Users and groups are at the core of every administrative decision you will make. Before you can create policies or configure some admin center features, you will need to have groups thoughtfully provisioned to be used for appropriate licensing, security, and experience enhancement.
In this chapter, we'll cover Microsoft 365 identity management basics. This includes creation and management of both users and groups and introduces you to a couple of essential security topics such as enabling multi-factor authentication (MFA) through Security Defaults and assigning admin roles.
The recipes included in this chapter are as follows:
This chapter requires users to have administrative privileges in Office 365. Those with a global administrator role will be able to perform every task in each recipe. Specific app and functional administrators will be able to do many of the recipes. No installations/downloads are required for the recipes in this chapter.
When someone joins your organization, you will need to create a new user profile so that person can be assigned credentials to your tenant. In this recipe, we'll walk through the steps of creating a single user via the Microsoft 365 Admin Center.
The user creating the account must be an admin with the appropriate role (such as Global Admin).
In the Password settings section, it is recommended to allow the tenant to set a temporary password by leaving the default selections checked. You may check Send password in email upon completion and add an email address, or when the setup is complete, you will have a chance to copy the user's credentials.
Click Next to move to the Product licenses section.
Click Next to move to the Optional settings section.
From here, you can assign an admin or elevated rights role to the user, or you can add in additional profile information for the user.
In this recipe, you created a new user from scratch. User management starts with this action of creating a new user. Once the user has been created and appropriate product licenses applied, the user will have the ability to sign in.
Adding users one at a time can become quite laborious in a large organization. This recipe provides a method for importing a file and adding users in bulk. Additionally, this can be done through PowerShell, which will be covered in Chapter 3, Administering Office 365 with PowerShell.
The user creating the account must be either a global or user administrator.
Data must be entered into the username and display name columns for each user.
You just imported a CSV file with many users' data to create new users in Office 365 more efficiently. This behind-the-scenes method is functionally the same as manually adding users. However, it applies those selections in bulk and then creates a downloadable file with the login information.
Groups in Office 365 are a great way to manage people with similar tasks, access needs, or users within the same team or department. Groups are an essential component to the Office 365 ecosystem, and when an admin gets groups right, the admin's job becomes much easier to manage. In this recipe, you'll create an Office 365 group.
The user creating the group must be either a global or user administrator.
In this recipe, you created an Office 365 group. Groups are a foundational component to many of the advanced features and products available with your tenant. Groups segment users for ease of administration and collaboration between those users. Understanding how and when to use a group is a vital component to successfully setting up a tenant and may require forward thinking on how and why a group needs to be created.
Creating a group is only the first step. Next, you need to assign users to the group. This is done by navigating to the Groups section, searching for the correct group, and going to the Members tab. Select View all and manage members, and then add or remove members.
Security Defaults are a set of rules and identity security mechanisms preconfigured by Microsoft, but the rules are left disabled by default. Enabling these defaults will impact your entire tenant. Admins and users will be required to start using MFA (adding an additional layer of security upon sign-in), better protecting your tenant and the data within it from exposure through phishing and other identity-related attacks.
The See also section of this recipe includes a link to user training as well as additional resources you should read before enabling the Security Defaults, to ensure you are clear on the impact to your organization.
Only an admin with the Global Admin role can make these changes to the tenant security settings. These steps are based on the "new" admin center (released for preview in 2018-2019).
This process assumes you are working from a recently created tenant (2017 or newer). If you are using an older tenant and have set up baseline policies, you will need to disable those policies and move to the new Security Defaults. Additionally, you may need to activate modern authentication in your tenant (the See also section of this recipe has instructions on how to verify this). This is not required for recently created tenants (2017 or newer).
You've just enabled MFA, among other security enhancements, by toggling on Enable Security defaults. Security defaults are rules, or conditional access policies, which are set by default to help control how users and admins interact with Office 365.
As a tenant admin, you will be asked for reports and information about the users in your tenant. One of the basic requests is around the number of users. A basic user export provides all this information and much more. In this recipe, we'll obtain that from the Microsoft 365 Admin Center.
The user creating the account must be an admin with the appropriate role (such as Global Admin, User Admin, and so on).
You used the Export Users button to pull down a CSV report of active users that can be sorted, filtered, or shared.
When guests are added to your tenant directly by an admin or by a user in Teams, SharePoint, or other apps, those guests are stored in the Microsoft 365 admin center and can be viewed and deleted there. In this recipe, we'll cover the steps required to search for and manage guest users.
Guest access must be allowed in your tenant before guests invited by team or group owners will appear in the admin center.
In this recipe, you found guest users in your tenant and explored the details for one of them. The Guest Users screen of the Microsoft 365 admin center allows viewing, editing, and deleting of all invited guests.
You can only delete one guest user at a time from the Users > Guest Users screen. Go to the Users > Active users screen to delete guest users in bulk. You'll just need to filter the Active users screen to Guest users first, as seen here:
User templates save user administrators time by applying pre-selected licenses, applications, assigned domains, and metadata (such as Office information) to users created using that template. In this recipe, we'll cover the steps to creating a user template.
You must be an O365 administrator to manage users and user templates.
In this recipe, you configured a user template to save you time when creating additional users who will have very similar, if not identical, profile parameters such as office location, department, and so on.
User templates are saved configurations for certain user types that allow administrators to apply consistent licenses, app permissions, domains, and office contact information to users belonging to a common group or role.
Once a template, such as Human Resources Members, is created, it simply needs to be selected the next time an HR employee is onboarded. The new user's name is entered and all the preconfigured settings for the template are applied, making the process much more efficient.
You cannot edit a user template later. Once it's created, that template remains the same until it is deleted and potentially replaced by a new template. This helps ensure consistency of the users created with the template throughout its life cycle.
By default, anyone in your tenant can create their own O365 groups. This can happen when a user creates a new Team in Microsoft Teams, a plan in Planner, and several other apps that use O365 groups at the core. In this recipe, we'll use PowerShell to restrict users from self-provisioning their own O365 groups (whether intentionally or incidentally when creating other resources).
You'll need to be able to create security groups (not just O365 groups) and have the latest version of the AzureADPreview module for PowerShell installed. This can be installed by running SharePoint Online Management Shell as administrator and entering the following command:
Install-Module AzureADPreview
There's currently no way to do this without PowerShell.
$GroupName = "<SecurityGroupName>"
$AllowGroupCreation = "False"

Connect-AzureAD

# Look up the existing Group.Unified directory setting; create it from the template if it does not exist yet
$settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
if(!$settingsObjectID)
{
    $template = Get-AzureADDirectorySettingTemplate | Where-object {$_.displayname -eq "group.unified"}
    $settingsCopy = $template.CreateDirectorySetting()
    New-AzureADDirectorySetting -DirectorySetting $settingsCopy
    $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
}

# Turn off open group creation and restrict it to members of the named security group
$settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID
$settingsCopy["EnableGroupCreation"] = $AllowGroupCreation
if($GroupName)
{
    $settingsCopy["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString $GroupName).objectid
}
else
{
    $settingsCopy["GroupCreationAllowedGroupId"] = $GroupName
}
Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy

# Display the resulting values so you can confirm the change
(Get-AzureADDirectorySetting -Id $settingsObjectID).Values
Replace <SecurityGroupName> in line 1 with the name of your security group. In our example, line 1 would resemble the following:
$GroupName = "O365 Group Creators"
You have just executed a PowerShell script that will restrict creation of additional O365 groups to members of a specific security group. Don't forget to add members to the new security group once it's created.
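The following script, added here as an example and not taken from the book, reads back the Group.Unified setting the recipe's script wrote, checks that it points at your security group, and adds a member so the group is not left empty. It assumes the AzureADPreview module is loaded, Connect-AzureAD has been run, and the placeholder UPN helper@contoso.com is replaced with a real account.

```powershell
# Added example (not from the book): verify the Group.Unified restriction and populate the allowed group.
# Assumes Connect-AzureAD has already been run with an appropriately privileged account.
$GroupName = "O365 Group Creators"          # the security group named in line 1 of the recipe's script
$NewMemberUpn = "helper@contoso.com"        # placeholder UPN of a user who should be allowed to create groups

# Read the setting back; if it is missing, group creation is still open to every user.
$setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
if (-not $setting) {
    Write-Warning "No Group.Unified setting exists; group creation is still open to everyone."
    return
}
Write-Host "EnableGroupCreation         : $($setting['EnableGroupCreation'])"
Write-Host "GroupCreationAllowedGroupId : $($setting['GroupCreationAllowedGroupId'])"

# Display names are not unique in Azure AD, so refuse to continue if the name is ambiguous;
# otherwise a duplicate could silently become the group that is allowed to create O365 groups.
$group = @(Get-AzureADGroup -SearchString $GroupName)
if ($group.Count -ne 1) { throw "Expected exactly one group named '$GroupName' but found $($group.Count)." }
$group = $group[0]
if ($setting['GroupCreationAllowedGroupId'] -ne $group.ObjectId) {
    Write-Warning "Setting allows group $($setting['GroupCreationAllowedGroupId']) but '$GroupName' is $($group.ObjectId)."
}

# Add the member only if they are not already in the group, then list the current membership.
$user = Get-AzureADUser -ObjectId $NewMemberUpn
$members = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true
if ($members.ObjectId -notcontains $user.ObjectId) {
    Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $user.ObjectId
    Write-Host "Added $NewMemberUpn to '$GroupName'."
}
Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true | Select-Object DisplayName, UserPrincipalName
```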
Once the script has run, users who are not global admins or members of a qualifying group or role will immediately lose the ability to create new groups. They can still create new plans and channels associated with existing groups, but will see a message letting them know they cannot create new groups where the option would traditionally have been available:
Another example would be a user without permission trying to create a new team in Teams. They can click Join or create a team as usual, but the option to create a new group/team will not exist:
A final example would be a user creating a new SharePoint team site. They can still create team sites in SharePoint using the new or classic team template, where the classic team site template wouldn't create an associated group anyway. The only change would be the new team site template not being able to create an associated O365 group as would otherwise be normal. If they create the site first and later try to connect it to a new group separately, they will receive the following notice:
Tip
Consider utilizing a training course (digital or in person) for users to "earn" the ability to create O365 groups (by getting added to your new security group) after taking the time to understand the implications and best practices.
User management is usually assigned to helpdesk resources, and not a global admin. This recipe outlines the steps to assigning user management admin roles to users. This role provides its members an appropriate level of permission to manage users, but not all the access and abilities granted to the global admin role. Let's assign the User Administrator admin role to a user.
You'll need access to Azure AD and the Global administrator or Privileged Role administrator role to assign other admin roles.
You've just used Azure AD to assign the User Administrator admin role. Users and accounts assigned to the user management role can reset passwords, create and manage users and groups, filter and manage service requests, and monitor service health. Azure AD is the preferred method of assigning roles because you can assign to multiple accounts at once. As you'll see in the next recipe, the Microsoft 365 Admin Center only allows one account to be assigned at a time.
Tip
Use shared service accounts (for example, helpdesk@natechamberlain.com) to minimize the administrative tasks involved during employee turnover and onboarding.
In the previous recipe, Assigning the User Administrator admin role in Azure AD, we covered assigning a specific admin role via Azure AD. In this recipe, we'll do the same, but from within the Microsoft 365 admin center.
You must be a global administrator or privileged role administrator to assign other admin roles.
In this recipe, you assigned the User Admin role via the Microsoft 365 admin center. Just as you would assign product licenses to users, the Microsoft 365 Admin Center's Active users blade allows you to assign admin roles from this singular, central location.
Important note
If you try to select more than one user at a time using this method, you will not get the Manage roles option. That's a limitation of the Microsoft 365 Admin Center and one reason you may wish to manage administrator roles using Azure AD instead.
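Where the admin center assigns one account at a time, the AzureAD PowerShell module can assign the User Administrator role to several accounts in one pass. This script is an added example, not the book's own, and assumes Connect-AzureAD has been run as a Global or Privileged Role administrator; the role's display name is assumed to be "User Administrator" (older tenants may show "User Account Administrator", which the script also accepts), and the UPNs are placeholders.

```powershell
# Added example (not from the book): assign the User Administrator role to multiple accounts via Azure AD PowerShell.
# Assumes Connect-AzureAD has been run as a Global administrator or Privileged Role administrator.
$RoleNames = @("User Administrator", "User Account Administrator")   # current and older display names
$Assignees = @("helpdesk1@contoso.com", "helpdesk2@contoso.com")      # placeholder UPNs

# A directory role is only returned by Get-AzureADDirectoryRole once it has been activated in the tenant,
# so fall back to enabling it from its template the first time it is used.
$role = Get-AzureADDirectoryRole | Where-Object { $RoleNames -contains $_.DisplayName } | Select-Object -First 1
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object { $RoleNames -contains $_.DisplayName } | Select-Object -First 1
    if (-not $template) { throw "No role template named $($RoleNames -join ' or ') was found." }
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}

# Skip accounts that already hold the role so the script can be re-run safely.
$current = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
foreach ($upn in $Assignees) {
    $user = Get-AzureADUser -ObjectId $upn
    if ($current.ObjectId -contains $user.ObjectId) {
        Write-Host "$upn already holds $($role.DisplayName); skipping."
        continue
    }
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId
    Write-Host "Assigned $($role.DisplayName) to $upn."
}

# Review the final membership; privileged roles should be kept to the minimum set of accounts.
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | Select-Object DisplayName, UserPrincipalName
```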