Office 365 Identity & Access: Manage Users & Permissions. This article demonstrates how to manage user accounts and permissions in Office 365 using Identity and Access Management tools.
We start by exploring an overview of Office 365 Identity and Access Management solutions. In this section, we discuss how to create different types of users and grant them access to resources in Office 365 Identity and Access Management.Ā
In particular, this section focuses on creating internal and external users with Microsoft 365, Azure AD Portal, or Azure AD PowerShell. Additionally, we demonstrate how to utilize these three tools to grant users access to necessary resources.
Furthermore, administering user accounts and permissions involves resetting user passwords. So, this article discusses how to reset passwords for Office 365 users using the three methods.
Overview of Office 365 Identity and Access Management
The Office 365 Identity and Access Management (IAM) tool allows admins to manage user accounts and permissions. Microsoft 365 offers 2 types of users: internal and external.Ā
Internal users are part of the organization, while external users belong to another organization added to the Office 365 tenant for collaboration purposes.
Once you create an internal or external user, you grant them access to resources through roles or groups. To grant access via roles, add the user to the role.
When granting users access to resources via group membership, adding the users to the group is recommended. Then, you add the group to the appropriate Azure AD role.
This approach ensures that the users inherit the permissions assigned to the group.
Note that you must first enable role assignment when creating the group to add groups to roles. However, once you enable this setting, it is permanent for the group.
Alternatively, you grant a role assignable group access to an inbuilt role, and then add users to the group.
Method 1:
Use M365 Portal to Manage User Accounts and Permissions with Office 365 Identity and Access Management
Additionally, we provide step-by-step guidance on creating a Microsoft 365 group, adding users to the group, and assigning a user or group to a role.
Step 1 Option 2: Create Office 365 Internal Users in the Microsoft 365 Portal
1. To begin managing user and permission in Microsoft 365, access admin.microsoft.com with an account that has the appropriate permissions.
2. Next, access the Active Users page. Click the navigation menu icon (if it’s not already expanded), and select “Active users” from the Users node.
3. On the “Active users” page, click “Add users” to initiate the new user creation workflow. This guides you through the process of adding the necessary user details and, if needed, assigning licenses and roles.
Step 1 Option 2: Create Office 365 External Users in Microsoft 365 Portal
To ensure that other users can add the external user’s calendar to their calendar, it’s recommended that you first add the user as a Mail Contact for the user in Exchange Online before creating an external user in Microsoft 365.
In my experience, if you skip this step, other users may encounter issues adding the external user’s calendar to their own.
However, if internal users don’t need to add the external user to their calendars, you can skip this step and move on to stage 2 below:
Stage 1: add a Mail Contact for the user in Exchange Online (optional).
To open the Exchange Online Contacts page, sign in to admin.exchange.microsoft.com using your admin credentials. Once signed in, navigate to the Recipients -> Contacts page.
Finally, click “Add a mail contact” and complete the steps. I added my Gmail account to use a demo.
Stage 2: add the Mail Contact as a guest user.
Sign in to admin.microsoft.com and navigate to the “Guest users” section within the Users tab. Next, click “Add guest user” to initiate adding a new guest user.
The action opens the Azure AD “New user” page in a new browser tab. In the Azure AD page, select the Invite user option, add the required information, and click the Invite button.Ā
To activate their account, the external user needs to check their email from Microsoft and follow the link provided in the message.
Step 2 Option 1: Grant User Accounts Permissions Via Roles in Office 365 Portal
To assign roles to users in Office 365, navigate to the Microsoft 365 portal and follow the instructions below.
Assign internal and external users to Microsoft 365 roles.Ā
1. On the menu, expand Roles and click Role Assignments.Ā
2. Next, click the Azure AD role to assign a user, for example, “Helpdesk Administrator.”
3. On the role flyout, click theĀ Assigned tab. Then, click the “Add users.”Ā Finally, select the users you want to assign the role and clickĀ Add.Ā
Once added, check the “Assigned” tab to confirm that they have been successfully added.
Also ReadĀ Check out Office 365 User Reports
Step 2 Option 2: Grant User Accounts Permissions Via Groups in Microsoft 365 Portal
To assign users access via groups, follow a 2 step process.
First, add the users to the group. Next, assign the group to a role using the role management interface.
As mentioned earlier, selecting the option to assign roles to groups must be done when creating the group. Therefore, to use groups for assigning user roles, create a group and enable the role assignment feature during the creation process.
1. To do this, in the Microsoft 365 portal, expand “Teams & groups,” then select “Active teams & groups.”
2. Next, to open the “Add a group” workflow, click Add a group.
When creating a new group, you can add users to the group in the “Members” section of the workflow. In addition, you can check the “allow admin role to be assigned to this group” checkbox in the “Settings” section.
Refer to the second screenshot below for the configuration.
3. To assign roles to a group, navigate the menu, expand Roles, and click Role Assignments.
4. After clicking on Role Assignments, select the Azure AD role you want to assign to the group, such as “Helpdesk Administrator.”
5. Then, on the role flyout, click the Assigned tab. Then, click the “Add groups.”Ā
6. Finally, select the groups you want to assign the role and click Add.
Once you add groups to the role, check “Assigned” tab to confirm that they have been successfully added.
Reset Office 365 User Password in Microsoft 365 Portal
1. To reset a user password in the Microsoft 365 portal, expand the “Users” menu in the navigation panel. Next, select “Active users” and hover over the user account that requires the password reset.
2. Click on the key symbol that appears when hovering over the account. This initiates the password reset process.
3. Finally, select the desired options on the “Reset password” flyout and click “Reset password.” The Microsoft 365 portal displays a confirmation message with the new password.
Try our Active Directory & Office 365 Reporting & Auditing Tools
Try us out for Free.Ā 100’s of report templates available. Easily customise your own reports on AD, Azure AD & Office 355.
Method 2:
Use Azure AD Portal to Manage User Accounts & Permissions with Office 365 IAM
Ā This portal provides a range of features and tools that enable admins to manage user accounts, including configure permissions and more. This section explores the critical steps to managing user accounts in the Azure AD portal.
Step 1 Option 1: Create Office 365 Internal Users in Azure AD Portal
1. First, sign in to portal.azure.com and navigate to the Users option in the menu.Ā
2. Then, click “+Add” and select User. Finally, choose the Create user template, provide the required details, and click Create.
Step 1 Option 2: Create Office 365 External Users in Azure AD Portal
Earlier, I recommended adding a Mail Contact for the user before creating an external user. This is recommended if your internal users need to add the external user’s calendar to their own.
To create a mail contact, sign in to the Exchange Online Contact page at admin.exchange.microsoft.com. After signing in, navigate to the Recipients -> Contacts page. Then, click “Add a mail contact” and complete the required steps.
To send an invitation to an external user in Azure AD after completing the optional step above, follow these steps:
1. First, follow the “Step 1 of 2” guideline until reaching Step 2.
2. Then, select the Invite user template. Finally, provide the required information and click Invite.
Once you finish the steps above, the user receives an email from Microsoft.
It contains a link to finalize their Azure AD registration. The user should click the link to complete the process.
Step 2 Option 1: Granting User Accounts Permissions Via Roles in Azure AD Portal
1. Once you have created a user, use the Azure AD portal to assign roles to the user. Click “Roles and Administrators” in the Azure Active Directory menu to accomplish this task.Ā
2. Then, choose the role you want to assign to the user. Use search function, if needed.Ā
3. Next, click “+ Add assignments” to finalize the process.
Step 2 Option 2: Granting User Accounts Permissions Via Groups in Azure AD Portal
In step 3 of 1 above, we demonstrated how to assign permissions to users through Azure AD roles. However, a potentially better method is assigning user roles based on group membership.
Follow these steps to complete the tasks in Azure AD:
Firstly, create a group and enable it to be assigned AD roles.Ā Secondly, add the users as members to the new group.
Finally, assign the roles you want to assign to the users by assigning the roles to the Azure AD group.
Here are the hands-on steps:
1. Click “Groups” in the menu, and then click “New group”.
2. Turn on “Azure AD roles are assigned to the group,” select the options in the screenshot below, and click “Create” to complete creating the group.Ā
Reset Office 365 User Password in Azure AD Portal
Admins must be able to reset passwords to manage user accounts and permissions using the Office 365 Identity and Access Management solutions. Therefore, it’s good to know that user passwords can be reset in the Azure AD portal.
1. Click the Users node to reset a user’s account in the Azure Active Directory portal.Ā
2. Utilize the search functionality to select the user. Then, complete the process by clicking the “Reset password” located above the user’s details.
Method 3:
Use PowerShell to Manage User Accounts and Permissions with Office 365 Identity and Access Management
Now, let’s move on to the third and final method, which involves using PowerShell to accomplish the same task.
First, we need to install the PowerShell modules required for the tasks at hand.
Step 1: Install the Required Modules: AzureAD, ExchangePowerShell, Az.Accounts and Az.Resources
1. Open PowerShell as admin. Search PowerShell, then click “Run as Administrator.”
2. To open a new instance that runs commands from downloaded modules, execute the following command after opening PowerShell as an admin.
powershell.exe -ExecutionPolicy "RemoteSigned"
3. Then, to install the necessary PowerShell modules, run the following commands. The first command installs the modules, while the second imports them into your current PowerShell session.
Install-Module AzureAD, ExchangeOnlineManagement, Az.Accounts, Az.Resources
Import-Module AzureAD, ExchangeOnlineManagement, Az.Resources, Az.Accounts
Connect-AzureAD
2. Once connected, run the following commands to create a new Office 365 user.Ā Ā
$PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$PasswordProfile.Password = "enter password here"
New-AzureADUser -DisplayName "M365 PowerShell" -PasswordProfile $PasswordProfile -UserPrincipalName "M365.PowerShell@itechguides.com" -AccountEnabled $true -MailNickName "M365PowerShell"
Step 2 Option 2: Create Office 365 External Users in PowerShell
As mentioned in the previous two methods, an external user can be added by first creating them as a mail contact, which is an optional step.
If your internal users need to add the external user’s calendar to their own, then follow steps 1 to 2 to add a mail contact using PowerShell. Alternatively, skip to step 3.
1. To connect to Exchange Online on the PowerShell console that was opened in Step 2 Option 1, run the command below and enter your login details when prompted by PowerShell.Ā Ā
Connect-ExchangeOnline
2. Add a Mail Contact for the external user you intend to invite using this command. Modify parts of the command to your needs.Ā
New-MailContact -Name "Victor Gmaail PowerShell" -ExternalEmailAddress "enter user's email here"
3. Next, send the invitation by running the command provided: modify the parameters before running the command.Ā
New-AzureADMSInvitation -InvitedUserEmailAddress email@externaldomain.com -SendInvitationMessage $True -InviteRedirectUrl "http://myapps.microsoft.com"
Step 3 Option 1: Granting User Accounts Permissions Via Roles in PowerShell
Run the following commands to assign a user to a role. Modify the commands to meet your requirements.Ā
I have included comments in the script to explain each command.Ā
#step 1: get the ID of the user you want to add to a role:
$userid = (Get-AzADUser -DisplayName "M365 PowerShell").id
#step 2: Get the ID of the role you want to assign the user
$roleDefinitionid = (Get-AzureADMSRoleDefinition -Filter "displayName eq 'Helpdesk Administrator'").Id
#step 3: assign the user the role
$roleAssignment = New-AzureADMSRoleAssignment -DirectoryScopeId '/' -RoleDefinitionId $roleDefinitionid -PrincipalId $userid
Step 3 Option 2: Granting User Accounts Permissions Via Groups in PowerShell
To assign role to a user via its group membership, run the commands in the script below.Ā
#step 1: Create a role-assignable group in Azure Active Directory - skip this step if you have an existing role assignable group
$group = New-AzureADMSGroup -DisplayName "InfraSOS_Helpdesk_Administrators" -Description "This group is assigned to Helpdesk Administrator built-in role in Azure AD." -MailEnabled $false -SecurityEnabled $true -MailNickName "InfraSOShelpdeskadministrators" -IsAssignableToRole $true
#step 2: get the ID of the user you want to add to a role:
$userid = (Get-AzADUser -DisplayName "M365 PowerShell").id
#step 3: add the user to the AAD group
Add-AzureADGroupMember -ObjectId $group.id -RefObjectId $userid
#step 4: add azure AD group to an azure AD role
New-AzureADMSRoleAssignment -DirectoryScopeId '/' -RoleDefinitionId $roleDefinitionid -PrincipalId $group.id
Reset Office 365 User Password in PowerShell
To reset password for an Office 365 user via Azure AD PowerShell, run the following commands:
#step 1: get the ID of the user you want to reset its password:
$userid = (Get-AzADUser -DisplayName "M365 PowerShell").id
#step 2: set a new password for the user
#step 3: reset the passord.
Set-AzureADUserPassword -ObjectId $userid -Password $password -ForceChangePasswordNextLogin $true
Thank you for reading article Office 365 Identity & Access: Manage Users & Permissions. We shall conclude it now.Ā
Office 365 Identity & Access: Manage Users & Permissions Conclusion
In conclusion, managing user accounts and permissions is crucial for your organization’s Office 365 security and functionality. Whether you prefer the Microsoft 365 Portal, Azure AD Portal, or PowerShell, this article’s steps equip you to manage your users confidently.
By following these best practices, effectively manage user accounts and permissions to work collaboratively and securely in the cloud.
So, choose your preferred method and start managing your Office 365 users with confidence today!
Try InfraSOS for FREE
Invite your team and explore InfraSOS features for free
- Free 15-Days Trial
- SaaS Reporting & Auditing Solution
- Full Access to All Features
