of license you assign determines which services the user can access. When you assign the license, a temporary logon password is generated. As part of creating a user account, you can enter user details, including job title, department, phone numbers, and other properties that appear in the Global Address List. You can then view the new user’s password and optionally mail it to their email address. For more information, see Create or edit users in Office 365.

The Bulk add users wizard in the Office 365 admin center helps you upload existing .csv files or edit a blank .csv template in a text editor (for example, Notepad). The wizard also includes a sample .csv file that provides a correctly formatted example containing sample user data. To import .csv files, you must assign licenses to new users. You can then view the new users’ passwords and optionally send them to users’ email addresses. For more information, see Add multiple users with a CSV file.

You can use the Azure Active Directory Sync tool to replicate Active Directory user accounts (and other Active Directory objects) in Office 365. Unlike manually created accounts, accounts created by the Directory Sync tool are fully populated with user account information from Active Directory (for example, department and phone number). The Directory Sync tool can be used with or without SSO. For more information, see Directory synchronization roadmap.

When using directory synchronization, the online account is a copy of the on-premises user account and can’t be edited in Office 365. Accounts created with the Directory Sync tool remain inactive until you activate them. As a result, Office 365 licenses are not consumed when user accounts are created by the tool. When you activate a user account from the Office 365 admin center (or by using Windows PowerShell), a service license is assigned and an initial password is generated.

You can use Azure Active Directory Module for Windows PowerShell cmdlets to accomplish many administrative tasks such as user management and domain management. For more information, see Use Windows PowerShell to manage Azure Active Directory.

In addition, Windows PowerShell modules are available for managing users in Exchange Online and SharePoint Online. For more information, see the Administration and Management and SharePoint Online IT Professional service descriptions.

Simple migration, also called cutover migration, migrates all on-premises mailboxes to prepare for moving the entire email organization (including contacts and distribution groups) to the cloud. Using simple migration, you can migrate a maximum of 1,000 mailboxes from on-premises Microsoft Exchange 2007 and later servers to the cloud. During the process, all user accounts and mailboxes are created automatically. Accounts must be licensed within 30 days to continue with uninterrupted use. For more information, see Migrate All Mailboxes to the Cloud with a Cutover Exchange Migration.
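The manual, bulk-upload and PowerShell creation paths above can be combined into one script with the Azure Active Directory Module for Windows PowerShell. The following is an added example, not code from the service description: it assumes the MSOnline cmdlets (Connect-MsolService, Get-MsolAccountSku, Get-MsolUser, New-MsolUser), and the CSV columns and user data in it are constructed for the example rather than taken from the admin center's bulk-add template.

```powershell
# Added example (not from the service description): create cloud-identity users
# in bulk with the Azure Active Directory Module for Windows PowerShell (MSOnline).
# The CSV columns and the user data below are constructed for this example and
# are not the admin center's bulk-add template.
Import-Module MSOnline
Connect-MsolService    # prompts for Global Administrator credentials

# Constructed sample input; in practice use Import-Csv -Path .\users.csv
$csvText = @'
UserPrincipalName,FirstName,LastName,DisplayName,Department,UsageLocation
isabel@contoso.com,Isabel,Martins,Isabel Martins,Finance,US
ravi@contoso.com,Ravi,Mehta,Ravi Mehta,Engineering,US
'@
$users = $csvText | ConvertFrom-Csv

# Choose a SKU that still has free seats; Get-MsolAccountSku lists the tenant's licenses.
$sku = Get-MsolAccountSku |
    Where-Object { $_.ActiveUnits -gt $_.ConsumedUnits } |
    Select-Object -First 1 -ExpandProperty AccountSkuId
if (-not $sku) { throw 'No license SKU with free seats; add seats before creating users.' }

$results = foreach ($u in $users) {
    # Skip accounts that already exist so a re-run does not stop half way.
    if (Get-MsolUser -UserPrincipalName $u.UserPrincipalName -ErrorAction SilentlyContinue) {
        Write-Warning "Skipping $($u.UserPrincipalName): account already exists"
        continue
    }
    # With -Password omitted, New-MsolUser generates a temporary password and
    # returns it in the Password property. -ForceChangePassword $true makes the
    # user replace it at first sign-in, so the generated value is single-use.
    $new = New-MsolUser -UserPrincipalName $u.UserPrincipalName `
        -FirstName $u.FirstName -LastName $u.LastName -DisplayName $u.DisplayName `
        -Department $u.Department -UsageLocation $u.UsageLocation `
        -LicenseAssignment $sku -ForceChangePassword $true
    [pscustomobject]@{
        UserPrincipalName = $new.UserPrincipalName
        Licensed          = $new.IsLicensed
        TempPassword      = $new.Password
    }
}

# The temporary passwords are secrets: deliver them out of band and delete this
# file once the users have signed in and been forced to change them.
$results | Export-Csv -Path .\new-user-temp-passwords.csv -NoTypeInformation
$results | Select-Object UserPrincipalName, Licensed | Format-Table -AutoSize
```

UsageLocation is set per user because a license cannot be assigned without it; the SKU is chosen from Get-MsolAccountSku rather than hard-coded so the script fails early when no seats are left instead of creating unlicensed accounts.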

How you delete accounts depends on whether or not you are using directory synchronization:

  • If you are not using directory synchronization, accounts can be deleted by using the Office 365 Admin page or by using Windows PowerShell.

  • If you are using directory synchronization, you must delete users from the local Active Directory, rather than from Office 365.

When an account is deleted, it becomes inactive. For approximately 30 days after having deleted it, you can restore the account. For more information about deleting and restoring accounts, see Delete or restore users in Office 365.
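The deletion rule above (delete in on-premises Active Directory when directory synchronization is on, otherwise in Office 365) and the roughly 30-day restore window can be enforced in a script. The following is an added example, not code from the service description: it assumes the MSOnline cmdlets (Get-MsolCompanyInformation, Get-MsolUser, Remove-MsolUser, Restore-MsolUser) and the user principal name is a constructed sample value.

```powershell
# Added example (not from the service description): delete and restore an
# Office 365 account with the MSOnline cmdlets, honouring the rule that
# directory-synchronized accounts are deleted in on-premises AD instead.
# The UPN is a constructed sample value.
Import-Module MSOnline
Connect-MsolService

$upn = 'isabel@contoso.com'

# Guard 1: tenant-wide directory synchronization means on-premises AD is the
# source of authority, so the deletion has to happen there.
if ((Get-MsolCompanyInformation).DirectorySynchronizationEnabled) {
    throw "Tenant is directory-synchronized: delete $upn in on-premises Active Directory."
}

# Guard 2: per-user check; an account created by the Directory Sync tool
# carries a LastDirSyncTime, a manually created cloud account does not.
$user = Get-MsolUser -UserPrincipalName $upn -ErrorAction Stop
if ($user.LastDirSyncTime) {
    throw "$upn was created by directory synchronization; delete it on-premises."
}

# Soft delete: the account becomes inactive but can still be restored for
# about 30 days. -RemoveFromRecycleBin is deliberately not used, because it
# would make the deletion permanent immediately.
Remove-MsolUser -UserPrincipalName $upn -Force

# Verify the account is in the recycle bin rather than gone.
$deleted = Get-MsolUser -ReturnDeletedUsers |
    Where-Object { $_.UserPrincipalName -eq $upn }
if (-not $deleted) { throw "$upn not found among deleted users" }
"Deleted $upn at $($deleted.SoftDeletionTimestamp); restorable for approximately 30 days."

# Restore within the window, e.g. when the deletion was a mistake. If the UPN
# has since been reused by a new account, use -NewUserPrincipalName to restore
# under a different name instead of colliding with it.
Restore-MsolUser -UserPrincipalName $upn
```

Both guards run before Remove-MsolUser because a deletion made in the wrong place is either undone by the next synchronization cycle or leaves the on-premises and cloud directories disagreeing about whether the user exists.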

The policies and procedures for password management depend on the identity system.

Cloud identity password management:

When using cloud identities, passwords are automatically generated when the account is created.

  • For cloud identity password strength requirements, see Change your password.

  • To increase security, users must change their passwords when they first access Office 365 services. As a result, before users can access Office 365 services, they must sign into the Office 365 portal, where they are prompted to change their passwords.

  • Admins can set the password expiration policy. For more information see Set a user’s password expiration policy.

There are several tools for resetting passwords for users with cloud identities:

  • Admin resets password   If users lose or forget their passwords, admins can reset users’ passwords in the Office 365 portal or by using Windows PowerShell. Users can only change their own password if they know their existing password.

    For Enterprise plans, if administrators lose or forget their passwords, a different administrator with the Global Administrator role can reset administrators’ passwords in the Office 365 admin center or by using Windows PowerShell. For more information, see Reset passwords for admins.

  • User changes passwords with Outlook Web App   The Outlook Web App options page includes a Change password hyperlink, which redirects users to the Change Password page. The user must know their previous password. For more information, see Change password.

  • Role-based reset password rights   For Enterprise plans, authorized users such as helpdesk staff can be assigned the Reset Password user right and the right to change passwords by using the Office 365 predefined or custom roles without becoming full services administrators. By default in Enterprise plans, admins with the Global Administrator, Password Administrator, or User Management Administrator role can change passwords. For more information, see Assigning admin roles.

  • Reset passwords using Windows PowerShell   Service administrators can use Windows PowerShell to reset passwords.
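The admin-reset and expiration-policy tasks listed above map directly onto MSOnline cmdlets. The following is an added example, not code from the service description: it assumes the cmdlets Set-MsolUserPassword, Set-MsolPasswordPolicy, Get-MsolPasswordPolicy, Get-MsolUser and Set-MsolUser, and the user principal name, domain name and policy values are constructed sample values.

```powershell
# Added example (not from the service description): cloud-identity password
# administration with the MSOnline cmdlets: a helpdesk-style reset, the domain
# password-expiration policy, and a check for accounts exempt from expiry.
# The UPN, domain and policy numbers are constructed sample values.
Import-Module MSOnline
Connect-MsolService    # a Password Administrator is enough for the reset itself

$upn    = 'isabel@contoso.com'
$domain = 'contoso.com'

# Admin reset. With -NewPassword omitted the service generates a random
# temporary password and returns it; -ForceChangePassword $true means the user
# must replace it at next sign-in, so the helpdesk never holds a long-lived
# credential for the account.
$temp = Set-MsolUserPassword -UserPrincipalName $upn -ForceChangePassword $true
"Temporary password for ${upn}: $temp  (deliver out of band, e.g. by phone)"

# Password expiration policy for the domain: how many days a password stays
# valid and how many days before expiry users are notified.
Set-MsolPasswordPolicy -DomainName $domain -ValidityPeriod 90 -NotificationDays 14
Get-MsolPasswordPolicy -DomainName $domain

# Accounts flagged PasswordNeverExpires bypass that policy; list them so that
# every exemption is deliberate rather than forgotten.
$exempt = Get-MsolUser -All | Where-Object { $_.PasswordNeverExpires -eq $true }
$exempt | Select-Object UserPrincipalName, LastPasswordChangeTimestamp | Format-Table -AutoSize

# Clearing the flag puts an account back under the domain policy:
# Set-MsolUser -UserPrincipalName $upn -PasswordNeverExpires $false
```

The reset deliberately does not pass a chosen password on the command line: a generated value does not end up in shell history or a ticket, and the forced change at next sign-in limits it to a single use.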

Federated identity password management:

When using federated identities, passwords are managed in Active Directory. The on-premises Security Token Service negotiates the authentication with Office 365 Federation Gateway without passing users’ local Active Directory passwords over the Internet to Office 365. Local password policies are used, or, for web clients, two-factor identification. Outlook Web App does not include a Change Password hyperlink. Users change their passwords using standard, on-premises tools or through their desktop PC logon options.

If you have Directory Sync with single sign-on (SSO) enabled in your Office 365 environment and there is an outage that impacts your federated identity provider, Password Sync Backup for Federated Sign-in provides the option to manually switch your domain to Password Sync. Using Password Sync will allow your users to access Office 365 while the outage is fixed. Learn how to switch from Single Sign-On to Password Sync.

An Office 365 license gives a user access to a set of Office 365 services. An administrator assigns a license to each user for the service they need access to. For example, you can assign a user access to Lync Online, but not SharePoint Online.

Office 365 billing admins can make changes to subscription details like the number of user licenses and number of additional services your company uses. Check out Assign or remove a license in Office 365.

Security groups are used in SharePoint Online to control access to sites. Security groups can be created in the Office 365 admin center. For more information about security groups, see the Office 365 Administration service description.

Office 365 Enterprise follows a role-based access control (RBAC) model: permissions and capabilities are defined by management roles. The person who signs up for Office 365 for his or her organization automatically becomes a global administrator, or top-level administrator. There are five administrator roles: global administrator, billing administrator, password administrator, service administrator, and user management administrator. For more information about administrator roles in Office 365 Enterprise, including how they apply to Exchange Online, SharePoint Online, and Lync Online administration, see Assigning administrator roles.

Partners can be authorized to administer accounts on behalf of customers. The customer does not require a user account for the partner’s use and does not consume an Office 365 license when granting delegated administration authority. Partners can assign full or limited access to users within their organization. Limited access includes rights to reset passwords, manage service requests, and monitor service health. To learn more, see Add or delete a delegated admin.
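Security groups and the role-based model described above can be managed and audited from PowerShell as well as from the admin center. The following is an added example, not code from the service description: it assumes the MSOnline cmdlets (New-MsolGroup, Add-MsolGroupMember, Add-MsolRoleMember, Get-MsolRole, Get-MsolRoleMember, Get-MsolUser), that MSOnline lists the admin center's Global Administrator and Password Administrator roles under the names "Company Administrator" and "Helpdesk Administrator", and that the group name and user principal names are constructed sample values.

```powershell
# Added example (not from the service description): create a security group for
# SharePoint Online site access, delegate password resets without granting
# global administrator, and audit who holds the global administrator role.
# Group name and UPNs are constructed sample values.
Import-Module MSOnline
Connect-MsolService

# Security group: SharePoint Online site permissions are granted to the group,
# so access changes become membership edits rather than per-site edits.
$group = New-MsolGroup -DisplayName 'Finance Site Members' `
    -Description 'Members of the Finance team site in SharePoint Online'
$member = Get-MsolUser -UserPrincipalName 'isabel@contoso.com'
Add-MsolGroupMember -GroupObjectId $group.ObjectId `
    -GroupMemberType User -GroupMemberObjectId $member.ObjectId

# Least privilege: helpdesk staff get the Password Administrator role (assumed
# MSOnline role name: "Helpdesk Administrator"), which can reset user passwords
# but cannot manage the tenant.
Add-MsolRoleMember -RoleName 'Helpdesk Administrator' `
    -RoleMemberEmailAddress 'helpdesk@contoso.com'

# Audit the top-level role (assumed MSOnline name: "Company Administrator").
# Report each holder and whether multi-factor authentication is enrolled.
$gaRole = Get-MsolRole -RoleName 'Company Administrator'
Get-MsolRoleMember -RoleObjectId $gaRole.ObjectId | ForEach-Object {
    $u = Get-MsolUser -ObjectId $_.ObjectId
    $mfa = 'not enrolled'
    if ($u.StrongAuthenticationRequirements.Count -gt 0) {
        $mfa = $u.StrongAuthenticationRequirements[0].State
    }
    [pscustomobject]@{
        GlobalAdmin = $u.UserPrincipalName
        MfaState    = $mfa
    }
} | Format-Table -AutoSize
```

The audit loop is the part worth running on a schedule: the account that signed up for the tenant is a global administrator by default, and any global administrator without multi-factor authentication is a single password away from full control of every service listed on this page.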

The following table shows the user and group features available in each Office 365 plan.

 

Feature | Business Essentials | Business Premium | E1 plans (Enterprise, Education, Government) | E3 plans (Enterprise, Education, Government) | E4 plans (Enterprise, Education, Government) | K1 plans (Enterprise, Government)
Cloud identity | Yes | Yes | Yes | Yes | Yes | Yes
Federated identity (single sign-on) | Yes | Yes | Yes | Yes | Yes | Yes
Multi-Factor Authentication for Office 365 | Yes | Yes | Yes | Yes | Yes | Yes
Office 365 desktop setup | Yes | Yes | Yes | Yes | No | No
Manage users from Office 365 | Yes | Yes | Yes | Yes | Yes | Yes
Bulk upload using .csv files | Yes | Yes | Yes | Yes | Yes | Yes
Directory Sync tool | Yes | Yes | Yes | Yes | Yes | Yes
Azure Active Directory Module for Windows PowerShell | Yes | Yes | Yes | Yes | Yes | Yes
Exchange simple (cutover) migration | Yes | Yes | Yes | Yes | Yes | Yes
Delete accounts from Office 365 | Yes (2) | Yes (1) | Yes (1) | Yes (1) | Yes (1) | Yes (1)
Admin can reset user password in Office 365 or by using Windows PowerShell | Yes (3) | Yes (3) | Yes (3) | Yes (3) | Yes (3) | Yes (3)
Users can change their own password | Yes (3) | Yes (3) | Yes (3) | Yes (3) | Yes (3) | Yes (3)
Admin can change how often passwords expire | Yes | Yes | Yes | Yes | Yes | Yes
Manage licenses | Yes (4) | Yes (4) | Yes (4)(5) | Yes (4)(5) | Yes (4)(5) | Yes (4)(5)
Manage security groups from the Office 365 admin center | No | Yes | Yes | Yes | Yes | Yes
Multiple administrator roles available | Yes | Yes | Yes | Yes | Yes | Yes
Allow a partner to administer Office 365 for you | Yes | Yes | Yes | Yes | Yes | Yes

Note:
(1) If using directory synchronization, you must delete accounts by using Active Directory, rather than using the Office 365 portal or the Azure Active Directory Module for Windows PowerShell.
(2) If using password synchronization, users must change their passwords in the local Active Directory.
(3) Users can only change their password if they know their old password.
(4) Reducing seats that were purchased with a term discount may be subject to an early termination fee. This is not applicable for subscriptions paid on a monthly basis.
(5) The following plans do not support license seat changes from the Office 365 Admin Center:
  • Office 365 Education E1
  • Office 365 Education E3
  • Office 365 Education E4
  • Office 365 Government E1
  • Office 365 Government E3
  • Office 365 Government E4
  • Office 365 Government K1

© 2014 Microsoft