There's a lot you can do in Active users, and you're going to be doing a lot of it. Interacting with your active users—adding new ones, disabling terminated ones, resetting passwords, and adding and removing licenses—is the bulk of the work that most Office 365 administrators do:
The Active users panel
The top bar for Active users gives you the options to add a user, change which users you're viewing, search users, export your list of users to CSV, and other functions, available under the More drop-down menu.
Again, the options you see here may vary, depending on what products you have (you won't see an option for Directory synchronization if you're not syncing Office 365 to Active Directory, for instance).
The most common activities are adding a user and resetting passwords (particularly if you don't sync to Active Directory), but a dynamic, quickly changing company may also have a lot of license assignments to do. We'll go over those functions and how to work with the views of your users (a vital skill, if you're a large company with a lot of users) in some detail. Most of the other functions are fairly self-explanatory.
We'll go over much of this information again in Chapter 3, Administering Azure Active Directory, drilling down into PowerShell and some of its more obscure details.
To add a user, you'll enter the user's First name and Last name, and this will assemble the Display name by default. If you want the display name to be something different than the first and last names, change it after it populates by default; this won't affect the first or last names:
Add a new user
Most instances of Office 365 have more than one domain, but usually, one's the real domain, and one's domain.onmicrosoft.com, which hardly anyone uses. In most Office 365 tenants, the default domain has been set to whatever your company usually uses for public websites and the like. However, there might be circumstances where a user needs to be assigned to a different domain name. Enter the username, and use the drop-down menu to select the correct domain name if the default isn't the right one.
It's important to select a location if it hasn't prepopulated for you. You won't be able to add licensing until the location is set.
Whether you fill out the contact information or not is probably a matter of your company's policy. It won't affect a user's capabilities if you don't do it, but if you do, that information will be carried into Exchange and SharePoint, so it won't need to be reentered in the global address list or user profiles:
Password and role options
The options for setting the password include either autogenerating it and emailing it to the email you choose upon completion of the new user task, or creating it manually yourself. For either option, you can force the user to change it when they sign in, or allow them to continue to use it.
Most users will be assigned User (no administrator access), and most IT staff who need administrative access will probably be assigned Global administrator, but in a large organization, you may well want to use the Customized administrator setting to fine-tune which rights you grant.
Finally, you will need to set the licenses. You'll see a series of toggle switches that represent all of the licenses your company has available:
Assign licenses
The last toggle is Create user without product license. While Microsoft labels this as Not recommended, it might be a perfectly reasonable thing to do if you're not the one with the authority to purchase extra licenses; get the user created without a license, and they'll be able to get into the Office 365 portal and set their new password while you're waiting for the purchasing people to acquire the license. (This is also what you're likely to do if you need to create a service account.)
You must set one of the toggle switches, or it won't allow you to create the user. So, if there are no available licenses, use the one that creates the user without a license.
After you're done, you'll get a window telling you the user's password (if it was autogenerated) and offering to email that password to the default address (usually yours, if you're the primary Office 365 administrator).
You can reset passwords, set licenses and roles, disable or enable Office 365 sign-in, add new aliases and change which email address is primary, and perform many other functions, via the user panel.
To access the user panel, simply click on an active user, and it'll open to the right.
A lot of these functions are very similar to the equivalent that you'd perform for new users. For example, resetting a password is just like setting it for the first time for a new user:
The user panel
Assigning a license is just like assigning a license to a new user. But there are some functions that can be performed via the user panel that don't have an equivalent in the Add a user task:
- Group memberships aren't something that you can assign in Add a user, because the mailbox needs to be provisioned before groups can be assigned. By clicking Edit under Group memberships in the user panel, you can add the user to a group, see the groups they're already in, and delete them from groups they are members of.
- You can also change the sign-in settings. If you have an employee that's leaving the company at the end of the day, you can cut off their ability to sign in to Office 365 products without either deleting them or changing their password by simply setting their Sign-in status to Sign-in blocked. (There will be more on this topic in Chapter 3, Administering Azure Active Directory.) This is especially useful if they're synchronized with Active Directory and it's handled by a different department, so you don't have the rights to change their password or delete them. You should note, though, that because this disables sign-in, it won't affect a user who is already signed in until that sign-in expires. So it's not the best tool to use for the person who's being frog-marched out the door by security right now and might still be signed in on their personal tablet.
- You can view the devices that a user has installed Office onto, and deactivate their installation. (Possibly a good idea to do to the home laptop of that employee in the previous example! However, you can only perform it on PC and macOS devices, not mobile ones, so you still can't get that tablet.) If an employee had a device stolen or destroyed, and they're at their five-device limit for Office installations, you can deactivate the lost device here, so that they can install it on their replacement device.
- If you click the expanding caret for Mail Settings, you can directly work with mailbox permissions, email forwarding, litigation hold, auto replies, what apps the user is allowed to use to access email with, and whether they're in the global address list, without having to go into Exchange. (We'll go into what these options mean in more detail in Chapter 3, Administering Azure Active Directory and Chapter 4, Administering Exchange Online – Essentials.) There's also a direct link to Exchange, which will take you straight into this user's Exchange properties.
- The expanding caret for OneDrive Settings gives you the option to get access to the user's OneDrive, which is very helpful if they're out of the office or have left the company, and there's important business information that they are storing in there. You can also turn external sharing to the user's OneDrive (meaning that the user can share with users outside of your company) on or off.
- You can kick off a one-time sign-out event that kicks the user out of every instance of Office 365 they're signed into. This is useful if you're changing their username, or in the case of that employee being frog-marched out the door in the example. Oddly, though this has nothing to do with OneDrive, it's stored under the OneDrive Settings caret.
- The direct links at the bottom let you edit the user's Skype for Business properties, or go directly to their multi-factor authentication settings.
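Because blocking sign-in does not end sessions that already exist, offboarding usually pairs the block with the one-time sign-out. The following is an added example, not taken from the book, that performs both steps with the Microsoft Graph PowerShell SDK and reports the resulting state; the function name `Disable-DepartingUser` and the sample UPN are hypothetical.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Users.Actions
# Added example (not the book's code): block sign-in AND revoke existing
# sessions for a departing user, then report the resulting account state.

function Disable-DepartingUser {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)]
        [string]$UserPrincipalName
    )

    # Resolve the account first so a typo in the UPN fails before any change.
    $user = Get-MgUser -UserId $UserPrincipalName `
        -Property Id, UserPrincipalName, AccountEnabled -ErrorAction Stop

    if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Block sign-in and revoke sessions')) {
        # Step 1: the scripted equivalent of setting Sign-in status to blocked.
        # On its own this only stops NEW sign-ins.
        Update-MgUser -UserId $user.Id -AccountEnabled:$false -ErrorAction Stop

        # Step 2: the scripted equivalent of the one-time sign-out. Refresh
        # tokens and session cookies issued before now are invalidated;
        # access tokens already issued remain valid until they expire.
        Revoke-MgUserSignInSession -UserId $user.Id -ErrorAction Stop | Out-Null
    }

    # Read the state back so the result can go into the offboarding ticket.
    $after = Get-MgUser -UserId $user.Id `
        -Property UserPrincipalName, AccountEnabled, SignInSessionsValidFromDateTime

    [pscustomobject]@{
        UserPrincipalName      = $after.UserPrincipalName
        AccountEnabled         = $after.AccountEnabled
        SessionsValidFromUtc   = $after.SignInSessionsValidFromDateTime
    }
}

# Usage (hypothetical UPN). -WhatIf shows what would change without doing it.
Connect-MgGraph -Scopes 'User.ReadWrite.All'
Disable-DepartingUser -UserPrincipalName 'departing.user@contoso.example' -WhatIf
```

Drop `-WhatIf` to apply the change; a successful run returns `AccountEnabled` as `False` and a `SessionsValidFromUtc` timestamp at or after the moment of revocation.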
Views are covered in detail in Chapter 3, Administering Azure Active Directory, so we won't delve too deeply here.
There's a default view that shows all users. If you have a small company, that might be fine. As soon as you have a large number of users (or accounts, such as service accounts that were assigned email addresses, external contacts who were invited as guest users, former employees, special-purpose administrator accounts, and so on), the list can get unwieldy. You may want to use one of the other default views, or create one of your own. See Chapter 3, Administering Azure Active Directory for more information on how to do this.
Finally, the last function of the Active users page that we'll discuss is the Import multiple users function. If you have a moderately large organization and you are not planning to synchronize with AD, you might want to import a large number of users at the same time:
Import multiple users
You get to this feature by clicking the More drop-down menu at the top of Active users. Download a CSV file to use as a template (you can choose one with just the headers, or one with sample user data, to help you understand how to format your users), enter all of your users into it, upload with the Browse button, and then click Verify to make sure your formatting is correct. Click Next and follow the prompts. You'll be able to set a sign-in status and choose product licenses on the next page, and then send the results to yourself or someone else. (Note that the passwords handled this way will be in plain text, so you may want to require your users to change their passwords as soon as possible.)
Other functions of the Active users page are fairly self-explanatory, such as Delete a user or Export. Let's move on.
Contacts are email addresses from outside of your organization that are recorded in Exchange so that users can find them in the global address list:
Contacts
It's easier to enter a contact than it is to enter a user—there are a lot fewer fields to fill out.
Display name and Email are the only required fields, although if you are going to use contacts heavily and need to be able to search for them with multiple criteria, you might want to fill in the other fields.
By default, contacts appear in the global address list, although you can exclude them with the Hide from my organization address list toggle. Contacts, as a concept, come from Microsoft Exchange, and are a means to include people from outside the company in distribution lists. They can also be included in Office 365 Groups, as of May 2017.
Guest users, as a concept, are more closely related to SharePoint and OneDrive. A guest user has been granted access, via sharing, to a resource on SharePoint or OneDrive. They're only relevant if your organization allows external sharing.
A guest user will automatically be created if you create a sharing link for a specific email address within SharePoint or OneDrive. You can't create them here, but you can view and delete them.
Note that guest users don't have a presence in the global address list, and the same email address can't be both a contact and a guest user. If you have a need to give people who are frequently contacted by your users access to SharePoint and OneDrive while also having them as a global contact, and also having them on a list that automatically sends them and other people email, it might make more sense to use an Office 365 Group rather than a traditional distribution list, because members of those Groups can be both guest users and mail contacts at the same time.
Up to 30 days after you delete a user, they can be restored:
Deleted users
Use the Deleted users screen to see who has been deleted, export them if you need a CSV report, and restore them.
More vital information about the user recycle bin will be covered in Chapter 3, Administering Azure Active Directory.