Users and groups are at the core of every administrative decision you will make. Before you can create policies or configure some admin center features, you will need to have groups thoughtfully provisioned to be used for appropriate licensing, security, and experience enhancement.

In this chapter, we'll cover Microsoft 365 identity management basics. This includes creation and management of both users and groups and introduces you to a couple of essential security topics such as enabling multi-factor authentication (MFA) through Security Defaults and assigning admin roles.

The recipes included in this chapter are as follows:

• Creating a new user
• Importing users in bulk
• Creating a new Office 365 group
• Enabling Security Defaults (MFA)
• Exporting users
• Managing guest users
• Creating a user template
• Restricting users from creating new O365 groups
• Assigning the User Administrator admin role in Azure Active Directory (AD)
• Managing admin roles in the Microsoft 365 Admin Center

This chapter requires users to have administrative privileges in Office 365. Those with a global administrator role will be able to perform every task in each recipe. Specific app and functional administrators will be able to do many of the recipes. No installations/downloads are required for the recipes in this chapter.

When someone joins your organization, you will need to create a new user profile so that person can be assigned credentials to your tenant. In this recipe, we'll walk through the steps of creating a single user via the Microsoft 365 Admin Center.

Getting ready

The user creating the account must be an admin with the appropriate role (such as Global Admin).

How to do it…

1. Go to the Microsoft 365 Admin Center at http://admin.microsoft.com.
2. Select Users > Active users.
3. Select Add a user.
4. A form will display, in which you enter the user's basic information. Fill in the first section, Set up the basics:
   

   Figure 2.1 – Fields and options for setting up a new user in Office 365

   In the Password settings section, it is recommended to allow the tenant to set a temporary password by leaving the default selections checked. You may check Send password in email upon completion and add an email address, or when the setup is complete, you will have a chance to copy the user's credentials.

   Click Next to move to the Product licenses section.

5. As discussed in Chapter 1, Office 365 Setup and Basic Administration, select the appropriate location and license. Additionally, you can select the Create user without product license (not recommended) option if you would like to assign licenses later:
   

   Figure 2.2 – License options when adding a new user

   Click Next to move to the Optional settings section.

   From here, you can assign an admin or elevated rights role to the user, or you can add in additional profile information for the user.

6. Select the appropriate option by expanding the section and filling in the details:
   

   Figure 2.3 – Optional role and profile information for a new user

7. Click Next to move to the Finish section.
8. Your user is not yet created. Review the information and click Finish adding:
   

   Figure 2.4 – Confirmation screen for reviewing the details of a new user

9. From this screen, you can copy the User details and provide those to the user:

Figure 2.5 – Optional ability to save a new user's configuration as a template for future new users

How it works…

In this recipe, you created a new user from scratch. User management starts with this action of creating a new user. Once the user has been created and appropriate product licenses applied, the user will have the ability to sign in.

Adding users one at a time can become quite laborious in a large organization. This recipe provides a method for importing a file and adding users in bulk. Additionally, this can be done through PowerShell, which will be covered in Chapter 3, Administering Office 365 with PowerShell.

Getting ready

The user creating the account must be either a global or user administrator.

How to do it…

1. Go to the Microsoft 365 Admin Center at http://admin.microsoft.com.
2. Select Users > Active users.
3. Select Add multiple users.
4. Click Add multiple users:
   

   Figure 2.6 – The Add multiple users button of the Active users page

5. The Import multiple users panel will open. From here, you can download a sample comma-separated values (CSV) file, enter your user information according to the column headings in the download, and then upload it to your tenant:
   

   Figure 2.7 – The upload file dialog for downloading templates of and importing CSV files of new users

6. The CSV file must include all the exact column headings that are found in the sample. If you move the headings, the upload may not work appropriately.

   Data must be entered into the username and display name columns for each user.

7. Click Next to move to the Set user options section.
8. From this screen, you can set the Sign-in status and select product licenses for the bulk loaded users:
   

   Figure 2.8 – Dialog options for allowing sign-in and assigning product licenses upon import

9. Click Next to move to the View your result section.
10. On the View your result screen, you can choose to send the results to an email address, check how many users were created, and download the results. Note that the results will include plaintext passwords. The results will help show how many users were successfully created and maybe illustrate a need for licensing adjustment to meet the number of users:
    

    Figure 2.9 – Confirmation of created users with the option to email a result file to users

11. Click Send and close to finish the process.

How it works…

You just imported a CSV file with many users' data to create new users in Office 365 more efficiently. This behind-the-scenes method is functionally the same as manually adding users. However, it applies those selections in bulk and then creates a downloadable file with the login information.

See also

• Learn more about using a CSV file to import users at https://docs.microsoft.com/en-us/Office365/enterprise/add-several-users-at-the-same-time#more-information-about-how-to-add-users-to-microsoft-365.

Groups in Office 365 are a great way to manage people with similar tasks, access needs, or users within the same team or department. Groups are an essential component to the Office 365 ecosystem, and when an admin gets groups right, the admin's job becomes much easier to manage. In this recipe, you'll create an Office 365 group.

Getting ready

The user creating the group must be either a global or user administrator.

How to do it…

1. Go to the Microsoft 365 Admin Center at http://admin.microsoft.com.
2. Select Groups > Add a group.
3. Select the group type you wish to create, and then click Next.
4. In the Set up the basics section, enter a group name and description, then click Next.
5. From the Edit settings page, assign the group a unique email address, choose if the group is public or private, and determine if the group should have a Microsoft Teams team:
   

   Figure 2.10 – New Office 365 group creation dialog

6. Click Next to move to the Owners section.
7. In the Owners box, select two users who will have ownership of the group.
8. Your group is not yet created. On the Review and finish adding group screen, review your selections and click Create group to complete the process:

Figure 2.11 – Confirmation of a newly created Office 365 group

How it works…

In this recipe, you created an Office 365 group. Groups are a foundational component to many of the advanced features and products available with your tenant. Groups segment users for ease of administration and collaboration between those users. Understanding how and when to use a group is a vital component to successfully setting up a tenant and may require forward thinking on how and why a group needs to be created.

There's more…

Creating a group is only the first step. Next, you need to assign users to the group. This is done by navigating to the Groups section, searching for the correct group, and going to the Members tab. Select View all and manage members, and then add or remove members.

See also

• Understanding the group types: https://docs.microsoft.com/en-US/microsoft-365/admin/create-groups/compare-groups
• Managing a group: https://docs.microsoft.com/en-us/microsoft-365/admin/create-groups/manage-groups?view=o365-worldwide
• Adding guests to a group: https://support.office.com/en-us/article/adding-guests-to-office-365-groups-bfc7a840-868f-4fd6-a390-f347bf51aff6

Security Defaults are a set of rules and identify security mechanisms preconfigured by Microsoft, but the rules are left disabled by default. Enabling these defaults will impact your entire tenant. Admins and users will be required to start using MFA (adding an additional layer of security upon sign-in), better protecting your tenant and the data within from exposure through phishing and other identity-related attacks.

The See also section of this recipe includes a link to user training as well as additional resources you should read before enabling the Security Defaults, to ensure you are clear on the impact to your organization.

Getting ready

Only an admin with the Global Admin role can make these changes to the tenant security settings. These steps are based on the "new" admin center (released for preview in 2018-2019).

This process assumes you are working from a recently created tenant (2017 or newer). If you are using an older tenant and have set up baseline policies, you will need to disable those policies and move to the new Security Defaults. Additionally, you may need to activate modern authentication in your tenant (the See also section of this recipe has instructions on how to verify this). This is not required for recently created tenants (2017 or newer).

How to do it…

1. Sign in to the Microsoft 365 Admin Center at http://admin.microsoft.com.
2. Go to the Azure AD Properties page at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Properties.
3. Select Manage Security defaults at the bottom of the page.
4. The Enable Security defaults panel will load:
   

   Figure 2.12 – Information about and ability to Enable Security defaults

5. Toggle the Enable Security defaults selector to Yes.
6. Click Save.

How it works…

You've just enabled MFA, among other security enhancements, by toggling on Enable Security defaults. Security defaults are rules, or conditional access policies, which are set by default to help control how users and admins interact with Office 365.

See also

• User training on how to download and use Microsoft Authenticator with Office 365: https://support.office.com/en-us/article/use-microsoft-authenticator-with-office-365-1412611f-ad8d-43ab-807c-7965e5155411?ui=en-US&rs=en-US&ad=US#ID0EAADAAA=_Step_1
• Verify if your tenant is set up with modern authentication (typically applies to tenants older than 2017): https://docs.microsoft.com/exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online
• Understanding the new Security Defaults and the impact to your users and tenant: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults

As a tenant admin, you will be asked for reports and information about the users in your tenant. One of the basic requests is around the number of users. A basic user export provides all this information and much more. In this recipe, we'll obtain that from the Microsoft 365 Admin Center.

Getting ready

The user creating the account must be an admin with the appropriate role (such as Global Admin, User Admin, and so on).

How to do it…

1. Go to the Microsoft 365 Admin Center at http://admin.microsoft.com.
2. Select Users > Active users.
3. Click Export Users:
   

   Figure 2.13 – The Export Users button in the Active users top menu

4. A dialog box will appear—click Continue or No.
5. A CSV file that provides several columns of information on each user will download to your PC.

How it works…

You used the Export Users button to pull down a CSV report of active users that can be sorted, filtered, or shared.

When guests are added to your tenant directly by an admin or by a user in Teams, SharePoint, or other apps, those guests are stored in the Micosoft 365 admin center and can be viewed and deleted there. In this recipe, we'll cover the steps required to search for and manage guest users.

Getting ready

Guest users must be allowed in your tenant for any to appear in the admin center once invited by Team or group owners.

How to do it…

1. Go to the Microsoft 365 Admin Center at http://admin.microsoft.com.
2. Select Users > Guest Users.
3. Use the search bar to search for specific guest(s).
4. Use the ellipsis menu on any user's name when viewing and searching the main listing to delete a user:
   

   Figure 2.14 – Delete a user option on the ellipsis menu for a user

5. You can also select a user's name to view or edit contact information and O365 group memberships. You can use the trash icon under the user's name and email to delete the user:

Figure 2.15 – User detail panel that appears when a user is selected from Active users

How it works…

In this recipe, you found guest users in your tenant and explored the details for one of them. The Guest Users screen of the Microsoft 365 admin center allows viewing, editing, and deleting of all invited guests.

There's more…

You can only delete one guest user at a time from the Users > Guest Users screen. Go to the Users > Active users screen to delete guest users in bulk. You'll just need to filter the Active users screen to Guest users first, as seen here:

Figure 2.16 – Active user view filter options with Guest users selected

See also

• Learn more about managing O365 guests at https://support.office.com/en-us/article/Adding-guests-to-Office-365-Groups-bfc7a840-868f-4fd6-a390-f347bf51aff6.
• Find ways to work with guest user accounts using PowerShell at https://docs.microsoft.com/en-us/microsoft-365/admin/create-groups/manage-guest-access-in-groups.

User templates save user administrators time by applying pre-selected licenses, applications, assigned domains, and metadata (such as Office information) to users created using that template. In this recipe, we'll cover the steps to creating a user template.

Getting ready

You must be an O365 administrator to manage users and user templates.

How to do it…

1. Go to the Microsoft 365 Admin Center at http://admin.microsoft.com.
2. Select Users > Active users.
3. Select User Templates > Add template from the ribbon menu:
   

   Figure 2.17 – Add template option available upon clicking User templates in the Active users page

4. Name your template (this appears on the User templates menu as an option later) and give it a clear description. Click Next:
   

   Figure 2.18 – The first screen of creating a user template including name and description fields

5. Choose to which domain users under this template should be added. This is useful when your organization encompasses multiple business units or company names operating under different domains or even subdomains. Also, choose whether these users will have an autogenerated or standard password and if that should be changed by the user on their first sign-in. Click Next:
   

   Figure 2.19 – The second screen, Basics, when creating a user template

6. Choose which location and licenses will be applied to these users, then scroll down to the next section Licenses:
   

   Figure 2.20 – The third screen, Licenses, when creating a user template

7. All the apps within each of the licenses you selected in the preceding screenshot appear automatically, allowing you to choose specific apps to enable/disable for users created with this template. When satisfied, click Next:
   

   Figure 2.21 – Available apps for all licenses

8. On the Optional settings page, choose which (if any) administrator roles to apply to these users, then complete the Profile info section with info that should be applied by default to all users created using this template. Click Next when finished to review your template:
   

   Figure 2.22 – The fourth screen, Optional settings, when creating a user template

9. If satisfied with the template, choose Finish adding; otherwise, choose Edit in the respective section to make changes first:
   

   Figure 2.23 – The final screen, Finish, for confirmation of details in a new user template

10. Your template will show a confirmation message. Close this when finished:
    

    Figure 2.24 – The confirmation message with optional Next steps after creating a user template

11. Now, when you go to create new users, you'll be able to save time by selecting the template to pre-fill much of the data:
    

    Figure 2.25 – A newly created user template now available for selection

12. When selected, you'll have minimal information to complete for adding the new user under that template. As seen here, it's basically just name, display name, and username:

Figure 2.26 – Screen shown once the existing user template is selected for creating a new user

How it works…

In this recipe, you configured a user template to save you time when creating additional users who will have very similar, if not identical, profile parameters such as office location, department, and so on.

User templates are saved configurations for certain user types that allow administrators to apply consistent licenses, app permissions, domains, and office contact information to users belonging to a common group or role.

Once a template, such as Human Resources Members, is created, it simply needs to be selected the next time an HR employee is onboarded. The new user's name is entered and all the preconfigured settings for the template are applied, making the process much more efficient.

There's more…

You cannot edit a user template later. Once it's created, that template remains the same until it is deleted and potentially replaced by a new template. This helps ensure consistency of the users created with the template throughout its life cycle.

See also

• Check out Lori Craw's article on user templates on TechCommunity: https://techcommunity.microsoft.com/t5/microsoft-365-blog/new-to-admin-center-templates-for-adding-users-faster/ba-p/856424

By default, anyone in your tenant can create their own O365 groups. This can happen when a user creates a new Team in Microsoft Teams, a plan in Planner, and several other apps that use O365 groups at the core. In this recipe, we'll use PowerShell to restrict users from self-provisioning their own O365 groups (whether intentionally or incidentally when creating other resources).

Getting ready

You'll need to be able to create security groups (not just O365 groups) and have the latest version of the AzureADPreview module for PowerShell installed. This can be installed by running SharePoint Online Management Shell as administrator and entering the following command:

Install-Module AzureADPreview

There's currently no way to do this without PowerShell.

How to do it…

1. Go to the Microsoft 365 Admin Center at http://admin.microsoft.com.
2. Select Groups > Groups.
3. Select Add a group.
4. Choose Security and Next:
   

   Figure 2.27 – Security groupt type selected

5. Name and describe the group (we're using O365 Group Creators as our example). Click Next:
   

   Figure 2.28 – Group name and description fields when creating a new group

6. Click Create group to confirm details and create the group. Close the panel.
7. Copy the following script from here (if you're reading the e-book) or from https://docs.microsoft.com/en-us/microsoft-365/admin/create-groups/manage-creation-of-groups:

   $GroupName = "<SecurityGroupName>"
   $AllowGroupCreation = "False"
   Connect-AzureAD
   $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
   if(!$settingsObjectID)
   {
   	  $template = Get-AzureADDirectorySettingTemplate | Where-object {$_.displayname -eq "group.unified"}
       $settingsCopy = $template.CreateDirectorySetting()
       New-AzureADDirectorySetting -DirectorySetting $settingsCopy
       $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
   }
   $settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID
   $settingsCopy["EnableGroupCreation"] = $AllowGroupCreation
   if($GroupName)
   {
   	$settingsCopy["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString $GroupName).objectid
   }
    else {
   $settingsCopy["GroupCreationAllowedGroupId"] = $GroupName
   }
   Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy
   (Get-AzureADDirectorySetting -Id $settingsObjectID).Values

8. Paste the script into Notepad (or similar text editor). Change <SecurityGroupName> in line 1 to the name of your security group. In our example, line 1 would resemble the following:

   $GroupName = "O365 Group Creators"

9. Open SharePoint Online Management Shell (as administrator).
10. Copy the text from your open Notepad application and paste into PowerShell. Hit Enter:
    

    Figure 2.29 – PowerShell screen with pasted script adjusted with our "allowed" group name

11. A sign-in dialog will appear, requesting your administrator credentials to complete the change:
    

    Figure 2.30 – Sign-in dialog presented as part of executing the PowerShell script

12. The script will take a moment to complete, and when finished will show the following:

Figure 2.31 – Confirmation message in PowerShell

How it works…

You have just executed a PowerShell script that will restrict creation of additional O365 groups to members of a specific security group. Don't forget to add members to the new security group once it's created.

Once the script has run, users who are not global admins or members of a qualifying group or role will be unable to create new groups immediately. They can still create new plans and channels associated with existing groups, but will see a message letting them know they cannot create new groups when the opportunity would have traditionally been available:

Figure 2.32 – Message that appears to Planner users when group creation is disabled for them

Another example would be a user without permission trying to create a new team in Teams. They can click Join or create a team as usual, but the option to create a new group/team will not exist:

Figure 2.33 – Teams screen that appears for users who cannot create new teams (therefore, groups)

A final example would be a user creating a new SharePoint team site. They can still create team sites in SharePoint using the new or classic team template, where the classic team site template wouldn't create an associated group anyway. The only change would be the new team site template not being able to create an associated O365 group as would otherwise be normal. If they create the site first and later try to connect it to a new group separately, they will receive the following notice:

Figure 2.34 – Message that appears when users in SharePoint attempt to associate a site with a new group

Tip

Consider utilizing a training course (digital or in person) for users to "earn" the ability to create O365 groups (by getting added to your new security group) after taking the time to understand the implications and best practices.

See also

• Find more information and depth on this process at https://docs.microsoft.com/en-us/microsoft-365/admin/create-groups/manage-creation-of-groups.
• Gregory Zelfond has written an excellent blog post encouraging extra consideration of the landscape of modern collaboration before disabling group creation: https://sharepointmaven.com/why-you-should-never-disable-team-site-creation-in-office-365/

User management is usually assigned to helpdesk resources, and not a global admin. This recipe outlines the steps to assigning user management admin roles to users. This role provides its members an appropriate level of permission to manage users, but not all the access and abilities granted to the global admin role. Let's assign the User Administrator admin role to a user.

Getting ready

You'll need access to Azure AD and the Global administrator or Privileged Role administrator role to assign other admin roles.

How to do it…

1. Go to Azure AD at https://aad.portal.azure.com.
2. Select Azure Active Directory from the left navigation menu:
   

   Figure 2.35 – Azure Active Directory highlighted in the left-hand navigation menu in the Azure AD admin center

3. Select Roles and administrators from beneath the Manage header:
   

   Figure 2.36 – Roles and administrators highlighted in the Manage section

4. Search or scroll the list until you locate User administrator, then select it:
   

   Figure 2.37 – User administrator role highlighted in Administrative roles search results

5. Select Add assignments:
   

   Figure 2.38 – Add assignments option in the Assignments screen of the User administrator role details

6. Select each shared service account or individual user you want added to this role group. The search bar can help find specific accounts more quickly. When finished, select Add:
   

   Figure 2.39 – Selected users being added to an admin role in Azure AD

7. You may now exit Azure AD:

Figure 2.40 – The confirmation notification that appears once users are successfully assigned

How it works…

You've just used Azure AD to assign the User Administrator admin role. Users and accounts assigned to the user management role can reset passwords, create and manage users and groups, filter and manage service requests, and monitor service health. Azure AD is the preferred method of assigning roles because you can assign to multiple accounts at once. As you'll see in the next recipe, the Microsoft 365 Admin Center only allows one account to be assigned at a time.

Tip

Use shared service accounts (for example, helpdesk@natechamberlain.com) to minimize the administrative tasks involved during employee turnover and onboarding.

See also

• Learn more about this role, and all others available in Azure AD, at https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles.

In the previous recipe, Assigning the User Administrator admin role in Azure AD, we covered assigning a specific admin role via Azure AD. In this recipe, we'll do the same, but from within the Microsoft 365 admin center.

Getting ready

You must be a global administrator or privileged role administrator to assign other admin roles.

How to do it…

1. Go to the Microsoft 365 Admin Center at https://admin.microsoft.com/.
2. Select Users > Active users:
   

   Figure 2.41 – Active users link in the left-hand navigation pane of the Microsoft 365 admin center

3. Search or scroll to select the account to which you're assigning the admin role(s). Then, use the ellipses to select Manage roles:
   

   Figure 2.42 – Manage roles option available on the ellipsis menu when a user is selected

4. Select/deselect the role(s) you're assigning or unassigning:
   

   Figure 2.43 – Admin center access options, with User admin selected

5. You'll also notice there's an expandable Show all by category section for more (less common) admin roles not shown in the previous screenshot. These are divided into Collaboration, Devices, Global, Identity, Other, Read-only, and Security & Compliance categories. You can see some of the options in the following screenshot:
   

   Figure 2.44 – Role options shown by category instead

6. When finished selecting/deselecting, click Save changes. If successful, you'll see Admin roles updated:

Figure 2.45 – Confirmation message once admin roles have been added

How it works…

In this recipe, you assigned the User Admin role via the Microsoft 365 admin center. Like how you'd assign product licenses to users, the Microsoft 365 Admin Center's Active users blade allows you to assign admin roles as well from this singular, central location.

Important note

If you try to select more than one user at a time using this method, you will not get the Manage roles option. That's a limitation of the Microsoft 365 Admin Center and one reason you may wish to manage administrator roles using Azure AD instead.

See also

• Learn more about admin roles in the Microsoft 365 Admin Center at https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles.