We start by exploring an overview of Office 365 Identity and Access Management solutions. In this section, we discuss how to create different types of users and grant them access to resources in Office 365 Identity and Access Management.
In particular, this section focuses on creating internal and external users with Microsoft 365, Azure AD Portal, or Azure AD PowerShell. Additionally, we demonstrate how to utilize these three tools to grant users access to necessary resources.
Overview of Office 365 Identity and Access Management
Internal users are part of the organization, while external users belong to another organization added to the Office 365 tenant for collaboration purposes.
Once you create an internal or external user, you grant them access to resources through roles or groups. To grant access via roles, add the user to the role.
To grant users access to resources via group membership, the recommended approach is to first add the users to the group and then add the group to the appropriate Azure AD role.
This approach ensures that the users inherit the permissions assigned to the group.
Note that to add a group to a role, you must enable role assignment when creating the group. Once you enable this setting, it is permanent for the group.
Alternatively, assign a role-assignable group to a built-in role first, and then add users to the group.
Use M365 Portal to Manage User Accounts and Permissions with Office 365 Identity and Access Management
Additionally, we provide step-by-step guidance on creating a Microsoft 365 group, adding users to the group, and assigning a user or group to a role.
Step 1 Option 2: Create Office 365 Internal Users in the Microsoft 365 Portal
1. To begin managing users and permissions in Microsoft 365, sign in to admin.microsoft.com with an account that has the appropriate permissions.
2. Next, access the Active Users page. Click the navigation menu icon (if it’s not already expanded), and select “Active users” from the Users node.
3. On the “Active users” page, click “Add users” to initiate the new user creation workflow. This guides you through the process of adding the necessary user details and, if needed, assigning licenses and roles.
Step 1 Option 2: Create Office 365 External Users in Microsoft 365 Portal
To ensure that other users can add the external user’s calendar to their own, it’s recommended that you first add the user as a Mail Contact in Exchange Online before creating the external user in Microsoft 365.
In my experience, if you skip this step, other users may encounter issues adding the external user’s calendar to their own.
However, if internal users don’t need to add the external user to their calendars, you can skip this step and move on to stage 2 below:
Stage 1: add a Mail Contact for the user in Exchange Online (optional).
To open the Exchange Online Contacts page, sign in to admin.exchange.microsoft.com using your admin credentials. Once signed in, navigate to the Recipients -> Contacts page.
Finally, click “Add a mail contact” and complete the steps. I added my Gmail account to use as a demo.
Stage 2: add the Mail Contact as a guest user.
Sign in to admin.microsoft.com and navigate to the “Guest users” section within the Users tab. Next, click “Add guest user” to initiate adding a new guest user.
The action opens the Azure AD “New user” page in a new browser tab. In the Azure AD page, select the Invite user option, add the required information, and click the Invite button.
To activate their account, the external user needs to check their email from Microsoft and follow the link provided in the message.
Step 2 Option 1: Grant User Accounts Permissions Via Roles in Office 365 Portal
To assign roles to users in Office 365, navigate to the Microsoft 365 portal and follow the instructions below.
Assign internal and external users to Microsoft 365 roles.
1. On the menu, expand Roles and click Role Assignments.
2. Next, click the Azure AD role you want to assign to the user, for example, “Helpdesk Administrator.”
Step 2 Option 2: Grant User Accounts Permissions Via Groups in Microsoft 365 Portal
To assign users access via groups, follow a two-step process.
First, add the users to the group. Next, assign the group to a role using the role management interface.
As mentioned earlier, selecting the option to assign roles to groups must be done when creating the group. Therefore, to use groups for assigning user roles, create a group and enable the role assignment feature during the creation process.
1. To do this, in the Microsoft 365 portal, expand “Teams & groups,” then select “Active teams & groups.”
2. Next, to open the “Add a group” workflow, click Add a group.
When creating a new group, you can add users to the group in the “Members” section of the workflow. In addition, you can check the “allow admin role to be assigned to this group” checkbox in the “Settings” section.
Refer to the second screenshot below for the configuration.
3. To assign roles to a group, go to the navigation menu, expand Roles, and click Role Assignments.
4. After clicking on Role Assignments, select the Azure AD role you want to assign to the group, such as “Helpdesk Administrator.”
5. Then, on the role flyout, click the Assigned tab, and click “Add groups.”
Reset Office 365 User Password in Microsoft 365 Portal
2. Click on the key symbol that appears when hovering over the account. This initiates the password reset process.
Use Azure AD Portal to Manage User Accounts & Permissions with Office 365 IAM
This portal provides a range of features and tools that enable admins to manage user accounts, including configuring permissions and more. This section explores the critical steps to managing user accounts in the Azure AD portal.
Step 1 Option 2: Create Office 365 External Users in Azure AD Portal
Earlier, I recommended adding a Mail Contact for the user before creating an external user. This is recommended if your internal users need to add the external user’s calendar to their own.
To create a mail contact, sign in to the Exchange Online Contact page at admin.exchange.microsoft.com. After signing in, navigate to the Recipients -> Contacts page. Then, click “Add a mail contact” and complete the required steps.
1. First, follow the “Step 1 of 2” guideline until reaching Step 2.
2. Then, select the Invite user template. Finally, provide the required information and click Invite.
Step 2 Option 2: Granting User Accounts Permissions Via Groups in Azure AD Portal
Follow these steps to complete the tasks in Azure AD:
First, create a group and enable it to be assigned Azure AD roles. Second, add the users as members of the new group.
Finally, assign the roles intended for the users to the Azure AD group.
Here are the hands-on steps:
1. Click “Groups” in the menu, and then click “New group”.
Reset Office 365 User Password in Azure AD Portal
Admins must be able to reset passwords to manage user accounts and permissions using the Office 365 Identity and Access Management solutions. Therefore, it’s good to know that user passwords can be reset in the Azure AD portal.
1. Click the Users node to reset a user’s account in the Azure Active Directory portal.
Step 1: Install the Required Modules: AzureAD, ExchangeOnlineManagement, Az.Accounts and Az.Resources
1. Open PowerShell as admin. Search PowerShell, then click “Run as Administrator.”
2. To open a new instance that runs commands from downloaded modules, execute the following command after opening PowerShell as an admin.
powershell.exe -ExecutionPolicy "RemoteSigned"
3. Then, to install the necessary PowerShell modules, run the following commands. The first command installs the modules, while the second imports them into your current PowerShell session.
Install-Module AzureAD, ExchangeOnlineManagement, Az.Accounts, Az.Resources
Import-Module AzureAD, ExchangeOnlineManagement, Az.Resources, Az.Accounts
2. Once connected, run the following commands to create a new Office 365 user.
$PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$PasswordProfile.Password = "enter password here"
New-AzureADUser -DisplayName "M365 PowerShell" -PasswordProfile $PasswordProfile -UserPrincipalName "M365.PowerShell@itechguides.com" -AccountEnabled $true -MailNickName "M365PowerShell"
Step 2 Option 2: Create Office 365 External Users in PowerShell
As mentioned in the previous two methods, an external user can be added by first creating them as a mail contact, which is an optional step.
If your internal users need to add the external user’s calendar to their own, then follow steps 1 to 2 to add a mail contact using PowerShell. Alternatively, skip to step 3.
2. Add a Mail Contact for the external user you intend to invite using this command. Modify parts of the command to your needs.
New-MailContact -Name "Victor Gmaail PowerShell" -ExternalEmailAddress "enter user's email here"
New-AzureADMSInvitation -InvitedUserEmailAddress email@example.com -SendInvitationMessage $True -InviteRedirectUrl "http://myapps.microsoft.com"
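An invited guest exists in the directory from the moment the invitation is created, whether or not the invitee ever follows the link in the email. The following is an added example, not part of the original article, that lists guests whose invitation is still pending and flags old ones for review. It assumes Connect-AzureAD has already been run; the function name and the 14-day threshold are hypothetical choices.

```powershell
# Added example, not from the original article.
# Assumes Connect-AzureAD has already been run in this session.
function Get-PendingGuestInvitation {
    param(
        # Assumed review threshold: pending invitations older than this are flagged
        [int]$StaleAfterDays = 14
    )

    $cutoff = (Get-Date).AddDays(-$StaleAfterDays)

    # Guest accounts are created at invitation time; UserState stays
    # 'PendingAcceptance' until the invitee redeems the invitation.
    Get-AzureADUser -Filter "userType eq 'Guest'" -All $true |
        Where-Object { $_.UserState -eq 'PendingAcceptance' } |
        ForEach-Object {
            # UserStateChangedOn can be empty on some guest objects
            $changed = if ($_.UserStateChangedOn) { [datetime]$_.UserStateChangedOn } else { $null }

            [pscustomobject]@{
                DisplayName    = $_.DisplayName
                Mail           = $_.Mail
                ObjectId       = $_.ObjectId
                StateChangedOn = $changed
                # Unknown date is treated as stale so it still gets reviewed
                Stale          = ($null -eq $changed) -or ($changed -lt $cutoff)
            }
        }
}

# Oldest pending invitations first
Get-PendingGuestInvitation -StaleAfterDays 14 |
    Sort-Object StateChangedOn |
    Format-Table -AutoSize
```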
Step 3 Option 1: Granting User Accounts Permissions Via Roles in PowerShell
Run the following commands to assign a user to a role. Modify the commands to meet your requirements.
I have included comments in the script to explain each command.
#step 1: get the ID of the user you want to add to a role:
$userid = (Get-AzADUser -DisplayName "M365 PowerShell").id
#step 2: Get the ID of the role you want to assign the user
$roleDefinitionid = (Get-AzureADMSRoleDefinition -Filter "displayName eq 'Helpdesk Administrator'").Id
#step 3: assign the user the role
$roleAssignment = New-AzureADMSRoleAssignment -DirectoryScopeId '/' -RoleDefinitionId $roleDefinitionid -PrincipalId $userid
Step 3 Option 2: Granting User Accounts Permissions Via Groups in PowerShell
To assign a role to a user via group membership, run the commands in the script below.
#step 1: Create a role-assignable group in Azure Active Directory - skip this step if you have an existing role assignable group
$group = New-AzureADMSGroup -DisplayName "InfraSOS_Helpdesk_Administrators" -Description "This group is assigned to Helpdesk Administrator built-in role in Azure AD." -MailEnabled $false -SecurityEnabled $true -MailNickName "InfraSOShelpdeskadministrators" -IsAssignableToRole $true
#step 2: get the ID of the user you want to add to a role:
$userid = (Get-AzADUser -DisplayName "M365 PowerShell").id
#step 3: add the user to the AAD group
Add-AzureADGroupMember -ObjectId $group.id -RefObjectId $userid
#step 4: get the ID of the role, then add the Azure AD group to the Azure AD role
$roleDefinitionid = (Get-AzureADMSRoleDefinition -Filter "displayName eq 'Helpdesk Administrator'").Id
New-AzureADMSRoleAssignment -DirectoryScopeId '/' -RoleDefinitionId $roleDefinitionid -PrincipalId $group.id
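Once roles are granted both directly and through groups, the role's assignment list alone no longer shows everyone who holds it. The following is an added example, not part of the original article, that expands group-based assignments into their members so direct and inherited holders (including guest accounts) appear in one list. It assumes Connect-AzureAD has already been run; the function name is hypothetical.

```powershell
# Added example, not from the original article.
# Assumes Connect-AzureAD has already been run in this session.
function Get-EffectiveRoleHolder {
    param(
        [Parameter(Mandatory)]
        [string]$RoleName   # e.g. "Helpdesk Administrator"
    )

    $role = Get-AzureADMSRoleDefinition -Filter "displayName eq '$RoleName'"
    if (-not $role) { throw "Role '$RoleName' not found." }

    # Every assignment of this role, whether to a user or to a group
    $assignments = Get-AzureADMSRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'"

    foreach ($a in $assignments) {
        $principal = Get-AzureADObjectByObjectId -ObjectIds $a.PrincipalId

        if ($principal.ObjectType -eq 'Group') {
            # Group-based assignment: every member inherits the role
            $holders = Get-AzureADGroupMember -ObjectId $principal.ObjectId -All $true
            $via     = "Group: $($principal.DisplayName)"
        }
        else {
            $holders = @($principal)
            $via     = 'Direct'
        }

        foreach ($h in $holders) {
            [pscustomobject]@{
                Role        = $RoleName
                Holder      = $h.DisplayName
                UPN         = $h.UserPrincipalName
                UserType    = $h.UserType      # 'Guest' marks an external user
                AssignedVia = $via
                Scope       = $a.DirectoryScopeId
            }
        }
    }
}

# Review the role used throughout this article
Get-EffectiveRoleHolder -RoleName 'Helpdesk Administrator' |
    Sort-Object AssignedVia, Holder |
    Format-Table -AutoSize
```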
Reset Office 365 User Password in PowerShell
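#step 1: get the ID of the user whose password you want to reset:
$userid = (Get-AzADUser -DisplayName "M365 PowerShell").id
#step 2: set a new password for the user (prompted as a SecureString so it does not appear in the command history)
$password = Read-Host -Prompt "Enter the new password" -AsSecureString
#step 3: reset the password.
Set-AzureADUserPassword -ObjectId $userid -Password $password -ForceChangePasswordNextLogin $true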
Thank you for reading the article Office 365 Identity & Access: Manage Users & Permissions. We shall conclude it now.
Office 365 Identity & Access: Manage Users & Permissions Conclusion
In conclusion, managing user accounts and permissions is crucial for your organization’s Office 365 security and functionality. Whether you prefer the Microsoft 365 Portal, Azure AD Portal, or PowerShell, this article’s steps equip you to manage your users confidently.
By following these best practices, you can effectively manage user accounts and permissions to work collaboratively and securely in the cloud.
So, choose your preferred method and start managing your Office 365 users with confidence today!