Enterprise User Management Documentation - Azure AD
This article introduces the Azure AD administrator to the relationship between top identity management tasks for
users in terms of their groups, licenses, deployed enterprise apps, and administrator roles. As your organization
grows, you can use Azure AD groups and administrator roles to:
Assign licenses to groups instead of to individual users
Delegate permissions to distribute the work of Azure AD management to less-privileged roles
Assign enterprise app access to groups
NOTE
The group-based licensing feature currently is in public preview. During the preview, the feature is available with any paid
Azure Active Directory (Azure AD) license plan or trial.
Application Administrator: Can add and manage enterprise applications and application registrations, and configure
proxy application settings. Application Administrators can view Conditional Access policies and devices, but not
manage them.
Cloud Application Administrator: Can add and manage enterprise applications and enterprise app registrations. This
role has all of the permissions of the Application Administrator, except it can't manage application proxy settings.
Application Developer: Can add and update application registrations, but can't manage enterprise applications or
configure an application proxy.
New Azure AD administrator roles are being added. Check the Azure portal or the administrator role permission
reference for current available roles.
Next steps
If you're a beginning Azure AD administrator, get the basics down in Azure Active Directory Fundamentals.
Or you can start creating groups, assigning licenses, assigning app access or assigning administrator roles.
Add or delete users using Azure Active Directory
9/7/2020 • 3 minutes to read
Add new users or delete existing users from your Azure Active Directory (Azure AD) organization. To add or delete
users you must be a User administrator or Global administrator.
Delete a user
You can delete an existing user using the Azure Active Directory portal.
To delete a user, follow these steps:
1. Sign in to the Azure portal using a User administrator account for the organization.
2. Search for and select Azure Active Directory from any page.
3. Search for and select the user you want to delete from your Azure AD tenant. For example, Mary Parker.
4. Select Delete user.
The user is deleted and no longer appears on the Users - All users page. The user can be seen on the Deleted
users page for the next 30 days and can be restored during that time. For more information about restoring a user,
see Restore or remove a recently deleted user using Azure Active Directory.
When a user is deleted, any licenses consumed by the user are made available for other users.
NOTE
You must use Windows Server Active Directory to update the identity, contact information, or job information for users whose
source of authority is Windows Server Active Directory. After you complete your update, you must wait for the next
synchronization cycle to complete before you'll see the changes.
Next steps
After you've added your users, you can do the following basic processes:
Add or change profile information
Assign roles to users
Create a basic group and add members
Work with dynamic groups and users
Or you can do other user management tasks, such as adding guest users from another directory or restoring a
deleted user. For more information about other available actions, see Azure Active Directory user management
documentation.
Assign or remove licenses in the Azure Active
Directory portal
9/7/2020 • 4 minutes to read
Many Azure Active Directory (Azure AD) services require you to license each of your users or groups (and
associated members) for that service. Only users with active licenses can access and use those licensed Azure AD
services. Licenses are applied per tenant and do not transfer to other tenants.
3. On the Assign page, select Users and groups, and then search for and select the user you're assigning the
license to.
4. Select Assignment options, make sure you have the appropriate license options turned on, and then select
OK.
The Assign license page updates to show that a user is selected and that the assignments are configured.
NOTE
Not all Microsoft services are available in all locations. Before a license can be assigned to a user, you must specify the
Usage location. You can set this value in the Azure Active Directory > Users > Profile > Settings area in
Azure AD. Any user whose usage location is not specified inherits the location of the Azure AD organization.
5. Select Assign.
The user is added to the list of licensed users and has access to the included Azure AD services.
NOTE
Licenses can also be assigned directly to a user from the user's Licenses page. If a user has a license assigned
through a group membership and you want to assign the same license to the user directly, it can be done only from
the Products page mentioned in step 1.
3. On the Assign page, select Users and groups, and then search for and select the group you're assigning
the license to.
4. Select Assignment options, make sure you have the appropriate license options turned on, and then select
OK.
The Assign license page updates to show that a user is selected and that the assignments are configured.
5. Select Assign.
The group is added to the list of licensed groups and all of the members have access to the included Azure
AD services.
Remove a license
You can remove a license from a user's Azure AD user page, from the group overview page for a group assignment,
or starting from the Azure AD Licenses page to see the users and groups for a license.
To remove a license from a user
1. On the Licensed users page for the service plan, select the user that should no longer have the license. For
example, Alain Charon.
2. Select Remove license.
IMPORTANT
Licenses that a user inherits from a group can't be removed directly. Instead, you have to remove the user from the group
from which they're inheriting the license.
NOTE
When an on-premises user account synced to Azure AD falls out of scope for the sync or when the sync is removed,
the user is soft-deleted in Azure AD. When this occurs, licenses assigned to the user directly or via group-based
licensing will be marked as suspended rather than deleted.
Next steps
After you've assigned your licenses, you can perform the following processes:
Identify and resolve license assignment problems
Add licensed users to a group for licensing
Scenarios, limitations, and known issues using groups to manage licensing in Azure Active Directory
Add or change profile information
Quickstart: Grant permission to create unlimited app
registrations
9/7/2020 • 4 minutes to read
In this quick start guide, you will create a custom role with permission to create an unlimited number of app
registrations, and then assign that role to a user. The assigned user can then use the Azure AD portal, Azure AD
PowerShell, or Microsoft Graph API to create application registrations. Unlike the built-in Application Developer
role, this custom role grants the ability to create an unlimited number of application registrations. The Application
Developer role grants the ability, but the total number of created objects is limited to 250 to prevent hitting the
directory-wide object quota. The least privileged role required to create and assign Azure AD custom roles is the
Privileged Role administrator.
If you don't have an Azure subscription, create a free account before you begin.
3. On the Basics tab, provide "Application Registration Creator" for the name of the role and "Can create an
unlimited number of application registrations" for the role description, and then select Next.
4. On the Permissions tab, enter "microsoft.directory/applications/create" in the search box, select the
checkboxes next to the desired permissions, and then select Next.
5. On the Review + create tab, review the permissions and select Create.
Assign the role in the Azure AD portal
1. Sign in to the Azure AD admin center with Privileged role administrator or Global administrator permissions in
your Azure AD organization.
2. Select Azure Active Directory and then select Roles and administrators.
3. Select the Application Registration Creator role and select Add assignment.
4. Select the desired user and click Select to add the user to the role.
Done! In this quickstart, you successfully created a custom role with permission to create an unlimited number of
app registrations, and then assigned that role to a user.
TIP
To assign the role to an application using the Azure AD portal, enter the name of the application into the search box of the
assignment page. Applications are not shown in the list by default, but are returned in search results.
import-module azureadpreview
To verify that the module is ready to use, match the version returned by the following command to the one listed
here:
get-module azureadpreview
ModuleType Version Name ExportedCommands
---------- --------- ---- ----------------
Binary 2.0.0.115 azureadpreview {Add-AzureADAdministrati...}
https://graph.microsoft.com/beta/roleManagement/directory/roleDefinitions
Body
{
"description":"Can create an unlimited number of application registrations.",
"displayName":"Application Registration Creator",
"isEnabled":true,
"rolePermissions":
[
{
"resourceActions":
{
"allowedResourceActions":
[
"microsoft.directory/applications/create",
"microsoft.directory/applications/createAsOwner"
]
},
"condition":null
}
],
"templateId":"<PROVIDE NEW GUID HERE>",
"version":"1"
}
https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments
Body
{
"principalId":"<PROVIDE OBJECTID OF USER TO ASSIGN HERE>",
"roleDefinitionId":"<PROVIDE OBJECTID OF ROLE DEFINITION HERE>",
"resourceScopes":["/"]
}
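Wiring the two requests above together, as an added example that is not part of the quickstart: it builds the role definition and assignment bodies shown above, rejects any resource action other than the two the quickstart grants, and feeds the object id Graph returns for the definition into the assignment (the placeholder "<PROVIDE OBJECTID OF ROLE DEFINITION HERE>" is that id, not the templateId you generated). The transport is injectable; FakeGraph, the URL constants and the function names are constructed here so the flow runs offline, and graph_post assumes a bearer token you obtain separately.

```python
"""Create the 'Application Registration Creator' role and assign it via Microsoft Graph (beta).

Added example. The bodies mirror the quickstart's JSON; FakeGraph is a constructed
stand-in for the service so the two-step flow runs offline.
"""
import json
import re
import urllib.request
import uuid
from typing import Callable, Dict, Iterable, List, Optional, Tuple

GRAPH_BETA = "https://graph.microsoft.com/beta"
ROLE_DEFINITIONS_URL = f"{GRAPH_BETA}/roleManagement/directory/roleDefinitions"
ROLE_ASSIGNMENTS_URL = f"{GRAPH_BETA}/roleManagement/directory/roleAssignments"

# Exactly the two resource actions the quickstart grants. Anything else would widen
# an "app registration creator" role beyond its stated purpose, so it is rejected.
ALLOWED_ACTIONS = frozenset({
    "microsoft.directory/applications/create",
    "microsoft.directory/applications/createAsOwner",
})
ACTION_RE = re.compile(r"^microsoft\.directory(/[A-Za-z]+)+$")


def build_role_definition(actions: Iterable[str], template_id: Optional[str] = None) -> Dict:
    """Role definition body. templateId is a fresh GUID (the quickstart's '<PROVIDE NEW GUID HERE>')."""
    actions = sorted(set(actions))
    rejected = [a for a in actions if not ACTION_RE.match(a) or a not in ALLOWED_ACTIONS]
    if rejected:
        raise ValueError(f"resource actions outside the least-privilege set: {rejected}")
    return {
        "description": "Can create an unlimited number of application registrations.",
        "displayName": "Application Registration Creator",
        "isEnabled": True,
        "rolePermissions": [
            {"resourceActions": {"allowedResourceActions": actions}, "condition": None}
        ],
        "templateId": template_id or str(uuid.uuid4()),
        "version": "1",
    }


def build_role_assignment(principal_id: str, role_definition_id: str) -> Dict:
    """Assignment body; resourceScopes '/' is tenant-wide, as in the quickstart."""
    return {
        "principalId": principal_id,
        "roleDefinitionId": role_definition_id,
        "resourceScopes": ["/"],
    }


def graph_post(url: str, body: Dict, bearer_token: str) -> Dict:
    """Live transport: POST JSON to Graph with a token obtained separately (assumed)."""
    request = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {bearer_token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(request) as response:
        return json.load(response)


def create_and_assign(principal_id: str, post: Callable[[str, Dict], Dict]) -> Dict[str, str]:
    """Step 1 creates the definition; step 2 assigns it using the object id Graph
    returned in step 1 (not the templateId we generated)."""
    definition = post(ROLE_DEFINITIONS_URL, build_role_definition(ALLOWED_ACTIONS))
    assignment = post(ROLE_ASSIGNMENTS_URL, build_role_assignment(principal_id, definition["id"]))
    return {"roleDefinitionId": definition["id"], "roleAssignmentId": assignment["id"]}


class FakeGraph:
    """Constructed offline stand-in: stores definitions and, like the real service,
    refuses an assignment that references a roleDefinitionId it has never issued."""

    def __init__(self) -> None:
        self.definitions: Dict[str, Dict] = {}
        self.calls: List[Tuple[str, Dict]] = []

    def post(self, url: str, body: Dict) -> Dict:
        self.calls.append((url, body))
        object_id = str(uuid.uuid4())
        if url == ROLE_DEFINITIONS_URL:
            self.definitions[object_id] = body
        elif url == ROLE_ASSIGNMENTS_URL:
            if body["roleDefinitionId"] not in self.definitions:
                raise LookupError("unknown roleDefinitionId (Graph would answer 404)")
        else:
            raise LookupError(f"unexpected endpoint {url}")
        return {**body, "id": object_id}


if __name__ == "__main__":
    fake = FakeGraph()
    # Constructed principal object id; in a live run use the user's objectId.
    print(create_and_assign("11111111-1111-1111-1111-111111111111", fake.post))
```

To run against the tenant, pass `lambda url, body: graph_post(url, body, token)` as `post`; the caller needs the Privileged Role administrator rights stated in the quickstart.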
Next steps
Feel free to share with us on the Azure AD administrative roles forum.
For more about Azure AD role assignments, see Assign administrator roles.
For more about default user permissions, see comparison of default guest and member user permissions.
Quickstart: Set Microsoft 365 groups to expire in
Azure Active Directory
9/7/2020 • 2 minutes to read
In this quickstart, you set the expiration policy for your Microsoft 365 groups. When users can set up their own
groups, unused groups can multiply. One way to manage unused groups is to set those groups to expire, to reduce
the maintenance of manually deleting groups.
Expiration policy is simple:
Groups with user activities are automatically renewed as the expiration nears
Group owners are notified to renew an expiring group
A group that is not renewed is deleted
A deleted Microsoft 365 group can be restored within 30 days by a group owner or by an Azure AD
administrator
NOTE
Groups now use Azure AD intelligence to be automatically renewed based on whether they have been in recent use. This
renewal decision is based on user activity in groups across Office 365 services like Outlook, SharePoint, Teams, Yammer, and
others.
If you don't have an Azure subscription, create a free account before you begin.
Prerequisite
The least-privileged role required to set up group expiration is User administrator in the organization.
2. Set the expiration interval. Select a preset value or enter a custom value over 31 days.
3. Provide an email address where expiration notifications should be sent when a group has no owner.
4. For this quickstart, set Enable expiration for these Microsoft 365 groups to All.
5. Select Save to save the expiration settings when you're done.
That's it! In this quickstart, you successfully set the expiration policy for the selected Microsoft 365 groups.
Clean up resources
To remove the expiration policy
1. Ensure that you are signed in to the Azure portal with an account that is the Global Administrator for your Azure
AD organization.
2. Select Azure Active Directory > Groups > Expiration.
3. Set Enable expiration for these Microsoft 365 groups to None.
To turn off user creation for groups
1. Select Azure Active Directory > Groups > General.
2. Set Users can create Microsoft 365 groups in Azure portals to No.
Next steps
For more information about expiration including PowerShell instructions and technical constraints, see the
following article:
Expiration policy PowerShell
Quickstart: Naming policy for groups in Azure Active
Directory
9/7/2020 • 2 minutes to read
In this quickstart, you will set up naming policy in your Azure Active Directory (Azure AD) organization for user-
created Microsoft 365 groups, to help you sort and search your organization’s groups. For example, you could use
the naming policy to:
Communicate the function of a group, membership, geographic region, or who created the group.
Help categorize groups in the address book.
Block specific words from being used in group names and aliases.
If you don't have an Azure subscription, create a free account before you begin.
Clean up resources
Remove the naming policy using Azure portal
1. On the Naming policy page, select Delete policy.
2. After you confirm the deletion, the naming policy is removed, including all prefix-suffix naming policy and any
custom blocked words.
Next steps
In this quickstart, you’ve learned how to set the naming policy for your Azure AD organization through the Azure
portal.
Advance to the next article for more information including the PowerShell cmdlets for naming policy, technical
constraints, adding a list of custom blocked words, and the end user experiences across Office 365 apps.
Naming policy PowerShell
Tutorial: Add or remove group members
automatically
4/30/2020 • 3 minutes to read
In Azure Active Directory (Azure AD), you can automatically add users to or remove them from security groups or
Office 365 groups, so you don't always have to do it manually. Whenever any properties of a user or device change,
Azure AD evaluates all dynamic group rules in your Azure AD organization to see if the change should add or remove
members.
In this tutorial, you learn how to:
Create an automatically populated group of guest users from a partner company
Assign licenses to the group for the partner-specific features for guest users to access
Bonus: secure the All users group by removing guest users so that, for example, you can give your member
users access to internal-only sites
If you don't have an Azure subscription, create a free account before you begin.
Prerequisites
This feature requires one Azure AD Premium license for you as the global administrator of the organization. If you
don't have one, in Azure AD, select Licenses > Products > Try/Buy.
You're not required to assign licenses to the users for them to be members in dynamic groups. You only need the
minimum number of available Azure AD Premium P1 licenses in the organization to cover all such users.
Assign licenses
Now that you have your new group, you can apply the licenses that these partner users need.
1. In Azure AD, select Licenses , select one or more licenses, and then select Assign .
2. Select Users and groups , and select the Guest users Contoso group, and save your changes.
3. Assignment options allow you to turn on or off the service plans included in the licenses that you selected.
When you make a change, be sure to click OK to save your changes.
4. To complete the assignment, on the Assign license pane, click Assign at the bottom of the pane.
Next steps
In this tutorial, you learned how to:
Create a group of guest users
Assign licenses to your new group
Change All users group to members only
Advance to the next article to learn more group-based licensing basics
Group licensing basics
Delegate administration in Azure Active Directory
9/7/2020 • 5 minutes to read
With organizational growth comes complexity. One common response is to reduce some of the workload of access
management with Azure Active Directory (AD) admin roles. You can assign the least possible privilege to users to
access their apps and perform their tasks. Even if you don't assign the Global Administrator role to every
application owner, you're placing application management responsibilities on the existing Global Administrators.
There are many reasons for an organization to move toward a more decentralized administration. This article can
help you plan for delegation in your organization.
Delegation planning
It's work to develop a delegation model that fits your needs. Developing a delegation model is an iterative design
process, and we suggest you follow these steps:
Define the roles you need
Delegate app administration
Grant the ability to register applications
Delegate app ownership
Develop a security plan
Establish emergency accounts
Secure your administrator roles
Make privileged elevation temporary
Define roles
Determine the Active Directory tasks that are carried out by administrators and how they map to roles. You can
view detailed role descriptions in the Azure portal.
Each task should be evaluated for frequency, importance, and difficulty. These criteria are vital aspects of task
definition because they govern whether a permission should be delegated:
Tasks that you do routinely, have limited risk, and are trivial to complete are excellent candidates for delegation.
Tasks that you do rarely but have great impact across the organization and require high skill levels should be
considered very carefully before delegating. Instead, you can temporarily elevate an account to the required role
or reassign the task.
Next steps
For a reference to the Azure AD role descriptions, see Assign admin roles in Azure AD
What are the default user permissions in Azure
Active Directory?
9/7/2020 • 9 minutes to read
In Azure Active Directory (Azure AD), all users are granted a set of default permissions. A user’s access consists
of the type of user, their role assignments, and their ownership of individual objects. This article describes
those default permissions and contains a comparison of the member and guest user defaults. The default user
permissions can be changed only in user settings in Azure AD.
Area: Users and contacts
Member user default permissions: Read all public properties of users and contacts; Invite guests; Change own
password; Manage own mobile phone number; Manage own photo; Invalidate own refresh tokens.
Default guest user permissions: Read own properties; Read display name, email, sign in name, photo, user principal
name, and user type properties of other users and contacts; Change own password; Search for another user by Display
Name, User Principal Name or ObjectId (if allowed); Read manager and direct report information of other users.
Restricted guest user permissions (preview): Read own properties; Change own password.
Area: Directory
Member user default permissions: Read all company information; Read all domains; Read all partner contracts.
Default guest user permissions: Read display name and verified domains.
Restricted guest user permissions (preview): Read display name and verified domains.
Permission setting: Explanation
Users can register application: Setting this option to No prevents users from creating application registrations. The
ability can then be granted back to specific individuals by adding them to the Application Developer role.
Allow users to connect work or school account with LinkedIn: Setting this option to No prevents users from connecting
their work or school account with their LinkedIn account. For more information, see LinkedIn account connections
data sharing and consent.
Ability to create security groups: Setting this option to No prevents users from creating security groups. Global
administrators and User administrators can still create security groups. See Azure Active Directory cmdlets for
configuring group settings to learn how.
Ability to create Office 365 groups: Setting this option to No prevents users from creating Office 365 groups. Setting
this option to Some allows a select set of users to create Office 365 groups. Global administrators and User
administrators will still be able to create Office 365 groups. See Azure Active Directory cmdlets for configuring
group settings to learn how.
Restrict access to Azure AD administration portal: Setting this option to No lets non-administrators use the Azure AD
administration portal to read and manage Azure AD resources. Yes restricts all non-administrators from accessing any
Azure AD data in the administration portal. Note: this setting does not restrict access to Azure AD data using
PowerShell or other clients such as Visual Studio. When set to Yes, to grant a specific non-admin user the ability to
use the Azure AD administration portal, assign any administrative role such as the Directory Readers role. This role
allows reading basic directory information, which member users have by default (guests and service principals do
not).
Ability to read other users: This setting is available in PowerShell only. Setting this flag to $false prevents all
non-admins from reading user information from the directory. This flag does not prevent reading user information in
other Microsoft services like Exchange Online. This setting is meant for special circumstances, and setting this flag
to $false is not recommended.
NOTE
The guests user access restrictions setting replaced the Guest users permissions are limited setting. For guidance
on using this feature, see Restrict guest access permissions (preview) in Azure Active Directory.
Guests user access restrictions (Preview): Setting this option to Guest users have the same access as members grants
all member user permissions to guest users by default. Setting this option to Guest user access is restricted to
properties and memberships of their own directory objects restricts guest access to only their own user profile by
default. Access to other users is no longer allowed even when searching by User Principal Name or objectId. Access
to groups including group memberships is also no longer allowed. This setting does not prevent access to groups in
other Microsoft services like Microsoft Teams. See Microsoft Teams Guest access to learn more.
Guests can invite: Setting this option to Yes allows guests to invite other guests. See Delegate invitations for B2B
collaboration to learn more.
Members can invite: Setting this option to Yes allows non-admin members of your directory to invite guests. See
Delegate invitations for B2B collaboration to learn more.
Admins and users in the guest inviter role can invite: Setting this option to Yes allows admins and users in the
"Guest Inviter" role to invite guests. When set to Yes, users in the Guest inviter role will still be able to invite
guests, regardless of the Members can invite setting. See Delegate invitations for B2B collaboration to learn more.
Object ownership
Application registration owner permissions
When a user registers an application, they are automatically added as an owner for the application. As an
owner, they can manage the metadata of the application, such as the name and permissions the app requests.
They can also manage the tenant-specific configuration of the application, such as the SSO configuration and
user assignments. An owner can also add or remove other owners. Unlike Global Administrators, owners can
only manage applications they own.
Enterprise application owner permissions
When a user adds a new enterprise application, they are automatically added as an owner. As an owner, they
can manage the tenant-specific configuration of the application, such as the SSO configuration, provisioning,
and user assignments. An owner can also add or remove other owners. Unlike Global Administrators, owners
can manage only the applications they own.
Group owner permissions
When a user creates a group, they are automatically added as an owner for that group. As an owner, they can
manage properties of the group such as the name, as well as manage group membership. An owner can also
add or remove other owners. Unlike Global administrators and User administrators, owners can only manage
groups they own. To assign a group owner, see Managing owners for a group.
Ownership Permissions
The following tables describe the specific permissions in Azure Active Directory member users have over
owned objects. The user only has these permissions on objects they own.
Owned application registrations
Users can perform the following actions on owned application registrations.
Owned devices
Users can perform the following actions on owned devices.
Owned groups
Users can perform the following actions on owned groups.
Next steps
To learn more about the guests user access restrictions setting, see Restrict guest access permissions
(preview) in Azure Active Directory.
To learn more about how to assign Azure AD administrator roles, see Assign a user to administrator roles
in Azure Active Directory
To learn more about how resource access is controlled in Microsoft Azure, see Understanding resource
access in Azure
For more information on how Azure Active Directory relates to your Azure subscription, see How Azure
subscriptions are associated with Azure Active Directory
Manage users
Classic subscription administrator roles, Azure roles,
and Azure AD roles
9/7/2020 • 7 minutes to read
If you are new to Azure, you may find it a little challenging to understand all the different roles in Azure. This
article helps explain the following roles and when you would use each:
Classic subscription administrator roles
Azure roles
Azure Active Directory (Azure AD) roles
Account Administrator (1 per Azure account)
Permissions: Access the Azure Account Center; Manage all subscriptions in an account; Create new subscriptions;
Cancel subscriptions; Change the billing for a subscription; Change the Service Administrator.
Notes: Conceptually, the billing owner of the subscription. The Account Administrator has no access to the Azure
portal.
Service Administrator (1 per Azure subscription)
Permissions: Manage services in the Azure portal; Cancel the subscription; Assign users to the Co-Administrator role.
Notes: By default, for a new subscription, the Account Administrator is also the Service Administrator. The Service
Administrator has the equivalent access of a user who is assigned the Owner role at the subscription scope. The
Service Administrator has full access to the Azure portal.
In the Azure portal, you can manage Co-Administrators or view the Service Administrator by using the Classic
administrators tab.
In the Azure portal, you can view or change the Service Administrator or view the Account Administrator on the
properties blade of your subscription.
Azure roles
Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access
management to Azure resources, such as compute and storage. Azure RBAC includes over 70 built-in roles. There
are four fundamental Azure roles. The first three apply to all resource types:
Owner
Permissions: Full access to all resources; Delegate access to others.
Notes: The Service Administrator and Co-Administrators are assigned the Owner role at the subscription scope. Applies
to all resource types.
Contributor
Permissions: Create and manage all types of Azure resources; Create a new tenant in Azure Active Directory; Cannot
grant access to others.
Notes: Applies to all resource types.
The rest of the built-in roles allow management of specific Azure resources. For example, the Virtual Machine
Contributor role allows the user to create and manage virtual machines. For a list of all the built-in roles, see Azure
built-in roles.
Only the Azure portal and the Azure Resource Manager APIs support Azure RBAC. Users, groups, and applications
that are assigned Azure roles cannot use the Azure classic deployment model APIs.
In the Azure portal, role assignments using Azure RBAC appear on the Access control (IAM) blade. This blade
can be found throughout the portal, such as management groups, subscriptions, resource groups, and various
resources.
When you click the Roles tab, you will see the list of built-in and custom roles.
For more information, see Add or remove Azure role assignments using the Azure portal.
Azure AD roles
Azure AD roles are used to manage Azure AD resources in a directory such as create or edit users, assign
administrative roles to others, reset user passwords, manage user licenses, and manage domains. The following
table describes a few of the more important Azure AD roles.
Global Administrator
Permissions: Manage access to all administrative features in Azure Active Directory, as well as services that federate
to Azure Active Directory; Assign administrator roles to others; Reset the password for any user and all other
administrators.
Notes: The person who signs up for the Azure Active Directory tenant becomes a Global Administrator.
In the Azure portal, you can see the list of Azure AD roles on the Roles and administrators blade. For a list of all
the Azure AD roles, see Administrator role permissions in Azure Active Directory.
Differences between Azure roles and Azure AD roles
At a high level, Azure roles control permissions to manage Azure resources, while Azure AD roles control
permissions to manage Azure Active Directory resources. The following table compares some of the differences.
AZURE ROLES | AZURE AD ROLES
Manage access to Azure resources | Manage access to Azure Active Directory resources
Scope can be specified at multiple levels (management group, subscription, resource group, resource) | Scope is at the
tenant level
Role information can be accessed in Azure portal, Azure CLI, Azure PowerShell, Azure Resource Manager templates, REST
API | Role information can be accessed in Azure admin portal, Microsoft 365 admin center, Microsoft Graph, AzureAD
PowerShell
Microsoft paid cloud services, such as Office 365, Enterprise Mobility + Security, Dynamics 365, and other similar
products, require licenses. These licenses are assigned to each user who needs access to these services. To manage
licenses, administrators use one of the management portals (Office or Azure) and PowerShell cmdlets. Azure
Active Directory (Azure AD) is the underlying infrastructure that supports identity management for all Microsoft
cloud services. Azure AD stores information about license assignment states for users.
Until now, licenses could only be assigned at the individual user level, which can make large-scale management
difficult. For example, to add or remove user licenses based on organizational changes, such as users joining or
leaving the organization or a department, an administrator often must write a complex PowerShell script. This
script makes individual calls to the cloud service.
To address those challenges, Azure AD now includes group-based licensing. You can assign one or more product
licenses to a group. Azure AD ensures that the licenses are assigned to all members of the group. Any new
members who join the group are assigned the appropriate licenses. When they leave the group, those licenses are
removed. This licensing management eliminates the need for automating license management via PowerShell to
reflect changes in the organization and departmental structure on a per-user basis.
Licensing requirements
You must have one of the following licenses to use group-based licensing:
Paid or trial subscription for Azure AD Premium P1 and above
Paid or trial edition of Office 365 Enterprise E3 or Office 365 A3 or Office 365 GCC G3 or Office 365 E3 for
GCCH or Office 365 E3 for DOD and above
Required number of licenses
For any groups assigned a license, you must also have a license for each unique member. While you don't have to
assign each member of the group a license, you must have at least enough licenses to include all of the members.
For example, if you have 1,000 unique members who are part of licensed groups in your tenant, you must have at
least 1,000 licenses to meet the licensing agreement.
Features
Here are the main features of group-based licensing:
Licenses can be assigned to any security group in Azure AD. Security groups can be synced from on-premises by using Azure AD Connect. You can also create security groups directly in Azure AD (also called cloud-only groups), or automatically via the Azure AD dynamic group feature.
When a product license is assigned to a group, the administrator can disable one or more service plans in
the product. Typically, this assignment is done when the organization is not yet ready to start using a
service included in a product. For example, the administrator might assign Office 365 to a department, but
temporarily disable the Yammer service.
All Microsoft cloud services that require user-level licensing are supported. This support includes all Office
365 products, Enterprise Mobility + Security, and Dynamics 365.
Group-based licensing is currently available only through the Azure portal. If you primarily use other
management portals for user and group management, such as the Microsoft 365 admin center, you can
continue to do so. But you should use the Azure portal to manage licenses at group level.
Azure AD automatically manages license modifications that result from group membership changes.
Typically, license modifications are effective within minutes of a membership change.
A user can be a member of multiple groups with license policies specified. A user can also have some
licenses that were directly assigned, outside of any groups. The resulting user state is a combination of all
assigned product and service licenses. If a user is assigned the same license from multiple sources, the license
is consumed only once.
In some cases, licenses cannot be assigned to a user. For example, there might not be enough available
licenses in the tenant, or conflicting services might have been assigned at the same time. Administrators
have access to information about users for whom Azure AD could not fully process group licenses. They
can then take corrective action based on that information.
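The two checks a tenant administrator most often needs here are the one described under "Required number of licenses" (enough purchased seats to cover every unique member of a licensed group) and the last feature above (finding users whose group licenses Azure AD could not fully process). The following is an added example, not code from the Azure AD documentation or the MSOnline module's own samples; it assumes `Connect-MsolService` has already been run, that the `Licenses` collection on a group returned by `Get-MsolGroup` exposes an `AccountSkuId` property, and that `Get-MsolUser` objects expose `IndirectLicenseErrors` (all labelled as assumptions in the comments).

```powershell
# Added example (not from the Azure AD docs): audit group-based licensing with the MSOnline module.
# Assumptions: Connect-MsolService has been run; $group.Licenses items carry AccountSkuId;
# Get-MsolUser exposes IndirectLicenseErrors for users whose group licenses failed to apply.

# Purchased (ActiveUnits) and consumed seats per SKU, e.g. contoso:ENTERPRISEPACK
$skus = Get-MsolAccountSku

# Groups that carry at least one license assignment
$licensedGroups = Get-MsolGroup -All | Where-Object { $_.Licenses }

# Map each SKU id to the set of unique member object ids across every group assigned that SKU.
# A user in two licensed groups is counted once, matching how the seat is consumed.
$membersBySku = @{}
foreach ($group in $licensedGroups) {
    $members = Get-MsolGroupMember -GroupObjectId $group.ObjectId -All
    foreach ($license in $group.Licenses) {
        $skuId = $license.AccountSkuId   # assumption: property name on the group's license entry
        if (-not $membersBySku.ContainsKey($skuId)) { $membersBySku[$skuId] = @{} }
        foreach ($m in $members) { $membersBySku[$skuId][$m.ObjectId.ToString()] = $true }
    }
}

function Get-LicenseCoverageReport {
    # One line per SKU: SHORTFALL when unique licensed-group members exceed purchased seats
    foreach ($sku in $skus) {
        $needed = 0
        if ($membersBySku.ContainsKey($sku.AccountSkuId)) { $needed = $membersBySku[$sku.AccountSkuId].Count }
        [pscustomobject]@{
            AccountSkuId       = $sku.AccountSkuId
            ActiveUnits        = $sku.ActiveUnits
            ConsumedUnits      = $sku.ConsumedUnits
            UniqueGroupMembers = $needed
            Status             = if ($needed -gt $sku.ActiveUnits) { 'SHORTFALL' } else { 'ok' }
        }
    }
}

Get-LicenseCoverageReport | Format-Table -AutoSize

# Users for whom Azure AD could not fully process group licenses
# (not enough seats, conflicting service plans, ...). Inspect and fix these individually.
Get-MsolUser -All |
    Where-Object { $_.IndirectLicenseErrors } |
    Select-Object UserPrincipalName, IndirectLicenseErrors
```

Run the coverage report before adding a large group to a license: a `SHORTFALL` line means some members will end up in the error list rather than licensed.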
Next steps
To learn more about other scenarios for license management through group-based licensing, see:
Assigning licenses to a group in Azure Active Directory
Identifying and resolving license problems for a group in Azure Active Directory
How to migrate individual licensed users to group-based licensing in Azure Active Directory
How to migrate users between product licenses using group-based licensing in Azure Active Directory
Azure Active Directory group-based licensing additional scenarios
PowerShell examples for group-based licensing in Azure Active Directory
Manage app and resource access using Azure Active
Directory groups
9/7/2020 • 3 minutes to read
Azure Active Directory (Azure AD) lets you use groups to manage access to your cloud-based apps, on-premises
apps, and your resources. Your resources can be part of the Azure AD organization, such as permissions to manage
objects through roles in Azure AD, or external to the organization, such as for Software as a Service (SaaS) apps,
Azure services, SharePoint sites, and on-premises resources.
NOTE
In the Azure portal, you can see some groups whose membership and group details you can't manage in the portal:
Groups synced from on-premises Active Directory can be managed only in on-premises Active Directory.
Other group types such as distribution lists and mail-enabled security groups are managed only in Exchange admin center
or Microsoft 365 admin center. You must sign in to Exchange admin center or Microsoft 365 admin center to manage
these groups.
External authority assignment. Access comes from an external source, such as an on-premises directory
or a SaaS app. In this situation, the resource owner assigns a group to provide access to the resource and
then the external source manages the group members.
Next steps
Now that you have a bit of an introduction to access management using groups, you can start to manage your
resources and apps.
Create a new group using Azure Active Directory or Create and manage a new group using PowerShell
cmdlets
Use groups to assign access to an integrated SaaS app
Sync an on-premises group to Azure using Azure AD Connect
Add or delete users using Azure Active Directory
9/7/2020 • 3 minutes to read
Add new users or delete existing users from your Azure Active Directory (Azure AD) organization. To add or
delete users you must be a User administrator or Global administrator.
Delete a user
You can delete an existing user using the Azure Active Directory portal.
To delete a user, follow these steps:
1. Sign in to the Azure portal using a User administrator account for the organization.
2. Search for and select Azure Active Directory from any page.
3. Search for and select the user you want to delete from your Azure AD tenant. For example, Mary Parker.
4. Select Delete user .
The user is deleted and no longer appears on the Users - All users page. The user can be seen on the Deleted
users page for the next 30 days and can be restored during that time. For more information about restoring a
user, see Restore or remove a recently deleted user using Azure Active Directory.
When a user is deleted, any licenses consumed by the user are made available for other users.
NOTE
You must use Windows Server Active Directory to update the identity, contact information, or job information for users
whose source of authority is Windows Server Active Directory. After you complete your update, you must wait for the next
synchronization cycle to complete before you'll see the changes.
Next steps
After you've added your users, you can do the following basic processes:
Add or change profile information
Assign roles to users
Create a basic group and add members
Work with dynamic groups and users
Or you can do other user management tasks, such as adding guest users from another directory or restoring a
deleted user. For more information about other available actions, see Azure Active Directory user management
documentation.
Bulk create users in Azure Active Directory
9/7/2020 • 3 minutes to read
Azure Active Directory (Azure AD) supports bulk user create and delete operations and supports downloading lists
of users. Just fill out the comma-separated values (CSV) template that you can download from the Azure AD portal.
Required permissions
In order to bulk create users in the administration portal, you must be signed in as a Global administrator or User
administrator.
WARNING
If you are adding only one entry using the CSV template, you must preserve row 3 and add your new entry to row 4.
4. Open the CSV file and add a line for each user you want to create. The only required values are Name , User
principal name , Initial password and Block sign in (Yes/No) . Then save the file.
5. On the Bulk create user page, under Upload your CSV file, browse to the file. When you select the file and
click Submit , validation of the CSV file starts.
6. After the file contents are validated, you’ll see File uploaded successfully . If there are errors, you must fix
them before you can submit the job.
7. When your file passes validation, select Submit to start the Azure bulk operation that imports the new
users.
8. When the import operation completes, you'll see a notification of the bulk operation job status.
If there are errors, you can download and view the results file on the Bulk operation results page. The file
contains the reason for each error. The file submission must match the provided template and include the exact
column names.
Check status
You can see the status of all of your pending bulk requests in the Bulk operation results page.
Next, you can check to see that the users you created exist in the Azure AD organization either in the Azure portal
or by using PowerShell.
You should see that the users that you created are listed.
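The verification step above can be scripted so that the same CSV you submitted is checked row by row against the directory. This is an added example, not code from the Azure AD documentation; it assumes the AzureAD PowerShell module is loaded and `Connect-AzureAD` has been run, that row 1 of the template is a version line and row 2 holds the column headers (as the WARNING about preserving row 3 implies), and that the heading of the user principal name column contains the word "principal" (the article calls it "User principal name"). The file path is a placeholder.

```powershell
# Added example (not from the Azure AD docs): confirm that every user listed in the bulk-create
# CSV now exists in Azure AD. Assumptions: AzureAD module loaded and Connect-AzureAD run; row 1 of
# the template is a version line, row 2 the headers; the UPN column heading contains "principal".
param([string]$CsvPath = '.\bulk-create-users.csv')   # placeholder path

# Skip the version row so that the header row becomes the property names
$rows = Get-Content -Path $CsvPath | Select-Object -Skip 1 | ConvertFrom-Csv

$upnColumn = $rows[0].PSObject.Properties.Name |
    Where-Object { $_ -match 'principal' } | Select-Object -First 1
if (-not $upnColumn) { throw "Could not find the user principal name column in $CsvPath" }

$results = foreach ($row in $rows) {
    $upn = $row.$upnColumn
    if ([string]::IsNullOrWhiteSpace($upn)) { continue }
    try {
        # -ObjectId accepts either an object id or a user principal name;
        # -ErrorAction Stop turns "not found" into a catchable error
        $user = Get-AzureADUser -ObjectId $upn -ErrorAction Stop
        [pscustomobject]@{ UserPrincipalName = $upn; Exists = $true;  AccountEnabled = $user.AccountEnabled }
    } catch {
        [pscustomobject]@{ UserPrincipalName = $upn; Exists = $false; AccountEnabled = $null }
    }
}

$results | Format-Table -AutoSize

# Rows that did not make it are the ones to look up in the Bulk operation results file
$missing = @($results | Where-Object { -not $_.Exists })
if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) user(s) from the CSV were not found in Azure AD."
}
```

The `AccountEnabled` column lets you confirm at the same time that the "Block sign in" value in the file took effect for each new account.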
Next steps
Bulk delete users
Download list of users
Bulk restore users
Add or update a user's profile information using
Azure Active Directory
9/7/2020 • 2 minutes to read
Add user profile information, including a profile picture, job-specific information, and some settings using Azure
Active Directory (Azure AD). For more information about adding new users, see How to add or delete users in
Azure Active Directory.
3. Select Edit to optionally add or update the information included in each of the available sections.
Profile picture. Select a thumbnail image for the user's account. This picture appears in Azure
Active Directory and on the user's personal pages, such as the myapps.microsoft.com page.
Identity. Add or update an additional identity value for the user, such as a married last name. You
can set this name independently from the values of First name and Last name. For example, you
could use it to include initials, a company name, or to change the sequence of names shown. In
another example, for two users whose names are ‘Chris Green’ you could use the Identity string to
set their names to 'Chris B. Green' 'Chris R. Green (Contoso).'
Job info. Add any job-related information, such as the user's job title, department, or manager.
Settings. Decide whether the user can sign in to the Azure Active Directory tenant. You can also specify
the user's global location.
Contact info. Add any relevant contact information for the user, except that the phone or mobile
contact info of users in administrator roles can be updated only by a global administrator.
Authentication contact info. Verify this information to make sure there's an active phone
number and email address for the user. This information is used by Azure Active Directory to make
sure the user is really the user during sign-in. Authentication contact info can be updated only by a
global administrator.
4. Select Save .
All your changes are saved for the user.
NOTE
You must use Windows Server Active Directory to update the identity, contact info, or job info for users whose
source of authority is Windows Server Active Directory. After you complete your update, you must wait for the next
synchronization cycle to complete before you'll see the changes.
Next steps
After you've updated your users' profiles, you can perform the following basic processes:
Add or delete users
Assign roles to users
Create a basic group and add members
Or you can perform other user management tasks, such as assigning delegates, using policies, and sharing user
accounts. For more information about other available actions, see Azure Active Directory user management
documentation.
Manage your users with My Staff (preview)
9/7/2020 • 5 minutes to read
My Staff enables you to delegate to a figure of authority, such as a store manager or a team lead, the permissions to
ensure that their staff members are able to access their Azure AD accounts. Instead of relying on a central helpdesk,
organizations can delegate common tasks such as resetting passwords or changing phone numbers to a team
manager. With My Staff, a user who can't access their account can regain access in just a couple of clicks, with no
helpdesk or IT staff required.
Before you configure My Staff for your organization, we recommend that you review this documentation as well as
the user documentation to ensure you understand the functionality and impact of this feature on your users. You
can leverage the user documentation to train and prepare your users for the new experience and help to ensure a
successful rollout.
SMS-based authentication for users is a public preview feature of Azure Active Directory. For more information
about previews, see Supplemental Terms of Use for Microsoft Azure Previews.
NOTE
Only users who've been assigned an admin role can access My Staff. If you enable My Staff for a user who is not assigned an
admin role, they won't be able to access My Staff.
Conditional access
You can protect the My Staff portal using Azure AD Conditional Access policy. Use it for tasks like requiring multi-
factor authentication before accessing My Staff.
We strongly recommend that you protect My Staff using Azure AD Conditional Access policies. To apply a
Conditional Access policy to My Staff, you must manually create the My Staff service principal using PowerShell.
Apply a Conditional Access policy to My Staff
1. Install the Microsoft Graph Beta PowerShell cmdlets.
2. Run the following commands:
3. Create a Conditional Access policy that applies to the My Staff cloud application.
Using My Staff
When a user goes to My Staff, they are shown the names of the administrative units over which they have
administrative permissions. In the My Staff user documentation, we use the term "location" to refer to
administrative units. If an administrator's permissions do not have an AU scope, the permissions apply across the
organization. After My Staff has been enabled, the users who are enabled and have been assigned an administrative
role can access it through https://mystaff.microsoft.com. They can select an AU to view the users in that AU, and
select a user to open their profile.
The user is required to change their password the next time they sign in.
Search
You can search for AUs and users in your organization using the search bar in My Staff. You can search across all
AUs and users in your organization, but you can only make changes to users who are in an AU over which you have
been given admin permissions.
You can also search for a user within an AU. To do this, use the search bar at the top of the user list.
Audit logs
You can view audit logs for actions taken in My Staff in the Azure Active Directory portal. If an audit log was
generated by an action taken in My Staff, you will see this indicated under ADDITIONAL DETAILS in the audit event.
Next steps
My Staff user documentation
Administrative units documentation
Download a list of users in Azure Active Directory
portal
9/7/2020 • 2 minutes to read
Azure Active Directory (Azure AD) supports bulk user import (create) operations.
Required permissions
To download the list of users from the Azure AD admin center, you must be signed in with a user assigned to one
or more organization-level administrator roles in Azure AD (User Administrator is the minimum role required).
Guest inviter and application developer are not considered administrator roles.
Check status
You can see the status of your pending bulk requests in the Bulk operation results page.
Next steps
Bulk add users
Bulk delete users
Bulk restore users
Sharing accounts with Azure AD
9/7/2020 • 3 minutes to read
Overview
Sometimes organizations need to use a single username and password for multiple people, which typically
happens in two cases:
When accessing applications that require a unique sign-in and password for each user, whether on-premises
apps or consumer cloud services (for example, corporate social media accounts).
When creating multi-user environments. You might have a single, local account that has elevated privileges and
is used to do core setup, administration, and recovery activities. For example, the local "global administrator"
account for Office 365 or the root account in Salesforce.
Traditionally, these accounts are shared by distributing the credentials (username and password) to the right
individuals or storing them in a shared location where multiple trusted agents can access them.
The traditional sharing model has several drawbacks:
Enabling access to new applications requires you to distribute credentials to everyone that needs access.
Each shared application may require its own unique set of shared credentials, requiring users to remember
multiple sets of credentials. When users have to remember many credentials, the risk increases that they resort
to risky practices (for example, writing down passwords).
You can't tell who has access to an application.
You can't tell who has accessed an application.
When you want to remove access to an application, you have to update the credentials and redistribute them to
everyone that needs access to that application.
Sharing an account
To use Azure AD to share an account, you need to:
Add an application from the app gallery, or add a custom application
Configure the application for password Single Sign-On (SSO)
Use group-based assignment and select the option to enter a shared credential
You can also make your shared account more secure with Multi-Factor Authentication (MFA) (learn more about
securing applications with Azure AD) and you can delegate the ability to manage who has access to the application
using Azure AD self-service group management.
Next steps
Application Management in Azure Active Directory
Protecting apps with Conditional Access
Self-service group management/SSAA
Assign administrator and non-administrator roles to
users with Azure Active Directory
9/7/2020 • 2 minutes to read
In Azure Active Directory (Azure AD), if one of your users needs permission to manage Azure AD resources, you
must assign them to a role that provides the permissions they need. For info on which roles manage Azure
resources and which roles manage Azure AD resources, see Classic subscription administrator roles, Azure roles,
and Azure AD roles.
For more information about the available Azure AD roles, see Assigning administrator roles in Azure Active
Directory. To add users, see Add new users to Azure Active Directory.
Assign roles
A common way to assign Azure AD roles to a user is on the Assigned roles page for a user. You can also configure
the user eligibility to be elevated just-in-time into a role using Privileged Identity Management (PIM). For more
information about how to use PIM, see Privileged Identity Management.
NOTE
If you have an Azure AD Premium P2 license plan and already use PIM, all role management tasks are performed in the
Privileged Identity Management experience. This feature is currently limited to assigning only one role at a time. You can't
currently select multiple roles and assign them to a user all at once.
The Application administrator role is removed from Alain Charon and it no longer appears on the Alain
Charon - Administrative roles page.
Next steps
Add or delete users
Add or change profile information
Add guest users from another directory
Other user management tasks you can check out are available in Azure Active Directory user management
documentation.
User management enhancements (preview) in Azure
Active Directory
9/7/2020 • 5 minutes to read
This article describes how to use the enhanced user management preview in the Azure Active Directory (Azure AD)
portal. The All users and Deleted users pages have been updated to provide more information and make it
easier to find users. For more information about previews, see Supplemental Terms of Use for Microsoft Azure
Previews.
Changes in the preview include:
More visible user properties including object ID, directory sync status, creation type, and identity issuer
Search now allows combined search of names, emails, and object IDs
Enhanced filtering by user type (member and guest), directory sync status, and creation type
NOTE
This preview is currently not available for Azure AD B2C tenants.
Question: What happened to the bulk capabilities for users and guests?
Answer: The bulk operations are all still available for users and guests, including bulk create, bulk invite, bulk delete, and download users. We've just merged them into a menu called Bulk operations. You can find the Bulk operations options at the top of the All users page.
Question: What happened to the Source column?
Answer: The Source column has been replaced with other columns that provide similar information, while allowing you to filter on those values independently. Examples include Creation type, Directory synced and Identity issuer.
Question: What happened to the User Name column?
Answer: The User Name column is still there, but it's been renamed to User Principal Name. This better reflects the information contained in that column. You'll also notice that the full User Principal Name is now displayed for B2B guests. This matches what you'd get in MS Graph.
Question: Why can I only perform a "starts with" search and not a "contains" search?
Answer: There are some limitations that prevent us from allowing you to perform a "contains" search. We've heard the feedback, so stay tuned.
Question: Why can't I sort the columns?
Answer: There are some limitations that prevent us from allowing you to sort the columns. We've heard the feedback, so stay tuned.
Question: Why can I only filter the Directory synced column by Yes?
Answer: There are some limitations that prevent us from allowing you to filter this property by the No value. We've heard the feedback, so stay tuned.
Next steps
User operations
Add or change profile information
Add or delete users
Bulk operations
Download list of users
Bulk add users
Bulk delete users
Bulk restore users
Bulk delete users in Azure Active Directory
9/7/2020 • 2 minutes to read
Using the Azure Active Directory (Azure AD) portal, you can remove a large number of users by using a
comma-separated values (CSV) file to bulk delete them.
5. On the Bulk delete user page, under Upload your csv file , browse to the file. When you select the file
and click submit, validation of the CSV file starts.
6. When the file contents are validated, you’ll see File uploaded successfully . If there are errors, you must
fix them before you can submit the job.
7. When your file passes validation, select Submit to start the Azure bulk operation that deletes the users.
8. When the deletion operation completes, you'll see a notification that the bulk operation succeeded.
If there are errors, you can download and view the results file on the Bulk operation results page. The file
contains the reason for each error.
Check status
You can see the status of all of your pending bulk requests in the Bulk operation results page.
Next, you can check that the users you deleted no longer exist in the Azure AD organization, either in the Azure portal
or by using PowerShell.
Verify that the users that you deleted are no longer listed.
Next steps
Bulk add users
Download list of users
Bulk restore users
Restore or remove a recently deleted user using
Azure Active Directory
9/7/2020 • 2 minutes to read
After you delete a user, the account remains in a suspended state for 30 days. During that 30-day window, the user
account can be restored, along with all its properties. After that 30-day window passes, the user is automatically,
and permanently, deleted.
You can view your restorable users, restore a deleted user, or permanently delete a user using Azure Active
Directory (Azure AD) in the Azure portal.
IMPORTANT
Neither you nor Microsoft customer support can restore a permanently deleted user.
Required permissions
You must have one of the following roles to restore and permanently delete users.
Global administrator
Partner Tier1 Support
Partner Tier2 Support
User administrator
NOTE
Once a user is restored, licenses that were assigned to the user at the time of deletion are also restored even if there are no
seats available for those licenses. If you are then consuming more licenses than you purchased, your organization
could be temporarily out of compliance for license usage.
To restore a user
1. On the Users - Deleted users page, search for and select one of the available users. For example, Mary
Parker.
2. Select Restore user .
NOTE
If you permanently delete a user by mistake, you'll have to create a new user and manually enter all the previous
information. For more information about creating a new user, see Add or delete users.
Azure Active Directory (Azure AD) supports bulk user restore operations and supports downloading lists of users,
groups, and group members.
5. On the Bulk restore page, under Upload your csv file , browse to the file. When you select the file and
click Submit , validation of the CSV file starts.
6. When the file contents are validated, you’ll see File uploaded successfully . If there are errors, you must
fix them before you can submit the job.
7. When your file passes validation, select Submit to start the Azure bulk operation that restores the users.
8. When the restore operation completes, you'll see a notification that the bulk operation succeeded.
If there are errors, you can download and view the results file on the Bulk operation results page. The file
contains the reason for each error.
Check status
You can see the status of all of your pending bulk requests in the Bulk operation results page.
Next, you can check to see that the users you restored exist in the Azure AD organization either in the Azure portal
or by using PowerShell.
You should see that the users that you restored are listed.
Next steps
Bulk import users
Bulk delete users
Download list of users
Revoke user access in Azure Active Directory
9/7/2020 • 4 minutes to read
Scenarios that could require an administrator to revoke all access for a user include compromised
accounts, employee termination, and other insider threats. Depending on the complexity of the environment,
administrators can take several steps to ensure access is revoked. In some scenarios, there could be a period
between initiation of access revocation and when access is effectively revoked.
To mitigate the risks, you must understand how tokens work. There are many kinds of tokens, which fall into one of
the patterns mentioned in the sections below.
2. Reset the user’s password twice in the Active Directory. Refer to Set-ADAccountPassword.
NOTE
The reason for changing a user’s password twice is to mitigate the risk of pass-the-hash, especially if there are delays
in on-premises password replication. If you can safely assume this account isn't compromised, you may reset the
password only once.
IMPORTANT
Don't use the example passwords in the following cmdlets. Be sure to change the passwords to a random string.
Optional steps
Wipe corporate data from Intune-managed applications.
Wipe corporate-owned devices by resetting the device to factory default settings.
NOTE
Data on the device cannot be recovered after a wipe.
When access is revoked
Once admins have taken the above steps, the user can't gain new tokens for any application tied to Azure Active
Directory. The elapsed time between revocation and the user losing their access depends on how the application is
granting access:
For applications using access tokens , the user loses access when the access token expires.
For applications that use session tokens , the existing sessions end as soon as the token expires. If the
disabled state of the user is synchronized to the application, the application can automatically revoke the
user’s existing sessions if it's configured to do so. The time it takes depends on the frequency of
synchronization between the application and Azure AD.
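The revocation steps in this article (disabling the account so no new tokens are issued, and resetting the on-premises password twice as in step 2) can be run as one script in a hybrid tenant. This is an added example, not code from the Azure AD documentation; it assumes the AzureAD and ActiveDirectory PowerShell modules are loaded, that `Connect-AzureAD` has been run, and that the Azure AD-side steps are disabling the account, revoking refresh tokens and disabling registered devices (an assumption about which steps precede step 2 on this page). The UPN and sAMAccountName are placeholders, and the password is generated randomly, as the IMPORTANT note above requires.

```powershell
# Added example (not from the Azure AD docs): revoke a user's access in a hybrid tenant.
# Assumptions: AzureAD and ActiveDirectory modules loaded, Connect-AzureAD already run.
param(
    [string]$Upn = 'user@contoso.example',   # placeholder user principal name
    [string]$OnPremIdentity = 'user'         # placeholder sAMAccountName in on-premises AD
)

function New-RandomPassword {
    # Cryptographically random password as a SecureString; never reuse an example string.
    param([int]$Length = 24)
    $chars = [char[]](33..126)                     # 94 printable ASCII characters, no space
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $sb = New-Object System.Text.StringBuilder
    $buf = New-Object byte[] 1
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        # Rejection sampling: accept only bytes below 188 (= 2 * 94) to avoid modulo bias
        if ($buf[0] -lt 188) { [void]$sb.Append($chars[$buf[0] % 94]) }
    }
    return (ConvertTo-SecureString -String $sb.ToString() -AsPlainText -Force)
}

# 1. Block sign-in in Azure AD so that no new tokens are issued to the user.
Set-AzureADUser -ObjectId $Upn -AccountEnabled $false

# 2. Invalidate refresh tokens. Access tokens already issued remain valid until they expire,
#    which is the delay described under "When access is revoked".
Revoke-AzureADUserAllRefreshToken -ObjectId $Upn

# 3. Disable the user's registered devices so they cannot be used to obtain new tokens.
Get-AzureADUserRegisteredDevice -ObjectId $Upn -All $true |
    ForEach-Object { Set-AzureADDevice -ObjectId $_.ObjectId -AccountEnabled $false }

# 4. On-premises Active Directory: disable the account and reset the password twice
#    (twice mitigates pass-the-hash while the old hash is still replicating; see the NOTE).
Disable-ADAccount -Identity $OnPremIdentity
1..2 | ForEach-Object {
    Set-ADAccountPassword -Identity $OnPremIdentity -Reset -NewPassword (New-RandomPassword)
}
```

After the script runs, the on-premises disabled state still has to reach Azure AD through the next Azure AD Connect synchronization cycle, so the Azure AD-side disable in step 1 is what closes the window immediately.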
Next steps
Secure access practices for Azure AD administrators
Add or update user profile information
Close your work or school account in an unmanaged
Azure AD organization
9/7/2020 • 2 minutes to read
If you are a user in an unmanaged Azure Active Directory (Azure AD) organization, and you no longer need to use
apps from that organization or maintain any association with it, you can close your account at any time. An
unmanaged organization does not have a Global administrator. Users in an unmanaged organization can close
their accounts on their own, without having to contact an administrator.
Users in an unmanaged organization are often created during self-service sign-up. An example might be an
information worker in an organization who signs up for a free service. For more information about self-service
sign-up, see What is self-service sign-up for Azure Active Directory?.
NOTE
This article provides steps for how to delete personal data from the device or service and can be used to support your
obligations under the GDPR. If you’re looking for general info about GDPR, see the GDPR section of the Service Trust portal.
WARNING
Closing your account is irreversible. When you close your account, all personal data will be removed. You will no longer have
access to your account and data associated with your account.
Next steps
What is self-service sign-up for Azure Active Directory?
Delete the user from Unmanaged Tenant
Accessing and exporting system-generated logs for Unmanaged Tenants
Restrict guest access permissions (preview) in Azure
Active Directory
9/7/2020 • 4 minutes to read
Azure Active Directory (Azure AD) allows you to restrict what external guest users can see in their organization in
Azure AD. Guest users are set to a limited permission level by default in Azure AD, while the default for member
users is the full set of default user permissions. This is a preview of a new guest user permission level in your
Azure AD organization's external collaboration settings for even more restricted access, so your guest access
choices now are:
Same as member users: Guests have the same access to Azure AD resources as member users.
Limited access (default): Guests can see membership of all non-hidden groups.
When guest access is restricted, guests can view only their own user profile. Permission to view other users isn't
allowed even if the guest is searching by User Principal Name or objectId. Restricted access also restricts guest
users from seeing the membership of groups they're in. For more information about the overall default user
permissions, including guest user permissions, see What are the default user permissions in Azure Active
Directory?.
POST https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy
{
"guestUserRoleId": "2af84b1e-32c8-42b7-82bc-daa82404023b"
}
GET https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy
Example response:
{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#policies/authorizationPolicy/$entity",
    "id": "authorizationPolicy",
    "displayName": "Authorization Policy",
    "description": "Used to manage authorization related settings across the company.",
    "enabledPreviewFeatures": [],
    "guestUserRoleId": "10dae51f-b6af-4016-8d66-8c2a99b929b3",
    "permissionGrantPolicyIdsAssignedToDefaultUserRole": [
        "user-default-legacy"
    ]
}
PS C:\WINDOWS\system32> Get-AzureADMSAuthorizationPolicy
Id : authorizationPolicy
OdataType :
Description : Used to manage authorization related settings across the company.
DisplayName : Authorization Policy
EnabledPreviewFeatures : {}
GuestUserRoleId : 10dae51f-b6af-4016-8d66-8c2a99b929b3
PermissionGrantPolicyIdsAssignedToDefaultUserRole : {user-default-legacy}
NOTE
You must enter authorizationPolicy as the ID when requested.
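The Graph request and the `Get-AzureADMSAuthorizationPolicy` output above both revolve around the single `guestUserRoleId` value. The following added example, not code from the Azure AD documentation, reads that value, names the level it corresponds to using only the two role ids shown on this page, and optionally switches the tenant to the restricted level. It assumes the AzureAD PowerShell module that provides `Get-AzureADMSAuthorizationPolicy` and `Set-AzureADMSAuthorizationPolicy`, that `Connect-AzureAD` has been run, and that `Set-AzureADMSAuthorizationPolicy` takes the policy id through an `-Id` parameter (the NOTE says to enter `authorizationPolicy` as the ID when requested).

```powershell
# Added example (not from the Azure AD docs): inspect and restrict the guest permission level.
# Assumptions: AzureAD module with the *-AzureADMSAuthorizationPolicy cmdlets, Connect-AzureAD run,
# and Set-AzureADMSAuthorizationPolicy accepting -Id 'authorizationPolicy'.

# Role ids taken from the article's Graph/PowerShell examples; any other value is reported as "Other".
$GuestRoleIds = @{
    '10dae51f-b6af-4016-8d66-8c2a99b929b3' = 'Limited access (default)'
    '2af84b1e-32c8-42b7-82bc-daa82404023b' = 'Restricted access'
}
$RestrictedGuestRoleId = '2af84b1e-32c8-42b7-82bc-daa82404023b'

function Get-GuestPermissionLevel {
    $policy = Get-AzureADMSAuthorizationPolicy
    $level = $GuestRoleIds[$policy.GuestUserRoleId]
    if (-not $level) { $level = 'Other (role id not listed on this page)' }
    [pscustomobject]@{ GuestUserRoleId = $policy.GuestUserRoleId; Level = $level }
}

function Set-GuestPermissionRestricted {
    $before = Get-GuestPermissionLevel
    if ($before.GuestUserRoleId -eq $RestrictedGuestRoleId) {
        Write-Host 'Guest permissions are already restricted; nothing to change.'
        return $before
    }
    Write-Host "Changing guest permissions from '$($before.Level)' to 'Restricted access'."
    # The policy is a singleton; its id is the literal string authorizationPolicy.
    Set-AzureADMSAuthorizationPolicy -Id 'authorizationPolicy' -GuestUserRoleId $RestrictedGuestRoleId
    Get-GuestPermissionLevel
}

# Read-only by default: show the current level.
Get-GuestPermissionLevel

# Uncomment to apply after reviewing the "Services currently not supported" list below.
# Set-GuestPermissionRestricted
```

Record the value returned by `Get-GuestPermissionLevel` before changing it; there is no separate "previous value" stored in the policy, so the recorded id is what you need to revert.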
Supported Microsoft 365 services
Supported services
By supported we mean that the experience is as expected; specifically, that it is the same as the current guest experience.
Teams
Outlook (OWA)
SharePoint
Services currently not supported
Services without current support might have compatibility issues with the new guest restriction setting.
Forms
Planner in Teams
Planner app
Project
Yammer
Question: Where do these permissions apply?
Answer: These directory level permissions are enforced across Azure AD services and portals including the Microsoft Graph, PowerShell v2, the Azure portal, and My Apps portal. Microsoft 365 services leveraging Office 365 groups for collaboration scenarios are also affected, specifically Outlook, Microsoft Teams, and SharePoint.
Question: Which parts of the My Apps portal will this feature affect?
Answer: The groups functionality in the My Apps portal will honor these new permissions. This includes all paths to view the groups list and group memberships in My Apps. No changes were made to the group tile availability. The group tile availability is still controlled by the existing group setting in the Azure admin portal.
Question: Do these permissions override SharePoint or Microsoft Teams guest settings?
Answer: No. Those existing settings still control the experience and access in those applications. For example, if you see issues in SharePoint, double check your external sharing settings.
Question: What are the known compatibility issues in Planner and Yammer?
Answer: With permissions set to 'restricted', guests logged into the Planner app or accessing the Planner in Microsoft Teams won't be able to access their plans or any tasks. With permissions set to 'restricted', guests logged into Yammer won't be able to leave the group.
Question: Will my existing guest permissions be changed in my tenant?
Answer: No changes were made to your current settings. We maintain backward compatibility with your existing settings. You decide when you want to make changes.
Question: Will these permissions be set by default?
Answer: No. The existing default permissions remain unchanged. You can optionally set the permissions to be more restrictive.
Question: Are there any license requirements for this feature?
Answer: No, there are no new licensing requirements with this feature.
Next steps
To learn more about existing guest permissions in Azure AD, see What are the default user permissions in Azure
Active Directory?.
To see the Microsoft Graph API methods for restricting guest access, see authorizationPolicy resource type.
To revoke all access for a user, see Revoke user access in Azure AD.
What is Azure Active Directory?
9/7/2020 • 9 minutes to read • Edit Online
Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service, which helps
your employees sign in and access resources in:
External resources, such as Microsoft Office 365, the Azure portal, and thousands of other SaaS applications.
Internal resources, such as apps on your corporate network and intranet, along with any cloud apps
developed by your own organization. For more information about creating a tenant for your organization,
see Quickstart: Create a new tenant in Azure Active Directory.
To learn the difference between Azure AD and Active Directory Domain Services, see Compare Active Directory to
Azure Active Directory. You can also use the various Microsoft Cloud for Enterprise Architects Series posters to
better understand the core identity services in Azure, Azure AD, and Office 365.
Azure Active Directory Free. Provides user and group management, on-premises directory synchronization, basic reports, self-service password change for cloud users, and single sign-on across Azure, Office 365, and many popular SaaS apps.
Azure Active Directory Premium P1. In addition to the Free features, P1 also lets your hybrid users access both on-premises and cloud resources. It also supports advanced administration, such as dynamic groups, self-service group management, Microsoft Identity Manager (an on-premises identity and access management suite) and cloud write-back capabilities, which allow self-service password reset for your on-premises users.
Azure Active Directory Premium P2. In addition to the Free and P1 features, P2 also offers Azure Active Directory Identity Protection to help provide risk-based Conditional Access to your apps and critical company data and Privileged Identity Management to help discover, restrict, and monitor administrators and their access to resources and to provide just-in-time access when needed.
"Pay as you go" feature licenses. You can also get additional feature licenses, such as Azure Active Directory Business-to-Customer (B2C). B2C can help you provide identity and access management solutions for your customer-facing apps. For more information, see Azure Active Directory B2C documentation.
For more information about associating an Azure subscription to Azure AD, see Associate or add an Azure
subscription to Azure Active Directory and for more information about assigning licenses to your users, see How
to: Assign or remove Azure Active Directory licenses.
Application management: Manage your cloud and on-premises apps using Application Proxy, single sign-on, the My Apps portal (also known as the Access panel), and Software as a Service (SaaS) apps. For more information, see How to provide secure remote access to on-premises applications and Application Management documentation.
Azure Active Directory for developers: Build apps that sign in all Microsoft identities, get tokens to call Microsoft Graph, other Microsoft APIs, or custom APIs. For more information, see Microsoft identity platform (Azure Active Directory for developers).
Business-to-Business (B2B): Manage your guest users and external partners, while maintaining control over your own corporate data. For more information, see Azure Active Directory B2B documentation.
Business-to-Customer (B2C): Customize and control how users sign up, sign in, and manage their profiles when using your apps. For more information, see Azure Active Directory B2C documentation.
Conditional Access: Manage access to your cloud apps. For more information, see Azure AD Conditional Access documentation.
Device Management: Manage how your cloud or on-premises devices access your corporate data. For more information, see Azure AD Device Management documentation.
Hybrid identity: Use Azure Active Directory Connect and Connect Health to provide a single user identity for authentication and authorization to all resources, regardless of location (cloud or on-premises). For more information, see Hybrid identity documentation.
Managed identities for Azure resources: Provides your Azure services with an automatically managed identity in Azure AD that can authenticate any Azure AD-supported authentication service, including Key Vault. For more information, see What is managed identities for Azure resources?.
Privileged identity management (PIM): Manage, control, and monitor access within your organization. This feature includes access to resources in Azure AD and Azure, and other Microsoft Online Services, like Office 365 or Intune. For more information, see Azure AD Privileged Identity Management.
Reports and monitoring: Gain insights into the security and usage patterns in your environment. For more information, see Azure Active Directory reports and monitoring.
Terminology
To better understand Azure AD and its documentation, we recommend reviewing the following terms.
Account: An identity that has data associated with it. You cannot have an account without an identity.
Owner: This role helps you manage all Azure resources, including access. This role is built on a newer authorization system called Azure role-based access control (Azure RBAC) that provides fine-grained access management to Azure resources. For more information, see Classic subscription administrator roles, Azure roles, and Azure AD administrator roles.
Azure subscription: Used to pay for Azure cloud services. You can have many subscriptions and they're linked to a credit card.
Azure AD directory: Each Azure tenant has a dedicated and trusted Azure AD directory. The Azure AD directory includes the tenant's users, groups, and apps and is used to perform identity and access management functions for tenant resources.
Custom domain: Every new Azure AD directory comes with an initial domain name, domainname.onmicrosoft.com. In addition to that initial name, you can also add your organization's domain names, which include the names you use to do business and your users use to access your organization's resources, to the list. Adding custom domain names helps you to create user names that are familiar to your users, such as [email protected].
Microsoft account (also called MSA): Personal accounts that provide access to your consumer-oriented Microsoft products and cloud services, such as Outlook, OneDrive, Xbox LIVE, or Office 365. Your Microsoft account is created and stored in the Microsoft consumer identity account system that's run by Microsoft.
Next steps
Sign up for Azure Active Directory Premium
Associate an Azure subscription to your Azure Active Directory
Azure Active Directory Premium P2 feature deployment checklist
Managing custom domain names in your Azure Active Directory
9/7/2020 • 5 minutes to read • Edit Online
A domain name is an important part of the identifier for many directory resources: it's part of a user name or email
address for a user, part of the address for a group, and is sometimes part of the app ID URI for an application. A
resource in Azure Active Directory (Azure AD) can include a domain name that's owned by the directory that
contains the resource. Only a Global Administrator can manage domains in Azure AD.
4. Select the name of the domain that you want to be the primary domain.
5. Select the Make primary command. Confirm your choice when prompted.
You can change the primary domain name for your directory to be any verified custom domain that isn't federated.
Changing the primary domain for your directory won't change the user name for any existing users.
What to do if you change the DNS registrar for your custom domain name
If you change the DNS registrars, there are no additional configuration tasks in Azure AD. You can continue using
the domain name with Azure AD without interruption. If you use your custom domain name with Office 365,
Intune, or other services that rely on custom domain names in Azure AD, see the documentation for those services.
Next steps
Add custom domain names
Remove Exchange mail-enabled security groups in Exchange Admin Center on a custom domain name in Azure AD
ForceDelete a custom domain name with Microsoft Graph API
Delete a tenant in Azure Active Directory
9/7/2020 • 7 minutes to read • Edit Online
When an Azure AD organization (tenant) is deleted, all resources that are contained in the organization are also
deleted. Prepare your organization by minimizing its associated resources before you delete. Only an Azure Active
Directory (Azure AD) global administrator can delete an Azure AD organization from the portal.
Active (30 days for trial): Data accessible to all. Users have normal access to Office 365 files, or apps. Admins have normal access to Microsoft 365 admin center and resources.
Expired (30 days): Data accessible to all. Users have normal access to Office 365 files, or apps. Admins have normal access to Microsoft 365 admin center and resources.
Disabled (30 days): Data accessible to admin only. Users can’t access Office 365 files, or apps. Admins can access the Microsoft 365 admin center but can’t assign licenses to or update users.
Deprovisioned (30 days after Disabled): Data deleted (automatically deleted if no other services are in use). Users can’t access Office 365 files, or apps. Admins can access the Microsoft 365 admin center to purchase and manage other subscriptions.
Delete a subscription
You can put a subscription into the Deprovisioned state to be deleted in three days using the Microsoft 365 admin
center.
1. Sign in to the Microsoft 365 admin center with an account that is a global administrator in your
organization. If you are trying to delete the “Contoso” organization that has the initial default domain
contoso.onmicrosoft.com, sign in with a UPN such as [email protected].
2. Preview the new Microsoft 365 admin center by making sure the Try the new admin center toggle is
enabled.
3. Once the new admin center is enabled, you need to cancel a subscription before you can delete it. Select
Billing and select Products & services, then select Cancel subscription for the subscription you want to
cancel. You will be brought to a feedback page.
4. Complete the feedback form and select Cancel subscription to cancel the subscription.
5. You can now delete the subscription. Select Delete for the subscription you want to delete. If you cannot find
the subscription in the Products & services page, make sure you have Subscription status set to All.
6. Select Delete subscription to delete the subscription and accept the terms and conditions. All data is
permanently deleted within three days. You can reactivate the subscription during the three-day period if
you change your mind.
7. Now the subscription state has changed, and the subscription is marked for deletion. The subscription enters
the Deprovisioned state 72 hours later.
8. Once you have deleted a subscription in your organization and 72 hours have elapsed, you can sign back
into the Azure AD admin center again and there should be no required action and no subscriptions blocking
your organization deletion. You should be able to successfully delete your Azure AD organization.
Active (30 days for trial): Data accessible to all. Users have normal access to self-service sign-up product, files, or apps. Admins have normal access to Microsoft 365 admin center and resources.
4. When you select Yes , the deletion of the self-service product will be initiated. There is a notification that will
tell you of the deletion in progress.
5. Now the self-service sign-up product state has changed to Deleted. When you refresh the page, the product
should be removed from the Self-service sign-up products page.
6. Once you have deleted all the products, you can sign back into the Azure AD admin center again and there
should be no required action and no products blocking your organization deletion. You should be able to
successfully delete your Azure AD organization.
Next steps
Azure Active Directory documentation
Understand how multiple Azure Active Directory organizations interact
9/7/2020 • 2 minutes to read • Edit Online
In Azure Active Directory (Azure AD), each Azure AD organization is fully independent: a peer that is logically
independent from the other Azure AD organizations that you manage. This independence between organizations
includes resource independence, administrative independence, and synchronization independence. There is no
parent-child relationship between organizations.
Resource independence
If you create or delete an Azure AD resource in one organization, it has no impact on any resource in another
organization, with the partial exception of external users.
If you register one of your domain names with one organization, it can't be used by any other organization.
Administrative independence
If a non-administrative user of organization 'Contoso' creates a test organization 'Test,' then:
By default, the user who creates an organization is added as an external user in that new organization, and
assigned the global administrator role in that organization.
The administrators of organization 'Contoso' have no direct administrative privileges to organization 'Test,'
unless an administrator of 'Test' specifically grants them these privileges. However, administrators of 'Contoso'
can control access to organization 'Test' if they control the user account that created 'Test.'
If you add or remove an Azure AD role for a user in one organization, the change does not affect the roles that
the user is assigned in any other Azure AD organization.
Synchronization independence
You can configure each Azure AD organization independently to get data synchronized from a single instance of
either:
The Azure AD Connect tool, to synchronize data with a single AD forest.
The Azure Active Directory Connector for Forefront Identity Manager, to synchronize data with one or more on-premises forests, and/or non-Azure AD data sources.
NOTE
Unlike other Azure resources, your Azure AD organizations are not child resources of an Azure subscription. If your Azure
subscription is canceled or expired, you can still access your Azure AD organization's data using Azure PowerShell, the
Microsoft Graph API, or the Microsoft 365 admin center. You can also associate another subscription with the organization.
Next steps
For Azure AD licensing considerations and best practices, see What is Azure Active Directory licensing?.
What is self-service sign-up for Azure Active Directory?
9/7/2020 • 2 minutes to read • Edit Online
This article explains how to use self-service sign-up to populate an organization in Azure Active Directory (Azure
AD). If you want to take over a domain name from an unmanaged Azure AD organization, see Take over an
unmanaged directory as administrator.
The following flowchart explains the different combinations for these parameters and the resulting conditions for
the directory and self-service sign-up.
For more information and examples of how to use these parameters, see Set-MsolCompanySettings.
Next steps
Add a custom domain name to Azure AD
How to install and configure Azure PowerShell
Azure PowerShell
Azure Cmdlet Reference
Set-MsolCompanySettings
Close your work or school account in an unmanaged directory
Take over an unmanaged directory as administrator in Azure Active Directory
9/7/2020 • 7 minutes to read • Edit Online
This article describes two ways to take over a DNS domain name in an unmanaged directory in Azure Active
Directory (Azure AD). When a self-service user signs up for a cloud service that uses Azure AD, they are added to
an unmanaged Azure AD directory based on their email domain. For more about self-service or "viral" sign-up for
a service, see What is self-service sign-up for Azure Active Directory?
When the DNS TXT records are verified at your domain name registrar, you can manage the Azure AD
organization.
When you complete the preceding steps, you are now the global administrator of the Fourth Coffee organization
in Office 365. To integrate the domain name with your other Azure services, you can remove it from Office 365 and
add it to a different managed organization in Azure.
Adding the domain name to a managed organization in Azure AD
1. Open the Microsoft 365 admin center.
2. Select Users tab, and create a new user account with a name like [email protected]
that does not use the custom domain name.
3. Ensure that the new user account has global admin privileges for the Azure AD organization.
4. Open Domains tab in the Microsoft 365 admin center, select the domain name and select Remove .
5. If you have any users or groups in Office 365 that reference the removed domain name, they must be
renamed to the .onmicrosoft.com domain. If you force delete the domain name, all users are automatically
renamed, in this example to [email protected].
6. Sign in to the Azure AD admin center with an account that is the global admin for the Azure AD
organization.
7. Select Custom domain names , then add the domain name. You'll have to enter the DNS TXT records to
verify ownership of the domain name.
NOTE
Any users of Power BI or Azure Rights Management service who have licenses assigned in the Office 365 organization must
save their dashboards if the domain name is removed. They must sign in with a user name like
[email protected] rather than [email protected].
new-msoldomain -name <domainname>: Adds the domain name to the organization as Unverified (no DNS verification has been performed yet).
get-msoldomain: The domain name is now included in the list of domain names associated with your managed organization, but is listed as Unverified.
get-msoldomainverificationdns -Domainname <domainname> -Mode DnsTxtRecord: Provides the information to put into a new DNS TXT record for the domain (MS=xxxxx). Verification might not happen immediately because it takes some time for the TXT record to propagate, so wait a few minutes before considering the -ForceTakeover option.
confirm-msoldomain -Domainname <domainname> -ForceTakeover Force: If your domain name is still not verified, you can proceed with the -ForceTakeover option. It verifies that the TXT record was created and kicks off the takeover process. The -ForceTakeover option should be added to the cmdlet only when forcing an external admin takeover, such as when the unmanaged organization has Office 365 services blocking the takeover.
get-msoldomain: The domain list now shows the domain name as Verified.
NOTE
The unmanaged Azure AD organization is deleted 10 days after you exercise the external takeover force option.
PowerShell example
1. Connect to Azure AD using the credentials that were used to respond to the self-service offering:
Get-MsolDomain
For example:
4. Copy the value (the challenge) that is returned from this command. For example:
MS=32DD01B82C05D27151EA9AE93C5890787F0E65D9
5. In your public DNS namespace, create a DNS TXT record that contains the value that you copied in the
previous step. The name for this record is the name of the parent domain, so if you create this resource
record by using the DNS role from Windows Server, leave the Record name blank and just paste the value
into the Text box.
6. Run the Confirm-MsolDomain cmdlet to verify the challenge:
For example:
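As an added example that is not part of the original article, the following function compares the TXT challenge Azure AD expects with what public DNS actually returns, so that Confirm-MsolDomain is only run once the record has propagated (the step the article warns can take a few minutes). It assumes the MSOnline module, the Windows DnsClient module for Resolve-DnsName, and that the challenge is in the Text property of the Get-MsolDomainVerificationDns result; the resolver address and domain name are placeholders.

```powershell
function Test-MsolDomainTxtChallenge {
    param(
        [Parameter(Mandatory)] [string] $DomainName,
        [string] $DnsServer = '8.8.8.8'   # assumption: a public resolver, so a stale local cache is not consulted
    )
    # Same call as step 3 of the procedure; assumption: the MS=... challenge is in the Text property.
    $expected = (Get-MsolDomainVerificationDns -DomainName $DomainName -Mode DnsTxtRecord).Text

    # Every TXT record currently published at the zone apex, as seen by the chosen resolver.
    $published = @(Resolve-DnsName -Name $DomainName -Type TXT -Server $DnsServer -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'TXT' } |
        ForEach-Object { $_.Strings })

    [pscustomobject]@{
        DomainName = $DomainName
        DnsServer  = $DnsServer
        Expected   = $expected
        Published  = $published
        Propagated = [bool]($expected -and ($published -contains $expected))
    }
}

# Usage (placeholder domain; run after Connect-MsolService with the account from step 1):
# $check = Test-MsolDomainTxtChallenge -DomainName '<domainname>'
# if ($check.Propagated) {
#     Confirm-MsolDomain -DomainName $check.DomainName
# } else {
#     Write-Warning "Challenge $($check.Expected) not yet visible at $($check.DnsServer); wait and retry"
# }
```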
Next steps
Add a custom domain name to Azure AD
How to install and configure Azure PowerShell
Azure PowerShell
Azure Cmdlet Reference
Set-MsolCompanySettings
What is hybrid identity with Azure Active Directory?
9/7/2020 • 2 minutes to read • Edit Online
Today, businesses, and corporations are becoming more and more a mixture of on-premises and cloud
applications. Users require access to those applications both on-premises and in the cloud. Managing users both
on-premises and in the cloud poses challenging scenarios.
Microsoft’s identity solutions span on-premises and cloud-based capabilities. These solutions create a common
user identity for authentication and authorization to all resources, regardless of location. We call this hybrid identity.
With hybrid identity in Azure AD and hybrid identity management, these scenarios become possible.
To achieve hybrid identity with Azure AD, one of three authentication methods can be used, depending on your
scenarios. The three methods are:
Password hash synchronization (PHS)
Pass-through authentication (PTA)
Federation (AD FS)
These authentication methods also provide single sign-on capabilities. Single sign-on automatically signs your
users in when they are on their corporate devices, connected to your corporate network.
For additional information, see Choose the right authentication method for your Azure Active Directory hybrid
identity solution.
Support smartcard authentication for my users. [4]
4. AD FS can be integrated with your enterprise PKI to allow sign-in using certificates. These certificates can be soft-certificates deployed via trusted provisioning channels such as MDM or GPO, or smartcard certificates (including PIV/CAC cards), or Hello for Business (cert-trust). For more information about smartcard authentication support, see this blog.
Next Steps
What is Azure AD Connect and Connect Health?
What is password hash synchronization (PHS)?
What is pass-through authentication (PTA)?
What is federation?
What is single-sign on?
Manage app and resource access using Azure Active Directory groups
9/7/2020 • 3 minutes to read • Edit Online
Azure Active Directory (Azure AD) lets you use groups to manage access to your cloud-based apps, on-premises
apps, and your resources. Your resources can be part of the Azure AD organization, such as permissions to
manage objects through roles in Azure AD, or external to the organization, such as for Software as a Service
(SaaS) apps, Azure services, SharePoint sites, and on-premises resources.
NOTE
In the Azure portal, you can see some groups whose membership and group details you can't manage in the portal:
Groups synced from on-premises Active Directory can be managed only in on-premises Active Directory.
Other group types such as distribution lists and mail-enabled security groups are managed only in Exchange admin
center or Microsoft 365 admin center. You must sign in to Exchange admin center or Microsoft 365 admin center to
manage these groups.
External authority assignment. Access comes from an external source, such as an on-premises
directory or a SaaS app. In this situation, the resource owner assigns a group to provide access to the
resource and then the external source manages the group members.
Next steps
Now that you have a bit of an introduction to access management using groups, you can start to manage your
resources and apps.
Create a new group using Azure Active Directory or Create and manage a new group using PowerShell cmdlets
Use groups to assign access to an integrated SaaS app
Sync an on-premises group to Azure using Azure AD Connect
Create a basic group and add members using Azure Active Directory
9/7/2020 • 4 minutes to read • Edit Online
You can create a basic group using the Azure Active Directory (Azure AD) portal. For the purposes of this article,
a basic group is added to a single resource by the resource owner (administrator) and includes specific
members (employees) that need to access that resource. For more complex scenarios, including dynamic
memberships and rule creation, see the Azure Active Directory user management documentation.
IMPORTANT
You can create a dynamic group for either devices or users, but not for both. You also can't create a device group
based on the device owners' attributes. Device membership rules can only reference device attributes. For more
info about creating a dynamic group for users and devices, see Create a dynamic group and check status.
4. The New Group pane will appear and you must fill out the required information.
5. Select a pre-defined Group type . For more information on group types, see Group and membership
types.
6. Create and add a Group name. Choose a name that you'll remember and that makes sense for the
group. A check will be performed to determine if the name is already in use by another group. If the name
is already in use, to avoid duplicate naming, you'll be asked to change the name of your group.
7. Add a Group email address for the group, or keep the email address that is filled in automatically.
8. Group description. Add an optional description to your group.
9. Select a pre-defined Membership type (required). For more information on membership types, see
Group and membership types.
10. Select Create . Your group is created and ready for you to add members.
11. Select the Members area from the Group page, and then begin searching for the members to add to
your group from the Select members page.
Next steps
Manage access to SaaS apps using groups
Manage groups using PowerShell commands
Azure Active Directory version 2 cmdlets for group management
9/7/2020 • 7 minutes to read • Edit Online
This article contains examples of how to use PowerShell to manage your groups in Azure Active Directory (Azure
AD). It also tells you how to get set up with the Azure AD PowerShell module. First, you must download the Azure
AD PowerShell module.
To verify that the module is ready to use, use the following command:
Now you can start using the cmdlets in the module. For a full description of the cmdlets in the Azure AD module,
please refer to the online reference documentation for Azure Active Directory PowerShell Version 2.
NOTE
The Azure AD PowerShell cmdlets do not work with the new PowerShell 7, because it is based on .NET Core. We are aware of
this, and the module is in the process of being updated. For now, use the Windows PowerShell 5.x module for
Azure AD PowerShell operations.
PS C:\Windows\system32> Connect-AzureAD
The cmdlet prompts you for the credentials you want to use to access your directory. In this example, we are using
[email protected] to access the demonstration directory. The cmdlet returns a confirmation to
show the session was connected successfully to your directory:
Now you can start using the AzureAD cmdlets to manage groups in your directory.
Retrieve groups
To retrieve existing groups from your directory, use the Get-AzureADGroup cmdlet.
To retrieve all groups in the directory, use the cmdlet without parameters:
PS C:\Windows\system32> get-azureadgroup
The cmdlet now returns the group whose objectID matches the value of the parameter you entered:
DeletionTimeStamp :
ObjectId : e29bae11-4ac0-450c-bc37-6dae8f3da61b
ObjectType : Group
Description :
DirSyncEnabled :
DisplayName : Pacific NW Support
LastDirSyncTime :
Mail :
MailEnabled : False
MailNickName : 9bb4139b-60a1-434a-8c0d-7c1f8eee2df9
OnPremisesSecurityIdentifier :
ProvisioningErrors : {}
ProxyAddresses : {}
SecurityEnabled : True
You can search for a specific group using the -filter parameter. This parameter takes an ODATA filter clause and
returns all groups that match the filter, as in the following example:
DeletionTimeStamp :
ObjectId : 31f1ff6c-d48c-4f8a-b2e1-abca7fd399df
ObjectType : Group
Description : Intune Administrators
DirSyncEnabled :
DisplayName : Intune Administrators
LastDirSyncTime :
Mail :
MailEnabled : False
MailNickName : 4dd067a0-6515-4f23-968a-cc2ffc2eff5c
OnPremisesSecurityIdentifier :
ProvisioningErrors : {}
ProxyAddresses : {}
SecurityEnabled : True
NOTE
The Azure AD PowerShell cmdlets implement the OData query standard. For more information, see $filter in OData system
query options using the OData endpoint.
Create groups
To create a new group in your directory, use the New-AzureADGroup cmdlet. This cmdlet creates a new security
group called “Marketing":
Update groups
To update an existing group, use the Set-AzureADGroup cmdlet. In this example, we’re changing the DisplayName
property of the group “Intune Administrators.” First, we’re finding the group using the Get-AzureADGroup cmdlet
and filter using the DisplayName attribute:
DeletionTimeStamp :
ObjectId : 31f1ff6c-d48c-4f8a-b2e1-abca7fd399df
ObjectType : Group
Description : Intune Administrators
DirSyncEnabled :
DisplayName : Intune Administrators
LastDirSyncTime :
Mail :
MailEnabled : False
MailNickName : 4dd067a0-6515-4f23-968a-cc2ffc2eff5c
OnPremisesSecurityIdentifier :
ProvisioningErrors : {}
ProxyAddresses : {}
SecurityEnabled : True
Next, we’re changing the Description property to the new value “Intune Device Administrators”:
Now, if we find the group again, we see the Description property is updated to reflect the new value:
DeletionTimeStamp :
ObjectId : 31f1ff6c-d48c-4f8a-b2e1-abca7fd399df
ObjectType : Group
Description : Intune Device Administrators
DirSyncEnabled :
DisplayName : Intune Administrators
LastDirSyncTime :
Mail :
MailEnabled : False
MailNickName : 4dd067a0-6515-4f23-968a-cc2ffc2eff5c
OnPremisesSecurityIdentifier :
ProvisioningErrors : {}
ProxyAddresses : {}
SecurityEnabled : True
Delete groups
To delete groups from your directory, use the Remove-AzureADGroup cmdlet as follows:
The -ObjectId parameter is the ObjectID of the group to which we want to add a member, and the -RefObjectId is
the ObjectID of the user we want to add as a member to the group.
Get members
To get the existing members of a group, use the Get-AzureADGroupMember cmdlet, as in this example:
Remove members
To remove the member we previously added to the group, use the Remove-AzureADGroupMember cmdlet, as is
shown here:
Verify members
To verify the group memberships of a user, use the Select-AzureADGroupIdsUserIsMemberOf cmdlet. This cmdlet
takes as its parameters the ObjectId of the user for which to check the group memberships, and a list of groups
for which to check the memberships. The list of groups must be provided in the form of a complex variable of
type “Microsoft.Open.AzureAD.Model.GroupIdsForMembershipCheck”, so we first must create a variable with that
type:
Next, we provide values for the groupIds to check in the attribute “GroupIds” of this complex variable:
Now, if we want to check the group memberships of a user with ObjectID 72cd4bbd-2594-40a2-935c-016f3cfeeeea against the groups in $g, we should use:
PS C:\Windows\system32> Select-AzureADGroupIdsUserIsMemberOf -ObjectId 72cd4bbd-2594-40a2-935c-016f3cfeeeea -GroupIdsForMembershipCheck $g
OdataMetadata                                                                                     Value
-------------                                                                                     -----
https://graph.windows.net/85b5ff1e-0402-400c-9e3c-0f9e965325d1/$metadata#Collection(Edm.String) {31f1ff6c-d48c-4f8a-b2e1-abca7fd399df}
The value returned is a list of groups of which this user is a member. You can also apply this method to check
Contacts, Groups or Service Principals membership for a given list of groups, using Select-AzureADGroupIdsContactIsMemberOf, Select-AzureADGroupIdsGroupIsMemberOf or Select-AzureADGroupIdsServicePrincipalIsMemberOf.
The -ObjectId parameter is the ObjectID of the group to which we want to add an owner, and the -RefObjectId is
the ObjectID of the user or service principal we want to add as an owner of the group.
To retrieve the owners of a group, use the Get-AzureADGroupOwner cmdlet:
The cmdlet returns the list of owners (users and service principals) for the specified group:
If you want to remove an owner from a group, use the Remove-AzureADGroupOwner cmdlet:
PS C:\Windows\system32> Remove-AzureADGroupOwner -ObjectId 31f1ff6c-d48c-4f8a-b2e1-abca7fd399df -OwnerId e831b3fd-77c9-49c7-9fca-de43e109ef67
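The following is an added example, not code from the original article, that combines the membership-check and owner cmdlets described above into a small audit of a set of privileged groups. It assumes Connect-AzureAD has already succeeded; the group and user ObjectIds are constructed placeholders.

```powershell
# Added example (not part of the original article). Audits a set of privileged
# groups: which of the given users are members, and who owns each group.
# Assumes Connect-AzureAD has already succeeded in this session.
# The ObjectIds below are constructed placeholders; replace them with real ones.
$privilegedGroupIds = @(
    "00000000-0000-0000-0000-000000000001",   # e.g. Intune Administrators
    "00000000-0000-0000-0000-000000000002"    # e.g. Helpdesk Administrators
)
$usersToCheck = @(
    "00000000-0000-0000-0000-0000000000aa",
    "00000000-0000-0000-0000-0000000000bb"
)

function Get-PrivilegedGroupMembership {
    param(
        [Parameter(Mandatory)][string]$UserObjectId,
        [Parameter(Mandatory)][string[]]$GroupObjectIds
    )
    # Select-AzureADGroupIdsUserIsMemberOf needs the GroupIds wrapped in a
    # GroupIdsForMembershipCheck object, as described above.
    $check = New-Object Microsoft.Open.AzureAD.Model.GroupIdsForMembershipCheck
    $check.GroupIds = $GroupObjectIds
    $result = Select-AzureADGroupIdsUserIsMemberOf -ObjectId $UserObjectId `
        -GroupIdsForMembershipCheck $check
    # .Value holds only the ObjectIds of groups the user actually belongs to
    return @($result.Value)
}

function Get-GroupOwnerReport {
    param([Parameter(Mandatory)][string]$GroupObjectId)
    $group  = Get-AzureADGroup -ObjectId $GroupObjectId
    $owners = @(Get-AzureADGroupOwner -ObjectId $GroupObjectId)
    [pscustomobject]@{
        Group      = $group.DisplayName
        OwnerCount = $owners.Count
        # Owners may be users or service principals; count the service
        # principals separately so their credentials get the same scrutiny.
        ServicePrincipalOwners = @($owners | Where-Object { $_.ObjectType -eq "ServicePrincipal" }).Count
        Owners     = ($owners | ForEach-Object { $_.DisplayName }) -join "; "
    }
}

foreach ($userId in $usersToCheck) {
    $memberOf = Get-PrivilegedGroupMembership -UserObjectId $userId -GroupObjectIds $privilegedGroupIds
    foreach ($gid in $memberOf) {
        $name = (Get-AzureADGroup -ObjectId $gid).DisplayName
        Write-Output "User $userId is a member of privileged group '$name' ($gid)"
    }
}

# A group with no owner is managed only by group-managing administrators; an
# ownerless privileged group is worth flagging because nobody is accountable for it.
$privilegedGroupIds | ForEach-Object { Get-GroupOwnerReport -GroupObjectId $_ } |
    Format-Table -AutoSize
```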
Reserved aliases
When a group is created, certain endpoints allow the end user to specify a mailNickname or alias to be used as
part of the email address of the group. Groups with the following highly privileged email aliases can only be
created by an Azure AD global administrator.
abuse
admin
administrator
hostmaster
majordomo
postmaster
root
secure
security
ssl-admin
webmaster
Next steps
You can find more Azure Active Directory PowerShell documentation at Azure Active Directory Cmdlets.
Managing access to resources with Azure Active Directory groups
Integrating your on-premises identities with Azure Active Directory
Azure Active Directory cmdlets for configuring group settings
9/7/2020 • 8 minutes to read • Edit Online
This article contains instructions for using Azure Active Directory (Azure AD) PowerShell cmdlets to create and
update groups. This content applies only to Microsoft 365 groups (sometimes called unified groups).
IMPORTANT
Some settings require an Azure Active Directory Premium P1 license. For more information, see the Template settings table.
To prevent non-administrator users from creating security groups, set
Set-MsolCompanySettings -UsersPermissionToCreateGroupsEnabled $False as described in Set-MSOLCompanySettings.
Microsoft 365 groups settings are configured using a Settings object and a SettingsTemplate object. Initially, you
don't see any Settings objects in your directory, because your directory is configured with the default settings. To
change the default settings, you must create a new settings object using a settings template. Settings templates
are defined by Microsoft. There are several different settings templates. To configure Microsoft 365 group settings
for your directory, you use the template named "Group.Unified". To configure Microsoft 365 group settings on a
single group, use the template named "Group.Unified.Guest". This template is used to manage guest access to a
Microsoft 365 group.
The cmdlets are part of the Azure Active Directory PowerShell V2 module. For instructions on how to download and
install the module on your computer, see the article Azure Active Directory PowerShell Version 2. You can install
the version 2 release of the module from the PowerShell gallery.
Uninstall-Module AzureADPreview
Uninstall-Module azuread
Install-Module AzureADPreview
Get-AzureADDirectorySettingTemplate
Id                                   DisplayName            Description
--                                   -----------            -----------
62375ab9-6b52-47ed-826b-58e47e0e304b Group.Unified          ...
08d542b9-071f-4e16-94b0-74abb372e3d9 Group.Unified.Guest    Settings for a specific Microsoft 365 group
16933506-8a8d-4f0d-ad58-e1db05a5b929 Company.BuiltIn        Setting templates define the different settings that can be used for the associ...
4bc7f740-180e-4586-adb6-38b2e9024e6b Application            ...
898f1161-d651-43d1-805c-3b0b388a9fc2 Custom Policy Settings ...
5cf42378-d67d-4f36-ba46-e8b86229381d Password Rule Settings ...
2. To add a usage guideline URL, first you need to get the SettingsTemplate object that defines the usage
guideline URL value; that is, the Group.Unified template:
$Setting = $Template.CreateDirectorySetting()
$Setting["UsageGuidelinesUrl"] = "https://guideline.example.com"
$Setting.Values
Output:
Name Value
---- -----
EnableMIPLabels false
CustomBlockedWordsList
EnableMSStandardBlockedWords False
ClassificationDescriptions
DefaultClassification
PrefixSuffixNamingRequirement
AllowGuestsToBeGroupOwner False
AllowGuestsToAccessGroups True
GuestUsageGuidelinesUrl
GroupCreationAllowedGroupId
AllowToAddGuests True
UsageGuidelinesUrl https://guideline.example.com
ClassificationList
EnableGroupCreation True
$Setting["UsageGuidelinesUrl"] = ""
Template settings
Here are the settings defined in the Group.Unified SettingsTemplate. Unless otherwise indicated, these features
require an Azure Active Directory Premium P1 license.
GroupCreationAllowedGroupId (Type: String, Default: "") GUID of the security group whose members are allowed to create Microsoft 365 groups even when EnableGroupCreation == false.
Get-AzureADDirectorySettingTemplate
2. To set the guest policy for groups at the directory level, you need the Group.Unified template:
$Setting = $template.CreateDirectorySetting()
$Setting["AllowToAddGuests"] = $False
$Setting.Values
These steps read settings at directory level, which apply to all Office groups in the directory.
1. Read all existing directory settings:
Get-AzureADDirectorySetting -All $True
3. Read all directory settings values of a specific directory settings object, using Settings ID GUID:
This cmdlet returns the names and values in this settings object for this specific group:
Name Value
---- -----
ClassificationDescriptions
DefaultClassification
PrefixSuffixNamingRequirement
CustomBlockedWordsList
AllowGuestsToBeGroupOwner False
AllowGuestsToAccessGroups True
GuestUsageGuidelinesUrl
GroupCreationAllowedGroupId
AllowToAddGuests True
UsageGuidelinesUrl https://guideline.example.com
ClassificationList
EnableGroupCreation True
Get-AzureADDirectorySettingTemplate
Id DisplayName Description
--                                   -----------            -----------
62375ab9-6b52-47ed-826b-58e47e0e304b Group.Unified          ...
08d542b9-071f-4e16-94b0-74abb372e3d9 Group.Unified.Guest    Settings for a specific Microsoft 365 group
4bc7f740-180e-4586-adb6-38b2e9024e6b Application            ...
898f1161-d651-43d1-805c-3b0b388a9fc2 Custom Policy Settings ...
5cf42378-d67d-4f36-ba46-e8b86229381d Password Rule Settings ...
2. Retrieve the template object for the Group.Unified.Guest template:
$SettingCopy = $Template1.CreateDirectorySetting()
$SettingCopy["AllowToAddGuests"]=$False
5. Get the ID of the group you want to apply this setting to:
6. Create the new setting for the required group in the directory:
$Setting["AllowToAddGuests"] = $True
5. Then you can set the new value for this setting:
6. You can read the value of the setting to make sure it has been updated correctly:
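The following is an added example, not code from the original article, that walks the directory-level Group.Unified procedure and the per-group Group.Unified.Guest procedure above end to end with the AzureADPreview cmdlets. It assumes Connect-AzureAD has already succeeded; the group ObjectIds are constructed placeholders.

```powershell
# Added example (not from the original article): configure Group.Unified
# directory-level settings, then override guest access for one group with the
# Group.Unified.Guest template. Assumes Connect-AzureAD has already succeeded.
# The group ObjectIds are constructed placeholders.
$groupCreatorsGroupId = "00000000-0000-0000-0000-000000000010"   # security group allowed to create groups
$restrictedGroupId    = "00000000-0000-0000-0000-000000000020"   # M365 group that must not get guests

function Set-UnifiedGroupDirectorySettings {
    param(
        [Parameter(Mandatory)][string]$GroupCreationAllowedGroupId,
        [string]$UsageGuidelinesUrl = ""
    )
    $template = Get-AzureADDirectorySettingTemplate |
        Where-Object { $_.DisplayName -eq "Group.Unified" }

    # A directory has no Settings object until one is created from the template;
    # after that the existing object must be updated, not created a second time.
    $existing = Get-AzureADDirectorySetting -All $true |
        Where-Object { $_.DisplayName -eq "Group.Unified" }

    if ($null -eq $existing) {
        $setting = $template.CreateDirectorySetting()
    } else {
        $setting = $existing
    }

    # Restrict group creation to one security group and keep guests from owning groups
    $setting["EnableGroupCreation"]         = $false
    $setting["GroupCreationAllowedGroupId"] = $GroupCreationAllowedGroupId
    $setting["AllowGuestsToBeGroupOwner"]   = $false
    $setting["UsageGuidelinesUrl"]          = $UsageGuidelinesUrl

    if ($null -eq $existing) {
        New-AzureADDirectorySetting -DirectorySetting $setting | Out-Null
    } else {
        Set-AzureADDirectorySetting -Id $existing.Id -DirectorySetting $setting
    }

    # Read back the effective values so the change can be verified
    return (Get-AzureADDirectorySetting -All $true |
        Where-Object { $_.DisplayName -eq "Group.Unified" }).Values
}

function Disable-GuestsForGroup {
    param([Parameter(Mandatory)][string]$GroupObjectId)
    # Per-group settings use the Group.Unified.Guest template and are attached
    # to the group as an object setting rather than a directory setting.
    $template = Get-AzureADDirectorySettingTemplate |
        Where-Object { $_.DisplayName -eq "Group.Unified.Guest" }
    $setting = $template.CreateDirectorySetting()
    $setting["AllowToAddGuests"] = $false
    New-AzureADObjectSetting -TargetType Groups -TargetObjectId $GroupObjectId `
        -DirectorySetting $setting | Out-Null
    return (Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $GroupObjectId).Values
}

Set-UnifiedGroupDirectorySettings -GroupCreationAllowedGroupId $groupCreatorsGroupId `
    -UsageGuidelinesUrl "https://guideline.example.com"
Disable-GuestsForGroup -GroupObjectId $restrictedGroupId
```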
Additional reading
Managing access to resources with Azure Active Directory groups
Integrating your on-premises identities with Azure Active Directory
Search groups and members (preview) in Azure Active Directory
9/7/2020 • 3 minutes to read • Edit Online
This article tells you how to search for members and owners of a group and how to use search filters as part of the
groups improvement preview in the Azure Active Directory (Azure AD) portal. There are lots of improvements in
the groups experiences to help you manage your groups, including members and owners, quickly and easily. For
more information about previews, see Supplemental Terms of Use for Microsoft Azure Previews.
Changes in this preview include:
New groups search capabilities, such as substring search in group names
New filtering and sorting options on member and owner lists
New search capabilities for member and owner lists
More accurate group counts for large groups
For example, a search for “policy” will now return both "MDM policy – West" and "Policy group." A group named
"New_policy" wouldn't be returned.
You can perform the same search on group membership lists as well.
You can now sort the groups list by name using the arrows to the right of the name column heading to sort the
list in ascending or descending order.
Next steps
These articles provide additional information on working with groups in Azure AD.
View your groups and members
Manage group membership
Manage dynamic rules for users in a group
Edit your group settings
Manage access to resources using groups
Manage access to SaaS apps using groups
Manage groups using PowerShell commands
Add an Azure subscription to Azure Active Directory
Add or remove group members using Azure Active Directory
9/7/2020 • 2 minutes to read • Edit Online
Using Azure Active Directory, you can continue to add and remove group members.
4. From the MDM policy - West Overview page, select Members from the Manage area.
5. Select Add members, and then search and select each of the members you want to add to the group, and
then choose Select.
You'll get a message that says the members were added successfully.
6. Refresh the screen to see all of the member names added to the group.
In Azure Active Directory (Azure AD), you can use rules to determine group membership based on user or device
properties. This article tells you how to set up a rule for a dynamic group in the Azure portal. Dynamic membership
is supported for security groups or Microsoft 365 Groups. When a group membership rule is applied, user and
device attributes are evaluated for matches with the membership rule. When an attribute changes for a user or
device, all dynamic group rules in the organization are processed for membership changes. Users and devices
are added or removed if they meet the conditions for a group. Security groups can be used for either devices or
users, but Microsoft 365 Groups can be only user groups.
NOTE
The rule builder might not be able to display some rules constructed in the text box. You might see a message when the
rule builder is not able to display the rule. The rule builder doesn't change the supported syntax, validation, or processing
of dynamic group rules in any way.
For examples of syntax, supported properties, operators, and values for a membership rule, see Dynamic
membership rules for groups in Azure Active Directory.
4. On the Group page, enter a name and description for the new group. Select a Membership type for
either users or devices, and then select Add dynamic query. The rule builder supports up to five
expressions. To add more than five expressions, you must use the text box.
5. To see the custom extension properties available for your membership query:
a. Select Get custom extension properties
b. Enter the application ID, and then select Refresh properties.
6. After creating the rule, select Save.
7. Select Create on the New group page to create the group.
If the rule you entered isn't valid, an explanation of why the rule couldn't be processed is displayed in an Azure
notification in the portal. Read it carefully to understand how to fix the rule.
The following status messages can be shown for Membership processing status:
Evaluating: The group change has been received and the updates are being evaluated.
Processing: Updates are being processed.
Update complete: Processing has completed and all applicable updates have been made.
Processing error: Processing couldn't be completed because of an error evaluating the membership rule.
Update paused: Dynamic membership rule updates have been paused by the administrator.
MembershipRuleProcessingState is set to "Paused".
The following status messages can be shown for Membership last updated status:
<Date and time>: The last time the membership was updated.
In Progress: Updates are currently in progress.
Unknown: The last update time can't be retrieved. The group might be new.
If an error occurs while processing the membership rule for a specific group, an alert is shown on the top of the
Overview page for the group. If no pending dynamic membership updates can be processed for all the groups
within the organization for more than 24 hours, an alert is shown on the top of All groups.
In Azure Active Directory (Azure AD), you can create complex attribute-based rules to enable dynamic
memberships for groups. Dynamic group membership reduces the administrative overhead of adding and
removing users. This article details the properties and syntax to create dynamic membership rules for users or
devices. You can set up a rule for dynamic membership on security groups or Microsoft 365 groups.
When any attributes of a user or device change, the system evaluates all dynamic group rules in a directory to see
if the change would trigger any group adds or removes. If a user or device satisfies a rule on a group, they are
added as a member of that group. If they no longer satisfy the rule, they are removed. You can't manually add or
remove a member of a dynamic group.
You can create a dynamic group for devices or for users, but you can't create a rule that contains both users
and devices.
You can't create a device group based on the device owners' attributes. Device membership rules can only
reference device attributes.
NOTE
This feature requires an Azure AD Premium P1 license for each unique user that is a member of one or more dynamic
groups. You don't have to assign licenses to users for them to be members of dynamic groups, but you must have the
minimum number of licenses in the Azure AD organization to cover all such users. For example, if you had a total of 1,000
unique users in all dynamic groups in your organization, you would need at least 1,000 licenses for Azure AD Premium P1
to meet the license requirement. No license is required for devices that are members of a dynamic device group.
NOTE
The rule builder might not be able to display some rules constructed in the text box. You might see a message when the rule
builder is not able to display the rule. The rule builder doesn't change the supported syntax, validation, or processing of
dynamic group rules in any way.
Parentheses are optional for a single expression. The total length of the body of your membership rule cannot
exceed 2048 characters.
Supported properties
There are three types of properties that can be used to construct a membership rule.
Boolean
String
String collection
The following are the user properties that you can use to create a single expression.
Properties of type boolean
PROPERTIES ALLOWED VALUES USAGE
mail Any string value or null (SMTP address of the user) (user.mail -eq "value")
mailNickName Any string value (mail alias of the user) (user.mailNickName -eq "value")
For the properties used for device rules, see Rules for devices.
OPERATOR SYNTAX
Equals -eq
Contains -contains
Match -match
In -in
Not In -notIn
user.department -in ["50001","50002","50003","50005","50006","50007","50008","50016","50020","50024","50038","50039","51100"]
Supported values
The values used in an expression can consist of several types, including:
Strings
Boolean – true, false
Numbers
Arrays – number array, string array
When specifying a value within an expression it is important to use the correct syntax to avoid errors. Some
syntax tips are:
Double quotes are optional unless the value is a string.
String and regex operations are not case sensitive.
When a string value contains double quotes, both quotes should be escaped using the ` character, for example,
user.department -eq `"Sales`" is the proper syntax when "Sales" is the value.
You can also perform Null checks, using null as a value, for example, user.department -eq null.
Use of Null values
To specify a null value in a rule, you can use the null value.
Use -eq or -ne when comparing the null value in an expression.
Use quotes around the word null only if you want it to be interpreted as a literal string value.
The -not operator can't be used as a comparative operator for null. If you use it, you get an error whether you
use null or $null.
The correct way to reference the null value is as follows:
Operator precedence
All operators are listed below in order of precedence from highest to lowest. Operators on same line are of equal
precedence:
-eq -ne -startsWith -notStartsWith -contains -notContains -match -notMatch -in -notIn
-not
-and
-or
-any -all
The following is an example of operator precedence where two expressions are being evaluated for the user:
Parentheses are needed only when precedence does not meet your requirements. For example, if you want
department to be evaluated first, the following shows how parentheses can be used to determine order:
user.country -eq "US" -and (user.department -eq "Marketing" -or user.department -eq "Sales")
Multi-value properties
Multi-value properties are collections of objects of the same type. They can be used to create membership rules
using the -any and -all logical operators.
PROPERTIES VALUES USAGE
A rule such as this one can be used to group all users for whom a Microsoft 365 (or other Microsoft Online
Service) capability is enabled. You could then apply a set of policies to the group.
Example 2
The following expression selects all users who have any service plan that is associated with the Intune service
(identified by service name "SCO"):
The following tips can help you use the rule properly.
The Manager ID is the object ID of the manager. It can be found in the manager's Profile.
For the rule to work, make sure the Manager property is set correctly for users in your organization. You can
check the current value in the user's Profile.
This rule supports only the manager's direct reports. In other words, you can't create a group with the
manager's direct reports and their reports.
This rule can't be combined with any other membership rules.
Create an "All users" rule
You can create a group containing all users within an organization using a membership rule. When users are
added or removed from the organization in the future, the group's membership is adjusted automatically.
The "All users" rule is constructed using a single expression with the -ne operator and the null value. This rule adds
B2B guest users as well as member users to the group.
If you want your group to exclude guest users and include only members of your organization, you can use the
following syntax:
Custom extension properties are synced from on-premises Windows Server AD or from a connected SaaS
application and are of the format user.extension_[GUID]_[Attribute], where:
[GUID] is the unique identifier in Azure AD for the application that created the property in Azure AD
[Attribute] is the name of the property as it was created
An example of a rule that uses a custom extension property is:
The custom property name can be found in the directory by querying a user's property using Graph Explorer and
searching for the property name. Also, you can now select the Get custom extension properties link in the
dynamic user group rule builder to enter a unique app ID and receive the full list of custom extension properties
to use when creating a dynamic membership rule. This list can also be refreshed to get any new custom extension
properties for that app.
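The following is an added example, not code from the original article, that creates dynamic user groups from the rule syntax covered above (the null check, the "All users" and members-only rules, the parenthesised precedence example and the -in array form) with New-AzureADMSGroup, and reads back each group's processing state. It assumes Connect-AzureAD has already succeeded and the tenant holds the Premium P1 licenses noted above; the exact rule strings are my assumptions based on the syntax in this article, and the department codes are constructed values.

```powershell
# Added example (not from the original article): create dynamic groups from the
# rule syntax described above and verify their processing state afterwards.
# Assumes Connect-AzureAD has already succeeded. The rule strings are assumptions
# based on this article's syntax; the department codes are constructed values.
$dynamicGroups = @(
    @{
        Name = "All users (members and guests)"
        # Single -ne null expression, as described in "Create an 'All users' rule"
        Rule = 'user.objectId -ne null'
    },
    @{
        Name = "All member users (no guests)"
        # Exclude B2B guests by combining the null check with userType
        Rule = '(user.objectId -ne null) -and (user.userType -eq "Member")'
    },
    @{
        Name = "US Marketing and Sales"
        # Parentheses force the -or to be evaluated before -and (see precedence)
        Rule = 'user.country -eq "US" -and (user.department -eq "Marketing" -or user.department -eq "Sales")'
    },
    @{
        Name = "Finance cost centers"
        # -in with a string array: the strings are quoted, the array itself is not
        Rule = 'user.department -in ["50001","50002","50003"]'
    }
)

function New-DynamicUserGroup {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$MembershipRule
    )
    # The rule body is limited to 2048 characters; fail early rather than in the service
    if ($MembershipRule.Length -gt 2048) {
        throw "Membership rule exceeds the 2048 character limit"
    }
    # MailNickname is required and must be unique; derive it from the display name
    $nick = ($DisplayName -replace '[^A-Za-z0-9]', '').ToLower()
    New-AzureADMSGroup -DisplayName $DisplayName `
        -Description "Dynamic group: $MembershipRule" `
        -MailEnabled $false -MailNickname $nick -SecurityEnabled $true `
        -GroupTypes "DynamicMembership" `
        -MembershipRule $MembershipRule `
        -MembershipRuleProcessingState "On"
}

function Get-DynamicGroupStatus {
    param([Parameter(Mandatory)][string]$GroupId)
    # "Paused" means an administrator stopped rule processing; a group left in
    # that state silently stops reflecting attribute changes, so report it.
    $g = Get-AzureADMSGroup -Id $GroupId
    [pscustomobject]@{
        Name            = $g.DisplayName
        Rule            = $g.MembershipRule
        ProcessingState = $g.MembershipRuleProcessingState
    }
}

foreach ($spec in $dynamicGroups) {
    $created = New-DynamicUserGroup -DisplayName $spec.Name -MembershipRule $spec.Rule
    Get-DynamicGroupStatus -GroupId $created.Id
}
```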
NOTE
The organizationalUnit attribute is no longer listed and should not be used. This string is set by Intune in specific cases
but is not recognized by Azure AD, so no devices are added to groups based on this attribute.
NOTE
systemlabels is a read-only attribute that cannot be set with Intune.
For Windows 10, the correct format of the deviceOSVersion attribute is as follows: (device.deviceOSVersion -eq "10.0.17763"). The formatting can be validated with the Get-MsolDevice PowerShell cmdlet.
NOTE
When creating dynamic groups for devices, set the deviceOwnership value equal to "Company". In Intune, the
device ownership is represented instead as Corporate. Refer to OwnerTypes for more details.
Next steps
These articles provide additional information on groups in Azure Active Directory.
See existing groups
Create a new group and adding members
Manage settings of a group
Manage memberships of a group
Manage dynamic rules for users in a group
Validate a dynamic group membership rule (preview) in Azure Active Directory
9/7/2020 • 2 minutes to read • Edit Online
Azure Active Directory (Azure AD) now provides the means to validate dynamic group rules (in public preview). On
the Validate rules tab, you can validate your dynamic rule against sample group members to confirm the rule is
working as expected. When creating or updating dynamic group rules, administrators want to know whether a user
or a device will be a member of the group. This helps evaluate whether a user or device meets the rule criteria and
aids in troubleshooting when membership is not as expected.
Step-by-step walk-through
To get started, go to Azure Active Directory > Groups. Select an existing dynamic group or create a new
dynamic group and click on Dynamic membership rules. You can then see the Validate Rules tab.
On the Validate rules tab, you can select users to validate their memberships. 20 users or devices can be selected at
one time.
After choosing the users or devices from the picker and clicking Select, validation will automatically start and the
validation results will appear.
The results tell whether a user is a member of the group or not. If the rule is not valid or there is a network issue,
the result will show as Unknown. In case of Unknown, the detailed error message will describe the issue and the
actions needed.
You can modify the rule, and validation of memberships will be triggered again. To see why a user is not a member of
the group, click on "View details" and the verification details will show the result of each expression composing the rule.
Click OK to exit.
Next steps
Dynamic membership rules for groups
Change static group membership to dynamic in Azure Active Directory
9/7/2020 • 3 minutes to read • Edit Online
You can change a group's membership from static to dynamic (or vice versa) in Azure Active Directory (Azure AD).
Azure AD keeps the same group name and ID in the system, so all existing references to the group are still valid. If
you created a new group instead, you would need to update those references. Dynamic group membership
eliminates the management overhead of adding and removing users. This article tells you how to convert existing
groups from static to dynamic membership using either the Azure AD admin center or PowerShell cmdlets.
WARNING
When changing an existing static group to a dynamic group, all existing members are removed from the group, and then the
membership rule is processed to add new members. If the group is used to control access to apps or resources, be aware that
the original members might lose access until the membership rule is fully processed.
We recommend that you test the new membership rule beforehand to make sure that the new membership in the group is
as expected.
3. After creating the rule, select Add query at the bottom of the page.
4. Select Save on the Properties page for the group to save your changes. The Membership type of the
group is immediately updated in the group list.
TIP
Group conversion might fail if the membership rule you entered was incorrect. A notification is displayed in the upper-right
corner of the portal that contains an explanation of why the rule can't be accepted by the system. Read it carefully to
understand how you can adjust the rule to make it valid. For examples of rule syntax and a complete list of the supported
properties, operators, and values for a membership rule, see Dynamic membership rules for groups in Azure Active Directory.
Here is an example of functions that switch membership management on an existing group. In this example, care is
taken to correctly manipulate the GroupTypes property and preserve any values that are unrelated to dynamic
membership.
#The moniker for dynamic groups as used in the GroupTypes property of a group object
$dynamicGroupTypeString = "DynamicMembership"

function ConvertDynamicGroupToStatic
{
    Param([string]$groupId)
    #read the existing group types into an editable list (empty list when the group has none)
    $groupTypes = New-Object System.Collections.ArrayList
    $existingTypes = (Get-AzureADMSGroup -Id $groupId).GroupTypes
    if ($null -ne $existingTypes) { $groupTypes.AddRange([string[]]$existingTypes) }
    if (-not $groupTypes.Contains($dynamicGroupTypeString))
    {
        throw "This group is already a static group. Aborting conversion."
    }
    #remove the type for dynamic groups, but keep the other type values
    $groupTypes.Remove($dynamicGroupTypeString)
    #modify the group properties to make it a static group: i) change GroupTypes to remove the dynamic type, ii) pause execution of the current rule
    Set-AzureADMSGroup -Id $groupId -GroupTypes $groupTypes.ToArray() -MembershipRuleProcessingState "Paused"
}

function ConvertStaticGroupToDynamic
{
    Param([string]$groupId, [string]$dynamicMembershipRule)
    #read the existing group types into an editable list (empty list when the group has none)
    $groupTypes = New-Object System.Collections.ArrayList
    $existingTypes = (Get-AzureADMSGroup -Id $groupId).GroupTypes
    if ($null -ne $existingTypes) { $groupTypes.AddRange([string[]]$existingTypes) }
    if ($groupTypes.Contains($dynamicGroupTypeString))
    {
        throw "This group is already a dynamic group. Aborting conversion."
    }
    #add the dynamic group type to the existing types
    [void]$groupTypes.Add($dynamicGroupTypeString)
    #modify the group properties to make it a dynamic group: i) change GroupTypes to add the dynamic type, ii) start execution of the rule, iii) set the rule
    Set-AzureADMSGroup -Id $groupId -GroupTypes $groupTypes.ToArray() -MembershipRuleProcessingState "On" -MembershipRule $dynamicMembershipRule
}

ConvertDynamicGroupToStatic "a58913b2-eee4-44f9-beb2-e381c375058f"
Using the Azure Active Directory (Azure AD) portal, you can add a large number of members to a group by using a
comma-separated values (CSV) file to bulk import group members.
6. Open the CSV file and add a line for each group member you want to import into the group (required
values are either Member object ID or User principal name). Then save the file.
7. On the Bulk import group members page, under Upload your csv file, browse to the file. When you
select the file, validation of the CSV file starts.
8. When the file contents are validated, the bulk import page displays File uploaded successfully. If there
are errors, you must fix them before you can submit the job.
9. When your file passes validation, select Submit to start the Azure bulk operation that imports the group
members to the group.
10. When the import operation completes, you'll see a notification that the bulk operation succeeded.
For details about each line item within the bulk operation, select the values under the # Success, # Failure, or
Total Requests columns. If failures occurred, the reasons for failure will be listed.
Bulk import service limits
Each bulk activity to import a list of group members can run for up to one hour. This enables importing a list of
at least 40,000 members.
Next steps
Bulk remove group members
Download members of a group
Download a list of all groups
Bulk remove group members in Azure Active Directory
9/7/2020 • 2 minutes to read • Edit Online
Using the Azure Active Directory (Azure AD) portal, you can remove a large number of members from a group by
using a comma-separated values (CSV) file to bulk remove group members.
6. Open the CSV file and add a line for each group member you want to remove from the group (required
values are Member object ID or User principal name). Then save the file.
7. On the Bulk remove group members page, under Upload your csv file, browse to the file. When you
select the file, validation of the CSV file starts.
8. When the file contents are validated, the bulk remove page displays File uploaded successfully. If there
are errors, you must fix them before you can submit the job.
9. When your file passes validation, select Submit to start the Azure bulk operation that removes the group
members from the group.
10. When the removal operation completes, you'll see a notification that the bulk operation succeeded.
For details about each line item within the bulk operation, select the values under the # Success, # Failure, or
Total Requests columns. If failures occurred, the reasons for failure will be listed.
Next steps
Bulk import group members
Download members of a group
Download a list of all groups
Bulk download members of a group in Azure Active Directory
9/7/2020 • 2 minutes to read • Edit Online
Using the Azure Active Directory (Azure AD) portal, you can bulk download the members of a group in your
organization to a comma-separated values (CSV) file.
Next steps
Bulk import group members
Bulk remove group members
Bulk download a list of groups in Azure Active Directory
9/7/2020 • 2 minutes to read • Edit Online
Using the Azure Active Directory (Azure AD) portal, you can bulk download the list of all the groups in your
organization to a comma-separated values (CSV) file.
Next steps
Bulk remove group members
Download members of a group
Restore a deleted Microsoft 365 group in Azure Active Directory
9/7/2020 • 2 minutes to read • Edit Online
When you delete a Microsoft 365 group in Azure Active Directory (Azure AD), the deleted group is retained
but not visible for 30 days from the deletion date. This behavior is so that the group and its contents can be
restored if needed. This functionality is restricted exclusively to Microsoft 365 groups in Azure AD. It is not available
for security groups and distribution groups. Please note that the 30-day group restoration period is not
customizable.
NOTE
Don't use Remove-MsolGroup because it purges the group permanently. Always use Remove-AzureADMSGroup to delete a
Microsoft 365 group.
ROLE PERMISSIONS
Global administrator, Group administrator, Partner Tier2 support, and Intune administrator: Can restore any deleted Microsoft 365 group
User administrator and Partner Tier1 support: Can restore any deleted Microsoft 365 group except those groups assigned to the Company Administrator role
User: Can restore any deleted Microsoft 365 group that they own
View and manage the deleted Microsoft 365 groups that are available to restore
1. Sign in to the Azure AD admin center with a User administrator account.
2. Select Groups, then select Deleted groups to view the deleted groups that are available to restore.
View the deleted Microsoft 365 groups that are available to restore using PowerShell
The following cmdlets can be used to view the deleted groups to verify that the one or ones you're interested in
have not yet been permanently purged. These cmdlets are part of the Azure AD PowerShell module. More
information about this module can be found in the Azure Active Directory PowerShell Version 2 article.
1. Run the following cmdlet to display all deleted Microsoft 365 groups in your Azure AD organization that are
still available to restore.
Get-AzureADMSDeletedGroup
2. Alternately, if you know the objectID of a specific group (and you can get it from the cmdlet in step 1), run
the following cmdlet to verify that the specific deleted group has not yet been permanently purged.
2. Alternatively, the following cmdlet can be run to permanently remove the deleted group.
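The following is an added example, not code from the original article, that lists the Microsoft 365 groups still inside the 30-day retention window and restores one of them by ObjectId with the AzureADPreview cmdlets, checking first that it has not already been purged. It assumes Connect-AzureAD has already succeeded; the group ObjectId is a constructed placeholder.

```powershell
# Added example (not from the original article): list the Microsoft 365 groups
# still in the 30-day soft-delete window, restore one by ObjectId, and confirm
# the restore. Assumes Connect-AzureAD (AzureADPreview module) has succeeded.
# The ObjectId below is a constructed placeholder.
$groupToRestore = "00000000-0000-0000-0000-000000000030"

function Get-RestorableGroups {
    # Only Microsoft 365 (unified) groups are retained after deletion; security
    # and distribution groups are not restorable and never appear in this list.
    Get-AzureADMSDeletedGroup | Select-Object Id, DisplayName, MailNickname
}

function Restore-SoftDeletedGroup {
    param([Parameter(Mandatory)][string]$GroupId)
    # Check the group is still restorable before attempting the restore; a
    # group purged after the 30-day window is simply not returned here.
    $deleted = Get-AzureADMSDeletedGroup -Id $GroupId -ErrorAction SilentlyContinue
    if ($null -eq $deleted) {
        throw "Group $GroupId is not in the deleted-groups list; it may already be purged or restored."
    }
    Restore-AzureADMSDeletedDirectoryObject -Id $GroupId | Out-Null
    # After the restore the group is visible through the normal group cmdlet again
    $restored = Get-AzureADMSGroup -Id $GroupId
    return [pscustomobject]@{
        Id          = $restored.Id
        DisplayName = $restored.DisplayName
        Restored    = ($null -ne $restored)
    }
}

Get-RestorableGroups | Format-Table -AutoSize
Restore-SoftDeletedGroup -GroupId $groupToRestore
```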
Next steps
These articles provide additional information on Azure Active Directory groups.
See existing groups
Manage settings of a group
Manage members of a group
Manage memberships of a group
Manage dynamic rules for users in a group
Edit your group information using Azure Active Directory
9/7/2020 • 2 minutes to read • Edit Online
Using Azure Active Directory (Azure AD), you can edit a group's settings, including updating its name, description,
or membership type.
4. Select the group MDM policy - West, and then select Properties from the Manage area.
5. Update the General settings information as needed, including:
Azure Active Directory (Azure AD) groups are owned and managed by group owners. Group owners can be users
or service principals, and are able to manage the group including membership. Only existing group owners or
group-managing administrators can assign group owners. Group owners aren't required to be members of the
group.
When a group has no owner, group-managing administrators are still able to manage the group. It is
recommended for every group to have at least one owner. Once owners are assigned to a group, the last owner of
the group cannot be removed. Please make sure to select another owner before removing the last owner from the
group.
4. On the MDM policy - West - Owners page, select Add owners , and then search for and select the user
that will be the new group owner, and then choose Select .
After you select the new owner, you can refresh the Owners page and see the name added to the list of
owners.
4. On the MDM policy - West - Owners page, select the user you want to remove as a group owner, choose
Remove from the user's information page, and select Yes to confirm your decision.
After you remove the owner, you can return to the Owners page and see the name has been removed from
the list of owners.
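The owner operations above, as an added example in PowerShell with the AzureAD module (this is not code from the page). It adds an owner by UPN, removes an owner while refusing to remove the last one, and audits the tenant for ownerless groups, which only group-managing administrators can manage. The group ID and the UPNs are placeholders.

```powershell
# Added example: manage group owners and guard against leaving a group ownerless.
# Requires the AzureAD module and an existing Connect-AzureAD session.
Import-Module AzureAD

function Add-GroupOwnerByUpn {
    # Adds a user as owner. Owners need not be members, so no membership check is made.
    param(
        [Parameter(Mandatory)][string]$GroupId,
        [Parameter(Mandatory)][string]$OwnerUpn
    )
    $user = Get-AzureADUser -ObjectId $OwnerUpn   # -ObjectId accepts a UPN or an object ID
    Add-AzureADGroupOwner -ObjectId $GroupId -RefObjectId $user.ObjectId
    Write-Host "Added $OwnerUpn as owner of group $GroupId."
}

function Remove-GroupOwnerSafely {
    # Removes an owner but refuses to remove the last one, mirroring the portal rule.
    param(
        [Parameter(Mandatory)][string]$GroupId,
        [Parameter(Mandatory)][string]$OwnerUpn
    )
    $owners = @(Get-AzureADGroupOwner -ObjectId $GroupId -All $true)
    $target = $owners | Where-Object { $_.UserPrincipalName -eq $OwnerUpn }
    if (-not $target) { throw "$OwnerUpn is not an owner of group $GroupId." }
    if ($owners.Count -le 1) {
        throw "Refusing to remove the last owner of group $GroupId; assign another owner first."
    }
    Remove-AzureADGroupOwner -ObjectId $GroupId -OwnerId $target.ObjectId
    Write-Host "Removed $OwnerUpn as owner of group $GroupId."
}

function Get-OwnerlessGroup {
    # Audit: every group that has no owner at all. One directory call per group,
    # so expect this to take a while in a large tenant.
    Get-AzureADGroup -All $true | Where-Object {
        -not (Get-AzureADGroupOwner -ObjectId $_.ObjectId -Top 1)
    } | Select-Object ObjectId, DisplayName
}

# Placeholder ID and UPNs; replace with real values.
$groupId = '00000000-0000-0000-0000-000000000000'
Add-GroupOwnerByUpn     -GroupId $groupId -OwnerUpn 'new.owner@contoso.example'
Remove-GroupOwnerSafely -GroupId $groupId -OwnerUpn 'old.owner@contoso.example'
Get-OwnerlessGroup
```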
Next steps
Managing access to resources with Azure Active Directory groups
Azure Active Directory cmdlets for configuring group settings
Use groups to assign access to an integrated SaaS app
Integrating your on-premises identities with Azure Active Directory
Add or remove a group from another group using Azure Active Directory
9/7/2020 • 2 minutes to read
This article helps you to add and remove a group from another group using Azure Active Directory.
NOTE
If you're trying to delete the parent group, see How to update or delete a group and its members.
IMPORTANT
We don't currently support:
Adding groups to a group synced with on-premises Active Directory.
Adding Security groups to Office 365 groups.
Adding Office 365 groups to Security groups or other Office 365 groups.
Assigning apps to nested groups.
Applying licenses to nested groups.
Adding distribution groups in nesting scenarios.
NOTE
You can add your group as a member to only one group at a time. Additionally, the Select Group box filters the
display based on matching your entry to any part of a user or device name. However, wildcard characters aren't
supported.
4. On the MDM policy - West - Group memberships page, select Group memberships , select Add ,
locate the group you want your group to be a member of, and then choose Select . For this exercise, we're
using the MDM policy - All org group.
The MDM policy - West group is now a member of the MDM policy - All org group. Membership is what
nesting provides; as the limitations above note, apps and licenses assigned to the parent group don't
flow to nested groups.
5. Review the MDM policy - West - Group memberships page to see the group and member
relationship.
6. For a more detailed view of the group and member relationship, select the group name (MDM policy -
All org ) and take a look at the MDM policy - West page details.
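As an added example (not code from the page), the following PowerShell performs the same nesting with the AzureAD module, but first checks the group pair against the unsupported scenarios listed above, so that a synced parent, a Microsoft 365 group on either side, or a distribution group is rejected before any directory write. The two object IDs are placeholders for MDM policy - All org and MDM policy - West.

```powershell
# Added example: nest one group in another only after checking the unsupported cases.
# Requires the AzureAD module and an existing Connect-AzureAD session.
Import-Module AzureAD

function Get-GroupKind {
    # Classifies a group as 'M365', 'Security', or 'Distribution' from its flags.
    param($Group)
    if ($Group.GroupTypes -contains 'Unified') { return 'M365' }
    if ($Group.SecurityEnabled)                { return 'Security' }
    if ($Group.MailEnabled)                    { return 'Distribution' }
    return 'Unknown'
}

function Add-NestedGroup {
    param(
        [Parameter(Mandatory)][string]$ParentGroupId,
        [Parameter(Mandatory)][string]$ChildGroupId
    )
    $parent = Get-AzureADMSGroup -Id $ParentGroupId
    $child  = Get-AzureADMSGroup -Id $ChildGroupId
    $parentKind = Get-GroupKind $parent
    $childKind  = Get-GroupKind $child

    # Each check corresponds to one "not supported" bullet in the IMPORTANT note.
    if ($parent.OnPremisesSyncEnabled) {
        throw "Parent '$($parent.DisplayName)' is synced from on-premises AD; nesting is not supported."
    }
    if ($parentKind -eq 'M365') {
        throw "Parent '$($parent.DisplayName)' is a Microsoft 365 group; groups cannot be added to it."
    }
    if ($childKind -eq 'M365') {
        throw "Child '$($child.DisplayName)' is a Microsoft 365 group; it cannot be nested in another group."
    }
    if ($parentKind -eq 'Distribution' -or $childKind -eq 'Distribution') {
        throw 'Distribution groups are not supported in nesting scenarios.'
    }
    Add-AzureADGroupMember -ObjectId $ParentGroupId -RefObjectId $ChildGroupId
    Write-Host "'$($child.DisplayName)' is now a member of '$($parent.DisplayName)'."
}

# Placeholder IDs; replace with the object IDs of 'MDM policy - All org' and 'MDM policy - West'.
Add-NestedGroup -ParentGroupId '11111111-1111-1111-1111-111111111111' `
                -ChildGroupId  '22222222-2222-2222-2222-222222222222'
```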
Additional information
These articles provide additional information on Azure Active Directory.
View your groups and members
Create a basic group and add members
Add or remove members from a group
Edit your group settings
Using a group to manage access to SaaS applications
Scenarios, limitations, and known issues using groups to manage licensing in Azure Active Directory
Using a group to manage access to SaaS applications
9/7/2020 • 2 minutes to read
Using Azure Active Directory (Azure AD) with an Azure AD Premium license plan, you can use groups to assign
access to a SaaS application that's integrated with Azure AD. For example, if you want to assign access for the
marketing department to use five different SaaS applications, you can create a group that contains the users in
the marketing department, and then assign that group to these five SaaS applications that are needed by the
marketing department. This way you can save time by managing the membership of the marketing department
in one place. Users then are assigned to the application when they are added as members of the marketing
group, and have their assignments removed from the application when they are removed from the marketing
group. This capability can be used with hundreds of applications that you can add from within the Azure AD
Application Gallery.
IMPORTANT
You can use this feature only after you start an Azure AD Premium trial or purchase Azure AD Premium license plan.
Group-based assignment is supported only for security groups. Nested group memberships are not supported for group-
based assignment to applications at this time.
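As an added example (not code from the page), the following PowerShell assigns a group to an enterprise application with the AzureAD module and enforces both caveats from the note above: it refuses anything that is not a security group, and it lists any groups nested inside the assigned group, since their members get no access through the assignment. The group name, application name, and app role name are placeholders.

```powershell
# Added example: group-based assignment to an enterprise app, with the two caveats enforced.
# Requires the AzureAD module and an existing Connect-AzureAD session.
Import-Module AzureAD

function Add-GroupToEnterpriseApp {
    param(
        [Parameter(Mandatory)][string]$GroupDisplayName,
        [Parameter(Mandatory)][string]$AppDisplayName,
        [string]$AppRoleDisplayName   # omit to use the default assignment (no specific role)
    )
    $group = Get-AzureADGroup -Filter "DisplayName eq '$GroupDisplayName'"
    if (-not $group) { throw "Group '$GroupDisplayName' not found." }
    if (-not $group.SecurityEnabled) {
        throw "'$GroupDisplayName' is not a security group; group-based app assignment supports only security groups."
    }
    $sp = Get-AzureADServicePrincipal -Filter "DisplayName eq '$AppDisplayName'"
    if (-not $sp) { throw "Enterprise application '$AppDisplayName' not found." }

    # The all-zero GUID is the default assignment used when no app role is chosen.
    $roleId = [Guid]::Empty.ToString()
    if ($AppRoleDisplayName) {
        $role = $sp.AppRoles | Where-Object { $_.DisplayName -eq $AppRoleDisplayName -and $_.IsEnabled }
        if (-not $role) { throw "App role '$AppRoleDisplayName' not found or disabled on '$AppDisplayName'." }
        $roleId = $role.Id
    }
    New-AzureADGroupAppRoleAssignment -ObjectId $group.ObjectId -PrincipalId $group.ObjectId `
        -ResourceId $sp.ObjectId -Id $roleId
}

function Get-NestedGroupsInside {
    # Members of nested groups get no access through the assignment; surface them.
    param([Parameter(Mandatory)][string]$GroupObjectId)
    Get-AzureADGroupMember -ObjectId $GroupObjectId -All $true |
        Where-Object { $_.ObjectType -eq 'Group' } |
        Select-Object ObjectId, DisplayName
}

# Placeholder names; replace with your group, gallery app, and one of its app roles.
$assignment = Add-GroupToEnterpriseApp -GroupDisplayName 'Marketing' `
    -AppDisplayName 'Contoso CRM' -AppRoleDisplayName 'User'
Get-NestedGroupsInside -GroupObjectId $assignment.PrincipalId
```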
Next steps
These articles provide additional information on Azure Active Directory.
Managing access to resources with Azure Active Directory groups
Application Management in Azure Active Directory
Azure Active Directory cmdlets for configuring group settings
What is Azure Active Directory?
Integrating your on-premises identities with Azure Active Directory
Enforce a naming policy on Microsoft 365 groups in Azure Active Directory
9/7/2020 • 13 minutes to read
To enforce consistent naming conventions for Microsoft 365 groups created or edited by your users, set up a
group naming policy for your organizations in Azure Active Directory (Azure AD). For example, you could use the
naming policy to communicate the function of a group, membership, geographic region, or who created the
group. You could also use the naming policy to help categorize groups in the address book. You can use the policy
to block specific words from being used in group names and aliases.
IMPORTANT
Using Azure AD naming policy for Microsoft 365 groups requires that you possess but not necessarily assign an Azure
Active Directory Premium P1 license or Azure AD Basic EDU license for each unique user that is a member of one or more
Microsoft 365 groups.
The naming policy is applied to creating or editing groups created across workloads (for example, Outlook,
Microsoft Teams, SharePoint, Exchange, or Planner). It is applied to both the group name and group alias. If you set
up your naming policy in Azure AD and you have an existing Exchange group naming policy, the Azure AD naming
policy is enforced in your organization.
When group naming policy is configured, the policy will be applied to new Microsoft 365 groups created by end
users. Naming policy does not apply to certain directory roles, such as Global Administrator or User Administrator
(please see below for the complete list of roles exempted from group naming policy). For existing Microsoft 365
groups, the policy will not immediately apply at the time of configuration. Once group owner edits the group
name for these groups, naming policy will be enforced.
2. View or edit the current list of custom blocked words by selecting Download .
3. Upload the new list of custom blocked words by selecting the file icon.
4. Save your changes for the new policy to go into effect by selecting Save .
Uninstall-Module AzureADPreview
Install-Module AzureADPreview
If you are prompted about accessing an untrusted repository, enter Y . It might take a few minutes for the new
module to install.
Import-Module AzureADPreview
Connect-AzureAD
In the Sign in to your Account screen that opens, enter your admin account and password to connect
you to your service, and select Sign in .
3. Follow the steps in Azure Active Directory cmdlets for configuring group settings to create group settings
for this organization.
View the current settings
1. Fetch the current naming policy to view the current settings.
$Setting.Values
$Setting["PrefixSuffixNamingRequirement"] = "GRP_[GroupName]_[Department]"
2. Set the custom blocked words that you want to restrict. The following example illustrates how you can add
your own custom words.
$Setting["CustomBlockedWordsList"] = "Payroll,CEO,HR"
3. Save the settings for the new policy to go into effect, such as in the following example.
That's it. You've set your naming policy and added your blocked words.
To remove the naming policy, clear both values and save the settings again:
$Setting["PrefixSuffixNamingRequirement"] = ""
$Setting["CustomBlockedWordsList"] = ""
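The fetch, set, save, and remove steps above as one runnable script, added here as an example (not code from the page). It uses the AzureADPreview directory-setting cmdlets and creates the tenant's Group.Unified settings object from its template if none exists yet, which is the case the note in step 3 points to. The prefix pattern and blocked words are the page's own sample values.

```powershell
# Added example: configure, inspect, and remove the Microsoft 365 group naming policy.
# Requires the AzureADPreview module and a Connect-AzureAD session as a Global Administrator.
Import-Module AzureADPreview

function Get-UnifiedGroupSetting {
    # Returns the tenant-wide "Group.Unified" settings object, creating it from the
    # template on first use (no settings object exists until one is created).
    $setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
    if (-not $setting) {
        $template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq 'Group.Unified' }
        $fresh = $template.CreateDirectorySetting()
        New-AzureADDirectorySetting -DirectorySetting $fresh | Out-Null
        $setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
    }
    return $setting
}

function Set-GroupNamingPolicy {
    # Writes both naming-policy values and saves them in one round trip.
    param(
        [string]$PrefixSuffix = 'GRP_[GroupName]_[Department]',
        [string[]]$BlockedWords = @('Payroll', 'CEO', 'HR')
    )
    $setting = Get-UnifiedGroupSetting
    $setting['PrefixSuffixNamingRequirement'] = $PrefixSuffix
    $setting['CustomBlockedWordsList'] = ($BlockedWords -join ',')
    Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting
}

function Show-GroupNamingPolicy {
    # Prints only the two naming-policy values out of the full settings list.
    $setting = Get-UnifiedGroupSetting
    $setting.Values | Where-Object {
        $_.Name -in @('PrefixSuffixNamingRequirement', 'CustomBlockedWordsList')
    }
}

function Remove-GroupNamingPolicy {
    # Clearing both values is how the policy is removed.
    Set-GroupNamingPolicy -PrefixSuffix '' -BlockedWords @()
}

Set-GroupNamingPolicy
Show-GroupNamingPolicy
# Remove-GroupNamingPolicy
```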
Workload compliance with the naming policy

Azure Active Directory portals: The Azure AD portal and the Access Panel portal show the naming policy
enforced name when the user types in a group name while creating or editing a group. When a user enters a
custom blocked word, an error message with the blocked word is displayed so that the user can remove it.

Outlook Web Access (OWA): Outlook Web Access shows the naming policy enforced name when the user types a
group name or group alias. When a user enters a custom blocked word, an error message is shown in the UI
along with the blocked word so that the user can remove it.

Outlook Desktop: Groups created in Outlook desktop are compliant with the naming policy settings. The Outlook
desktop app doesn't yet show the preview of the enforced group name and doesn't return custom blocked word
errors while the user is typing the group name. However, the naming policy is automatically applied when the
group is created or edited, and users see error messages if there are custom blocked words in the group name
or alias.

Microsoft Teams: Microsoft Teams shows the group naming policy enforced name when the user enters a team
name. When a user enters a custom blocked word, an error message is shown along with the blocked word so
that the user can remove it.

SharePoint: SharePoint shows the naming policy enforced name when the user types a site name or group email
address. When a user enters a custom blocked word, an error message is shown, along with the blocked word,
so that the user can remove it.

Microsoft Stream: Microsoft Stream shows the group naming policy enforced name when the user types a group
name or group email alias. When a user enters a custom blocked word, an error message is shown with the
blocked word so the user can remove it.

Outlook iOS and Android App: Groups created in the Outlook mobile apps are compliant with the configured
naming policy. The Outlook mobile app doesn't yet show the preview of the naming policy enforced name, and
doesn't return custom blocked word errors while the user is typing the group name. However, the naming policy
is automatically applied when the user selects create or edit, and users see error messages if there are custom
blocked words in the group name or alias.

Groups mobile app: Groups created in the Groups mobile app are compliant with the naming policy. The Groups
mobile app does not show the preview of the naming policy and does not return custom blocked word errors
while the user is typing the group name. But the naming policy is automatically applied when a group is created
or edited, and users are presented with appropriate errors if there are custom blocked words in the group name
or alias.

Dynamics 365 for Customer Engagement: Dynamics 365 for Customer Engagement is compliant with the naming
policy. Dynamics 365 shows the naming policy enforced name when the user types a group name or group email
alias. When the user enters a custom blocked word, an error message is shown with the blocked word so the
user can remove it.

School Data Sync (SDS): Groups created through SDS comply with the naming policy, but the naming policy isn't
applied automatically. SDS administrators have to append the prefixes and suffixes to the class names for which
groups need to be created, and then upload them to SDS. Otherwise, group creation or editing fails.

Outlook Customer Manager (OCM): Outlook Customer Manager is compliant with the naming policy, which is
automatically applied to the group created in Outlook Customer Manager. If a custom blocked word is detected,
group creation in OCM is blocked, and the user is blocked from using the OCM app.

Classroom app: Groups created in the Classroom app comply with the naming policy, but the naming policy isn't
applied automatically, and the naming policy preview isn't shown to users while they enter a classroom group
name. Users must enter the enforced classroom group name with prefixes and suffixes. If they don't, the
classroom group create or edit operation fails with errors.

StaffHub: StaffHub teams do not follow the naming policy, but the underlying Microsoft 365 group does. The
StaffHub team name does not get the prefixes and suffixes applied and is not checked for custom blocked words.
But StaffHub does apply the prefixes and suffixes and removes blocked words from the underlying Microsoft 365
group.

Exchange PowerShell: Exchange PowerShell cmdlets are compliant with the naming policy. Users receive
appropriate error messages with suggested prefixes and suffixes, and for custom blocked words, if they don't
follow the naming policy in the group name and group alias (mailNickname).

Azure Active Directory PowerShell cmdlets: Azure Active Directory PowerShell cmdlets are compliant with the
naming policy. Users receive appropriate error messages with suggested prefixes and suffixes, and for custom
blocked words, if they don't follow the naming convention in group names and the group alias.

Exchange admin center: The Exchange admin center is compliant with the naming policy. Users receive appropriate
error messages with suggested prefixes and suffixes, and for custom blocked words, if they don't follow the
naming convention in the group name and group alias.

Microsoft 365 admin center: The Microsoft 365 admin center is compliant with the naming policy. When a user
creates or edits a group name, the naming policy is automatically applied on save, and users receive appropriate
errors if they enter custom blocked words. The Microsoft 365 admin center doesn't yet show a preview of the
naming policy and doesn't return custom blocked word errors while the user is typing the group name.
Next steps
These articles provide additional information on Azure AD groups.
See existing groups
Expiration policy for Microsoft 365 groups
Manage settings of a group
Manage members of a group
Manage memberships of a group
Manage dynamic rules for users in a group
Configure the expiration policy for Microsoft 365 groups
9/7/2020 • 7 minutes to read
This article tells you how to manage the lifecycle of Microsoft 365 groups by setting an expiration policy for them.
You can set expiration policy only for Microsoft 365 groups in Azure Active Directory (Azure AD).
Once you set a group to expire:
Groups with user activities are automatically renewed as the expiration nears.
Owners of the group are notified to renew the group, if the group is not auto-renewed.
Any group that is not renewed is deleted.
Any Microsoft 365 group that is deleted can be restored within 30 days by the group owners or the
administrator.
Currently, only one expiration policy can be configured for all Microsoft 365 groups in an Azure AD organization.
NOTE
Configuring and using the expiration policy for Microsoft 365 groups requires you to possess but not necessarily assign
Azure AD Premium licenses for the members of all groups to which the expiration policy is applied.
For information on how to download and install the Azure AD PowerShell cmdlets, see Azure Active Directory
PowerShell for Graph 2.0.0.137.
Roles and permissions
Global administrator, Group administrator, or User administrator: Can create, read, update, or delete the
Microsoft 365 groups expiration policy settings, and can renew any Microsoft 365 group.
For more information on permissions to restore a deleted group, see Restore a deleted Microsoft 365 group in
Azure Active Directory.
NOTE
When you first set up expiration, any groups that are older than the expiration interval are set to 35 days until expiration
unless the group is automatically renewed or the owner renews it.
When a dynamic group is deleted and restored, it's seen as a new group and re-populated according to the rule. This
process can take up to 24 hours.
Expiration notices for groups used in Teams appear in the Teams Owners feed.
Email notifications
If groups are not automatically renewed, email notifications such as this one are sent to the Microsoft 365 group
owners 30 days, 15 days, and 1 day prior to expiration of the group. The language of the email is determined by
the group owner's preferred language or the Azure AD language setting. If the group owner has defined a
preferred language, or multiple owners have the same preferred language, then that language is used. In all
other cases, the Azure AD language setting is used.
From the Renew group notification email, group owners can directly access the group details page in the Access
Panel. There, the users can get more information about the group such as its description, when it was last renewed,
when it will expire, and also the ability to renew the group. The group details page now also includes links to the
Microsoft 365 group resources, so that the group owner can conveniently view the content and activity in their
group.
When a group expires, the group is deleted one day after the expiration date. An email notification such as this one
is sent to the Microsoft 365 group owners informing them about the expiration and subsequent deletion of their
Microsoft 365 group.
The group can be restored within 30 days of its deletion by selecting Restore group or by using PowerShell
cmdlets, as described in Restore a deleted Microsoft 365 group in Azure Active Directory. Please note that the 30-
day group restoration period is not customizable.
If the group you're restoring contains documents, SharePoint sites, or other persistent objects, it might take up to
24 hours to fully restore the group and its contents.
NOTE
In order to manage group memberships on Access Panel, "Restrict access to Groups in Access Panel" needs to be set to "No"
in Azure Active Directory Groups General Setting.
How Microsoft 365 group expiration works with a mailbox on legal hold
When a group expires and is deleted, then 30 days after deletion the group's data from apps like Planner, Sites, or
Teams is permanently deleted, but the group mailbox that is on legal hold is retained and is not permanently
deleted. The administrator can use Exchange cmdlets to restore the mailbox to fetch the data.
How Microsoft 365 group expiration works with retention policy
The retention policy is configured by way of the Security and Compliance Center. If you have set up a retention
policy for Microsoft 365 groups, when a group expires and is deleted, the group conversations in the group
mailbox and files in the group site are retained in the retention container for the specific number of days defined in
the retention policy. Users won't see the group or its content after expiration, but can recover the site and mailbox
data via e-discovery.
PowerShell examples
Here are examples of how you can use PowerShell cmdlets to configure the expiration settings for Microsoft 365
groups in your Azure AD organization:
1. Install the PowerShell v2.0 module and sign in at the PowerShell prompt:
2. Configure the expiration settings Use the New-AzureADMSGroupLifecyclePolicy cmdlet to set the lifetime
for all Microsoft 365 groups in the Azure AD organization to 365 days. Renewal notifications for Microsoft
365 groups without owners will be sent to '[email protected]'
3. Retrieve the existing policy Get-AzureADMSGroupLifecyclePolicy: This cmdlet retrieves the current Microsoft
365 group expiration settings that have been configured. In this example, you can see:
The policy ID
The lifetime for all Microsoft 365 groups in the Azure AD organization is set to 365 days
Renewal notifications for Microsoft 365 groups without owners will be sent to
'[email protected].'
Get-AzureADMSGroupLifecyclePolicy
4. Update the existing policy Set-AzureADMSGroupLifecyclePolicy: This cmdlet is used to update an existing
policy. In the example below, the group lifetime in the existing policy is changed from 365 days to 180 days.
5. Add specific groups to the policy Add-AzureADMSLifecyclePolicyGroup: This cmdlet adds a group to the
lifecycle policy. As an example:
6. Remove the existing Policy Remove-AzureADMSGroupLifecyclePolicy: This cmdlet deletes the Microsoft 365
group expiration settings but requires the policy ID. This cmdlet disables expiration for Microsoft 365
groups.
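Steps 2 through 6 above as one runnable script, added here as an example (not code from the page). It uses the AzureAD v2 lifecycle-policy cmdlets, creates the policy only if the tenant doesn't already have one, and also shows how to check which policy applies to a given group and renew it explicitly. The notification mailbox and the group object ID are placeholders.

```powershell
# Added example: configure the Microsoft 365 group expiration policy end to end.
# Requires the AzureADPreview (or AzureAD v2) module and an existing Connect-AzureAD session.
Import-Module AzureADPreview

$notifyAddress = 'groups-admin@contoso.example'   # placeholder mailbox for ownerless-group notices
$groupId = '00000000-0000-0000-0000-000000000000'  # placeholder group object ID

# Step 2: create the policy with a 365-day lifetime for all Microsoft 365 groups,
# unless the tenant already has one (only one policy is allowed per tenant).
$policy = Get-AzureADMSGroupLifecyclePolicy
if (-not $policy) {
    $policy = New-AzureADMSGroupLifecyclePolicy -GroupLifetimeInDays 365 `
        -ManagedGroupTypes 'All' -AlternateNotificationEmails $notifyAddress
}

# Step 3: retrieve it; the Id is what every later cmdlet needs.
Get-AzureADMSGroupLifecyclePolicy

# Step 4: shorten the lifetime from 365 to 180 days.
Set-AzureADMSGroupLifecyclePolicy -Id $policy.Id -GroupLifetimeInDays 180 `
    -ManagedGroupTypes 'All' -AlternateNotificationEmails $notifyAddress

# Step 5: restrict the policy to selected groups and add one group to it.
# Groups added individually only matter when ManagedGroupTypes is 'Selected'.
Set-AzureADMSGroupLifecyclePolicy -Id $policy.Id -GroupLifetimeInDays 180 `
    -ManagedGroupTypes 'Selected' -AlternateNotificationEmails $notifyAddress
Add-AzureADMSLifecyclePolicyGroup -Id $policy.Id -GroupId $groupId

# Confirm which policy the group falls under, then renew it explicitly
# (the same action an owner performs from the notification email).
Get-AzureADMSLifecyclePolicyGroup -Id $groupId
Reset-AzureADMSLifeCycleGroup -Id $groupId

# Step 6: remove the policy, which disables expiration for Microsoft 365 groups.
# Remove-AzureADMSGroupLifecyclePolicy -Id $policy.Id
```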
The following cmdlets can be used to configure the policy in more detail. For more information, see PowerShell
documentation.
Get-AzureADMSGroupLifecyclePolicy
New-AzureADMSGroupLifecyclePolicy
Set-AzureADMSGroupLifecyclePolicy
Remove-AzureADMSGroupLifecyclePolicy
Add-AzureADMSLifecyclePolicyGroup
Remove-AzureADMSLifecyclePolicyGroup
Reset-AzureADMSLifeCycleGroup
Get-AzureADMSLifecyclePolicyGroup
Next steps
These articles provide additional information on Azure AD groups.
See existing groups
Manage settings of a group
Manage members of a group
Manage memberships of a group
Manage dynamic rules for users in a group
Set up self-service group management in Azure Active Directory
9/7/2020 • 4 minutes to read
You can enable users to create and manage their own security groups or Microsoft 365 groups in Azure Active
Directory (Azure AD). The owner of the group can approve or deny membership requests, and can delegate
control of group membership. Self-service group management features are not available for mail-enabled
security groups or distribution lists.
Default membership behavior by the tool used to create the group
Azure AD PowerShell
  Security groups: Only owners can add members. Visible but not available to join in the Access panel.
  Microsoft 365 groups: Open to join for all users.
Azure portal
  Security groups: Only owners can add members. Visible but not available to join in the Access panel. An
  owner is not assigned automatically at group creation.
  Microsoft 365 groups: Open to join for all users.
Access panel
  Security groups: Open to join for all users. Membership options can be changed when the group is created.
  Microsoft 365 groups: Open to join for all users. Membership options can be changed when the group is
  created.
NOTE
An Azure Active Directory Premium (P1 or P2) license is required for users to request to join a security group or Microsoft
365 group and for owners to approve or deny membership requests. Without an Azure Active Directory Premium license,
users can still manage their groups in the Access Panel, but they can't create a group that requires owner approval in the
Access Panel, and they can't request to join a group.
Next steps
These articles provide additional information on Azure Active Directory.
Manage access to resources with Azure Active Directory groups
Azure Active Directory cmdlets for configuring group settings
Application Management in Azure Active Directory
What is Azure Active Directory?
Integrate your on-premises identities with Azure Active Directory
Assign sensitivity labels to Microsoft 365 groups in Azure Active Directory
9/7/2020 • 4 minutes to read
Azure Active Directory (Azure AD) supports applying sensitivity labels published by the Microsoft 365 compliance
center to Microsoft 365 groups. Sensitivity labels apply to groups across services like Outlook, Microsoft Teams,
and SharePoint. This feature is generally available. For more information about Office 365 apps support, see
Office 365 support for sensitivity labels.
IMPORTANT
To configure this feature, there must be at least one active Azure Active Directory Premium P1 license in your Azure AD
organization.
Import-Module AzureADPreview
Connect-AzureAD
In the Sign in to your account page, enter your admin account and password to connect you to your
service, and select Sign in .
3. Fetch the current group settings for the Azure AD organization.
NOTE
If no group settings have been created for this Azure AD organization, you must first create the settings. Follow the
steps in Azure Active Directory cmdlets for configuring group settings to create group settings for this Azure AD
organization.
$Setting.Values
$Setting["EnableMIPLabels"] = "True"
6. Then save the changes and apply the settings:
That's it. You've enabled the feature and you can apply published labels to groups.
Troubleshooting issues
Sensitivity labels are not available for assignment on a group
The sensitivity label option is only displayed for groups when all the following conditions are met:
1. Labels are published in the Microsoft 365 Compliance Center for this Azure AD organization.
2. The feature is enabled, EnableMIPLabels is set to True in PowerShell.
3. The group is a Microsoft 365 group.
4. The organization has an active Azure Active Directory Premium P1 license.
5. The current signed-in user has sufficient privileges to assign labels. The user must be either a Global
Administrator, Group Administrator, or the group owner.
Please make sure all the conditions are met in order to assign labels to a group.
The label I want to assign is not in the list
If the label you are looking for is not in the list, this could be the case for one of the following reasons:
The label might not be published in the Microsoft 365 Compliance Center. This could also apply to labels that
are no longer published. Please check with your administrator for more information.
The label may be published, however, it is not available to the user that is signed-in. Please check with your
administrator for more information on how to get access to the label.
How to change the label on a group
Labels can be swapped at any time using the same steps as assigning a label to an existing group, as follows:
1. Sign in to the Azure AD admin center with a Global or Group administrator account or as group owner.
2. Select Groups .
3. From the All groups page, select the group that you want to label.
4. On the selected group's page, select Properties and select a new sensitivity label from the list.
5. Select Save .
Group setting changes to published labels are not updated on the groups
As a best practice, we don't recommend that you change group settings for a label after the label is applied to
groups. When you make changes to group settings associated with published labels in Microsoft 365 compliance
center, those policy changes aren't automatically applied on the impacted groups.
If you must make a change, use an Azure AD PowerShell script to manually apply updates to the impacted groups.
This method makes sure that all existing groups enforce the new setting.
Next steps
Use sensitivity labels with Microsoft Teams, Microsoft 365 groups, and SharePoint sites
Update groups after label policy change manually with Azure AD PowerShell script
Edit your group settings
Manage groups using PowerShell commands
Assign or remove licenses in the Azure Active Directory portal
9/7/2020 • 4 minutes to read
Many Azure Active Directory (Azure AD) services require you to license each of your users or groups (and
their members) for that service. Only users with an active license can access and use those licensed Azure AD
services. Licenses are applied per tenant and do not transfer to other tenants.
3. On the Assign page, select Users and groups , and then search for and select the user you're assigning
the license.
4. Select Assignment options , make sure you have the appropriate license options turned on, and then
select OK .
The Assign license page updates to show that a user is selected and that the assignments are configured.
NOTE
Not all Microsoft services are available in all locations. Before a license can be assigned to a user, you must specify
the Usage location . You can set this value in the Azure Active Directory > Users > Profile > Settings area
in Azure AD. Any user whose usage location is not specified inherits the location of the Azure AD organization.
5. Select Assign .
The user is added to the list of licensed users and has access to the included Azure AD services.
NOTE
Licenses can also be assigned directly to a user from the user's Licenses page. If a user has a license assigned
through a group membership and you want to assign the same license to the user directly, it can be done only
from the Products page mentioned in step 1.
3. On the Assign page, select Users and groups , and then search for and select the group you're assigning
the license.
4. Select Assignment options , make sure you have the appropriate license options turned on, and then
select OK .
The Assign license page updates to show that a group is selected and that the assignments are configured.
5. Select Assign .
The group is added to the list of licensed groups and all of the members have access to the included Azure
AD services.
Remove a license
You can remove a license from a user's Azure AD user page, from the group overview page for a group
assignment, or starting from the Azure AD Licenses page to see the users and groups for a license.
To remove a license from a user
1. On the Licensed users page for the service plan, select the user that should no longer have the license.
For example, Alain Charon.
2. Select Remove license .
IMPORTANT
Licenses that a user inherits from a group can't be removed directly. Instead, you have to remove the user from the group
from which they're inheriting the license.
NOTE
When an on-premises user account synced to Azure AD falls out of scope for the sync or when the sync is removed,
the user is soft-deleted in Azure AD. When this occurs, licenses assigned to the user directly or via group-based
licensing will be marked as suspended rather than deleted .
Next steps
After you've assigned your licenses, you can perform the following processes:
Identify and resolve license assignment problems
Add licensed users to a group for licensing
Scenarios, limitations, and known issues using groups to manage licensing in Azure Active Directory
Add or change profile information
Assign licenses to users by group membership in Azure Active Directory
9/7/2020 • 5 minutes to read
This article walks you through assigning product licenses to a group of users and verifying that they're licensed
correctly in Azure Active Directory (Azure AD).
In this example, the Azure AD organization contains a security group called HR Department . This group includes
all members of the human resources department (around 1,000 users). You want to assign Office 365 Enterprise
E3 licenses to the entire department. The Yammer Enterprise service that's included in the product must be
temporarily disabled until the department is ready to start using it. You also want to deploy Enterprise Mobility +
Security licenses to the same group of users.
NOTE
Some Microsoft services are not available in all locations. Before a license can be assigned to a user, the administrator has to
specify the Usage location property on the user.
For group license assignment, any users without a usage location specified inherit the location of the directory. If you have
users in multiple locations, we recommend that you always set usage location as part of your user creation flow in Azure AD
(e.g. via AAD Connect configuration) - that ensures the result of license assignment is always correct and users do not
receive services in locations that are not allowed.
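The check the note recommends, as an added example in PowerShell with the AzureAD module (this is not code from the page): before assigning licenses to the HR Department group, list its user members that have no usage location, and set one explicitly so that nobody silently inherits the directory location. The group name and the country code are placeholders.

```powershell
# Added example: audit and set the usage location of a group's members before licensing.
# Requires the AzureAD module and an existing Connect-AzureAD session.
Import-Module AzureAD

function Get-MembersWithoutUsageLocation {
    # Returns the user members of the named group whose UsageLocation is empty.
    param([Parameter(Mandatory)][string]$GroupDisplayName)
    $group = Get-AzureADGroup -Filter "DisplayName eq '$GroupDisplayName'"
    if (-not $group) { throw "Group '$GroupDisplayName' not found." }
    Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
        Where-Object { $_.ObjectType -eq 'User' -and [string]::IsNullOrEmpty($_.UsageLocation) } |
        Select-Object ObjectId, UserPrincipalName, UsageLocation
}

function Set-DefaultUsageLocation {
    # Stamps a two-letter ISO country code on every member found above. Only users
    # with no value are touched; existing locations are left alone.
    param(
        [Parameter(Mandatory)][string]$GroupDisplayName,
        [Parameter(Mandatory)][ValidatePattern('^[A-Z]{2}$')][string]$CountryCode
    )
    foreach ($u in Get-MembersWithoutUsageLocation -GroupDisplayName $GroupDisplayName) {
        Set-AzureADUser -ObjectId $u.ObjectId -UsageLocation $CountryCode
        Write-Host "Set usage location $CountryCode on $($u.UserPrincipalName)"
    }
}

# Review first, then fix. 'US' is a placeholder; use the country each user actually works from.
Get-MembersWithoutUsageLocation -GroupDisplayName 'HR Department'
Set-DefaultUsageLocation -GroupDisplayName 'HR Department' -CountryCode 'US'
```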
5. To solve this conflict, remove the user from the Kiosk users group. After Azure AD processes the change,
the HR Department licenses are correctly assigned.
Next steps
To learn more about the feature set for license assignment using groups, see the following articles:
What is group-based licensing in Azure Active Directory?
Identifying and resolving license problems for a group in Azure Active Directory
How to migrate individual licensed users to group-based licensing in Azure Active Directory
How to migrate users between product licenses using group-based licensing in Azure Active Directory
Azure Active Directory group-based licensing additional scenarios
PowerShell examples for group-based licensing in Azure Active Directory
Identify and resolve license assignment problems for a group in Azure Active Directory
9/7/2020 • 11 minutes to read
Group-based licensing in Azure Active Directory (Azure AD) introduces the concept of users in a licensing error
state. In this article, we explain the reasons why users might end up in this state.
When you assign licenses directly to individual users, without using group-based licensing, the assignment
operation might fail. For example, when you execute the PowerShell cmdlet Set-MsolUserLicense on a user, the
cmdlet can fail for many reasons related to business logic. There might be an insufficient number of licenses,
or a conflict between two service plans that can't be assigned at the same time. The problem is reported back
to you immediately.
When you're using group-based licensing, the same errors can occur, but they happen in the background while the
Azure AD service is assigning licenses. For this reason, the errors can't be communicated to you immediately.
Instead, they're recorded on the user object and then reported via the administrative portal. The original intent to
license the user is never lost, but it's recorded in an error state for future investigation and resolution.
2. Select the notification to open a list of all affected users. You can select each user individually to see more
details.
3. To find all groups that contain at least one error, on the Azure Active Directory blade select Licenses, and
then select Overview. An information box is displayed when groups require your attention.
4. Select the box to see a list of all groups with errors. You can select each group for more details.
The following sections give a description of each potential problem and the way to resolve it.
NOTE
When Azure AD assigns group licenses, any users without a specified usage location inherit the location of the directory. We
recommend that administrators set the correct usage location values on users before using group-based licensing to comply
with local laws and regulations.
For more information about this problem, see "Proxy address is already being used" error message in Exchange Online. The
article also includes information on how to connect to Exchange Online by using remote PowerShell.
After you resolve any proxy address problems for the affected users, make sure to force license processing on the
group to make sure that the licenses can now be applied.
TIP
You can create multiple groups for each prerequisite service plan. For example, if you use both Office 365 Enterprise E1 and
Office 365 Enterprise E3 for your users, you can create two groups to license Microsoft Workplace Analytics: one that uses E1
as a prerequisite and the other that uses E3. This lets you distribute the add-on to E1 and E3 users without consuming
additional licenses.
Next steps
To learn more about other scenarios for license management through groups, see the following:
What is group-based licensing in Azure Active Directory?
Assigning licenses to a group in Azure Active Directory
How to migrate individual licensed users to group-based licensing in Azure Active Directory
How to migrate users between product licenses using group-based licensing in Azure Active Directory
Azure Active Directory group-based licensing additional scenarios
PowerShell examples for group-based licensing in Azure Active Directory
How to migrate users with individual licenses to groups for licensing
9/7/2020 • 3 minutes to read • Edit Online
You may have existing licenses deployed to users in the organization via direct assignment; that is, using
PowerShell scripts or other tools to assign individual user licenses. Before you begin using group-based licensing
to manage licenses in your organization, you can use this migration plan to seamlessly replace existing solutions
with group-based licensing.
The most important thing to keep in mind is that you should avoid a situation where migrating to group-based
licensing will result in users temporarily losing their currently assigned licenses. Any process that may result in
removal of licenses should be avoided to remove the risk of users losing access to services and their data.
An example
An organization has 1,000 users. All users require Office 365 Enterprise E3 licenses. Currently the organization
has a PowerShell script running on premises, adding and removing licenses from users as they come and go.
However, the organization wants to replace the script with group-based licensing so licenses can be managed
automatically by Azure AD.
Here is what the migration process could look like:
1. Using the Azure portal, assign the Office 365 E3 license to the All users group in Azure AD.
2. Confirm that license assignment has completed for all users. Go to the overview page for the group, select
Licenses, and check the processing status at the top of the Licenses blade.
Look for "Latest license changes have been applied to all users" to confirm processing has
completed.
Look for a notification on top about any users for whom licenses may have not been successfully
assigned. Did we run out of licenses for some users? Do some users have conflicting license plans
that prevent them from inheriting group licenses?
3. Spot check some users to verify that they have both the direct and group licenses applied. Go to the profile
page for a user, select Licenses, and examine the state of licenses.
This is the expected user state during migration:
This confirms that the user has both direct and inherited licenses. We see that Office 365 E3 is
assigned.
Select each license to see which services are enabled. To verify that the direct and group licenses
enable exactly the same services for the user, select Assignments.
4. After confirming that both direct and group licenses are equivalent, you can start removing direct licenses
from users. You can test this by removing them for individual users in the portal and then run automation
scripts to have them removed in bulk. Here is an example of the same user with the direct licenses
removed through the portal. Notice that the license state remains unchanged, but we no longer see direct
assignments.
Next steps
Learn more about other scenarios for group license management:
What is group-based licensing in Azure Active Directory?
Assigning licenses to a group in Azure Active Directory
Identifying and resolving license problems for a group in Azure Active Directory
How to migrate users between product licenses using group-based licensing in Azure Active Directory
Azure Active Directory group-based licensing additional scenarios
PowerShell examples for group-based licensing in Azure Active Directory
Change license assignments for a user or group in Azure Active Directory
9/7/2020 • 3 minutes to read • Edit Online
This article describes how to move users and groups between service license plans in Azure Active Directory
(Azure AD). The goal of Azure AD's approach is to ensure that there's no loss of service or data during the license
change. Users should switch between services seamlessly. The license plan assignment steps in this article
describe changing a user or group on Office 365 E1 to Office 365 E3, but the steps apply to all license plans.
When you update license assignments for a user or group, the license assignment removals and new assignments
are made simultaneously so that users do not lose access to their services during license changes or see license
conflicts between plans.
Next steps
Learn about other scenarios for license management through groups in the following articles:
Assigning licenses to a group in Azure Active Directory
Identifying and resolving license problems for a group in Azure Active Directory
How to migrate individual licensed users to group licensing in Azure Active Directory
Azure Active Directory group licensing additional scenarios
PowerShell examples for group licensing in Azure Active Directory
Scenarios, limitations, and known issues using groups to manage licensing in Azure Active Directory
9/7/2020 • 12 minutes to read • Edit Online
Use the following information and examples to gain a more advanced understanding of Azure Active Directory
(Azure AD) group-based licensing.
Usage location
Some Microsoft services are not available in all locations. Before a license can be assigned to a user, the
administrator has to specify the Usage location property on the user. In the Azure portal, you can specify usage
location in User > Profile > Settings.
For group license assignment, any users without a usage location specified inherit the location of the directory. If
you have users in multiple locations, make sure to reflect that correctly in your user resources before adding
users to groups with licenses.
NOTE
Group license assignment will never modify an existing usage location value on a user. We recommend that you always set
usage location as part of your user creation flow in Azure AD (e.g. via AAD Connect configuration) - that will ensure the
result of license assignment is always correct, and users do not receive services in locations that are not allowed.
For this example, modify one user and set their extensionAttribute1 to the value of EMS;E5_baseservices; if you
want the user to have both licenses. You can make this modification on-premises. After the change syncs with the
cloud, the user is automatically added to both groups, and licenses are assigned.
WARNING
Use caution when modifying an existing group’s membership rule. When a rule is changed, the membership of the group
will be re-evaluated and users who no longer match the new rule will be removed (users who still match the new rule will
not be affected during this process). Those users will have their licenses removed during the process which may result in
loss of service, or in some cases, loss of data.
If you have a large dynamic group you depend on for license assignment, consider validating any major changes on a
smaller test group before applying them to the main group.
As a result, the user has 7 of the 12 services in the product enabled, while using only one license for this
product.
Selecting the E3 license shows more details, including information about which services are enabled for
the user by the group license assignment.
NOTE
The Microsoft Stream service has been automatically added and enabled in this group, in addition to the Exchange
Online service:
5. If you want to disable the new service in this group, click the On/Off toggle next to the service and click
the Save button to confirm the change. Azure AD will now process all users in the group to apply the
change; any new users added to the group will not have the Microsoft Stream service enabled.
NOTE
Users may still have the service enabled through some other license assignment (another group they are members
of or a direct license assignment).
6. If needed, perform the same steps for other groups with this product assigned.
NOTE
Audit logs are available on most blades in the Azure Active Directory section of the portal. Depending on where you access
them, filters may be pre-applied to only show activity relevant to the context of the blade. If you are not seeing the results
you expect, examine the filtering options or access the unfiltered audit logs under Azure Active Directory > Activity >
Audit logs.
TIP
You can also type the name of the group in the Target filter to scope the results.
3. Select an item in the list to see the details of what has changed. Under Modified Properties both old and
new values for the license assignment are listed.
Here is an example of recent group license changes, with details:
2. Similarly, to see when groups finished processing, use the filter value Finish applying group based license
to users.
TIP
In this case, the Modified Properties field contains a summary of the results - this is useful to quickly check if
processing resulted in any errors. Sample output:
Modified Properties
...
Name : Result
Old Value : []
New Value : [Users successfully assigned licenses: 6, Users for whom license assignment failed: 0.];
3. To see the complete log for how a group was processed, including all user changes, set the following
filters:
Initiated By (Actor) : "Microsoft Azure AD Group-Based Licensing"
Date Range (optional): custom range for when you know a specific group started and finished
processing
This sample output shows the start of processing, all resulting user changes, and the finish of processing.
TIP
Clicking items related to Change user license will show details for license changes applied to each individual user.
Next steps
To learn more about other scenarios for license management through group-based licensing, see:
What is group-based licensing in Azure Active Directory?
Assigning licenses to a group in Azure Active Directory
Identifying and resolving license problems for a group in Azure Active Directory
How to migrate individual licensed users to group-based licensing in Azure Active Directory
How to migrate users between product licenses using group-based licensing in Azure Active Directory
PowerShell examples for group-based licensing in Azure Active Directory
PowerShell and Graph examples for group-based licensing in Azure AD
9/7/2020 • 13 minutes to read • Edit Online
Full functionality for group-based licensing is available through the Azure portal, and currently PowerShell and
Microsoft Graph support is limited to read-only operations. However, there are some useful tasks that can be
performed using the existing MSOnline PowerShell cmdlets and Microsoft Graph. This document provides
examples of what is possible.
NOTE
Before you begin running cmdlets, make sure you connect to your organization first, by running the
Connect-MsolService cmdlet.
WARNING
This code is provided as an example for demonstration purposes. If you intend to use it in your environment, consider
testing it first on a small scale, or in a separate test organization. You may have to adjust the code to meet the specific
needs of your environment.
Output:
SkuPartNumber
-------------
ENTERPRISEPREMIUM
EMSPREMIUM
NOTE
The data is limited to product (SKU) information. It is not possible to list the service plans disabled in the license.
Use the following sample to get the same data from Microsoft Graph.
GET https://graph.microsoft.com/v1.0/groups/99c4216a-56de-42c4-a4ac-e411cd8c7c41?$select=assignedLicenses
Output:
HTTP/1.1 200 OK
{
"value": [
{
"assignedLicenses": [
{
"accountId":"f1b45b40-57df-41f7-9596-7f2313883635",
"skuId":"c7df2760-2c81-4ef7-b578-5b5392b571df",
"disabledPlans":[]
},
{
"accountId":"f1b45b40-57df-41f7-9596-7f2313883635",
"skuId":" b05e124f-c7cc-45a0-a6aa-8cf78c946968",
"disabledPlans":[]
},
],
}
]
}
GET https://graph.microsoft.com/v1.0/groups?$filter=hasMembersWithLicenseErrors+eq+true
Output:
HTTP/1.1 200 OK
{
"value":[
{
"odata.type": "Microsoft.DirectoryServices.Group",
"objectType": "Group",
"id": "11151866-5419-4d93-9141-0603bbf78b42",
... # other group properties.
},
{
"odata.type": "Microsoft.DirectoryServices.Group",
"objectType": "Group",
"id": "c57cdc98-0dcd-4f90-a82f-c911b288bab9",
...
},
... # other groups with license errors.
]
"odata.nextLink":"https://graph.microsoft.com/v1.0/groups?$filter=hasMembersWithLicenseErrors+eq+true&$skipToken=<encodedPageToken>"
}
GET https://graph.microsoft.com/v1.0/groups/11151866-5419-4d93-9141-0603bbf78b42/membersWithLicenseErrors
Output:
HTTP/1.1 200 OK
{
"value":[
{
"odata.type": "Microsoft.DirectoryServices.User",
"objectType": "User",
"id": "6d325baf-22b7-46fa-a2fc-a2500613ca15",
... # other user properties.
},
... # other users.
],
"odata.nextLink":"https://graph.microsoft.com/v1.0/groups/11151866-5419-4d93-9141-0603bbf78b42/membersWithLicenseErrors?$skipToken=<encodedPageToken>"
}
NOTE
This script enumerates all users in the organization, which might not be optimal for large organizations.
Get-MsolUser -All | Where {$_.IndirectLicenseErrors } | % {
    $user = $_;
    $user.IndirectLicenseErrors | % {
        New-Object Object |
        Add-Member -NotePropertyName UserName -NotePropertyValue $user.DisplayName -PassThru |
        Add-Member -NotePropertyName UserId -NotePropertyValue $user.ObjectId -PassThru |
        Add-Member -NotePropertyName GroupId -NotePropertyValue $_.ReferencedObjectId -PassThru |
        Add-Member -NotePropertyName LicenseError -NotePropertyValue $_.Error -PassThru
    }
}
Output:
Here is another version of the script that searches only through groups that contain license errors. It may be
more optimized for scenarios where you expect to have few groups with problems.
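The following is an added example of that approach, not the documentation's own script: it walks only the groups Azure AD has flagged and reports the members whose license error points back at that group. It assumes Connect-MsolService has already been run, that Get-MsolGroup accepts -HasLicenseErrorsOnly, and that Get-MsolGroupMember output carries a GroupMemberType property.

```powershell
# Added example (not from the Azure AD docs): report license errors per group by walking only
# the groups that Azure AD has flagged, instead of enumerating every user in the organization.
# Assumes Connect-MsolService has already been run.
function Get-GroupLicenseErrorReport {
    # -HasLicenseErrorsOnly $true returns only groups with at least one member in an error state
    Get-MsolGroup -HasLicenseErrorsOnly $true | ForEach-Object {
        $group = $_
        # Skip non-user members (nested groups, service principals), which Get-MsolUser cannot
        # resolve, then fetch the full user object because IndirectLicenseErrors lives only there.
        Get-MsolGroupMember -All -GroupObjectId $group.ObjectId |
            Where-Object { $_.GroupMemberType -eq 'User' } |
            Get-MsolUser -ObjectId { $_.ObjectId } |
            ForEach-Object {
                $user = $_
                # Keep only the errors this group caused; the user may belong to other failing groups too.
                $user.IndirectLicenseErrors |
                    Where-Object { $_.ReferencedObjectId -eq $group.ObjectId } |
                    ForEach-Object {
                        [pscustomobject]@{
                            GroupName    = $group.DisplayName
                            GroupId      = $group.ObjectId
                            UserName     = $user.DisplayName
                            UserId       = $user.ObjectId
                            LicenseError = $_.Error
                        }
                    }
            }
    }
}

Get-GroupLicenseErrorReport | Format-Table -AutoSize
```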
#Returns TRUE if the user has the license assigned directly
function UserHasLicenseAssignedDirectly
{
    Param([Microsoft.Online.Administration.User]$user, [string]$skuId)
    foreach($license in $user.Licenses)
    {
        #we look for the specific license SKU in all licenses assigned to the user
        if ($license.AccountSkuId -ieq $skuId)
        {
            #GroupsAssigningLicense contains a collection of IDs of objects assigning the license
            #This could be a group object or a user object (contrary to what the name suggests)
            #If the collection is empty, this means the license is assigned directly - this is the case for users who have never been licensed via groups in the past
            if ($license.GroupsAssigningLicense.Count -eq 0)
            {
                return $true
            }
            #If the collection contains the ID of the user object, this means the license is assigned directly
            #Note: the license may also be assigned through one or more groups in addition to being assigned directly
            foreach ($assignmentSource in $license.GroupsAssigningLicense)
            {
                if ($assignmentSource -ieq $user.ObjectId)
                {
                    return $true
                }
            }
            return $false
        }
    }
    return $false
}
#Returns TRUE if the user is inheriting the license from a group
function UserHasLicenseAssignedFromGroup
{
    Param([Microsoft.Online.Administration.User]$user, [string]$skuId)
    foreach($license in $user.Licenses)
    {
        #we look for the specific license SKU in all licenses assigned to the user
        if ($license.AccountSkuId -ieq $skuId)
        {
            #GroupsAssigningLicense contains a collection of IDs of objects assigning the license
            #This could be a group object or a user object (contrary to what the name suggests)
            foreach ($assignmentSource in $license.GroupsAssigningLicense)
            {
                #If the collection contains at least one ID not matching the user ID this means that the license is inherited from a group.
                #Note: the license may also be assigned directly in addition to being inherited
                if ($assignmentSource -ine $user.ObjectId)
                {
                    return $true
                }
            }
            return $false
        }
    }
    return $false
}
This script executes those functions on each user in the organization, using the SKU ID as input - in this example
we are interested in the license for Enterprise Mobility + Security, which in our organization is represented with
ID contoso:EMS:
#the license SKU we are interested in. Use Get-MsolAccountSku to see a list of all identifiers in your organization
$skuId = "contoso:EMS"
Output:
Graph doesn’t have a straightforward way to show the result, but it can be seen from this API:
GET https://graph.microsoft.com/v1.0/users/e61ff361-5baf-41f0-b2fd-380a6a5e406a?$select=licenseAssignmentStates
Output:
HTTP/1.1 200 OK
{
"value":[
{
"odata.type": "Microsoft.DirectoryServices.User",
"objectType": "User",
"id": "e61ff361-5baf-41f0-b2fd-380a6a5e406a",
"licenseAssignmentState":[
{
"skuId": "157870f6-e050-4b3c-ad5e-0f0a377c8f4d",
"disabledPlans":[],
"assignedByGroup": null, # assigned directly.
"state": "Active",
"error": "None"
},
{
"skuId": "1f3174e2-ee9d-49e9-b917-e8d84650f895",
"disabledPlans":[],
"assignedByGroup": "e61ff361-5baf-41f0-b2fd-380a6a5e406a", # assigned by this group.
"state": "Active",
"error": "None"
},
{
"skuId": "240622ac-b9b8-4d50-94e2-dad19a3bf4b5",
"disabledPlans":[
"e61ff361-5baf-41f0-b2fd-380a6a5e406a"
],
"assignedByGroup": "e61ff361-5baf-41f0-b2fd-380a6a5e406a",
"state": "Active",
"error": "None"
},
{
"skuId": "240622ac-b9b8-4d50-94e2-dad19a3bf4b5",
"disabledPlans":[],
"assignedByGroup": null, # It is the same license as the previous one. It means the license is assigned directly once and inherited from group as well.
"state": " Active ",
"error": " None"
}
],
...
}
],
}
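To turn a licenseAssignmentStates payload like the one above into the direct-versus-group answer the PowerShell functions give, here is an added example that is not part of the documentation; it works offline on a constructed sample whose SKU, plan and group values are placeholders.

```powershell
# Added example (not from the Azure AD docs): summarize a Graph licenseAssignmentStates
# payload per SKU - is the license direct, inherited from groups, or both - and list the
# plans a user would lose if only the direct assignment were removed.
# $sampleUserJson is constructed for this example; every id below is a placeholder.
$sampleUserJson = @'
{
  "id": "user-0001",
  "licenseAssignmentStates": [
    { "skuId": "sku-direct-only", "disabledPlans": [], "assignedByGroup": null, "state": "Active", "error": "None" },
    { "skuId": "sku-group-only", "disabledPlans": ["plan-stream"], "assignedByGroup": "group-a", "state": "Active", "error": "None" },
    { "skuId": "sku-group-only", "disabledPlans": ["plan-stream", "plan-yammer"], "assignedByGroup": "group-b", "state": "Active", "error": "None" },
    { "skuId": "sku-both", "disabledPlans": ["plan-stream"], "assignedByGroup": "group-a", "state": "Active", "error": "None" },
    { "skuId": "sku-both", "disabledPlans": [], "assignedByGroup": null, "state": " Active ", "error": " None" },
    { "skuId": "sku-failed", "disabledPlans": [], "assignedByGroup": "group-c", "state": "Error", "error": "CountViolation" }
  ]
}
'@

function Get-LicenseSourceSummary {
    Param([Parameter(Mandatory)][string]$UserJson)

    $user = $UserJson | ConvertFrom-Json
    $bySku = [ordered]@{}

    foreach ($state in $user.licenseAssignmentStates) {
        if (-not $bySku.Contains($state.skuId)) {
            $bySku[$state.skuId] = [ordered]@{
                SkuId               = $state.skuId
                Direct              = $false
                DirectDisabledPlans = @()
                Groups              = @()
                GroupDisabledPlans  = $null   # stays $null until the first group assignment is seen
                Errors              = @()
            }
        }
        $entry = $bySku[$state.skuId]

        if ($null -eq $state.assignedByGroup) {
            # assignedByGroup is null for a direct assignment
            $entry['Direct'] = $true
            $entry['DirectDisabledPlans'] = @($state.disabledPlans)
        } else {
            $entry['Groups'] = @($entry.Groups) + $state.assignedByGroup
            # A plan stays enabled if any group enables it, so the plans disabled by the
            # group assignments as a whole are the intersection across all groups.
            if ($null -eq $entry.GroupDisabledPlans) {
                $entry['GroupDisabledPlans'] = @($state.disabledPlans)
            } else {
                $entry['GroupDisabledPlans'] = @($entry.GroupDisabledPlans | Where-Object { $state.disabledPlans -contains $_ })
            }
        }
        # Graph reports "None" when the assignment succeeded; values are trimmed because the
        # sample output above shows padded strings such as " None".
        if ($state.error -and $state.error.Trim() -ne 'None') {
            $entry['Errors'] = @($entry.Errors) + $state.error.Trim()
        }
    }

    foreach ($entry in $bySku.Values) {
        $entry['Source'] = if ($entry.Direct -and $entry.Groups.Count -gt 0) { 'DirectAndGroup' }
                           elseif ($entry.Direct) { 'DirectOnly' }
                           else { 'GroupOnly' }
        # Plans the direct assignment enables that no group assignment enables:
        # removing the direct license would switch these off for the user.
        $entry['PlansLostIfDirectRemoved'] = @()
        if ($entry.Source -eq 'DirectAndGroup') {
            $entry['PlansLostIfDirectRemoved'] = @($entry.GroupDisabledPlans | Where-Object { $entry.DirectDisabledPlans -notcontains $_ })
        }
        [pscustomobject]$entry
    }
}

# For the sample: sku-direct-only -> DirectOnly; sku-group-only -> GroupOnly (plan-stream disabled by
# both groups); sku-both -> DirectAndGroup, losing plan-stream if the direct license is removed;
# sku-failed -> GroupOnly with the CountViolation error recorded.
Get-LicenseSourceSummary -UserJson $sampleUserJson |
    Format-Table SkuId, Source, Groups, PlansLostIfDirectRemoved, Errors -AutoSize
```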
NOTE
It is important to first validate that the direct licenses to be removed do not enable more service functionality than the
inherited licenses. Otherwise, removing the direct license may disable access to services and data for users. Currently it is
not possible to check via PowerShell which services are enabled via inherited licenses vs direct. In the script, we specify the
minimum level of services we know are being inherited from groups and check against that to make sure users do not
unexpectedly lose access to services.
#If the collection contains the ID of the user object, this means the license is assigned directly
#Note: the license may also be assigned through one or more groups in addition to being assigned directly
foreach ($assignmentSource in $license.GroupsAssigningLicense)
{
if ($assignmentSource -ieq $user.ObjectId)
{
return $true
}
}
return $false
}
return $false
}
#Returns TRUE if the user is inheriting the license from a specific group
function UserHasLicenseAssignedFromThisGroup
{
    Param([Microsoft.Online.Administration.User]$user, [string]$skuId, [Guid]$groupId)
    foreach($license in $user.Licenses)
    {
        #we look for the specific license SKU in all licenses assigned to the user
        if ($license.AccountSkuId -ieq $skuId)
        {
            #GroupsAssigningLicense contains a collection of IDs of objects assigning the license
            #This could be a group object or a user object (contrary to what the name suggests)
            #Same pattern as the two functions above, but matching against the given group ID
            foreach ($assignmentSource in $license.GroupsAssigningLicense)
            {
                if ($assignmentSource -ieq $groupId)
                {
                    return $true
                }
            }
            return $false
        }
    }
    return $false
}
#Returns the license object corresponding to the skuId. Returns NULL if not found
function GetUserLicense
{
    Param([Microsoft.Online.Administration.User]$user, [string]$skuId, [Guid]$groupId)
    #we look for the specific license SKU in all licenses assigned to the user
    foreach($license in $user.Licenses)
    {
        if ($license.AccountSkuId -ieq $skuId)
        {
            return $license
        }
    }
    return $null
}
#produces a list of disabled service plan names for a set of plans we want to leave enabled
function GetDisabledPlansForSKU
{
Param([string]$skuId, [string[]]$enabledPlans)
return $disabledPlans
}
function GetUnexpectedEnabledPlansForUser
{
Param([Microsoft.Online.Administration.User]$user, [string]$skuId, [string[]]$expectedDisabledPlans)
$extraPlans = @();
#minimum set of service plans we know are inherited from groups - we want to make sure that there aren't any users who have more services enabled
#which could mean that they may lose access after we remove direct licenses
$servicePlansFromGroups = ("EXCHANGE_S_ENTERPRISE", "SHAREPOINTENTERPRISE", "OFFICESUBSCRIPTION")
#process all members in the group and get full info about each user in the group looping through group members.
Get-MsolGroupMember -All -GroupObjectId $groupId | Get-MsolUser -ObjectId {$_.ObjectId} | Foreach {
$user = $_;
$operationResult = "";
}
else
{
$operationResult = "User does not inherit this license from this group. License removal was skipped."
}
}
else
{
$operationResult = "User has no direct license to remove. Skipping."
}
#format output
New-Object Object |
Add-Member -NotePropertyName UserId -NotePropertyValue $user.ObjectId -PassThru |
Add-Member -NotePropertyName OperationResult -NotePropertyValue $operationResult -PassThru
} | Format-Table
#END: executing the script
Output:
UserId OperationResult
------ ---------------
7c7f860f-700a-462a-826c-f50633931362 Removed direct license from user.
0ddacdd5-0364-477d-9e4b-07eb6cdbc8ea User has extra plans that may be lost - license removal was skipped. Extra plans: SHAREPOINTWAC
aadbe4da-c4b5-4d84-800a-9400f31d7371 User has no direct license to remove. Skipping.
NOTE
Update the values of the variables $skuId and $groupId, which identify the license and group targeted for removal of direct
licenses, to match your test environment before running the above script.
Next steps
To learn more about the feature set for license management through groups, see the following articles:
What is group-based licensing in Azure Active Directory?
Assigning licenses to a group in Azure Active Directory
Identifying and resolving license problems for a group in Azure Active Directory
How to migrate individual licensed users to group-based licensing in Azure Active Directory
How to migrate users between product licenses using group-based licensing in Azure Active Directory
Azure Active Directory group-based licensing additional scenarios
PowerShell examples for group-based licensing in Azure Active Directory
Product names and service plan identifiers for licensing
9/7/2020 • 33 minutes to read • Edit Online
When managing licenses in the Azure portal or the Microsoft 365 admin center, you see product names that look
something like Office 365 E3. When you use PowerShell v1.0 cmdlets, the same product is identified using a
specific but less friendly name: ENTERPRISEPACK. When using PowerShell v2.0 cmdlets or Microsoft Graph, the
same product is identified using a GUID value: 6fd2c87f-b296-42f0-b197-1e91e994b900. The following table lists
the most commonly used Microsoft online service products and provides their various ID values. These tables are
for reference purposes and are accurate only as of the date when this article was last updated. Microsoft does not
plan to update them for newly added services periodically.
Product name: Used in management portals
String ID: Used by PowerShell v1.0 cmdlets when performing operations on licenses
GUID: GUID used by the Microsoft Graph API
Service plans included: A list of service plans in the product that correspond to the string ID and GUID
Service plans included (friendly names): A list of service plans (friendly names) in the product that
correspond to the string ID and GUID
NOTE
This information is accurate as of April 28, 2020.
Product name: SKYPE FOR BUSINESS ONLINE (PLAN 1)
String ID: MCOIMP
GUID: b8b749f8-a4ef-4887-9539-c95b1eaa5db7
Service plans included: MCOIMP (afc06cb0-b4f4-4473-8286-d644f70d8faf)
Service plans included (friendly names): SKYPE FOR BUSINESS ONLINE (PLAN 1) (afc06cb0-b4f4-4473-8286-d644f70d8faf)
NOTE
All service plans related to Azure Active Directory can now be assigned together, to the same user. This simplifies certain
license management scenarios, such as moving users from Azure AD Basic to Azure AD Premium P1.
SERVICE PLAN NAME GUID
CRMPLAN1 119cf168-b6cf-41fb-b82e-7fee7bae5814
CRMPLAN2 bf36ca64-95c6-4918-9275-eb9f4ce2c04f
CRMSTANDARD f9646fb2-e3b2-4309-95de-dc4833737456
DYN365_ENTERPRISE_CUSTOMER_SERVICE 99340b49-fb81-4b1e-976b-8f2ae8e9394f
DYN365_ENTERPRISE_P1 d56f3deb-50d8-465a-bedb-f079817ccac1
DYN365_ENTERPRISE_P1_IW 056a5f80-b4e0-4983-a8be-7ad254a113c9
DYN365_ENTERPRISE_SALES 2da8e897-7791-486b-b08f-cc63c8129df7
DYN365_ENTERPRISE_TEAM_MEMBERS 6a54b05e-4fab-40e7-9828-428db3b336fa
EMPLOYEE_SELF_SERVICE ba5f0cfa-d54a-4ea0-8cf4-a7e1dc4423d8
SERVICE PLAN NAME GUID
EXCHANGE_B_STANDARD 90927877-dcff-4af6-b346-2332c0b15bb7
EXCHANGE_L_STANDARD d42bdbd6-c335-4231-ab3d-c8f348d5aff5
EXCHANGE_S_ARCHIVE da040e0a-b393-4bea-bb76-928b3fa1cf5a
SERVICE PLAN NAME GUID
EXCHANGE_S_DESKLESS 4a82b400-a79f-41a4-b4e2-e94f5787b113
EXCHANGE_S_ENTERPRISE efb87545-963c-4e0d-99df-69c6916d9eb0
EXCHANGE_S_ESSENTIALS 1126bef5-da20-4f07-b45e-ad25d2581aa8
EXCHANGE_S_STANDARD 9aaf7827-d63c-4b61-89c3-182f06f82e5c
EXCHANGE_S_STANDARD_MIDMARKET fc52cc4b-ed7d-472d-bbe7-b081c23ecc56
Service: Intune
The following service plans cannot be assigned together:
SERVICE PLAN NAME GUID
INTUNE_A c1ec4a95-1f05-45b3-a911-aa3fa01094f5
INTUNE_A_VL 3e170737-c728-4eae-bbb9-3f3360f7184c
INTUNE_B 2dc63b8a-df3d-448f-b683-8655877c9360
SERVICE PLAN NAME GUID
ONEDRIVEENTERPRISE afcafa6a-d966-4462-918c-ec0b4e0fe642
SHAREPOINT_S_DEVELOPER a361d6e2-509e-4e25-a8ad-950060064ef4
SHAREPOINTDESKLESS 902b47e5-dcb2-4fdc-858b-c63a90a2bdb9
SHAREPOINTENTERPRISE 5dbe027f-2339-4123-9542-606e4d348a72
SHAREPOINTENTERPRISE_EDU 63038b2c-28d0-45f6-bc36-33062963b498
SHAREPOINTENTERPRISE_MIDMARKET 6b5b6a67-fc72-4a1f-a2b5-beecf05de761
SHAREPOINTLITE a1f3d0a8-84c0-4ae0-bae4-685917b8ab48
SHAREPOINTSTANDARD c7699d2e-19aa-44de-8edf-1736da088ca1
SHAREPOINTSTANDARD_EDU 0a4983bb-d3e5-4a09-95d8-b2d0127b3df5
SHAREPOINTSTANDARD_YAMMERSHADOW 4c9efd0c-8de7-4c71-8295-9f5fdb0dd048
MCOIMP afc06cb0-b4f4-4473-8286-d644f70d8faf
MCOSTANDARD_MIDMARKET b2669e95-76ef-4e7e-a367-002f60a39f3e
MCOSTANDARD 0feaeb32-d00e-4d66-bd5a-43b5b83db82c
MCOLITE 70710b6b-3ab4-4a38-9f6d-9f169461650a
SERVICE PLAN NAME GUID
MCOPSTN1 4ed3ff63-69d7-4fb7-b984-5aec7f605ca8
MCOPSTN2 5a10155d-f5c1-411a-a8ec-e99aae125390
MCOPSTN5 54a152dc-90de-4996-93d2-bc47e670fc06
Service: Yammer
The following service plans cannot be assigned together:
SERVICE PLAN NAME GUID
YAMMER_ENTERPRISE 7547a3fe-08ee-4ccb-b430-5077c5041653
YAMMER_EDU 2078e8df-cff6-4290-98cb-5408261a760a
YAMMER_MIDSIZE 41bf139a-4e60-409f-9346-a1361efc6dfb
Next steps
To learn more about the feature set for license management through groups, see the following:
What is group-based licensing in Azure Active Directory?
Assigning licenses to a group in Azure Active Directory
Identifying and resolving license problems for a group in Azure Active Directory
How to migrate individual licensed users to group-based licensing in Azure Active Directory
How to migrate users between product licenses using group-based licensing in Azure Active Directory
Azure Active Directory group-based licensing additional scenarios
PowerShell examples for group-based licensing in Azure AD
Administrator role permissions in Azure Active Directory
9/7/2020 • 82 minutes to read • Edit Online
Using Azure Active Directory (Azure AD), you can designate limited administrators to manage identity tasks in
less-privileged roles. Administrators can be assigned for such purposes as adding or changing users, assigning
administrative roles, resetting user passwords, managing user licenses, and managing domain names. The
default user permissions can be changed only in user settings in Azure AD.
Available roles
The following administrator roles are available:
Application Administrator
Users in this role can create and manage all aspects of enterprise applications, application registrations, and
application proxy settings. Note that users assigned to this role are not added as owners when creating new
application registrations or enterprise applications.
This role also grants the ability to consent to delegated permissions and application permissions, with the
exception of permissions on the Microsoft Graph API.
IMPORTANT
This exception means that you can still consent to permissions for other apps (for example, non-Microsoft apps or apps
that you have registered), but not to permissions on Azure AD itself. You can still request these permissions as part of
the app registration, but granting (that is, consenting to) these permissions requires an Azure AD admin. This means
that a malicious user cannot easily elevate their permissions, for example by creating and consenting to an app that can
write to the entire directory and through that app's permissions elevate themselves to become a global admin.
This role grants the ability to manage application credentials. Users assigned this role can add credentials to an
application, and use those credentials to impersonate the application’s identity. If the application’s identity has been
granted access to a resource, such as the ability to create or update User or other objects, then a user assigned to this
role could perform those actions while impersonating the application. This ability to impersonate the application’s
identity may be an elevation of privilege over what the user can do via their role assignments. It is important to
understand that assigning a user to the Application Administrator role gives them the ability to impersonate an
application’s identity.
Application Developer
Users in this role can create application registrations when the "Users can register applications" setting is set to
No. This role also grants permission to consent on one's own behalf when the "Users can consent to apps
accessing company data on their behalf" setting is set to No. Users assigned to this role are added as owners
when creating new application registrations or enterprise applications.
Authentication Administrator
Users with this role can set or reset non-password credentials for some users and can update passwords for all
users. Authentication administrators can require users who are non-administrators or assigned to some roles
to re-register against existing non-password credentials (for example, MFA or FIDO), and can also revoke
remember MFA on the device, which prompts for MFA on the next sign-in. These actions apply only to
users who are non-administrators or who are assigned one or more of the following roles:
Authentication Administrator
Directory Readers
Guest Inviter
Message Center Reader
Reports Reader
The Privileged authentication administrator role can force re-registration and multi-factor
authentication for all users.
IMPORTANT
Users with this role can change credentials for people who may have access to sensitive or private information or critical
configuration inside and outside of Azure Active Directory. Changing the credentials of a user may mean the ability to
assume that user's identity and permissions. For example:
Application Registration and Enterprise Application owners, who can manage credentials of apps they own. Those
apps may have privileged permissions in Azure AD and elsewhere not granted to Authentication Administrators.
Through this path an Authentication Administrator may be able to assume the identity of an application owner and
then further assume the identity of a privileged application by updating the credentials for the application.
Azure subscription owners, who may have access to sensitive or private information or critical configuration in Azure.
Security Group and Microsoft 365 group owners, who can manage group membership. Those groups may grant
access to sensitive or private information or critical configuration in Azure AD and elsewhere.
Administrators in other services outside of Azure AD like Exchange Online, Office Security and Compliance Center,
and human resources systems.
Non-administrators like executives, legal counsel, and human resources employees who may have access to sensitive
or private information.
IMPORTANT
This is a sensitive role. The keyset administrator role should be carefully audited and assigned with care during
pre-production and production.
B2C IEF Policy Administrator
Users in this role have the ability to create, read, update, and delete all custom policies in Azure AD B2C and
therefore have full control over the Identity Experience Framework in the relevant Azure AD B2C organization.
By editing policies, this user can establish direct federation with external identity providers, change the
directory schema, change all user-facing content (HTML, CSS, JavaScript), change the requirements to
complete an authentication, create new users, send user data to external systems including full migrations, and
edit all user information including sensitive fields like passwords and phone numbers. Conversely, this role
cannot change the encryption keys or edit the secrets used for federation in the organization.
IMPORTANT
The B2C IEF Policy Administrator is a highly sensitive role which should be assigned on a very limited basis for
organizations in production. Activities by these users should be closely audited, especially for organizations in
production.
Billing Administrator
Makes purchases, manages subscriptions, manages support tickets, and monitors service health.
Cloud Application Administrator
Users in this role have the same permissions as the Application Administrator role, excluding the ability to
manage application proxy. This role grants the ability to create and manage all aspects of enterprise
applications and application registrations. This role also grants the ability to consent to delegated permissions,
and application permissions excluding Microsoft Graph and Azure AD Graph. Users assigned to this role are
not added as owners when creating new application registrations or enterprise applications.
IMPORTANT
This role grants the ability to manage application credentials. Users assigned this role can add credentials to an
application, and use those credentials to impersonate the application’s identity. If the application’s identity has been
granted access to a resource, such as the ability to create or update User or other objects, then a user assigned to this
role could perform those actions while impersonating the application. This ability to impersonate the application’s
identity may be an elevation of privilege over what the user can do via their role assignments. It is important to
understand that assigning a user to the Cloud Application Administrator role gives them the ability to impersonate an
application’s identity.
In | Can do
Microsoft 365 compliance center | Protect and manage your organization's data across Microsoft 365 services
Microsoft 365 compliance center | Manage compliance alerts
Cloud App Security | Has read-only permissions and can manage alerts
Cloud App Security | Can create and modify file policies and allow file governance actions
Cloud App Security | Can view all the built-in reports under Data Management
In | Can do
Microsoft 365 compliance center | Monitor compliance-related policies across Microsoft 365 services
Microsoft 365 compliance center | Manage compliance alerts
Cloud App Security | Has read-only permissions and can manage alerts
Cloud App Security | Can create and modify file policies and allow file governance actions
Cloud App Security | Can view all the built-in reports under Data Management
NOTE
To deploy Exchange ActiveSync Conditional Access policy in Azure, the user must also be a Global Administrator.
Customer Lockbox access approver
Manages Customer Lockbox requests in your organization. They receive email notifications for Customer
Lockbox requests and can approve and deny requests from the Microsoft 365 admin center. They can also turn
the Customer Lockbox feature on or off. Only global admins can reset the passwords of people assigned to this
role.
Desktop Analytics Administrator
Users in this role can manage the Desktop Analytics and Office Customization & Policy services. For Desktop
Analytics, this includes the ability to view asset inventory, create deployment plans, view deployment and
health status. For Office Customization & Policy service, this role enables users to manage Office policies.
Device Administrators
This role is available for assignment only as an additional local administrator in Device settings. Users with this
role become local machine administrators on all Windows 10 devices that are joined to Azure Active Directory.
They do not have the ability to manage device objects in Azure Active Directory.
Directory Readers
Users in this role can read basic directory information. This role should be used for:
Granting a specific set of guest users read access instead of granting it to all guest users.
Granting a specific set of non-admin users access to Azure portal when "Restrict access to Azure AD portal
to admins only" is set to "Yes".
Granting service principals access to directory where Directory.Read.All is not an option.
Directory Synchronization Accounts
Do not use. This role is automatically assigned to the Azure AD Connect service, and is not intended or
supported for any other use.
Directory Writers
Users in this role can read and update basic information of users, groups, and service principals. Assign this
role only to applications that don’t support the Consent Framework. It should not be assigned to any users.
Dynamics 365 administrator / CRM Administrator
Users with this role have global permissions within Microsoft Dynamics 365 Online, when the service is
present, as well as the ability to manage support tickets and monitor service health. More information at Use
the service admin role to manage your Azure AD organization.
NOTE
In the Microsoft Graph API and Azure AD PowerShell, this role is identified as "Dynamics 365 Service Administrator." It is
"Dynamics 365 Administrator" in the Azure portal.
Exchange Administrator
Users with this role have global permissions within Microsoft Exchange Online, when the service is present.
Also has the ability to create and manage all Microsoft 365 groups, manage support tickets, and monitor
service health. More information at About Office 365 admin roles.
NOTE
In the Microsoft Graph API and Azure AD PowerShell, this role is identified as "Exchange Service Administrator." It is
"Exchange Administrator" in the Azure portal. It is "Exchange Online administrator" in the Exchange admin center.
NOTE
In the Microsoft Graph API and Azure AD PowerShell, this role is identified as "Company Administrator". It is "Global
Administrator" in the Azure portal.
Global Reader
Users in this role can read settings and administrative information across Microsoft 365 services but can't take
management actions. Global reader is the read-only counterpart to Global administrator. Assign Global reader
instead of Global administrator for planning, audits, or investigations. Use Global reader in combination with
other limited admin roles like Exchange Administrator to make it easier to get work done without the assigning
the Global Administrator role. Global reader works with Microsoft 365 admin center, Exchange admin center,
SharePoint admin center, Teams admin center, Security center, Compliance center, Azure AD admin center, and
Device Management admin center.
NOTE
Global reader role has a few limitations right now -
OneDrive admin center - OneDrive admin center does not support the Global reader role
M365 admin center - Global reader can't read customer lockbox requests. You won't find the Customer lockbox
requests tab under Support in the left pane of M365 Admin Center.
Office Security & Compliance Center - Global reader can't read SCC audit logs, do content search, or see Secure
Score.
Teams admin center - Global reader cannot read Teams lifecycle, Analytics & reports, IP phone device
management and App catalog.
Privileged Access Management (PAM) doesn't support the Global reader role.
Azure Information Protection - Global reader is supported for central reporting only, and when your Azure AD
organization isn't on the unified labeling platform.
These features are currently in development.
Groups Administrator
Users in this role can create and manage groups and their settings, like naming and expiration policies. It is
important to understand that assigning a user to this role gives them the ability to manage all groups in the
organization across various workloads like Teams, SharePoint, and Yammer in addition to Outlook. The user will
also be able to manage group settings across various admin portals like Microsoft Admin Center and the Azure
portal, as well as workload-specific ones like the Teams and SharePoint Admin Centers.
Guest Inviter
Users in this role can manage Azure Active Directory B2B guest user invitations when the "Members can
invite" user setting is set to No. More information about B2B collaboration at About Azure AD B2B
collaboration. It does not include any other permissions.
Helpdesk Administrator
Users with this role can change passwords, invalidate refresh tokens, manage service requests, and monitor
service health. Invalidating a refresh token forces the user to sign in again. Helpdesk administrators can reset
passwords and invalidate refresh tokens of other users who are non-administrators or assigned the following
roles only:
Directory Readers
Guest Inviter
Helpdesk Administrator
Message Center Reader
Password Administrator
Reports Reader
IMPORTANT
Users with this role can change passwords for people who may have access to sensitive or private information or critical
configuration inside and outside of Azure Active Directory. Changing the password of a user may mean the ability to
assume that user's identity and permissions. For example:
Application Registration and Enterprise Application owners, who can manage credentials of apps they own. Those
apps may have privileged permissions in Azure AD and elsewhere not granted to Helpdesk Administrators. Through
this path a Helpdesk Administrator may be able to assume the identity of an application owner and then further
assume the identity of a privileged application by updating the credentials for the application.
Azure subscription owners, who might have access to sensitive or private information or critical configuration in
Azure.
Security Group and Microsoft 365 group owners, who can manage group membership. Those groups may grant
access to sensitive or private information or critical configuration in Azure AD and elsewhere.
Administrators in other services outside of Azure AD like Exchange Online, Office Security and Compliance Center,
and human resources systems.
Non-administrators like executives, legal counsel, and human resources employees who may have access to sensitive
or private information.
Delegating administrative permissions over subsets of users and applying policies to a subset of users is
possible with Administrative Units (now in public preview).
This role was previously called "Password Administrator" in the Azure portal. The "Helpdesk Administrator"
name in Azure AD now matches its name in Azure AD PowerShell and the Microsoft Graph API.
Hybrid Identity Administrator
Users in this role can enable, configure and manage services and settings related to enabling hybrid identity in
Azure AD. This role grants the ability to configure Azure AD to one of the three supported authentication
methods, Password hash synchronization (PHS), Pass-through authentication (PTA) or Federation (AD FS or 3rd
party federation provider), and to deploy related on-premises infrastructure to enable them. On-prem
infrastructure includes Provisioning and PTA agents. This role grants the ability to enable Seamless Single
Sign-On (S-SSO) to enable seamless authentication on non-Windows 10 devices or non-Windows Server
2016 computers. In addition, this role grants the ability to see sign-in logs and access to health and analytics
for monitoring and troubleshooting purposes.
Insights Administrator
Users in this role can access the full set of administrative capabilities in the M365 Insights application. This role
has the ability to read directory information, monitor service health, file support tickets, and access the Insights
admin settings aspects.
Insights Business Leader
Users in this role can access a set of dashboards and insights via the M365 Insights application. This includes
full access to all dashboards and presented insights and data exploration functionality. Users in this role do not
have access to product configuration settings, which is the responsibility of the Insights Admin role.
Intune Administrator
Users with this role have global permissions within Microsoft Intune Online, when the service is present.
Additionally, this role contains the ability to manage users and devices in order to associate policy, as well as
create and manage groups. More information at Role-based administration control (RBAC) with Microsoft
Intune.
This role can create and manage all security groups. However, Intune Admin does not have admin rights over
Office groups. That means the admin cannot update owners or memberships of all Office groups in the
organization. However, Intune Administrators can manage the Office groups they create themselves, which is
part of their end-user privileges. So, any Office group (not security group) they create counts against their
quota of 250.
NOTE
In the Microsoft Graph API and Azure AD PowerShell, this role is identified as "Intune Service Administrator." It is "Intune
Administrator" in the Azure portal.
Kaizala Administrator
Users with this role have global permissions to manage settings within Microsoft Kaizala, when the service is
present, as well as the ability to manage support tickets and monitor service health. Additionally, the user can
access reports related to adoption & usage of Kaizala by Organization members and business reports
generated using the Kaizala actions.
License Administrator
Users in this role can add, remove, and update license assignments on users, groups (using group-based
licensing), and manage the usage location on users. The role does not grant the ability to purchase or manage
subscriptions, create or manage groups, or create or manage users beyond the usage location. This role has no
access to view, create, or manage support tickets.
Message Center Privacy Reader
Users in this role can monitor all notifications in the Message Center, including data privacy messages.
Message Center Privacy Readers get email notifications including those related to data privacy and they can
unsubscribe using Message Center Preferences. Only the Global Administrator and the Message Center
Privacy Reader can read data privacy messages. Additionally, this role contains the ability to view groups,
domains, and subscriptions. This role has no permission to view, create, or manage service requests.
Message Center Reader
Users in this role can monitor notifications and advisory health updates in Office 365 Message center for their
organization on configured services such as Exchange, Intune, and Microsoft Teams. Message Center Readers
receive weekly email digests of posts, updates, and can share message center posts in Office 365. In Azure AD,
users assigned to this role will only have read-only access on Azure AD services such as users and groups. This
role has no access to view, create, or manage support tickets.
Modern Commerce User
Do not use. This role is automatically assigned from Commerce, and is not intended or supported for any other
use. See details below.
The Modern Commerce User role gives certain users permission to access Microsoft 365 admin center and see
the left navigation entries for Home, Billing, and Support. The content available in these areas is controlled
by commerce-specific roles assigned to users to manage products that they bought for themselves or your
organization. This might include tasks like paying bills, or for access to billing accounts and billing profiles.
Users with the Modern Commerce User role typically have administrative permissions in other Microsoft
purchasing systems, but do not have Global administrator or Billing administrator roles used to access the
admin center.
When is the Modern Commerce User role assigned?
Self-service purchase in Microsoft 365 admin center – Self-service purchase gives users a chance to
try out new products by buying or signing up for them on their own. These products are managed in the
admin center. Users who make a self-service purchase are assigned a role in the commerce system, and the
Modern Commerce User role so they can manage their purchases in admin center. Admins can block
self-service purchases (for Power BI, Power Apps, Power Automate) through PowerShell. For more information,
see Self-service purchase FAQ.
Purchases from Microsoft commercial marketplace – Similar to self-service purchase, when a user
buys a product or service from Microsoft AppSource or Azure Marketplace, the Modern Commerce User
role is assigned if they don’t have the Global admin or Billing admin role. In some cases, users might be
blocked from making these purchases. For more information, see Microsoft commercial marketplace.
Proposals from Microsoft – A proposal is a formal offer from Microsoft for your organization to buy
Microsoft products and services. When the person who is accepting the proposal doesn’t have a Global
admin or Billing admin role in Azure AD, they are assigned both a commerce-specific role to complete the
proposal and the Modern Commerce User role to access admin center. When they access the admin center
they can only use features that are authorized by their commerce-specific role.
Commerce-specific roles – Some users are assigned commerce-specific roles. If a user isn't a Global or
Billing admin, they get the Modern Commerce User role so they can access the admin center.
If the Modern Commerce User role is unassigned from a user, they lose access to Microsoft 365 admin center.
If they were managing any products, either for themselves or for your organization, they won’t be able to
manage them. This might include assigning licenses, changing payment methods, paying bills, or other tasks
for managing subscriptions.
Network Administrator
Users in this role can review network perimeter architecture recommendations from Microsoft that are based
on network telemetry from their user locations. Network performance for Office 365 relies on careful
enterprise customer network perimeter architecture, which is generally user location specific. This role allows
for editing of discovered user locations and configuration of network parameters for those locations to
facilitate improved telemetry measurements and design recommendations.
Office Apps Administrator
Users in this role can manage Office 365 apps' cloud settings. This includes managing cloud policies,
self-service download management, and the ability to view Office apps-related reports. This role additionally
grants the ability to manage support tickets and monitor service health within the main admin center. Users
assigned to this role can also manage communication of new features in Office apps.
Partner Tier1 Support
Do not use. This role has been deprecated and will be removed from Azure AD in the future. This role is
intended for use by a small number of Microsoft resale partners, and is not intended for general use.
Partner Tier2 Support
Do not use. This role has been deprecated and will be removed from Azure AD in the future. This role is
intended for use by a small number of Microsoft resale partners, and is not intended for general use.
Password Administrator
Users with this role have limited ability to manage passwords. This role does not grant the ability to manage
service requests or monitor service health. Password administrators can reset passwords of other users who
are non-administrators or members of the following roles only:
Directory Readers
Guest Inviter
Password Administrator
Power BI Administrator
Users with this role have global permissions within Microsoft Power BI, when the service is present, as well as
the ability to manage support tickets and monitor service health. More information at Understanding the
Power BI admin role.
NOTE
In the Microsoft Graph API and Azure AD PowerShell, this role is identified as "Power BI Service Administrator". It is
"Power BI Administrator" in the Azure portal.
IMPORTANT
This role grants the ability to manage assignments for all Azure AD roles including the Global Administrator role. This
role does not include any other privileged abilities in Azure AD like creating or updating users. However, users assigned
to this role can grant themselves or others additional privilege by assigning additional roles.
Reports Reader
Users with this role can view usage reporting data and the reports dashboard in Microsoft 365 admin center
and the adoption context pack in Power BI. Additionally, the role provides access to sign-in reports and activity
in Azure AD and data returned by the Microsoft Graph reporting API. A user assigned to the Reports Reader
role can access only relevant usage and adoption metrics. They don't have any admin permissions to configure
settings or access the product-specific admin centers like Exchange. This role has no access to view, create, or
manage support tickets.
Search Administrator
Users in this role have full access to all Microsoft Search management features in the Microsoft 365 admin
center. Additionally, these users can view the message center, monitor service health, and create service
requests.
Search Editor
Users in this role can create, manage, and delete content for Microsoft Search in the Microsoft 365 admin
center, including bookmarks, Q&As, and locations.
Security Administrator
Users with this role have permissions to manage security-related features in the Microsoft 365 security center,
Azure Active Directory Identity Protection, Azure Active Directory Authentication, Azure Information Protection,
and Office 365 Security & Compliance Center. More information about Office 365 permissions is available at
Permissions in the Office 365 Security & Compliance Center.
In | Can do
Microsoft 365 security center | Monitor security-related policies across Microsoft 365 services
Microsoft 365 security center | Manage security threats and alerts
Microsoft 365 security center | View reports
Azure Advanced Threat Protection | Monitor and respond to suspicious security activity
Cloud App Security | Add admins, add policies and settings, upload logs and perform governance actions
Azure Security Center | Can view security policies, view security states, edit security policies, view alerts and recommendations, dismiss alerts and recommendations
Office 365 service health | View the health of Office 365 services
Smart lockout | Define the threshold and duration for lockouts when failed sign-in events happen.
Security operator
Users with this role can manage alerts and have global read-only access on security-related features, including
all information in Microsoft 365 security center, Azure Active Directory, Identity Protection, Privileged Identity
Management and Office 365 Security & Compliance Center. More information about Office 365 permissions is
available at Permissions in the Office 365 Security & Compliance Center.
In | Can do
Microsoft 365 security center | All permissions of the Security Reader role
Microsoft 365 security center | View, investigate, and respond to security threat alerts
Office 365 Security & Compliance Center | All permissions of the Security Reader role
Office 365 Security & Compliance Center | View, investigate, and respond to security alerts
Windows Defender ATP and EDR | All permissions of the Security Reader role
Windows Defender ATP and EDR | View, investigate, and respond to security alerts
Office 365 service health | View the health of Office 365 services
Security Reader
Users with this role have global read-only access on security-related features, including all information in
Microsoft 365 security center, Azure Active Directory, Identity Protection, Privileged Identity Management, as
well as the ability to read Azure Active Directory sign-in reports and audit logs, and in Office 365 Security &
Compliance Center. More information about Office 365 permissions is available at Permissions in the Office
365 Security & Compliance Center.
In | Can do
Microsoft 365 security center | View security-related policies across Microsoft 365 services
Microsoft 365 security center | View security threats and alerts
Microsoft 365 security center | View reports
Identity Protection Center | Read all security reports and settings information for security features: anti-spam, encryption, data loss prevention, anti-malware, advanced threat protection, anti-phishing, mail flow rules
Privileged Identity Management | Has read-only access to all information surfaced in Azure AD Privileged Identity Management: policies and reports for Azure AD role assignments and security reviews. Cannot sign up for Azure AD Privileged Identity Management or make any changes to it. In the Privileged Identity Management portal or via PowerShell, someone in this role can activate additional roles (for example, Global Admin or Privileged Role Administrator), if the user is eligible for them.
Windows Defender ATP and EDR | View and investigate alerts. When you turn on role-based access control in Windows Defender ATP, users with read-only permissions such as the Azure AD Security reader role lose access until they are assigned to a Windows Defender ATP role.
Cloud App Security | Has read-only permissions and can manage alerts
Azure Security Center | Can view recommendations and alerts, view security policies, view security states, but cannot make changes
Office 365 service health | View the health of Office 365 services
NOTE
Previously, this role was called "Service Administrator" in Azure portal and Microsoft 365 admin center. We have
renamed it to "Service Support Administrator" to align with the existing name in Microsoft Graph API, Azure AD Graph
API, and Azure AD PowerShell.
SharePoint Administrator
Users with this role have global permissions within Microsoft SharePoint Online, when the service is present,
as well as the ability to create and manage all Microsoft 365 groups, manage support tickets, and monitor
service health. More information at About admin roles.
NOTE
In the Microsoft Graph API and Azure AD PowerShell, this role is identified as "SharePoint Service Administrator." It is
"SharePoint Administrator" in the Azure portal.
NOTE
This role also grants scoped permissions to the Microsoft Graph API for Microsoft Intune, allowing the management and
configuration of policies related to SharePoint and OneDrive resources.
NOTE
In the Microsoft Graph API and Azure AD PowerShell, this role is identified as "Lync Service Administrator." It is "Skype
for Business Administrator" in the Azure portal.
Permission: Only on users who are non-admins or in any of the following limited admin roles: Directory Readers,
Groups Administrator, Guest Inviter, Helpdesk Administrator, Message Center Reader, Password Administrator,
Reports Reader, User Administrator
Can do:
Delete and restore
Disable and enable
Invalidate refresh tokens
Manage all user properties including User Principal Name
Reset password
Update (FIDO) device keys
IMPORTANT
Users with this role can change passwords for people who may have access to sensitive or private information or critical
configuration inside and outside of Azure Active Directory. Changing the password of a user may mean the ability to
assume that user's identity and permissions. For example:
Application Registration and Enterprise Application owners, who can manage credentials of apps they own. Those
apps may have privileged permissions in Azure AD and elsewhere not granted to User Administrators. Through this
path a User Administrator may be able to assume the identity of an application owner and then further assume the
identity of a privileged application by updating the credentials for the application.
Azure subscription owners, who may have access to sensitive or private information or critical configuration in Azure.
Security Group and Microsoft 365 group owners, who can manage group membership. Those groups may grant
access to sensitive or private information or critical configuration in Azure AD and elsewhere.
Administrators in other services outside of Azure AD like Exchange Online, Office Security and Compliance Center,
and human resources systems.
Non-administrators like executives, legal counsel, and human resources employees who may have access to sensitive
or private information.
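The Authentication Administrator, Helpdesk Administrator, Password Administrator and User Administrator roles above each act only on non-administrators or on holders of a fixed list of roles, and each carries the same IMPORTANT callout: an in-scope user may own applications or groups that reach further than the admin role itself. The Python script below is an added example, not part of the Azure AD documentation, that encodes those four scope lists from this page and audits a constructed directory export for in-scope users who own apps or groups. The export format, the user names and the owns_apps/owns_groups fields are assumptions; for Authentication Administrator the page scopes the listed roles to non-password credential actions (re-registration, revoking remembered MFA), so the same check applies there.

```python
"""Audit which users a limited admin role can act on, and flag those who
own applications or groups (the escalation path the IMPORTANT callouts
describe). Added example; directory data below is constructed."""

# Target roles each limited admin role may act on, as listed in the role
# reference on this page. An empty role set means "non-administrator".
CREDENTIAL_SCOPE = {
    "Authentication Administrator": {
        "Authentication Administrator", "Directory Readers", "Guest Inviter",
        "Message Center Reader", "Reports Reader",
    },
    "Helpdesk Administrator": {
        "Directory Readers", "Guest Inviter", "Helpdesk Administrator",
        "Message Center Reader", "Password Administrator", "Reports Reader",
    },
    "Password Administrator": {
        "Directory Readers", "Guest Inviter", "Password Administrator",
    },
    "User Administrator": {
        "Directory Readers", "Groups Administrator", "Guest Inviter",
        "Helpdesk Administrator", "Message Center Reader",
        "Password Administrator", "Reports Reader", "User Administrator",
    },
}


def in_scope(admin_role, target_roles):
    """True if a holder of admin_role may act on a user holding target_roles.

    Modelled as: every role the target holds must be in the allowed list
    (so a non-administrator with no roles is always in scope, and a single
    out-of-list role such as Global Administrator takes the user out)."""
    return set(target_roles) <= CREDENTIAL_SCOPE[admin_role]


def roles_that_can_reset(target_roles):
    """Which of the four limited roles may act on a user with target_roles."""
    return sorted(r for r in CREDENTIAL_SCOPE if in_scope(r, target_roles))


# Constructed directory export (assumed shape, not real tenant data):
# user -> directory roles held, owned app registrations, owned groups.
USERS = {
    "alice": {"roles": set(), "owns_apps": ["payroll-sync"], "owns_groups": []},
    "bob":   {"roles": {"Global Administrator"}, "owns_apps": [], "owns_groups": []},
    "carol": {"roles": {"Reports Reader"}, "owns_apps": [], "owns_groups": ["sg-finance-admins"]},
    "dave":  {"roles": {"Groups Administrator"}, "owns_apps": [], "owns_groups": []},
    "erin":  {"roles": set(), "owns_apps": [], "owns_groups": []},
}


def high_value_targets(admin_role, users=USERS):
    """Users inside admin_role's scope who also own apps or groups.

    These are the accounts to move behind a protected role, monitor for
    credential resets, or review ownership of."""
    hits = []
    for name, u in sorted(users.items()):
        owns_something = bool(u["owns_apps"] or u["owns_groups"])
        if owns_something and in_scope(admin_role, u["roles"]):
            hits.append(name)
    return hits


if __name__ == "__main__":
    for role in CREDENTIAL_SCOPE:
        print(f"{role}: reachable owners -> {high_value_targets(role)}")
```

Running the script prints, for each limited role, the owners it could reach; a Global Administrator (bob) is never in scope, while an app-owning non-administrator (alice) is reachable from all four roles. The same data lets you answer the reverse question with roles_that_can_reset: given one user's roles, which limited admin roles can touch their credentials.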
Role Permissions
The following tables describe the specific permissions in Azure Active Directory given to each role. Some roles
may have additional permissions in Microsoft services outside of Azure Active Directory.
Application Administrator permissions
Can create and manage all aspects of app registrations and enterprise apps.
NOTE
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
NOTE
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description
microsoft.aad.b2c/trustFramework/keySets/allTasks | Read and configure key sets in Azure Active Directory B2C.
NOTE
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
NOTE
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description
microsoft.aad.cloudAppSecurity/allEntities/allTasks | Create and delete all resources, and read and update standard properties in microsoft.aad.cloudAppSecurity.
microsoft.directory/applications/allProperties/allTasks | Create and delete applications, and read and update all properties in Azure Active Directory.
microsoft.directory/contacts/allProperties/allTasks | Create and delete contacts, and read and update all properties in Azure Active Directory.
microsoft.directory/contracts/allProperties/allTasks | Create and delete contracts, and read and update all properties in Azure Active Directory.
microsoft.directory/devices/allProperties/allTasks | Create and delete devices, and read and update all properties in Azure Active Directory.
microsoft.directory/directoryRoles/allProperties/allTasks | Create and delete directoryRoles, and read and update all properties in Azure Active Directory.
microsoft.directory/domains/allProperties/allTasks | Create and delete domains, and read and update all properties in Azure Active Directory.
microsoft.directory/groups/allProperties/allTasks | Create and delete groups, and read and update all properties in Azure Active Directory.
microsoft.directory/groupSettings/allProperties/allTasks | Create and delete groupSettings, and read and update all properties in Azure Active Directory.
microsoft.directory/organization/allProperties/allTasks | Create and delete organization, and read and update all properties in Azure Active Directory.
microsoft.directory/policies/allProperties/allTasks | Create and delete policies, and read and update all properties in Azure Active Directory.
microsoft.directory/roleAssignments/allProperties/allTasks | Create and delete roleAssignments, and read and update all properties in Azure Active Directory.
microsoft.directory/roleDefinitions/allProperties/allTasks | Create and delete roleDefinitions, and read and update all properties in Azure Active Directory.
microsoft.directory/servicePrincipals/allProperties/allTasks | Create and delete servicePrincipals, and read and update all properties in Azure Active Directory.
microsoft.directory/subscribedSkus/allProperties/allTasks | Create and delete subscribedSkus, and read and update all properties in Azure Active Directory.
microsoft.directory/users/allProperties/allTasks | Create and delete users, and read and update all properties in Azure Active Directory.
microsoft.aad.identityProtection/allEntities/allTasks | Create and delete all resources, and read and update standard properties in microsoft.aad.identityProtection.
microsoft.office365.securityComplianceCenter/allEntities/allTasks | Create and delete all resources, and read and update standard properties in microsoft.office365.securityComplianceCenter.
microsoft.office365.sharepoint/allEntities/allTasks | Create and delete all resources, and read and update standard properties in microsoft.office365.sharepoint.
ACTIONS DESCRIPTION
microsoft.directory/domains/allTasks Create and delete domains, and read and update standard properties in Azure Active Directory.
ACTIONS DESCRIPTION
microsoft.azure.print/allEntities/allProperties/allTasks Create and delete printers and connectors, and read and update all properties in Microsoft Print.
ACTIONS DESCRIPTION
microsoft.directory/privilegedIdentityManagement/allEntities/allTasks Create and delete all resources, and read and update standard properties in microsoft.aad.privilegedIdentityManagement.
ACTIONS DESCRIPTION
microsoft.office365.search/allEntities/allProperties/allTasks Create and delete all resources, and read and update all properties in microsoft.office365.search.
ACTIONS DESCRIPTION
microsoft.office365.search/content/allProperties/allTasks Create and delete content, and read and update all properties in microsoft.office365.search.
ACTIONS DESCRIPTION
microsoft.office365.sharepoint/allEntities/allTasks Create and delete all resources, and read and update standard properties in microsoft.office365.sharepoint.
Deprecated roles
The following roles should not be used. They have been deprecated and will be removed from Azure AD in the
future.
AdHoc License Administrator
Device Join
Device Managers
Device Users
Email Verified User Creator
Mailbox Administrator
Workplace Device Join
Roles not shown in the portal
Not every role returned by PowerShell or the MS Graph API is visible in the Azure portal. The following table
organizes those differences.
Azure AD role (PowerShell / Graph) | Azure portal name | Notes
CRM Service Administrator | Dynamics 365 administrator | Reflects current product branding
Directory Synchronization Accounts | Not shown because it shouldn't be used | Directory Synchronization Accounts documentation
Lync Service Administrator | Skype for Business administrator | Reflects current product branding
Partner Tier 1 Support | Not shown because it shouldn't be used | Partner Tier1 Support documentation
Partner Tier 2 Support | Not shown because it shouldn't be used | Partner Tier2 Support documentation
Next steps
To learn more about how to assign a user as an administrator of an Azure subscription, see Add or remove
Azure role assignments (Azure RBAC)
To learn more about how resource access is controlled in Microsoft Azure, see Understand the different
roles
For details on the relationship between subscriptions and an Azure AD tenant, or for instructions to
associate or add a subscription, see Associate or add an Azure subscription to your Azure Active Directory
tenant
View and assign administrator roles in Azure Active Directory
9/7/2020 • 2 minutes to read
You can now see and manage all the members of the administrator roles in the Azure Active Directory portal. If
you frequently manage role assignments, you will probably prefer this experience. And if you ever wondered
“What the heck do these roles really do?”, you can see a detailed list of permissions for each of the Azure AD
administrator roles.
View my roles
It's easy to view your own permissions as well. Select Your Role on the Roles and administrators page to see
the roles that are currently assigned to you.
If you are a Global Administrator or a Privileged Role Administrator, you can easily add or remove members, filter
the list, or select a member to see their active assigned roles.
NOTE
If you have an Azure AD Premium P2 license and you already use Privileged Identity Management, all role management
tasks are performed in Privileged Identity Management and not in Azure AD.
Assign a role
1. Sign in to the Azure portal with Global Administrator or Privileged Role Administrator permissions and
select Azure Active Directory.
2. Select Roles and administrators to see the list of all available roles.
3. Select a role to see its assignments.
4. Select Add assignments and select the roles you want to assign. You can select Manage in PIM for
additional management capabilities. If you see something different from the following picture, read the
Note in View assignments for privileged roles to verify whether you're in PIM.
Next steps
Feel free to share with us on the Azure AD administrative roles forum.
For more about roles and Administrator role assignment, see Assign administrator roles.
For default user permissions, see a comparison of default guest and member user permissions.
Custom administrator roles in Azure Active Directory (preview)
9/7/2020 • 5 minutes to read
This article describes Azure AD custom roles in Azure Active Directory (Azure AD) in terms of role-based access
control and resource scopes. Custom Azure AD roles surface the underlying permissions of the built-in roles, so that
you can create and organize your own custom roles. This approach allows you to grant access in a more granular
way than built-in roles, whenever that is needed. This first release of Azure AD custom roles includes the ability to
create a role to assign permissions for managing app registrations. Over time, additional permissions for
organization resources like enterprise applications, users, and devices will be added.
Additionally, Azure AD custom roles support assignments on a per-resource basis, in addition to the more
traditional organization-wide assignments. This approach gives you the ability to grant access to manage some
resources (for example, one app registration) without giving access to all resources (all app registrations).
Azure AD role-based access control is a public preview feature of Azure AD and is available with any paid Azure AD
license plan. For more information about previews, see Supplemental Terms of Use for Microsoft Azure Previews.
Security principal
A security principal represents the user that is to be assigned access to Azure AD resources. A user is an individual
who has a user profile in Azure Active Directory.
Role
A role definition, or role, is a collection of permissions. A role definition lists the operations that can be performed
on Azure AD resources, such as create, read, update, and delete. There are two types of roles in Azure AD:
Built-in roles created by Microsoft that can't be changed.
Custom roles created and managed by your organization.
Scope
A scope is the restriction of permitted actions to a particular Azure AD resource as part of a role assignment. When
you assign a role, you can specify a scope that limits the administrator's access to a specific resource. For example,
if you want to grant a developer a custom role, but only to manage a specific application registration, you can
include the specific application registration as a scope in the role assignment.
NOTE
Custom roles can be assigned at directory scope and at resource scope. They cannot yet be assigned at Administrative Unit
scope. Built-in roles can be assigned at directory scope and, in some cases, Administrative Unit scope. They cannot yet be
assigned at Azure AD resource scope.
Next steps
Create custom role assignments using the Azure portal, Azure AD PowerShell, and Graph API
View the assignments for a custom role
Create and assign a custom role in Azure Active Directory
9/7/2020 • 3 minutes to read
This article describes how to create new custom roles in Azure Active Directory (Azure AD). For the basics of
custom roles, see the custom roles overview. The role can be assigned only at directory-level scope or at the scope
of a single app registration resource.
Custom roles can be created in the Roles and administrators tab on the Azure AD overview page.
3. On the Basics tab, provide a name and description for the role and then click Next .
4. On the Permissions tab, select the permissions necessary to manage basic properties and credential
properties of app registrations. For a detailed description of each permission, see Application registration
subtypes and permissions in Azure Active Directory.
a. First, enter "credentials" in the search bar and select the
microsoft.directory/applications/credentials/update permission.
b. Next, enter "basic" in the search bar, select the microsoft.directory/applications/basic/update
permission, and then click Next .
5. On the Review + create tab, review the permissions and select Create .
Your custom role will show up in the list of available roles to assign.
install-module azureadpreview
import-module azureadpreview
To verify that the module is ready to use, use the following command:
get-module azureadpreview
ModuleType Version Name ExportedCommands
---------- --------- ---- ----------------
Binary 2.0.2.31 azuread {Add-AzureADAdministrati...}
POST https://graph.microsoft.com/beta/roleManagement/directory/roleDefinitions
Body
{
"description": "Can manage basic aspects of application registrations.",
"displayName": "Application Support Administrator",
"isEnabled": true,
"templateId": "<GUID>",
"rolePermissions": [
{
"allowedResourceActions": [
"microsoft.directory/applications/basic/update",
"microsoft.directory/applications/credentials/update"
]
}
]
}
NOTE
The "templateId": "<GUID>" entry is an optional parameter that you send in the body depending on your requirement. If you
need to create multiple custom roles with common parameters, it is best to create a template and define a templateId. You can
generate a templateId beforehand using the PowerShell expression (New-Guid).Guid.
POST https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments
Body
{
"principalId":"<GUID OF USER>",
"roleDefinitionId":"<GUID OF ROLE DEFINITION>",
"resourceScope":"/<GUID OF APPLICATION REGISTRATION>"
}
Next steps
Feel free to share with us on the Azure AD administrative roles forum.
For more about roles and Administrator role assignment, see Assign administrator roles.
For default user permissions, see a comparison of default guest and member user permissions.
View custom role assignments in Azure Active Directory
9/7/2020 • 2 minutes to read
This article describes how to view custom roles you have assigned in Azure Active Directory (Azure AD). In Azure
Active Directory (Azure AD), roles can be assigned at an organization-wide scope or with a single-application scope.
Role assignments at the organization-wide scope are added to and can be seen in the list of single application
role assignments.
Role assignments at the single application scope aren't added to and can't be seen in the list of organization-
wide scoped assignments.
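The two visibility rules just stated are easy to get wrong when auditing who can manage a given app registration. The following is an added example, not code from the article or from Microsoft: it resolves which assignments apply when viewing the organization-wide scope or a single app registration, using the field names of the Graph beta roleAssignments response shown in this article. All ids and the app object ids below are constructed sample data.

```python
"""Resolve which role assignments apply when viewing a given Azure AD scope.

Added example (not from the article). An organization-wide assignment
(resourceScopes ["/"]) is also listed at every single-application scope,
while an application-scoped assignment ("/<app object id>") is not listed
in the organization-wide view. Ids below are constructed sample values.
"""
from typing import Dict, Iterable, List, Optional, Set

ORG_SCOPE = "/"


def app_scope(app_object_id: str) -> str:
    """Resource scope string for a single app registration."""
    return "/" + app_object_id


# Constructed sample assignments (same shape as the Graph response above).
SAMPLE_ASSIGNMENTS: List[Dict] = [
    {"id": "ra-1", "principalId": "user-alice", "roleDefinitionId": "role-app-support",
     "resourceScopes": ["/"]},
    {"id": "ra-2", "principalId": "user-bob", "roleDefinitionId": "role-app-support",
     "resourceScopes": ["/app-0001"]},
    {"id": "ra-3", "principalId": "sp-ci-bot", "roleDefinitionId": "role-app-support",
     "resourceScopes": ["/app-0002"]},
    {"id": "ra-4", "principalId": "user-carol", "roleDefinitionId": "role-other",
     "resourceScopes": ["/"]},
]


def assignments_visible_at(assignments: Iterable[Dict], scope: str,
                           role_definition_id: Optional[str] = None) -> List[Dict]:
    """Assignments that appear when viewing `scope`, optionally for one role.

    "/" shows only organization-wide assignments; "/<app id>" shows the
    organization-wide ones plus those scoped to exactly that app.
    """
    visible: List[Dict] = []
    for assignment in assignments:
        if role_definition_id and assignment["roleDefinitionId"] != role_definition_id:
            continue
        scopes = assignment["resourceScopes"]
        if ORG_SCOPE in scopes or (scope != ORG_SCOPE and scope in scopes):
            visible.append(assignment)
    return visible


def principals_with_role(assignments: Iterable[Dict], role_definition_id: str,
                         app_object_id: str) -> Set[str]:
    """Every principal that effectively holds the role on one app registration."""
    return {a["principalId"] for a in
            assignments_visible_at(assignments, app_scope(app_object_id), role_definition_id)}


def organization_wide_principals(assignments: Iterable[Dict], role_definition_id: str) -> Set[str]:
    """Principals whose assignment reaches every app registration: the ones to
    review first when the goal is resource-scoped, least-privilege access."""
    return {a["principalId"] for a in assignments_visible_at(assignments, ORG_SCOPE, role_definition_id)}


if __name__ == "__main__":
    for app in ("app-0001", "app-0002", "app-9999"):
        print(app, sorted(principals_with_role(SAMPLE_ASSIGNMENTS, "role-app-support", app)))
    print("organization-wide:", sorted(organization_wide_principals(SAMPLE_ASSIGNMENTS, "role-app-support")))
```

Feeding the output of the Graph query shown below into `assignments_visible_at` gives the same per-resource view as opening the assignments blade from within an app registration; `organization_wide_principals` is the shorter list to review when tightening scope.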
install-module azureadpreview
import-module azureadpreview
To verify that the module is ready to use, use the following command:
get-module azuread
ModuleType Version Name ExportedCommands
---------- --------- ---- ----------------
Binary 2.0.0.115 azuread {Add-AzureADAdministrati...}
GET https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments?$filter=roleDefinitionId eq '<object-id-or-template-id-of-role-definition>'
Response
HTTP/1.1 200 OK
{
"id":"CtRxNqwabEKgwaOCHr2CGJIiSDKQoTVJrLE9etXyrY0-1",
"principalId":"ab2e1023-bddc-4038-9ac1-ad4843e7e539",
"roleDefinitionId":"3671d40a-1aac-426c-a0c1-a3821ebd8218",
"resourceScopes":["/"]
}
4. Select Assignments to view the assignments for the role. Opening the assignments view from within the
app registration shows you the assignments that are scoped to this Azure AD resource.
Next steps
Feel free to share with us on the Azure AD administrative roles forum.
For more about roles and Administrator role assignment, see Assign administrator roles.
For default user permissions, see a comparison of default guest and member user permissions.
Assign administrator and non-administrator roles to users with Azure Active Directory
9/7/2020 • 2 minutes to read
In Azure Active Directory (Azure AD), if one of your users needs permission to manage Azure AD resources, you
must assign them to a role that provides the permissions they need. For info on which roles manage Azure
resources and which roles manage Azure AD resources, see Classic subscription administrator roles, Azure roles,
and Azure AD roles.
For more information about the available Azure AD roles, see Assigning administrator roles in Azure Active
Directory. To add users, see Add new users to Azure Active Directory.
Assign roles
A common way to assign Azure AD roles to a user is on the Assigned roles page for a user. You can also
configure the user eligibility to be elevated just-in-time into a role using Privileged Identity Management (PIM).
For more information about how to use PIM, see Privileged Identity Management.
NOTE
If you have an Azure AD Premium P2 license plan and already use PIM, all role management tasks are performed in the
Privileged Identity Management experience. This feature is currently limited to assigning only one role at a time. You can't
currently select multiple roles and assign them to a user all at once.
The Application administrator role is removed from Alain Charon and it no longer appears on the Alain
Charon - Administrative roles page.
Next steps
Add or delete users
Add or change profile information
Add guest users from another directory
Other user management tasks you can check out are available in Azure Active Directory user management
documentation.
Assign custom roles with resource scope using PowerShell in Azure Active Directory
9/7/2020 • 3 minutes to read
This article describes how to create a role assignment at organization-wide scope in Azure Active Directory (Azure
AD). Assigning a role at organization-wide scope grants access across the Azure AD organization. To create a role
assignment with a scope of a single Azure AD resource, see How to create a custom role and assign it at resource
scope. This article uses the Azure Active Directory PowerShell Version 2 module.
For more information about Azure AD admin roles, see Assigning administrator roles in Azure Active Directory.
Required permissions
Connect to your Azure AD organization using a global administrator account to assign or remove roles.
Prepare PowerShell
Install the Azure AD PowerShell module from the PowerShell Gallery. Then import the Azure AD PowerShell
preview module, using the following command:
import-module azureadpreview
To verify that the module is ready to use, match the version returned by the following command to the one listed
here:
get-module azureadpreview
ModuleType Version Name ExportedCommands
---------- --------- ---- ----------------
Binary 2.0.0.115 azureadpreview {Add-AzureADMSAdministrati...}
Now you can start using the cmdlets in the module. For a full description of the cmdlets in the Azure AD module,
see the online reference documentation for Azure AD preview module.
To assign the role to a service principal instead of a user, use the Get-AzureADMSServicePrincipal cmdlet.
Operations on RoleDefinition
Role definition objects contain the definition of the built-in or custom role, along with the permissions that are
granted by that role assignment. This resource displays both custom role definitions and built-in directoryRoles
(which are displayed in roleDefinition equivalent form). Today, an Azure AD organization can have a maximum of
30 unique custom RoleDefinitions defined.
Create Operations on RoleDefinition
# Basic information
$description = "Can manage credentials of application registrations"
$displayName = "Application Registration Credential Administrator"
$templateId = (New-Guid).Guid
Operations on RoleAssignment
Role assignments contain information linking a given security principal (a user or application service principal) to a
role definition. If required, you can add a scope of a single Azure AD resource for the assigned permissions.
Restricting the scope of permissions is supported for built-in and custom roles.
Create Operations on RoleAssignment
Next steps
Share with us on the Azure AD administrative roles forum.
For more about roles and Azure AD administrator role assignments, see Assign administrator roles.
For default user permissions, see a comparison of default guest and member user permissions.
Application registration subtypes and permissions in Azure Active Directory
9/7/2020 • 4 minutes to read
This article contains the currently available app registration permissions for custom role definitions in Azure Active
Directory (Azure AD).
Read
All member users in the organization can read app registration information by default. However, guest users and
application service principals can't. If you plan to assign a role to a guest user or application, you must include the
appropriate read permissions.
microsoft.directory/applications/allProperties/read
Ability to read all properties of single-tenant and multi-tenant applications, except properties that can never be
read, such as credentials.
microsoft.directory/applications.myOrganization/allProperties/read
Grants the same permissions as microsoft.directory/applications/allProperties/read, but only for single-tenant
applications.
microsoft.directory/applications/owners/read
Grants the ability to read the owners property on single-tenant and multi-tenant applications. Grants access to all
fields on the application registration owners page.
microsoft.directory/applications/standard/read
Grants access to read standard application registration properties. This includes properties across application
registration pages.
microsoft.directory/applications.myOrganization/standard/read
Grants the same permissions as microsoft.directory/applications/standard/read, but for only single-tenant
applications.
Update
microsoft.directory/applications/allProperties/update
Ability to update all properties on single-directory and multi-directory applications.
microsoft.directory/applications.myOrganization/allProperties/update
Grants the same permissions as microsoft.directory/applications/allProperties/update, but only for single-tenant
applications.
microsoft.directory/applications/audience/update
Ability to update the supported account type (signInAudience) property on single-directory and multi-directory
applications.
microsoft.directory/applications.myOrganization/audience/update
Grants the same permissions as microsoft.directory/applications/audience/update, but only for single-tenant
applications.
microsoft.directory/applications/authentication/update
Ability to update the reply URL, sign-out URL, implicit flow, and publisher domain properties on single-tenant and
multi-tenant applications. Grants access to all fields on the application registration authentication page except
supported account types.
microsoft.directory/applications.myOrganization/authentication/update
Grants the same permissions as microsoft.directory/applications/authentication/update, but only for single-tenant
applications.
microsoft.directory/applications/basic/update
Ability to update the name, logo, homepage URL, terms of service URL, and privacy statement URL properties on
single-tenant and multi-tenant applications. Grants access to all fields on the application registration branding
page.
microsoft.directory/applications.myOrganization/basic/update
Grants the same permissions as microsoft.directory/applications/basic/update, but only for single-tenant
applications.
microsoft.directory/applications/credentials/update
Ability to update the certificates and client secrets properties on single-tenant and multi-tenant applications.
Grants access to all fields on the application registration certificates & secrets page.
microsoft.directory/applications.myOrganization/credentials/update
Grants the same permissions as microsoft.directory/applications/credentials/update, but only for single-directory
applications.
microsoft.directory/applications/owners/update
Ability to update the owner property on single-tenant and multi-tenant applications. Grants access to all fields on the
application registration owners page.
microsoft.directory/applications.myOrganization/owners/update
Grants the same permissions as microsoft.directory/applications/owners/update, but only for single-tenant
applications.
microsoft.directory/applications/permissions/update
Ability to update the delegated permissions, application permissions, authorized client applications, required
permissions, and grant consent properties on single-tenant and multi-tenant applications. Does not grant the
ability to perform consent. Grants access to all fields on the application registration API permissions and Expose an
API pages.
microsoft.directory/applications.myOrganization/permissions/update
Grants the same permissions as microsoft.directory/applications/permissions/update, but only for single-tenant
applications.
This article describes how to use permissions granted by custom roles in Azure Active Directory (Azure AD) to
address your application management needs. In Azure AD, you can delegate application creation and management
permissions in the following ways:
Restricting who can create applications and manage the applications they create. By default in Azure AD, all
users can create app registrations and manage all aspects of the applications they create. This can be
restricted so that only selected people have that permission.
Assigning one or more owners to an application. This is a simple way to grant someone the ability to manage all
aspects of Azure AD configuration for a specific application.
Assigning a built-in administrative role that grants access to manage configuration in Azure AD for all
applications. This is the recommended way to grant IT experts access to manage broad application configuration
permissions without granting access to manage other parts of Azure AD not related to application configuration.
Creating a custom role defining very specific permissions and assigning it to someone either to the scope of a
single application as a limited owner, or at the directory scope (all applications) as a limited administrator.
It's important to consider granting access using one of the above methods for two reasons. First, delegating the
ability to perform administrative tasks reduces global administrator overhead. Second, using limited permissions
improves your security posture and reduces the potential for unauthorized access. Delegation issues and general
guidelines are discussed in Delegate administration in Azure Active Directory.
IMPORTANT
Users and service principals can be owners of application registrations. Only users can be owners of enterprise applications.
Groups cannot be assigned as owners of either.
Owners can add credentials to an application and use those credentials to impersonate the application’s identity. The
application may have more permissions than the owner, and thus would be an elevation of privilege over what the owner has
access to as a user or service principal. An application owner could potentially create or update users or other objects while
impersonating the application, depending on the application's permissions.
IMPORTANT
Application Administrators and Cloud Application Administrators can add credentials to an application and use those
credentials to impersonate the application’s identity. The application may have permissions that are an elevation of privilege
over the admin role's permissions. An admin in this role could potentially create or update users or other objects while
impersonating the application, depending on the application's permissions. Neither role grants the ability to manage
Conditional Access settings.
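Both IMPORTANT notes describe the same elevation path: whoever can add a credential to an application (an owner, an Application Administrator or a Cloud Application Administrator) can then sign in as that application and use whatever permissions it holds. The following is an added example, not code from the article or from Microsoft, showing one defender-side check for that path: credential changes are correlated with the permissions the target application holds, and changes on applications that hold high-impact permissions are raised for review. The audit records are a constructed, simplified stand-in for Azure AD audit entries (the field names are this example's own, not the audit log schema), the application inventory is constructed, the activity name is assumed to match the audit log display name for secret and certificate changes, and the set of high-impact permissions is an assumption to tune per tenant.

```python
"""Flag application credential additions that can amount to privilege elevation.

Added example (not from the article or from Microsoft). Correlates
credential changes on app registrations with the application permissions
those apps hold. Records, inventory and the high-impact set below are
constructed / assumed, as described in the lead-in.
"""
from collections import Counter
from typing import Dict, List, Set

# Activity name used for secret/certificate changes on an app registration
# (assumption: adjust if your audit log export uses a different display name).
CREDENTIAL_ACTIVITY = "Update application – Certificates and secrets management"

# Application permissions treated as high impact (assumption; tune per tenant).
HIGH_IMPACT: Set[str] = {
    "Directory.ReadWrite.All", "User.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
}
DIRECTORY_WRITE: Set[str] = {"Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory"}

# Constructed inventory: app registration object id -> permissions it holds.
APPS: Dict[str, Dict] = {
    "app-hr-sync": {"displayName": "HR Sync",
                    "appPermissions": {"User.ReadWrite.All", "Directory.ReadWrite.All"}},
    "app-dashboard": {"displayName": "Dashboard", "appPermissions": {"User.Read"}},
}

# Constructed audit-style records (not real log output, not the real schema).
AUDIT: List[Dict] = [
    {"time": "2020-09-07T10:02:11Z", "activity": CREDENTIAL_ACTIVITY,
     "initiatedBy": "alice@contoso.example", "initiatorRole": "owner", "targetApp": "app-hr-sync"},
    {"time": "2020-09-07T10:05:40Z", "activity": CREDENTIAL_ACTIVITY,
     "initiatedBy": "bob@contoso.example", "initiatorRole": "owner", "targetApp": "app-dashboard"},
    {"time": "2020-09-07T10:07:03Z", "activity": "Update application",
     "initiatedBy": "alice@contoso.example", "initiatorRole": "owner", "targetApp": "app-hr-sync"},
    {"time": "2020-09-07T11:30:00Z", "activity": CREDENTIAL_ACTIVITY,
     "initiatedBy": "appadmin@contoso.example", "initiatorRole": "Application Administrator",
     "targetApp": "app-hr-sync"},
]


def credential_elevation_findings(audit: List[Dict], apps: Dict[str, Dict],
                                  high_impact: Set[str] = HIGH_IMPACT) -> List[Dict]:
    """One finding per credential change on an app holding a high-impact permission."""
    findings: List[Dict] = []
    for rec in audit:
        if rec["activity"] != CREDENTIAL_ACTIVITY:
            continue
        app = apps.get(rec["targetApp"])
        if app is None:
            continue  # unknown app: nothing to compare against
        gained = sorted(app["appPermissions"] & high_impact)
        if not gained:
            continue  # credential added, but the app cannot do more than a plain user
        findings.append({
            "time": rec["time"],
            "actor": rec["initiatedBy"],
            "actorRole": rec["initiatorRole"],
            "app": app["displayName"],
            "highImpactPermissions": gained,
            # directory-wide write permissions rank highest: the actor could now
            # create or update users or role assignments as the application
            "severity": "high" if DIRECTORY_WRITE & set(gained) else "medium",
        })
    return findings


def actors_to_review(findings: List[Dict]) -> Dict[str, int]:
    """Number of flagged credential additions per actor, for triage."""
    return dict(Counter(f["actor"] for f in findings))


if __name__ == "__main__":
    for finding in credential_elevation_findings(AUDIT, APPS):
        print(finding)
    print(actors_to_review(credential_elevation_findings(AUDIT, APPS)))
```

The same correlation applies to owner assignments: an owner list for an application that holds directory-write permissions deserves the same scrutiny as a role assignment, since the page notes that ownership alone is enough to add a credential.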
Next steps
Application registration subtypes and permissions
Azure AD administrator role reference
Use cloud groups to manage role assignments in Azure Active Directory (preview)
9/7/2020 • 5 minutes to read
Azure Active Directory (Azure AD) is introducing a public preview in which you can assign a cloud group to Azure
AD built-in roles. With this feature, you can use groups to grant admin access in Azure AD with minimal effort
from your Global and Privileged role admins.
Consider this example: Contoso has hired people across geographies to manage and reset passwords for
employees in its Azure AD organization. Instead of asking a Privileged role admin or Global admin to assign the
Helpdesk admin role to each person individually, they can create a Contoso_Helpdesk_Administrators group and
assign it to the role. When people join the group, they are assigned the role indirectly. Your existing governance
workflow can then take care of the approval process and auditing of the group’s membership to ensure that only
legitimate users are members of the group and are thus assigned to the Helpdesk admin role.
NOTE
You must be on an updated version of Privileged Identity Management to be able to assign a group to an Azure AD role via PIM.
You could be on an older version of PIM because your Azure AD organization uses the Privileged Identity Management
API. Please reach out to the alias [email protected] to move your organization and update your API. Learn more
at Azure AD roles and features in PIM.
Limitations
The following scenarios are not supported right now:
Assign cloud groups to Azure AD custom roles
Assign cloud groups to Azure AD roles (built-in or custom) over an administrative unit or application scope.
Assign on-premises groups to Azure AD roles (built-in or custom)
Known issues
You can't create or modify a dynamic group when the role is assigned via a group.
The Enable staged rollout for managed user sign-in feature doesn't support assignment via group.
Azure AD P2 licensed customers only: Don't assign a group as Active to a role through both Azure AD and
Privileged Identity Management (PIM). Specifically, don't assign a role to a role-assignable group when it's
being created and then assign a role to the same group using PIM later. This leads to issues where users can't see their
active role assignments in PIM and the PIM assignment can't be removed. Eligible assignments
are not affected in this scenario. If you do attempt to make this assignment, you might see unexpected behavior
such as:
End time for the role assignment might display incorrectly.
In the PIM portal, My Roles can show only one role assignment regardless of how many methods by
which the assignment is granted (through one or more groups and directly).
Azure AD P2 licensed customers only: Even after deleting the group, it is still shown as an eligible member of the
role in the PIM UI. Functionally there's no problem; it's just a cache issue in the Azure portal.
Exchange Admin Center doesn't recognize role membership via group yet, but the PowerShell cmdlets do.
Azure Information Protection Portal (the classic portal) doesn't recognize role membership via group yet. You
can migrate to the unified sensitivity labeling platform and then use the Office 365 Security & Compliance
center to use group assignments to manage roles.
We are fixing these issues.
Next steps
Create a role-assignable group
Assign a role to a role-assignable group
Create a role-assignable group in Azure Active
Directory
9/7/2020 • 2 minutes to read
You can only assign a role to a group that was created with the 'isAssignableToRole' property set to True, or was
created in the Azure AD portal with Azure AD roles can be assigned to the group turned on. This group
attribute makes the group one that can be assigned to a role in Azure Active Directory (Azure AD). This article
describes how to create this special kind of group. Note: A group with the isAssignableToRole property set to true
can't have dynamic membership. For more information, see Using a group to manage Azure AD role
assignments.
3. On the New Group tab, provide the group type, name, and description.
4. Turn on Azure AD roles can be assigned to the group. This switch is visible only to Privileged Role
Administrators and Global Administrators because these are the only two roles that can set it.
5. Select the members and owners for the group. You can also assign roles to the group here, but
assigning a role isn't required at this step.
Using PowerShell
Install the Azure AD preview module
install-module azureadpreview
import-module azureadpreview
To verify that the module is ready to use, issue the following command:
get-module azureadpreview
For this type of group, isPublic will always be false and isSecurityEnabled will always be true.
Copy one group's users and service principals into a role-assignable group
#Basic set up
install-module azureadpreview
import-module azureadpreview
get-module azureadpreview

#Connect to Azure AD. Sign in as Privileged Role Administrator or Global Administrator.
#Only these two roles can create a role-assignable group.
Connect-AzureAD

#Values for the new group and for the group whose members are copied (fill in before running)
$groupName        = "Contoso_Helpdesk_Administrators"
$groupDescription = "This group is assigned to Helpdesk Administrator built-in role of Azure AD."
$mailNickname     = "contosohelpdeskadministrators"
$existingGroupId  = "<Object Id of existing group>"
$membersOfExistingGroup = Get-AzureADGroupMember -ObjectId $existingGroupId -All $true

#Create new security group which is a role-assignable group. For creating an O365 group,
#set GroupTypes="Unified" and MailEnabled=$true
$roleAssignablegroup = New-AzureADMSGroup -DisplayName $groupName -Description $groupDescription `
    -MailEnabled $false -MailNickname $mailNickname -SecurityEnabled $true -IsAssignableToRole $true

#Copy users and service principals from existing group to new group (nested groups are skipped)
foreach($member in $membersOfExistingGroup){
    if($member.ObjectType -eq 'User' -or $member.ObjectType -eq 'ServicePrincipal'){
        Add-AzureADGroupMember -ObjectId $roleAssignablegroup.Id -RefObjectId $member.ObjectId
    }
}
POST https://graph.microsoft.com/beta/groups
{
"description": "This group is assigned to Helpdesk Administrator built-in role of Azure AD.",
"displayName": "Contoso_Helpdesk_Administrators",
"groupTypes": [
"Unified"
],
"mailEnabled": true,
"securityEnabled": true,
"mailNickname": "contosohelpdeskadministrators",
"isAssignableToRole": true
}
For this type of group, isPublic will always be false and isSecurityEnabled will always be true.
Next steps
Assign a role to a cloud group
Use cloud groups to manage role assignments
Troubleshooting roles assigned to cloud groups
Assign a role to a cloud group in Azure Active
Directory
9/7/2020 • 2 minutes to read
This section describes how an IT admin can assign an Azure Active Directory (Azure AD) role to an Azure AD group.
4. Select the group. Only the groups that can be assigned to Azure AD roles are displayed.
5. Select Add.
For more information on assigning role permissions, see Assign administrator and non-administrator roles to
users.
Using PowerShell
Create a group that can be assigned to a role
Get the role definition for the role you want to assign
POST https://graph.microsoft.com/beta/groups
{
"description": "This group is assigned to Helpdesk Administrator built-in role of Azure AD.",
"displayName": "Contoso_Helpdesk_Administrators",
"groupTypes": [
"Unified"
],
"mailEnabled": true,
"securityEnabled": true,
"mailNickname": "contosohelpdeskadministrators",
"isAssignableToRole": true
}
POST https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments
{
"principalId":"<Object Id of Group>",
"roleDefinitionId":"<ID of role definition>",
"directoryScopeId":"/"
}
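The same create-then-assign flow in PowerShell, as an added example that is not part of the Microsoft article: it creates the role-assignable group, resolves the role definition by display name instead of hard-coding an ID, assigns the role at tenant scope, and reads the assignment back so the change can be verified. It assumes the AzureADPreview module is installed and the signed-in account holds the Privileged Role Administrator or Global Administrator role; the group name and mail nickname are the ones used in the article's JSON.

```powershell
# Added example (not from the Microsoft doc): create a role-assignable group,
# assign it a built-in Azure AD role, and verify the assignment.
# Assumes AzureADPreview and a Privileged Role Administrator / Global Administrator session.
Import-Module AzureADPreview
Connect-AzureAD | Out-Null

$groupName = 'Contoso_Helpdesk_Administrators'   # name from the article's example
$roleName  = 'Helpdesk Administrator'

# 1. Create the group. isAssignableToRole can only be set at creation time,
#    and such a group cannot have dynamic membership.
$group = New-AzureADMSGroup -DisplayName $groupName `
    -Description "Assigned to the $roleName built-in role" `
    -MailEnabled $false -MailNickname 'contosohelpdeskadministrators' `
    -SecurityEnabled $true -IsAssignableToRole $true

# 2. Resolve the role definition by name rather than pasting a GUID.
$roleDef = Get-AzureADMSRoleDefinition -Filter "displayName eq '$roleName'"
if (-not $roleDef) { throw "Role definition '$roleName' not found" }

# 3. Assign the role to the group at tenant scope ('/'). Administrative-unit or
#    application scopes are not supported for group principals (see Limitations).
$assignment = New-AzureADMSRoleAssignment -RoleDefinitionId $roleDef.Id `
    -PrincipalId $group.Id -DirectoryScopeId '/'

# 4. Verify: list every active role assignment whose principal is the new group.
function Get-GroupRoleAssignments {
    param([Parameter(Mandatory)][string]$GroupId)
    Get-AzureADMSRoleAssignment -Filter "principalId eq '$GroupId'" | ForEach-Object {
        $def = Get-AzureADMSRoleDefinition -Id $_.RoleDefinitionId
        [pscustomobject]@{
            Role         = $def.DisplayName
            Scope        = $_.DirectoryScopeId
            AssignmentId = $_.Id    # keep this; it is what you delete to remove the role
        }
    }
}

Get-GroupRoleAssignments -GroupId $group.Id | Format-Table -AutoSize
```

Get-AzureADMSRoleAssignment only returns active assignments; a group that is merely eligible through PIM will not appear here.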
Next steps
Use cloud groups to manage role assignments
Troubleshooting roles assigned to cloud groups
Remove role assignments from a group in Azure
Active Directory
9/7/2020 • 2 minutes to read
This article describes how an IT admin can remove Azure AD roles assigned to groups. In the Azure portal, you can
now remove both direct and indirect role assignments to a user. If a user is assigned a role by a group membership,
remove the user from the group to remove the role assignment.
Using PowerShell
Create a group that can be assigned to a role
POST https://graph.microsoft.com/beta/groups
{
"description": "This group is assigned to Helpdesk Administrator built-in role of Azure AD",
"displayName": "Contoso_Helpdesk_Administrators",
"groupTypes": [
"Unified"
],
"mailEnabled": true,
"securityEnabled": true,
"mailNickname": "contosohelpdeskadministrators",
"isAssignableToRole": true
}
POST https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments
{
"principalId":"<Object Id of Group>",
"roleDefinitionId":"<Id of role definition>",
"directoryScopeId":"/"
}
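Removing the assignment in PowerShell, as an added example (not code from the Microsoft article): it looks up the assignment object for a given group and role and deletes it by Id, then shows the indirect case the text describes, where a user's role goes away when they leave the group. It assumes AzureADPreview, a Privileged Role Administrator or Global Administrator session, and the constructed placeholder user `alice@contoso.example`.

```powershell
# Added example (not from the Microsoft doc): remove a role assignment from a
# group, and remove a user's indirect assignment via group membership.
Import-Module AzureADPreview
Connect-AzureAD | Out-Null

$groupName = 'Contoso_Helpdesk_Administrators'   # name from the article's example
$roleName  = 'Helpdesk Administrator'

$group   = Get-AzureADMSGroup -Filter "displayName eq '$groupName'"
$roleDef = Get-AzureADMSRoleDefinition -Filter "displayName eq '$roleName'"
if (-not $group -or -not $roleDef) { throw 'Group or role definition not found' }

# Direct assignment to the group: the assignment object's Id is what gets deleted.
$assignments = @(Get-AzureADMSRoleAssignment -Filter "principalId eq '$($group.Id)'" |
    Where-Object { $_.RoleDefinitionId -eq $roleDef.Id })
foreach ($a in $assignments) {
    Write-Host "Removing '$roleName' from '$groupName' (scope $($a.DirectoryScopeId))"
    Remove-AzureADMSRoleAssignment -Id $a.Id
}
if ($assignments.Count -eq 0) { Write-Host "No active '$roleName' assignment on '$groupName'" }

# Indirect assignment to a user: there is nothing to delete on the role itself;
# the role is removed by removing the membership that grants it.
$userUpn = 'alice@contoso.example'   # constructed placeholder
$user = Get-AzureADUser -ObjectId $userUpn
$isMember = Get-AzureADGroupMember -ObjectId $group.Id -All $true |
    Where-Object { $_.ObjectId -eq $user.ObjectId }
if ($isMember) {
    Remove-AzureADGroupMember -ObjectId $group.Id -MemberId $user.ObjectId
    Write-Host "Removed $userUpn from '$groupName'; the indirect '$roleName' assignment is gone"
}
```

Membership changes to a role-assignable group are themselves audited in the Azure AD audit log, so the removal above leaves the same trail as a direct role removal.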
Next steps
Use cloud groups to manage role assignments
Troubleshooting roles assigned to cloud groups
View roles assigned to a group in Azure Active
Directory
9/7/2020 • 2 minutes to read
This section describes how the roles assigned to a group can be viewed using Azure AD admin center. Viewing
groups and assigned roles are default user permissions.
1. Sign in to the Azure AD admin center with any non-admin or admin credentials.
2. Select the group that you are interested in.
3. Select Assigned roles. You can now see all the Azure AD roles assigned to this group.
Using PowerShell
Get object ID of the group
Next steps
Use cloud groups to manage role assignments
Troubleshooting roles assigned to cloud groups
Assign a role to a group using Privileged Identity
Management
9/7/2020 • 2 minutes to read
This article describes how you can assign an Azure Active Directory (Azure AD) role to a group using Azure AD
Privileged Identity Management (PIM).
NOTE
You must be using the updated version of Privileged Identity Management to be able to assign a group to an Azure AD role
using PIM. You might be on an older version of PIM if your Azure AD organization uses the Privileged Identity
Management API. If so, reach out to the alias [email protected] to move your organization and update
your API. Learn more at Azure AD roles and features in PIM.
To verify that the module is ready to use, use the following cmdlet:
get-module azureadpreview
{
"roleDefinitionId": {roleDefinitionId},
"resourceId": {tenantId},
"subjectId": {GroupId},
"assignmentState": "Eligible",
"type": "AdminAdd",
"schedule": {
"startDateTime": {DateTime},
"endDateTime": {DateTime},
"type": "Once"
}
}
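The same eligible assignment submitted from PowerShell, as an added example that is not part of the Microsoft article. It builds the schedule object that corresponds to the "schedule" block above and submits an AdminAdd request with assignmentState Eligible, so group members still have to activate the role. It assumes AzureADPreview, the updated PIM version the note describes, a Privileged Role Administrator or Global Administrator session, and the group name from the article's example; the one-year duration and the reason string are constructed values.

```powershell
# Added example (not from the Microsoft doc): make a role-assignable group
# eligible for an Azure AD role through PIM, mirroring the JSON request body.
Import-Module AzureADPreview
Connect-AzureAD | Out-Null

$tenantId  = (Get-AzureADTenantDetail).ObjectId     # the "resourceId" for aadRoles
$groupName = 'Contoso_Helpdesk_Administrators'      # name from the article's example
$roleName  = 'Helpdesk Administrator'

$group = Get-AzureADMSGroup -Filter "displayName eq '$groupName'"
# PIM keeps its own role definition objects; resolve the role by display name.
$roleDef = Get-AzureADMSPrivilegedRoleDefinition -ProviderId 'aadRoles' `
    -ResourceId $tenantId -Filter "DisplayName eq '$roleName'"
if (-not $group -or -not $roleDef) { throw 'Group or PIM role definition not found' }

# Schedule: one-shot ("Once") eligibility window of one year (constructed choice).
$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
$schedule.Type          = 'Once'
$schedule.StartDateTime = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
$schedule.EndDateTime   = (Get-Date).AddYears(1).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')

# AssignmentState 'Eligible' + Type 'AdminAdd': an admin grants eligibility only.
# Members must activate the role (MFA/approval as configured in the role settings).
Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId 'aadRoles' -ResourceId $tenantId `
    -RoleDefinitionId $roleDef.Id -SubjectId $group.Id `
    -Type 'AdminAdd' -AssignmentState 'Eligible' -Schedule $schedule `
    -Reason 'Delegate helpdesk password resets via group (constructed reason)'

# Verify the eligible assignment now exists for the group.
Get-AzureADMSPrivilegedRoleAssignment -ProviderId 'aadRoles' -ResourceId $tenantId `
    -Filter "SubjectId eq '$($group.Id)'" |
    Select-Object RoleDefinitionId, AssignmentState, StartDateTime, EndDateTime
```

Per the Known issues above, do not also make the same group Active for the role through Azure AD directly; pick one path per group and role.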
Next steps
Use cloud groups to manage role assignments
Troubleshooting roles assigned to cloud groups
Configure Azure AD admin role settings in Privileged Identity Management
Assign Azure resource roles in Privileged Identity Management
Troubleshooting roles assigned to cloud groups
9/7/2020 • 4 minutes to read
Here are some common questions and troubleshooting tips for assigning roles to groups in Azure Active
Directory (Azure AD).
Q: I'm a Groups Administrator but I can't see the Azure AD roles can be assigned to the group switch.
A: Only Privileged Role administrators or Global administrators can create a group that's eligible for role
assignment. Only users in those roles see this control.
Q: Who can modify the membership of groups that are assigned to Azure AD roles?
A: By default, only Privileged Role Administrators and Global Administrators can manage the membership of a role-
assignable group, but you can delegate the management of role-assignable groups by adding group owners.
Q: I am a Helpdesk Administrator in my organization but I can't update the password of a user who is a Directory
Reader. Why does that happen?
A: The user might have been granted Directory Reader by way of a role-assignable group. All members and owners of
role-assignable groups are protected. Only users in the Privileged Authentication Administrator or Global
Administrator roles can reset credentials for a protected user.
Q: I can't update the password of a user. They don't have any higher privileged role assigned. Why is it happening?
A: The user could be an owner of a role-assignable group. We protect owners of role-assignable groups to avoid
elevation of privilege. For example, suppose the group Contoso_Security_Admins is assigned the Security
administrator role, Bob is the group owner, and Alice is a Password administrator in the organization. Without this
protection, Alice could reset Bob's credentials and take over his identity. After that, Alice could add
herself or anyone else to the Contoso_Security_Admins group to become a Security administrator in the
organization. To find out if a user is a group owner, get the list of objects owned by that user and check whether any
of the groups have isAssignableToRole set to true. If so, the user is protected and the behavior is by design. Refer
to these documents for getting owned objects:
Get-AzureADUserOwnedObject
List ownedObjects
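The check described in the two answers above, as an added example that is not part of the Microsoft article: given a user, it walks the objects they own and the groups they belong to, looks up isAssignableToRole on each group, and reports whether the user is protected and why. It assumes AzureADPreview and a session with read access to groups; `bob@contoso.example` is a constructed placeholder, and the classic Get-AzureADUserOwnedObject output is assumed not to expose isAssignableToRole, which is why each group is re-read with Get-AzureADMSGroup.

```powershell
# Added example (not from the Microsoft doc): is this user "protected" because
# they own or belong to a role-assignable group?
Import-Module AzureADPreview
Connect-AzureAD | Out-Null

function Test-ProtectedUser {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $user    = Get-AzureADUser -ObjectId $UserPrincipalName
    $reasons = New-Object System.Collections.Generic.List[string]
    $seen    = @{}   # group id -> IsAssignableToRole, so each group is read once

    function Test-RoleAssignableGroup([string]$GroupId) {
        if (-not $seen.ContainsKey($GroupId)) {
            # Assumption: the classic owned-object/membership output lacks
            # IsAssignableToRole, so re-read the group via the MS cmdlet.
            $seen[$GroupId] = [bool](Get-AzureADMSGroup -Id $GroupId).IsAssignableToRole
        }
        return $seen[$GroupId]
    }

    # Owners of role-assignable groups are protected (they can add members).
    $owned = Get-AzureADUserOwnedObject -ObjectId $user.ObjectId -All $true |
        Where-Object { $_.ObjectType -eq 'Group' }
    foreach ($g in $owned) {
        if (Test-RoleAssignableGroup $g.ObjectId) { $reasons.Add("owner of role-assignable group '$($g.DisplayName)'") }
    }

    # Direct members of role-assignable groups are protected too.
    $memberOf = Get-AzureADUserMembership -ObjectId $user.ObjectId -All $true |
        Where-Object { $_.ObjectType -eq 'Group' }
    foreach ($g in $memberOf) {
        if (Test-RoleAssignableGroup $g.ObjectId) { $reasons.Add("member of role-assignable group '$($g.DisplayName)'") }
    }

    [pscustomobject]@{
        User      = $UserPrincipalName
        Protected = ($reasons.Count -gt 0)
        Reasons   = ($reasons -join '; ')
    }
}

# Constructed placeholder UPN; replace with the user whose reset is being refused.
Test-ProtectedUser -UserPrincipalName 'bob@contoso.example'
```

If Protected is true, the reset must be done by a Privileged Authentication Administrator or Global Administrator, exactly as the answer states; the script only explains the refusal, it does not work around it.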
Q: Can I create an access review on groups that can be assigned to Azure AD roles (specifically, groups with
isAssignableToRole property set to true)?
A: Yes, you can. If you are on the newest version of Access Review, your reviewers are directed to My Access by
default, and only Global administrators can create access reviews on role-assignable groups. However, if you are
on the older version of Access Review, your reviewers are directed to the Access Panel by default, and both
Global administrators and User administrators can create access reviews on role-assignable groups. The new
experience will be rolled out to all customers on July 28, 2020, but if you'd like to upgrade sooner, make a request
at Azure AD Access Reviews - Updated reviewer experience in My Access Signup.
Q: Can I create an access package and put groups that can be assigned to Azure AD roles in it?
A: Yes, you can. Global Administrators and User Administrators can put any group in an access
package. Nothing changes for Global Administrators, but there's a slight change in User Administrator role
permissions. To put a role-assignable group into an access package, you must be a User Administrator and also an
owner of the role-assignable group. Here's the full table showing who can create an access package in Enterprise
License Management:
AZURE AD DIRECTORY ROLE | ENTITLEMENT MANAGEMENT ROLE | CAN ADD SECURITY GROUP* | CAN ADD MICROSOFT 365 GROUP* | CAN ADD APP | CAN ADD SHAREPOINT ONLINE SITE
Global administrator | n/a | ✔️ | ✔️ | ✔️ | ✔️
User administrator | n/a | ✔️ | ✔️ | ✔️ |
*Group isn't role-assignable; that is, isAssignableToRole = false. If a group is role-assignable, then the person
creating the access package must also be owner of the role-assignable group.
Q: I can't find the "Remove assignment" option in "Assigned Roles". How do I delete a role assignment to a user?
A: This answer is applicable only to Azure AD Premium P1 organizations.
1. Sign in to the Azure portal and open Azure Active Directory.
2. Select Users and open a user profile.
3. Select Assigned roles.
4. Select the gear icon. A pane opens that gives this information. There's a "Remove" button beside direct
assignments. To remove an indirect role assignment, remove the user from the group that has been assigned the
role.
Q: How do I see all groups that are role-assignable?
A: Follow these steps:
1. Sign in to the Azure portal and open Azure Active Directory.
2. Select Groups > All groups.
3. Select Add filters.
4. Filter to Role assignable.
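The same inventory from PowerShell, as an added example that is not part of the Microsoft article. It goes beyond the portal steps: besides listing every role-assignable group (the server-side filter on isAssignableToRole, which is what the "Role assignable" portal filter applies), it also resolves the roles assigned to each group, which is the PowerShell path the earlier "View roles assigned to a group" section left as a stub, and records who owns each group, since owners can add members and thereby hand out the role. It assumes AzureADPreview, a session with directory read rights, and that Get-AzureADMSGroup passes the isAssignableToRole filter through to the Graph API.

```powershell
# Added example (not from the Microsoft doc): inventory of role-assignable groups,
# the roles assigned to each, and their owners/member counts.
Import-Module AzureADPreview
Connect-AzureAD | Out-Null

function Get-RoleAssignableGroupInventory {
    # Assumption: the MS cmdlet forwards this OData filter to Graph unchanged.
    $groups    = @(Get-AzureADMSGroup -Filter "isAssignableToRole eq true")
    $roleNames = @{}   # cache RoleDefinitionId -> display name (one read per role)

    foreach ($g in $groups) {
        # Active assignments only; PIM-eligible assignments are not returned here.
        $roles = foreach ($ra in (Get-AzureADMSRoleAssignment -Filter "principalId eq '$($g.Id)'")) {
            if (-not $roleNames.ContainsKey($ra.RoleDefinitionId)) {
                $roleNames[$ra.RoleDefinitionId] = (Get-AzureADMSRoleDefinition -Id $ra.RoleDefinitionId).DisplayName
            }
            "$($roleNames[$ra.RoleDefinitionId]) @ $($ra.DirectoryScopeId)"
        }
        $owners  = @(Get-AzureADGroupOwner  -ObjectId $g.Id -All $true)
        $members = @(Get-AzureADGroupMember -ObjectId $g.Id -All $true)

        [pscustomobject]@{
            Group       = $g.DisplayName
            Id          = $g.Id
            Roles       = ($roles -join '; ')
            MemberCount = $members.Count
            OwnerCount  = $owners.Count
            # Every owner listed here can change who holds the roles above.
            Owners      = (@($owners | ForEach-Object {
                               if ($_.UserPrincipalName) { $_.UserPrincipalName } else { $_.DisplayName }
                           }) -join ', ')
        }
    }
}

$inventory = Get-RoleAssignableGroupInventory
$inventory | Format-Table -AutoSize

# Review aid: role-assignable groups with no active role at all are usually
# leftovers worth cleaning up, and groups with several owners deserve a second look.
$inventory | Where-Object { -not $_.Roles }          | ForEach-Object { Write-Host "No active role: $($_.Group)" }
$inventory | Where-Object { $_.OwnerCount -gt 1 }   | ForEach-Object { Write-Host "Multiple owners: $($_.Group) ($($_.Owners))" }
```

Running this on a schedule and diffing the output is a cheap way to catch a new owner or a new role assignment on a group that was quietly created as role-assignable.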
Q: How do I know which roles are assigned to a principal directly and indirectly?
A: Follow these steps:
1. Sign in to the Azure portal and open Azure Active Directory.
2. Select Users and open a user profile.
3. Select Assigned roles, and then:
In Azure AD Premium P1 licensed organizations: Select the gear icon. A pane opens that gives this
information.
In Azure AD Premium P2 licensed organizations: You'll find direct and inherited license information in
the Membership column.
Q: Why do we enforce creating a new cloud group for assigning it to a role?
A: If you assign an existing group to a role, the existing group owner could add other members to this group
without the new members realizing that they'll have the role. Because role-assignable groups are powerful, we're
putting lots of restrictions in place to protect them. You don't want changes to the group that would surprise the
person managing the group.
Next steps
Use cloud groups to manage role assignments
Create a role-assignable group
Administrator roles by admin task in Azure Active
Directory
9/7/2020 • 9 minutes to read
In this article, you can find the information needed to restrict a user's administrator permissions by assigning least
privileged roles in Azure Active Directory (Azure AD). You will find administrator tasks organized by feature area
and the least privileged role required to perform each task, along with additional non-Global Administrator roles
that can perform the task.
Application proxy
TASK | LEAST PRIVILEGED ROLE | ADDITIONAL ROLES
External Identities/B2C
TASK | LEAST PRIVILEGED ROLE | ADDITIONAL ROLES
Create, read, update, and delete B2C policies | B2C IEF Policy Administrator |
Create, read, update, and delete identity providers | External Identity Provider Administrator |
Create, read, update, and delete profile editing user flows | External ID User Flow Administrator |
Create, read, update, and delete sign-in user flows | External ID User Flow Administrator |
Create, read, update, and delete sign-up user flow | External ID User Flow Administrator |
Create, read, update, and delete user attributes | External ID User Flow Attribute Administrator |
NOTE
Azure AD B2C Global readers do not have the same permissions as Azure AD global administrators. If you have Azure AD
B2C global administrator privileges, make sure that you are in an Azure AD B2C directory and not an Azure AD directory.
Company branding
TASK | LEAST PRIVILEGED ROLE | ADDITIONAL ROLES
Read all configuration | Directory readers | Default user role (see documentation)
Company properties
TASK | LEAST PRIVILEGED ROLE | ADDITIONAL ROLES
Connect
TASK | LEAST PRIVILEGED ROLE | ADDITIONAL ROLES
Connect Health
TASK | LEAST PRIVILEGED ROLE | ADDITIONAL ROLES
View sync service metrics and alerts | Reader (see documentation) | Contributor, Owner
Read all configuration | Directory readers | Default user role (see documentation)
Domain Services
TASK | LEAST PRIVILEGED ROLE | ADDITIONAL ROLES
Devices
TASK | LEAST PRIVILEGED ROLE | ADDITIONAL ROLES
Enterprise applications
TASK | LEAST PRIVILEGED ROLE | ADDITIONAL ROLES
Update enterprise application assignments | Enterprise application owner (see documentation) | Cloud application administrator, Application administrator
Update enterprise application owners | Enterprise application owner (see documentation) | Cloud application administrator, Application administrator
Update enterprise application properties | Enterprise application owner (see documentation) | Cloud application administrator, Application administrator
Update enterprise application provisioning | Enterprise application owner (see documentation) | Cloud application administrator, Application administrator
Update enterprise application self-service | Enterprise application owner (see documentation) | Cloud application administrator, Application administrator
Update single sign-on properties | Enterprise application owner (see documentation) | Cloud application administrator, Application administrator
Entitlement management
TASK | LEAST PRIVILEGED ROLE | ADDITIONAL ROLES
Add resources to a catalog | User administrator | With entitlement management, you can delegate this task to the catalog owner (see documentation)
Groups
TASK | LEAST PRIVILEGED ROLE | ADDITIONAL ROLES
Read all configuration (except hidden membership) | Directory readers | Default user role (see documentation)
Read membership of groups with hidden membership | Helpdesk Administrator | User administrator, Teams administrator
Identity Protection
TASK | LEAST PRIVILEGED ROLE | ADDITIONAL ROLES
Licenses
TASK | LEAST PRIVILEGED ROLE | ADDITIONAL ROLES
Read all configuration | Directory readers | Default user role (see documentation)
Monitoring - Sign-ins
TASK | LEAST PRIVILEGED ROLE | ADDITIONAL ROLES
Multi-factor authentication
TASK | LEAST PRIVILEGED ROLE | ADDITIONAL ROLES
MFA Server
TASK | LEAST PRIVILEGED ROLE | ADDITIONAL ROLES
Organizational relationships
TASK | LEAST PRIVILEGED ROLE | ADDITIONAL ROLES
Password reset
TASK | LEAST PRIVILEGED ROLE | ADDITIONAL ROLES
Read access review of an Azure AD role | Security Reader | Security administrator, Privileged role administrator
Users
TASK | LEAST PRIVILEGED ROLE | ADDITIONAL ROLES
Support
TASK | LEAST PRIVILEGED ROLE | ADDITIONAL ROLES
Next steps
How to assign or remove Azure AD administrator roles
Azure AD administrator roles reference
Administrator roles for Microsoft 365 services
9/7/2020 • 2 minutes to read
All products in Microsoft 365 can be managed with administrative roles in Azure AD. Some products also provide
additional roles that are specific to that product. For information on the roles supported by each product, see the
table below. General discussions of delegation issues can be found in Role delegation planning in Azure Active
Directory.
PRODUCT | ROLE CONTENT | API CONTENT
Admin roles in Office 365 and Microsoft 365 business plans | Microsoft Office 365 admin roles | Not available
Azure Active Directory (Azure AD) and Azure AD Identity Protection | Azure AD admin roles | Graph API: Fetch role assignments
Security & Compliance Center (Office 365 Advanced Threat Protection, Exchange Online Protection, Information Protection) | Office 365 admin roles | Exchange PowerShell: Fetch role assignments
Azure Advanced Threat Protection | Azure ATP role groups | Not available
Windows Defender Advanced Threat Protection | Windows Defender ATP role-based access control | Not available
Next steps
How to assign or remove Azure AD administrator roles
Azure AD administrator roles reference
Securing privileged access for hybrid and cloud
deployments in Azure AD
9/7/2020 • 23 minutes to read
The security of business assets depends on the integrity of the privileged accounts that administer your IT systems.
Cyber-attackers use credential theft attacks to target admin accounts and other privileged access to try to gain
access to sensitive data.
For cloud services, prevention and response are the joint responsibilities of the cloud service provider and the
customer. For more information about the latest threats to endpoints and the cloud, see the Microsoft Security
Intelligence Report. This article can help you develop a roadmap toward closing the gaps between your current
plans and the guidance described here.
NOTE
Microsoft is committed to the highest levels of trust, transparency, standards conformance, and regulatory compliance.
Learn more about how the Microsoft global incident response team mitigates the effects of attacks against cloud services,
and how security is built into Microsoft business products and cloud services at Microsoft Trust Center - Security and
Microsoft compliance targets at Microsoft Trust Center - Compliance.
Traditionally, organizational security was focused on the entry and exit points of a network as the security
perimeter. However, SaaS apps and personal devices on the Internet have made this approach less effective. In
Azure AD, we replace the network security perimeter with authentication in your organization's identity layer, with
users assigned to privileged administrative roles in control. Their access must be protected, whether the
environment is on-premises, cloud, or a hybrid.
Securing privileged access requires changes to:
Processes, administrative practices, and knowledge management
Technical components such as host defenses, account protections, and identity management
Secure your privileged access in a way that is managed and reported in the Microsoft services you care about. If
you have on-premises admin accounts, see the guidance for on-premises and hybrid privileged access in Active
Directory at Securing Privileged Access.
NOTE
The guidance in this article refers primarily to features of Azure Active Directory that are included in Azure Active Directory
Premium plans P1 and P2. Azure Active Directory Premium P2 is included in the EMS E5 suite and Microsoft 365 E5 suite.
This guidance assumes your organization already has Azure AD Premium P2 licenses purchased for your users. If you do not
have these licenses, some of the guidance might not apply to your organization. Also, throughout this article, the term
global administrator (or global admin) means the same thing as "company administrator" or "tenant administrator."
Develop a roadmap
Microsoft recommends that you develop and follow a roadmap to secure privileged access against cyber attackers.
You can always adjust your roadmap to accommodate your existing capabilities and specific requirements within
your organization. Each stage of the roadmap should raise the cost and difficulty for adversaries to attack
privileged access for your on-premises, cloud, and hybrid assets. Microsoft recommends the following four
roadmap stages. Schedule the most effective and the quickest implementations first. This article can be your guide,
based on Microsoft's experiences with cyber-attack incident and response implementation. The timelines for this
roadmap are approximations.
Stage 1 (24-48 hours): Critical items that we recommend you do right away
Stage 2 (2-4 weeks): Mitigate the most frequently used attack techniques
Stage 3 (1-3 months): Build visibility and build full control of admin activity
Stage 4 (six months and beyond): Continue building defenses to further harden your security platform
This roadmap framework is designed to maximize the use of Microsoft technologies that you may have already
deployed. Consider tying in to any security tools from other vendors that you have already deployed or are
considering deploying.
Stage 1 of the roadmap is focused on critical tasks that are fast and easy to implement. We recommend that you
do these few items right away within the first 24-48 hours to ensure a basic level of secure privileged access. This
stage of the Secured Privileged Access roadmap includes the following actions:
General preparation
Turn on Azure AD Privileged Identity Management
We recommend that you turn on Azure AD Privileged Identity Management (PIM) in your Azure AD production
environment. After you turn on PIM, you'll receive notification email messages for privileged access role changes.
Notifications provide early warning when additional users are added to highly privileged roles.
Azure AD Privileged Identity Management is included in Azure AD Premium P2 or EMS E5. To help you protect
access to applications and resources on-premises and in the cloud, sign up for the Enterprise Mobility + Security
free 90-day trial. Azure AD Privileged Identity Management and Azure AD Identity Protection monitor security
activity using Azure AD reporting, auditing, and alerts.
After you turn on Azure AD Privileged Identity Management:
1. Sign in to the Azure portal with an account that is a global admin of your Azure AD production organization.
2. To select the Azure AD organization where you want to use Privileged Identity Management, select your
user name in the upper right-hand corner of the Azure portal.
3. On the Azure portal menu, select All services and filter the list for Azure AD Privileged Identity
Management.
4. Open Privileged Identity Management from the All services list and pin it to your dashboard.
Make sure the first person to use PIM in your organization is assigned to the Security administrator and
Privileged role administrator roles. Only privileged role administrators can manage the Azure AD directory
role assignments of users. The PIM security wizard walks you through the initial discovery and assignment
experience. You can exit the wizard without making any additional changes at this time.
Identify and categorize accounts that are in highly privileged roles
After turning on Azure AD Privileged Identity Management, view the users who are in the following Azure AD
roles:
Global administrator
Privileged role administrator
Exchange administrator
SharePoint administrator
If you don't have Azure AD Privileged Identity Management in your organization, you can use the PowerShell API.
Start with the global admin role because a global admin has the same permissions across all cloud services for
which your organization has subscribed. These permissions are granted no matter where they were assigned: in
the Microsoft 365 admin center, the Azure portal, or by the Azure AD module for Microsoft PowerShell.
Remove any accounts that are no longer needed in those roles. Then, categorize the remaining accounts that are
assigned to admin roles:
Assigned to administrative users, but also used for non-administrative purposes (for example, personal email)
Assigned to administrative users and used for administrative purposes only
Shared across multiple users
For break-glass emergency access scenarios
For automated scripts
For external users
Define at least two emergency access accounts
It's possible for a user to be accidentally locked out of their role. For example, if a federated on-premises identity
provider isn't available, users can't sign in or activate an existing administrator account. You can prepare for
accidental lack of access by storing two or more emergency access accounts.
Emergency access accounts help restrict privileged access within an Azure AD organization. These accounts are
highly privileged and aren't assigned to specific individuals. Emergency access accounts are limited to emergency
or "break glass" scenarios where normal administrative accounts can't be used. Ensure that you control and
limit use of the emergency accounts to only the time for which it's necessary.
Evaluate the accounts that are assigned or eligible for the global admin role. If you don't see any cloud-only
accounts using the *.onmicrosoft.com domain (for "break glass" emergency access), create them. For more
information, see Managing emergency access administrative accounts in Azure AD.
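The inventory and categorization described under "Identify and categorize accounts" and the break-glass check from this section, as one added example that is not part of the Microsoft article. It enumerates the members of the four roles the text names, sorts each member into the categories the text lists (cloud-only, synchronized, external, service principal, group), and then warns if fewer than two cloud-only *.onmicrosoft.com Global Administrators exist. It assumes AzureADPreview (the "PowerShell API" path for organizations without PIM) and a session with directory read rights; it also assumes the legacy role display names the AzureAD module can return, such as "Company Administrator" for Global Administrator, which is why role names are matched by pattern.

```powershell
# Added example (not from the Microsoft doc): who holds the highly privileged
# roles, what kind of account each holder is, and do break-glass accounts exist?
Import-Module AzureADPreview
Connect-AzureAD | Out-Null

# Patterns rather than exact names: the AzureAD module may report legacy names
# ("Company Administrator", "Exchange Service Administrator", ...).
$watchedRolePatterns = 'Global Administrator', 'Company Administrator',
                       'Privileged Role Administrator', 'Exchange*Administrator', 'SharePoint*Administrator'

function Test-WatchedRole([string]$Name) {
    foreach ($p in $watchedRolePatterns) { if ($Name -like $p) { return $true } }
    return $false
}

function Get-PrivilegedAccountInventory {
    # Get-AzureADDirectoryRole returns only roles that currently have assignments.
    $roles = Get-AzureADDirectoryRole | Where-Object { Test-WatchedRole $_.DisplayName }
    foreach ($role in $roles) {
        # Normalize the legacy name so reports read the same as the portal.
        $roleLabel = if ($role.DisplayName -eq 'Company Administrator') { 'Global Administrator' } else { $role.DisplayName }
        foreach ($m in (Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId)) {
            $category = switch ($m.ObjectType) {
                'ServicePrincipal' { 'automation (service principal)' }
                'Group'            { 'group (members inherit the role)' }
                'User' {
                    if ($m.UserType -eq 'Guest' -or $m.UserPrincipalName -like '*#EXT#*') { 'external user' }
                    elseif ($m.UserPrincipalName -like '*.onmicrosoft.com')              { 'cloud-only (break-glass candidate)' }
                    elseif ($m.DirSyncEnabled)                                           { 'synchronized from on-premises' }
                    else                                                                 { 'cloud user' }
                }
                default { $m.ObjectType }
            }
            [pscustomobject]@{
                Role      = $roleLabel
                Principal = if ($m.UserPrincipalName) { $m.UserPrincipalName } else { $m.DisplayName }
                Category  = $category
            }
        }
    }
}

$inventory = @(Get-PrivilegedAccountInventory)
$inventory | Sort-Object Role, Category | Format-Table -AutoSize

# Break-glass check: at least two cloud-only *.onmicrosoft.com Global Administrators.
$breakGlass = @($inventory | Where-Object { $_.Role -eq 'Global Administrator' -and $_.Category -like 'cloud-only*' })
if ($breakGlass.Count -lt 2) {
    Write-Warning "Found $($breakGlass.Count) cloud-only Global Administrator account(s); the guidance calls for at least two emergency access accounts."
}

# Shared, script, or external accounts in these roles need an owner and a justification
# (see the categorization list above); surface them for review.
$inventory | Where-Object { $_.Category -notlike 'cloud*' -and $_.Category -ne 'synchronized from on-premises' } |
    ForEach-Object { Write-Host "Review: $($_.Role) held by $($_.Principal) [$($_.Category)]" }
```

The script reads only; the removal step the text recommends is deliberately left to a human after the justification review.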
Turn on multi-factor authentication and register all other highly privileged single-user non-federated admin accounts
Require Azure Multi-Factor Authentication (MFA) at sign-in for all individual users who are permanently assigned
to one or more of the Azure AD admin roles: Global administrator, Privileged Role administrator, Exchange
administrator, and SharePoint administrator. Use the guide to enable Multi-factor Authentication (MFA) for your
admin accounts and ensure that all those users have registered at https://aka.ms/mfasetup. More information can
be found under step 2 and step 3 of the guide Protect access to data and services in Office 365.
Stage 2: Mitigate frequently used attacks
Stage 2 of the roadmap focuses on mitigating the most frequently used attack techniques of credential theft and
abuse and can be implemented in approximately 2-4 weeks. This stage of the Secured Privileged Access roadmap
includes the following actions.
General preparation
Conduct an inventory of services, owners, and admins
The increase in "bring your own device" and work from home policies and the growth of wireless connectivity
make it critical to monitor who is connecting to your network. A security audit can reveal devices, applications, and
programs on your network that your organization doesn't support and that represent high risk. For more
information, see Azure security management and monitoring overview. Ensure that you include all of the following
tasks in your inventory process.
Identify the users who have administrative roles and the services where they can manage.
Use Azure AD PIM to find out which users in your organization have admin access to Azure AD.
Beyond the roles defined in Azure AD, Office 365 comes with a set of admin roles that you can assign to
users in your organization. Each admin role maps to common business functions, and gives people in your
organization permissions to do specific tasks in the Microsoft 365 admin center. Use the Microsoft 365
admin center to find out which users in your organization have admin access to Office 365, including via
roles not managed in Azure AD. For more information, see About Office 365 admin roles and Security
practices for Office 365.
Do the inventory in services your organization relies on, such as Azure, Intune, or Dynamics 365.
Ensure that your accounts that are used for administration purposes:
Have working email addresses attached to them
Have registered for Azure Multi-Factor Authentication or use MFA on-premises
Ask users for their business justification for administrative access.
Remove admin access for those individuals and services that don't need it.
Identify Microsoft accounts in administrative roles that need to be switched to work or school accounts
If your initial global administrators reused their existing Microsoft account credentials when they began using Azure
AD, replace the Microsoft accounts with individual cloud-based or synchronized accounts.
Ensure separate user accounts and mail forwarding for global administrator accounts
Personal email accounts are regularly phished by cyber attackers, a risk that makes personal email addresses
unacceptable for global administrator accounts. To help separate internet risks from administrative privileges,
create dedicated accounts for each user with administrative privileges.
Be sure to create separate accounts for users to do global admin tasks
Make sure that your global admins don't accidentally open emails or run programs with their admin accounts
Be sure those accounts have their email forwarded to a working mailbox
Ensure the passwords of administrative accounts have recently changed
Ensure all users have signed into their administrative accounts and changed their passwords at least once in the
last 90 days. Also, verify that any shared accounts have had their passwords changed recently.
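Checking the conditions above by hand (a working email address, a registered MFA method, a password changed within 90 days, and no Microsoft or other external accounts in admin roles) does not scale past a handful of admins. The following PowerShell script is an added example, not code from the Azure AD documentation. It assumes the MSOnline module rather than the AzureAD module, because the MSOnline user object exposes the last password change and the registered strong-authentication methods; it treats a '#EXT#' user principal name as a heuristic for an external or Microsoft account, and the output property names are the example's own.

```powershell
# Added example, not from the Azure AD documentation.
# Inventory every directory-role member and flag the checklist conditions:
# missing email address, no registered Azure MFA method, password older than
# 90 days, and external (Microsoft account / other-tenant) identities.
# Assumes the MSOnline module; Connect-MsolService prompts for credentials.
Connect-MsolService

$maxPasswordAgeDays = 90
$cutoff = (Get-Date).AddDays(-$maxPasswordAgeDays)

$findings = foreach ($role in Get-MsolRole) {
    # Role members can be users, groups or service principals; review users here
    $users = Get-MsolRoleMember -RoleObjectId $role.ObjectId -All |
        Where-Object { $_.RoleMemberType -eq 'User' }

    foreach ($member in $users) {
        $user   = Get-MsolUser -ObjectId $member.ObjectId
        $issues = @()

        # Working mailbox: admin accounts must be reachable by email
        if ([string]::IsNullOrWhiteSpace($member.EmailAddress)) { $issues += 'NoEmail' }

        # MFA registration: an empty method list means Azure MFA was never set up
        if (-not $user.StrongAuthenticationMethods -or
            $user.StrongAuthenticationMethods.Count -eq 0) { $issues += 'NoMfaRegistered' }

        # Password age: never changed (null) or older than the window is a finding
        if (-not $user.LastPasswordChangeTimestamp -or
            $user.LastPasswordChangeTimestamp -lt $cutoff) {
            $issues += "PasswordOlderThan${maxPasswordAgeDays}Days"
        }

        # Heuristic (assumption): external identities, including Microsoft accounts,
        # carry '#EXT#' in their UPN; confirm each hit manually before acting on it
        if ($user.UserPrincipalName -like '*#EXT#*') { $issues += 'ExternalAccount' }

        if ($issues.Count -gt 0) {
            [pscustomobject]@{
                Role               = $role.Name
                UserPrincipalName  = $user.UserPrincipalName
                LastPasswordChange = $user.LastPasswordChangeTimestamp
                Issues             = $issues -join ','
            }
        }
    }
}

# One row per admin account that fails at least one check
$findings | Sort-Object Role, UserPrincipalName | Format-Table -AutoSize
```

Run it from an account that can read directory roles; the resulting table is the input for the "ask users for their business justification" and "remove admin access" steps above.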
Turn on password hash synchronization
Azure AD Connect synchronizes a hash of the hash of a user's password from on-premises Active Directory to a
cloud-based Azure AD organization. You can use password hash synchronization as a backup if you use federation
with Active Directory Federation Services (AD FS). This backup can be useful if your on-premises Active Directory
or AD FS servers are temporarily unavailable.
Password hash sync enables users to sign in to a service by using the same password they use to sign in to their
on-premises Active Directory instance. Password hash sync allows Identity Protection to detect compromised
credentials by comparing password hashes with passwords known to be compromised. For more information, see
Implement password hash synchronization with Azure AD Connect sync.
Require multi-factor authentication for users in privileged roles and exposed users
Azure AD recommends that you require multi-factor authentication (MFA) for all of your users. Be sure to consider
users who would have a significant impact if their account were compromised (for example, financial officers). MFA
reduces the risk of an attack because of a compromised password.
Turn on:
MFA using Conditional Access policies for all users in your organization.
If you use Windows Hello for Business, the MFA requirement can be met using the Windows Hello sign-in
experience. For more information, see Windows Hello.
Configure Identity Protection
Azure AD Identity Protection is an algorithm-based monitoring and reporting tool that detects potential
vulnerabilities affecting your organization's identities. You can configure automated responses to those detected
suspicious activities, and take appropriate action to resolve them. For more information, see Azure Active Directory
Identity Protection.
Obtain your Office 365 Secure Score (if using Office 365)
Secure Score looks at your settings and activities for the Office 365 services you're using and compares them to a
baseline established by Microsoft. You'll get a score based on how aligned you are with security practices. Anyone
who has the admin permissions for an Office 365 Business Premium or Enterprise subscription can access the
Secure Score at https://securescore.office.com.
Review the Office 365 security and compliance guidance (if using Office 365)
The plan for security and compliance outlines the approach for an Office 365 customer to configure Office 365 and
enable other EMS capabilities. Then, review steps 3-6 of how to Protect access to data and services in Office 365
and the guide for how to monitor security and compliance in Office 365.
Configure Office 365 Activity Monitoring (if using Office 365)
Monitor your organization for users who are using Office 365 to identify staff who have an admin account but
might not need Office 365 access because they don't sign in to those portals. For more information, see Activity
reports in the Microsoft 365 admin center.
Establish incident/emergency response plan owners
Establishing a successful incident response capability requires considerable planning and resources. You must
continually monitor for cyber-attacks and establish priorities for incident handling. Collect, analyze, and report
incident data to build relationships and establish communication with other internal groups and plan owners. For
more information, see Microsoft Security Response Center.
Secure on-premises privileged administrative accounts, if not already done
If your Azure Active Directory organization is synchronized with on-premises Active Directory, then follow the
guidance in Security Privileged Access Roadmap: This stage includes:
Creating separate admin accounts for users who need to conduct on-premises administrative tasks
Deploying Privileged Access Workstations for Active Directory administrators
Creating unique local admin passwords for workstations and servers
Additional steps for organizations managing access to Azure
Complete an inventory of subscriptions
Use the Enterprise portal and the Azure portal to identify the subscriptions in your organization that host
production applications.
Remove Microsoft accounts from admin roles
Microsoft accounts from other programs, such as Xbox, Live, and Outlook, shouldn't be used as administrator
accounts for your organization's subscriptions. Remove admin status from all Microsoft accounts, and replace with
Azure AD (for example, [email protected]) work or school accounts. For admin purposes, depend on accounts
that are authenticated in Azure AD and not in other services.
Monitor Azure activity
The Azure Activity Log provides a history of subscription-level events in Azure. It offers information about who
created, updated, and deleted what resources, and when these events occurred. For more information, see Audit
and receive notifications about important actions in your Azure subscription.
Additional steps for organizations managing access to other cloud apps via Azure AD
Configure Conditional Access policies
Prepare Conditional Access policies for on-premises and cloud-hosted applications. If your users have workplace-
joined devices, get more information from Setting up on-premises Conditional Access by using Azure Active
Directory device registration.
Stage 3 builds on the mitigations from Stage 2 and should be implemented in approximately 1-3 months. This
stage of the Secured Privileged Access roadmap includes the following components.
General preparation
Complete an access review of users in administrator roles
More corporate users are gaining privileged access through cloud services, which can lead to unmanaged access.
Users today can become global admins for Office 365, Azure subscription administrators, or have admin access to
VMs or via SaaS apps.
Your organization should have all employees handle ordinary business transactions as unprivileged users, and
then grant admin rights only as needed. Complete access reviews to identify and confirm the users who are
eligible to activate admin privileges.
We recommend that you:
1. Determine which users are Azure AD admins, enable on-demand, just-in-time admin access, and role-based
security controls.
2. Convert users who have no clear justification for admin privileged access to a different role (if no eligible role,
remove them).
Continue rollout of stronger authentication for all users
Require highly exposed users to have modern, strong authentication such as Azure MFA or Windows Hello.
Examples of highly exposed users include:
C-suite executives
High-level managers
Critical IT and security personnel
Use dedicated workstations for administration for Azure AD
Attackers might try to target privileged accounts so that they can disrupt the integrity and authenticity of data.
They often use malicious code that alters the program logic or snoops the admin entering a credential. Privileged
Access Workstations (PAWs) provide a dedicated operating system for sensitive tasks that is protected from
Internet attacks and threat vectors. Separating these sensitive tasks and accounts from the daily use workstations
and devices provides strong protection from:
Phishing attacks
Application and operating system vulnerabilities
Impersonation attacks
Credential theft attacks such as keystroke logging, Pass-the-Hash, and Pass-The-Ticket
By deploying privileged access workstations, you can reduce the risk that admins enter their credentials in a
desktop environment that hasn't been hardened. For more information, see Privileged Access Workstations.
Review National Institute of Standards and Technology recommendations for handling incidents
The National Institute of Standards and Technology (NIST) provides guidelines for incident handling, particularly
for analyzing incident-related data and determining the appropriate response to each incident. For more
information, see the NIST Computer Security Incident Handling Guide (SP 800-61, Revision 2).
Implement Privileged Identity Management (PIM) for JIT to additional administrative roles
For Azure Active Directory, use Azure AD Privileged Identity Management capability. Time-limited activation of
privileged roles works by enabling you to:
Activate admin privileges to do a specific task
Enforce MFA during the activation process
Use alerts to inform admins about out-of-band changes
Enable users to keep their privileged access for a pre-configured amount of time
Allow security admins to:
Discover all privileged identities
View audit reports
Create access reviews to identify every user who is eligible to activate admin privileges
If you're already using Azure AD Privileged Identity Management, adjust timeframes for time-bound privileges as
necessary (for example, maintenance windows).
Determine exposure to password-based sign-in protocols (if using Exchange Online)
We recommend you identify every potential user who could be catastrophic to the organization if their credentials
were compromised. For those users, put in place strong authentication requirements and use Azure AD
Conditional Access to keep them from signing in to their email using username and password. You can block
legacy authentication using Conditional Access, and you can block basic authentication through Exchange online.
Complete a roles review assessment for Office 365 roles (if using Office 365)
Assess whether all admin users are in the correct roles (delete and reassign according to this assessment).
Review the security incident management approach used in Office 365 and compare with your own organization
You can download this report from Security Incident Management in Microsoft Office 365.
Continue to secure on-premises privileged administrative accounts
If your Azure Active Directory is connected to on-premises Active Directory, then follow the guidance in the
Security Privileged Access Roadmap: Stage 2. In this stage, you:
Deploy Privileged Access Workstations for all administrators
Require MFA
Use Just Enough Admin for domain controller maintenance, lowering the attack surface of domains
Deploy Advanced Threat Assessment for attack detection
Additional steps for organizations managing access to Azure
Establish integrated monitoring
The Azure Security Center:
Provides integrated security monitoring and policy management across your Azure subscriptions
Helps detect threats that may otherwise go unnoticed
Works with a broad array of security solutions
Inventory your privileged accounts within hosted Virtual Machines
You don't usually need to give users unrestricted permissions to all your Azure subscriptions or resources. Use
Azure AD admin roles to grant only the access that your users need to do their jobs. You can use Azure AD
administrator roles to let one admin manage only VMs in a subscription, while another can manage SQL databases
within the same subscription. For more information, see What is Azure role-based access control.
Implement PIM for Azure AD administrator roles
Use Privileged Identity Management with Azure AD administrator roles to manage, control, and monitor access to
Azure resources. Using PIM protects by lowering the exposure time of privileges and increasing your visibility into
their use through reports and alerts. For more information, see What is Azure AD Privileged Identity Management.
Use Azure log integrations to send relevant Azure logs to your SIEM systems
Azure log integration enables you to integrate raw logs from your Azure resources to your organization's existing
Security Information and Event Management (SIEM) systems. Azure log integration collects Windows events from
Windows Event Viewer logs and Azure resources from:
Azure activity logs
Azure Security Center alerts
Azure resource logs
Additional steps for organizations managing access to other cloud apps via Azure AD
Implement user provisioning for connected apps
Azure AD allows you to automate creating and maintaining user identities in cloud apps like Dropbox, Salesforce,
and ServiceNow. For more information, see Automate user provisioning and deprovisioning to SaaS applications
with Azure AD.
Integrate information protection
Microsoft Cloud App Security allows you to investigate files and set policies based on Azure Information Protection
classification labels, enabling greater visibility and control of your cloud data. Scan and classify files in the cloud
and apply Azure information protection labels. For more information, see Azure Information Protection integration.
Configure Conditional Access
Configure Conditional Access based on a group, location, and application sensitivity for SaaS apps and Azure AD
connected apps.
Monitor activity in connected cloud apps
We recommend using Microsoft Cloud App Security to ensure that user access is also protected in connected
applications. This feature secures the enterprise access to cloud apps and secures your admin accounts, allowing
you to:
Extend visibility and control to cloud apps
Create policies for access, activities, and data sharing
Automatically identify risky activities, abnormal behaviors, and threats
Prevent data leakage
Minimize risk with automated threat prevention and policy enforcement
The Cloud App Security SIEM agent integrates Cloud App Security with your SIEM server to enable centralized
monitoring of Office 365 alerts and activities. It runs on your server and pulls alerts and activities from Cloud App
Security and streams them into the SIEM server. For more information, see SIEM integration.
Stage 4 of the roadmap should be implemented at six months and beyond. Complete your roadmap to strengthen
your privileged access protections from potential attacks that are known today. For the security threats of
tomorrow, we recommend viewing security as an ongoing process to raise the costs and reduce the success rate of
adversaries targeting your environment.
Securing privileged access is important to establish security assurances for your business assets. However, it
should be part of a complete security program that provides ongoing security assurances. This program should
include elements such as:
Policy
Operations
Information security
Servers
Applications
PCs
Devices
Cloud fabric
We recommend the following practices when you're managing privileged access accounts:
Ensure that admins are doing their day-to-day business as unprivileged users
Grant privileged access only when needed, and remove it afterward (just-in-time)
Keep audit activity logs relating to privileged accounts
For more information on building a complete security roadmap, see Microsoft cloud IT architecture resources. To
engage with Microsoft services to help you implement any part of your roadmap, contact your Microsoft
representative or see Build critical cyber defenses to protect your enterprise.
This final ongoing stage of the Secured Privileged Access roadmap includes the following components.
General preparation
Review admin roles in Azure AD
Determine if current built-in Azure AD admin roles are still up to date and ensure that users are in only the roles
they need. With Azure AD, you can assign separate administrators to serve different functions. For more
information, see Assigning administrator roles in Azure Active Directory.
Review users who have administration of Azure AD joined devices
For more information, see How to configure hybrid Azure Active Directory joined devices.
Review members of built-in Office 365 admin roles
Skip this step if you're not using Office 365.
Validate incident response plan
To improve upon your plan, Microsoft recommends you regularly validate that your plan operates as expected:
Go through your existing road map to see what was missed
Based on the postmortem analysis, revise existing or define new practices
Ensure that your updated incident response plan and practices are distributed throughout your organization
Additional steps for organizations managing access to Azure
Determine if you need to transfer ownership of an Azure subscription to another account.
1. Notify key managers and security officers with information about the incident.
2. Review your attack playbook.
3. Access your "break glass" account username and password combination to sign in to Azure AD.
4. Get help from Microsoft by opening an Azure support request.
5. Look at the Azure AD sign-in reports. There might be some time between an event occurring and when it's
included in the report.
6. For hybrid environments, if your on-premises infrastructure is federated and your AD FS servers aren't
available, you can temporarily switch from federated authentication to password hash sync. This switch
reverts the domain federation back to managed authentication until the AD FS server becomes available.
7. Monitor email for privileged accounts.
8. Make sure you save backups of relevant logs for potential forensic and legal investigation.
For more information about how Microsoft Office 365 handles security incidents, see Security Incident
Management in Microsoft Office 365.
Next steps
Microsoft Trust Center for Product Security – Security features of Microsoft cloud products and services
Microsoft Trust Center - Compliance – Microsoft's comprehensive set of compliance offerings for cloud
services
Guidance on how to do a risk assessment - Manage security and compliance requirements for Microsoft
cloud services
Other Microsoft Online Services
Microsoft Intune Security – Intune provides mobile device management, mobile application management,
and PC management capabilities from the cloud.
Microsoft Dynamics 365 security – Dynamics 365 is the Microsoft cloud-based solution that unifies
customer relationship management (CRM) and enterprise resource planning (ERP) capabilities.
Manage emergency access accounts in Azure AD
9/7/2020 • 8 minutes to read • Edit Online
It is important that you prevent being accidentally locked out of your Azure Active Directory (Azure AD)
organization because you can't sign in or activate another user's account as an administrator. You can mitigate the
impact of accidental lack of administrative access by creating two or more emergency access accounts in your
organization.
Emergency access accounts are highly privileged, and they are not assigned to specific individuals. Emergency
access accounts are limited to emergency or "break glass" scenarios where normal administrative accounts can't
be used. We recommend that you maintain a goal of restricting emergency account use to only the times when it is
absolutely necessary.
This article provides guidelines for managing emergency access accounts in Azure AD.
Federation guidance
An additional option for organizations that use AD Domain Services and AD FS or a similar identity provider to
federate to Azure AD is to configure an emergency access account whose MFA claim could be supplied by that
identity provider. For example, the emergency access account could be backed by a certificate and key pair such as
one stored on a smartcard. When that user is authenticated to AD, ADFS can supply a claim to Azure AD indicating
that the user has met MFA requirements. Even with this approach, organizations must still have cloud-based
emergency access accounts in case federation cannot be established.
NOTE
For each additional break glass account you want to include, add another or UserId == "ObjectGuid" clause to
the query.
Next steps
Securing privileged access for hybrid and cloud deployments in Azure AD
Add users using Azure AD and assign the new user to the Global Administrator role
Sign up for Azure AD Premium, if you haven’t signed up already
How to require two-step verification for a user
Configure additional protections for Global Administrators in Microsoft 365, if you are using Microsoft 365
Start an access review of Global Administrators and transition existing Global Administrators to more specific
administrator roles
Administrative units management in Azure Active
Directory (preview)
9/7/2020 • 4 minutes to read • Edit Online
This article describes administrative units in Azure Active Directory (Azure AD). An administrative unit is an Azure
AD resource that can be a container for other Azure AD resources. In this preview release, an administrative unit
can contain only users and groups.
Administrative units allow you to grant admin permissions that are restricted to a department, region, or other
segment of your organization that you define. You can use administrative units to delegate permissions to
regional administrators or to set policy at a granular level. For example, a User account admin could update
profile information, reset passwords, and assign licenses for users only in their administrative unit.
For example, delegating to regional support specialists the Helpdesk Administrator role restricted to managing
just the users in the region they support.
Deployment scenario
Restricting administrative scope using administrative units can be useful in organizations that are made up of
independent divisions of any kind. Consider the example of a large university that is made up of many
autonomous schools (School of Business, School of Engineering, and so on) that each has a team of IT admins
who control access, manage users, and set policies for their school. A central administrator could:
Create a role with administrative permissions over only Azure AD users in the business school administrative
unit
Create an administrative unit for the School of Business
Populate the admin unit with only the business school students and staff
Add the Business school IT team to the role with their scope
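The four steps above can be carried out in one script. The following PowerShell is an added example, not code from the Azure AD documentation. It assumes the AzureAD module, that each business-school user carries 'School of Business' in the Department attribute, and a security group named 'Business School IT' holding the school's IT team (both names are placeholders). It also handles a detail the steps leave implicit: Get-AzureADDirectoryRole lists only roles that have already been activated in the tenant, so the role is activated from its template when it is missing.

```powershell
# Added example, not from the Azure AD documentation.
# Implements the university scenario end to end: create the AU for the School of
# Business, populate it from the users' Department attribute, and give the school's
# IT team the Helpdesk Administrator role scoped to that AU only.
# Assumes the AzureAD module; the AU, department and group names are placeholders.
Connect-AzureAD

$auName      = 'School of Business'
$roleName    = 'Helpdesk Administrator'
$itGroupName = 'Business School IT'

# 1. Create the administrative unit (reuse it if it already exists)
$au = Get-AzureADAdministrativeUnit -Filter "displayname eq '$auName'"
if (-not $au) {
    $au = New-AzureADAdministrativeUnit -DisplayName $auName -Description "Students and staff of the $auName"
}

# 2. Populate it with the school's students and staff, skipping existing members
$existing = @{}
Get-AzureADAdministrativeUnitMember -ObjectId $au.ObjectId | ForEach-Object { $existing[$_.ObjectId] = $true }
$schoolUsers = Get-AzureADUser -Filter "department eq '$auName'" -All $true
foreach ($u in $schoolUsers) {
    if (-not $existing.ContainsKey($u.ObjectId)) {
        Add-AzureADAdministrativeUnitMember -ObjectId $au.ObjectId -RefObjectId $u.ObjectId
    }
}

# 3. Resolve the role; a built-in role must be activated once before it can be assigned
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $roleName }
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $roleName }
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}

# 4. Scope the role to the AU for each user in the IT team. Scoped role
#    memberships in this module are per user, so the group is expanded here.
$itGroup = Get-AzureADGroup -Filter "displayname eq '$itGroupName'"
$itAdmins = Get-AzureADGroupMember -ObjectId $itGroup.ObjectId -All $true |
    Where-Object { $_.ObjectType -eq 'User' }
foreach ($admin in $itAdmins) {
    $info = New-Object -TypeName Microsoft.Open.AzureAD.Model.RoleMemberInfo
    $info.ObjectId = $admin.ObjectId
    Add-AzureADScopedRoleMembership -ObjectId $au.ObjectId -RoleObjectId $role.ObjectId -RoleMemberInfo $info
}

# Confirm: the IT team holds the role only within this AU
Get-AzureADScopedRoleMembership -ObjectId $au.ObjectId |
    Select-Object @{ Name = 'Admin'; Expression = { $_.RoleMemberInfo.DisplayName } }, RoleObjectId
```

The script is idempotent for steps 1 to 3; rerunning step 4 for a user who already holds the scoped role produces an error from the service rather than a duplicate, which is the behaviour you want in a scheduled job.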
License requirements
Using administrative units requires an Azure Active Directory Premium license for each administrative unit admin,
and Azure Active Directory Free licenses for administrative unit members. For more information, see Getting
started with Azure AD Premium.
User management
Permissions | MS Graph / PowerShell | Azure AD portal | Microsoft 365 admin center
Group management
Permissions | MS Graph / PowerShell | Azure AD portal | Microsoft 365 admin center
NOTE
Administrators with an administrative unit scope can't manage dynamic group membership rules.
Administrative units apply scope only to management permissions. They don't prevent members or
administrators from using their default user permissions to browse other users, groups, or resources outside of
the administrative unit. In the Microsoft 365 admin center, users outside of a scoped admin's administrative units
are filtered out, but you can browse other users in the Azure AD portal, PowerShell, and other Microsoft services.
Next steps
Managing AUs
Manage users in AUs
Manage groups in AUs
Assign scoped roles to an AU
Manage administrative units in Azure Active
Directory
9/7/2020 • 2 minutes to read • Edit Online
For more granular administrative control in Azure Active Directory (Azure AD), you can assign users to an Azure
AD role with a scope that's limited to one or more administrative units (AUs).
Get started
1. To run queries from the following instructions via Graph Explorer, do the following:
a. In the Azure portal, go to Azure AD. In the applications list, select Graph Explorer, and then select Grant
admin consent to Graph Explorer.
2. Select Add and then enter the name of the administrative unit. Optionally, add a description of the
administrative unit.
Connect-AzureAD
New-AzureADAdministrativeUnit -Description "West Coast region" -DisplayName "West Coast"
You can modify the values that are enclosed in quotation marks, as required.
Use Microsoft Graph
HTTP request
POST /administrativeUnits
Request body
{
"displayName": "North America Operations",
"description": "North America Operations administration"
}
Use PowerShell
$delau = Get-AzureADAdministrativeUnit -Filter "displayname eq 'DeleteMe Admin Unit'"
Remove-AzureADAdministrativeUnit -ObjectId $delau.ObjectId
You can modify the values that are enclosed in quotation marks, as required for the specific environment.
Use the Graph API
HTTP request
DELETE /administrativeUnits/{Admin id}
Request body
{}
Next steps
Manage users in an administrative unit
Manage groups in an administrative unit
Add and manage users in an administrative unit in
Azure Active Directory
9/7/2020 • 3 minutes to read • Edit Online
In Azure Active Directory (Azure AD), you can add users to an administrative unit (AU) for more granular
administrative scope of control.
For steps to prepare to use PowerShell and Microsoft Graph for administrative unit management, see Get started.
Add users to an AU
Azure portal
You can assign users to administrative units in two ways.
1. Individual assignment
a. You can go to the Azure AD in the portal and select Users and select the user to be assigned to an
administrative unit. You can then select Administrative units in the left panel. The user can be
assigned to one or more administrative units by clicking on Assign to administrative unit and
selecting the administrative units where the user is to be assigned.
b. You can go to Azure AD in the portal and select Administrative units in the left pane and then select
the administrative unit where the user is to be assigned. Select All users on the left pane and then
select Add member. You can then select one or more users to be assigned to the administrative unit
from the right pane.
2. Bulk assignment
Go to Azure AD in the portal and select Administrative units. Select the administrative unit where users are
to be added. Proceed by clicking on All users -> Add members from .csv file. You can then download the
CSV template and edit the file. The format is simple and needs a single UPN to be added in each line. Once
the file is ready, save it at an appropriate location and then upload it in step 3 as highlighted in the
snapshot.
PowerShell
$administrativeunitObj = Get-AzureADAdministrativeUnit -Filter "displayname eq 'Test administrative unit 2'"
$UserObj = Get-AzureADUser -Filter "UserPrincipalName eq '[email protected]'"
Add-AzureADAdministrativeUnitMember -ObjectId $administrativeunitObj.ObjectId -RefObjectId $UserObj.ObjectId
In the above example, the cmdlet Add-AzureADAdministrativeUnitMember is used to add the user to the
administrative unit. The object ID of the administrative unit to which the user is to be added and the object ID of
the user who is to be added are taken as arguments. The quoted values may be changed as required for the specific
environment.
Microsoft Graph
HTTP request
POST /administrativeUnits/{Admin Unit id}/members/$ref
Request body
{
  "@odata.id": "https://graph.microsoft.com/beta/users/{id}"
}
Example:
{
  "@odata.id": "https://graph.microsoft.com/beta/users/[email protected]"
}
Select Administrative units on the left panel to see the list of administrative units where the user has been
assigned.
PowerShell
Microsoft Graph
https://graph.microsoft.com/beta/users/<user-id>/memberOf/$/Microsoft.Graph.AdministrativeUnit
You can also remove a user in Azure AD > Administrative units by selecting the administrative unit you want
to remove users from. Select the user and select Remove member.
PowerShell
Microsoft Graph
https://graph.microsoft.com/beta/administrativeUnits/<adminunit-id>/members/<user-id>/$ref
Once you have saved the entries in the file, upload the file, and select Submit.
Next steps
Assign a role to an administrative unit
Add groups to an administrative unit
Add and manage groups in administrative units in
Azure Active Directory
9/7/2020 • 3 minutes to read • Edit Online
In Azure Active Directory (Azure AD), you can add groups to an administrative unit (AU) for more granular
administrative scope of control.
For steps to prepare to use PowerShell and Microsoft Graph for administrative unit management, see Get started.
Add groups to an AU
Azure portal
In the preview, you can assign groups only individually to an administrative unit. There is no option of bulk
assignment of groups to an administrative unit. You can assign a group to an administrative unit in one of the two
ways in portal:
1. From the Azure AD > Groups page
Open the Groups overview page in Azure AD and select the group that needs to be assigned to the
administrative unit. On the left side, select Administrative units to list out the administrative units the
group is assigned to. On the top you will find the option Assign to administrative unit and clicking on it will
give a panel on right side to choose the administrative unit.
2. From the Azure AD > Administrative units > All Groups page
Open the All Groups blade in Azure AD > Administrative Units. If there are groups already assigned to the
administrative unit, they will be displayed on the right side. Select Add on the top and a right panel will
slide in listing the groups available in your Azure AD organization. Select one or more groups to be
assigned to the administrative units.
PowerShell
In this example, the cmdlet Add-AzureADAdministrativeUnitMember is used to add the group to the administrative
unit. The object ID of the administrative unit and the object ID of the group to be added are taken as arguments.
The quoted values may be changed as required for the specific environment.
Microsoft Graph
HTTP request
POST /administrativeUnits/{Admin Unit id}/members/$ref
Request body
{
  "@odata.id": "https://graph.microsoft.com/beta/groups/{id}"
}
Example:
{
  "@odata.id": "https://graph.microsoft.com/beta/groups/871d21ab-6b4e-4d56-b257-ba27827628f3"
}
List groups in an AU
Azure portal
Go to Azure AD > Administrative units in the portal. Select the administrative unit for which you want to list
the users. By default, All users is selected already on the left panel. Select All groups and on the right you will
find the list of groups that are members of the selected administrative unit.
PowerShell
This will help you get all the members of the administrative unit. If you want to display all the groups that are
members of the administrative unit, you can use the below code snippet:
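Both the group-add step described under "Add groups to an AU" and the member listing described here can be done with the AzureAD module. The following script is an added example, not the documentation's own snippet; the administrative unit and group display names are placeholders.

```powershell
# Added example, not from the Azure AD documentation.
# Adds a group to an administrative unit, then lists the AU's members showing
# only the groups. Assumes the AzureAD module; display names are placeholders.
Connect-AzureAD

$au    = Get-AzureADAdministrativeUnit -Filter "displayname eq 'Test administrative unit 2'"
$group = Get-AzureADGroup -Filter "displayname eq 'Business School Staff'"

# Skip the add if the group is already a member; adding a duplicate is rejected by the service
$members = Get-AzureADAdministrativeUnitMember -ObjectId $au.ObjectId
if ($members.ObjectId -notcontains $group.ObjectId) {
    Add-AzureADAdministrativeUnitMember -ObjectId $au.ObjectId -RefObjectId $group.ObjectId
    $members = Get-AzureADAdministrativeUnitMember -ObjectId $au.ObjectId
}

# Members come back as a mix of users and groups; ObjectType separates them,
# and a second lookup fetches the full group object for each group member
$members |
    Where-Object { $_.ObjectType -eq 'Group' } |
    ForEach-Object { Get-AzureADGroup -ObjectId $_.ObjectId } |
    Select-Object DisplayName, ObjectId, Mail
```

Drop the Where-Object filter to see users and groups together, which is the equivalent of the portal's All users and All groups views combined.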
Microsoft Graph
HTTP request
GET /administrativeUnits/{Admin id}/members/$/microsoft.graph.group
Request body
{}
Microsoft Graph
https://graph.microsoft.com/beta/groups/<group-id>/memberOf/$/Microsoft.Graph.AdministrativeUnit
Alternatively, you can go to Azure AD > Administrative units and select the administrative unit where the
group is a member. Select Groups in the left panel to list the member groups. Select the group to be removed
from the administrative unit and then select Remove groups.
PowerShell
Microsoft Graph
https://graph.microsoft.com/beta/administrativeUnits/<adminunit-id>/members/<group-id>/$ref
Next steps
Assign a role to an administrative unit
Manage users in an administrative unit
Assign scoped roles to an administrative unit
9/7/2020 • 2 minutes to read • Edit Online
In Azure Active Directory (Azure AD), you can assign users to an Azure AD role with a scope limited to one or more
administrative units (AUs) for more granular administrative control.
For steps to prepare to use PowerShell and Microsoft Graph for administrative unit management, see Get started.
Roles available
Role | Description
Authentication Administrator | Has access to view, set, and reset authentication method information for any non-admin user in the assigned administrative unit only.
Groups Administrator | Can manage all aspects of groups and group settings like naming and expiration policies in the assigned administrative unit only.
License Administrator | Can assign, remove, and update license assignments within the administrative unit only.
User Administrator | Can manage all aspects of users and groups, including resetting passwords for limited admins within the assigned administrative unit only.
PowerShell
$AdminUser = Get-AzureADUser -ObjectId "Use the user's UPN, who would be an admin on this unit"
$Role = Get-AzureADDirectoryRole | Where-Object -Property DisplayName -EQ -Value "User Account Administrator"
$administrativeUnit = Get-AzureADAdministrativeUnit -Filter "displayname eq 'The display name of the unit'"
$RoleMember = New-Object -TypeName Microsoft.Open.AzureAD.Model.RoleMemberInfo
$RoleMember.ObjectId = $AdminUser.ObjectId
Add-AzureADScopedRoleMembership -ObjectId $administrativeUnit.ObjectId -RoleObjectId $Role.ObjectId -RoleMemberInfo $RoleMember
The quoted values may be changed as required for the specific environment.
Microsoft Graph
HTTP request
POST /administrativeUnits/{id}/scopedRoleMembers
Request body
{
  "roleId": "roleId-value",
  "roleMemberInfo": {
    "id": "id-value"
  }
}
The placeholder values (roleId-value and id-value) may be changed as required for the specific environment.
Microsoft Graph
HTTP request
GET /administrativeUnits/{id}/scopedRoleMembers
Request body
{}
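As an added example (not from the Azure AD documentation), the following PowerShell lists every scoped role membership across all administrative units so that delegated rights can be reviewed in one place. It assumes the AzureAD module is installed and a Connect-AzureAD session already exists.

```powershell
# Added example, not part of the Azure AD docs: enumerate each administrative unit
# and report who holds which scoped role in it. Assumes Connect-AzureAD has run.

# Map role object IDs to display names once, so each membership can be labelled.
$roleNames = @{}
Get-AzureADDirectoryRole | ForEach-Object { $roleNames[$_.ObjectId] = $_.DisplayName }

function Get-ScopedRoleReport {
    $report = foreach ($au in Get-AzureADAdministrativeUnit) {
        # One entry per (role, member) pair scoped to this unit
        foreach ($m in Get-AzureADScopedRoleMembership -ObjectId $au.ObjectId) {
            [PSCustomObject]@{
                AdministrativeUnit = $au.DisplayName
                Role               = $roleNames[$m.RoleObjectId]
                Member             = $m.RoleMemberInfo.DisplayName
                MemberObjectId     = $m.RoleMemberInfo.ObjectId
            }
        }
    }
    return $report
}

$report = Get-ScopedRoleReport
$report | Sort-Object AdministrativeUnit, Role | Format-Table -AutoSize

# User Administrator is the broadest of the scoped roles listed above (it can reset
# passwords of limited admins in the unit), so surface those assignments separately.
$report | Where-Object { $_.Role -eq 'User Administrator' } |
    Select-Object AdministrativeUnit, Member, MemberObjectId
```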
Next steps
Use cloud groups to manage role assignments
Troubleshooting roles assigned to cloud groups
Azure AD administrative units: Troubleshooting and FAQ
9/7/2020 • 3 minutes to read
For more granular administrative control in Azure Active Directory (Azure AD), you can assign users to an Azure AD
role with a scope that's limited to one or more administrative units (AUs). For sample PowerShell scripts for
common tasks, see Work with administrative units.
Next steps
Restrict scope for roles by using administrative units
Manage administrative units
Add branding to your organization's Azure Active Directory sign-in page
9/7/2020 • 7 minutes to read
Use your organization's logo and custom color schemes to provide a consistent look-and-feel on your Azure Active
Directory (Azure AD) sign-in pages. Your sign-in pages appear when users sign in to your organization's web-based
apps, such as Office 365, which uses Azure AD as your identity provider.
NOTE
Adding custom branding requires you to use Azure Active Directory Premium 1, Premium 2, or Basic editions, or to have an
Office 365 license. For more information about licensing and editions, see Sign up for Azure AD Premium.
Azure AD Premium and Basic editions are available for customers in China using the worldwide instance of Azure Active
Directory. Azure AD Premium and Basic editions aren't currently supported in the Azure service operated by 21Vianet in
China. For more information, talk to us using the Azure Active Directory Forum.
Your custom branding won't immediately appear when your users go to sites such as www.office.com. Instead, the
user has to sign in before your customized branding appears. After the user has signed in, the branding may take
15 minutes or longer to appear.
NOTE
All branding elements are optional. For example, if you specify a banner logo with no background image, the sign-in page will
show your logo with a default background image from the destination site (for example, Office 365).
Additionally, sign-in page branding doesn't carry over to personal Microsoft accounts. If your users or business guests sign in
using a personal Microsoft account, the sign-in page won't reflect the branding of your organization.
IMPORTANT
All the custom images you add on this page have image size (pixels), and potentially file size (KB), restrictions. Because
of these restrictions, you'll most-likely need to use a photo editor to create the right-sized images.
General settings
Language. The language is automatically set as your default and can't be changed.
Sign-in page background image. Select a .png or .jpg image file to appear as the
background for your sign-in pages. The image will be anchored to the center of the browser,
and will scale to the size of the viewable space. You can't select an image larger than
1920x1080 pixels in size or that has a file size more than 300 KB.
It's recommended to use images without a strong subject focus, because an opaque white box
appears in the center of the screen and could cover any part of the image, depending on the
dimensions of the viewable space.
Banner logo. Select a .png or .jpg version of your logo to appear on the sign-in page after the
user enters a username and on the My Apps portal page.
The image can't be taller than 60 pixels or wider than 280 pixels. We recommend using a
transparent image since the background might not match your logo background. We also
recommend not adding padding around the image or it might make your logo look small.
Username hint. Type the hint text that appears to users if they forget their username. This text
must be Unicode, without links or code, and can't exceed 64 characters. If guests sign in to your
app, we suggest not adding this hint.
Sign-in page text and formatting. Type the text that appears on the bottom of the sign-in
page. You can use this text to communicate additional information, such as the phone number
to your help desk or a legal statement. This text must be Unicode and not exceed 1024
characters.
You can customize the sign-in page text you entered. To begin a new paragraph, use the enter
key twice. You can also change text formatting to include bold, italics, an underline or clickable
link. Use the following syntax to add formatting to text:
Hyperlink: [text](link)
Underline: ++text++
Advanced settings
Sign-in page background color. Specify the hexadecimal color (for example, white is
#FFFFFF) that will appear in place of your background image in low-bandwidth connection
situations. We recommend using the primary color of your banner logo or your organization
color.
Square logo image. Select a .png (preferred) or .jpg image of your organization's logo to
appear to users during the setup process for new Windows 10 Enterprise devices. This image is
only used for Windows authentication and appears only on tenants that are using Windows
Autopilot for deployment or for password entry pages in other Windows 10 experiences. In
some cases it may also appear in the consent dialog.
The image can't be larger than 240x240 pixels in size and must have a file size of less than 10
KB. We recommend using a transparent image since the background might not match your
logo background. We also recommend not adding padding around the image or it might make
your logo look small.
Square logo image, dark theme. Same as the square logo image above. This logo image
takes the place of the square logo image when used with a dark background, such as with
Windows 10 Azure AD joined screens during the out-of-box experience (OOBE). If your logo
looks good on white, dark blue, and black backgrounds, you don't need to add this image.
Show option to remain signed in. You can choose to let your users remain signed in to
Azure AD until explicitly signing out. If you choose No, this option is hidden, and users must
sign in each time the browser is closed and reopened.
This capability is only available on the default branding object and not on any language-
specific object. To learn more about configuring and troubleshooting the option to remain
signed in, see Configure the 'Stay signed in?' prompt for Azure AD accounts.
NOTE
Some features of SharePoint Online and Office 2010 depend on users being able to choose to remain
signed in. If you set this option to No, your users may see additional and unexpected prompts to
sign in.
IMPORTANT
To add more corporate branding configurations to your tenant, you must choose New language on the Contoso -
Company branding page. This opens the Configure company branding page, where you can follow the same
steps as above.
3. On the Configure company branding page, add, remove, or change any of the information, based on the
descriptions in the Customize your Azure AD sign-in page section of this article.
4. Select Save.
It can take up to an hour for any changes you made to the sign-in page branding to appear.
3. On the Configure company branding page, select your language (for example, French) and then add your
translated information, based on the descriptions in the Customize your Azure AD sign-in page section of
this article.
4. Select Save.
The Contoso – Company branding page updates to show your new French configuration.
The Microsoft 365 sign-in page for Azure Active Directory (Azure AD) supports work or school accounts and
Microsoft accounts, but depending on the user's situation, it could be one or the other or both. For example, the
Azure AD sign-in page supports:
Apps that accept sign-ins from both types of account
Organizations that accept guests
Identification
You can tell if the sign-in page your organization uses supports Microsoft accounts by looking at the hint text in the
username field. If the hint text says "Email, phone, or Skype", the sign-in page supports Microsoft accounts.
Additional sign-in options work only for personal Microsoft accounts but can't be used for signing in to work or
school account resources.
Next steps
Customize your sign-in branding
Home realm discovery for Azure Active Directory sign-in pages
9/7/2020 • 2 minutes to read
We are changing our Azure Active Directory (Azure AD) sign-in behavior to make room for new authentication
methods and improve usability. During sign-in, Azure AD determines where a user needs to authenticate. Azure AD
makes intelligent decisions by reading organization and user settings for the username entered on the sign-in
page. This is a step towards a password-free future that enables additional credentials like FIDO 2.0.
IMPORTANT
This feature might have an impact on federated domains relying on the old domain-level Home Realm Discovery to force
federation. For updates on when federated domain support will be added, see Home realm discovery during sign-in for
Microsoft 365 services. In the meantime, some organizations have trained their employees to sign in with a username that
doesn't exist in Azure Active Directory but contains the proper domain name, because the domain name currently routes
users to their organization's domain endpoint. The new sign-in behavior doesn't allow this. The user is notified to correct
the user name, and they aren't allowed to sign in with a username that does not exist in Azure Active Directory.
If you or your organization have practices that depend on the old behavior, it is important for organization administrators to
update employee sign-in and authentication documentation and to train employees to use their Azure Active Directory
username to sign in.
If you have concerns with the new behavior, leave your remarks in the Feedback section of this article.
Next steps
Customize your sign-in branding
Integrate LinkedIn account connections in Azure Active Directory
9/7/2020 • 3 minutes to read
You can allow users in your organization to access their LinkedIn connections within some Microsoft apps. No data
is shared until users consent to connect their accounts. You can integrate your organization in the Azure Active
Directory (Azure AD) admin center.
IMPORTANT
The LinkedIn account connections setting is currently being rolled out to Azure AD organizations. When it is rolled out to
your organization, it is enabled by default.
Exceptions:
The setting is not available for customers using Microsoft Cloud for US Government, Microsoft Cloud Germany, or Azure
and Office 365 operated by 21Vianet in China.
The setting is off by default for Azure AD organizations provisioned in Germany. Note that the setting is not available for
customers using Microsoft Cloud Germany.
The setting is off by default for organizations provisioned in France.
Once LinkedIn account connections are enabled for your organization, the account connections work after users consent to
apps accessing company data on their behalf. For information about the user consent setting, see How to remove a user's
access to an application.
IMPORTANT
LinkedIn integration is not fully enabled for your users until they consent to connect their accounts. No data is shared when
you enable account connections for your users.
NOTE
Even if you don't move your currently selected individual users to a group, they can still see LinkedIn information in Microsoft
apps.
# Read one user object ID per line from the CSV file (replace the placeholder path);
# $groupId holds the object ID of the group created in step two
$users = Get-Content "<path to the CSV file>"
$i = 1
foreach ($user in $users) {
    Add-AzureADGroupMember -ObjectId $groupId -RefObjectId $user
    Write-Host "$i Added $user"
    $i++
    Start-Sleep -Milliseconds 10
}
To use the group from step two as the selected group in the LinkedIn account connections setting in the Azure AD
admin center, see Enable LinkedIn account connections in the Azure portal.
State | Effect
This group policy affects only Office 2016 apps for a local computer. If users disable LinkedIn in their Office 2016
apps, they can still see LinkedIn features in Office 365.
Next steps
User consent and data sharing for LinkedIn
LinkedIn information and features in your Microsoft apps
LinkedIn help center
View your current LinkedIn integration setting in the Azure portal
LinkedIn account connections data sharing and consent
9/7/2020 • 4 minutes to read
You can enable users in your Active Directory (Azure AD) organization to consent to connect their Microsoft work
or school account with their LinkedIn account. After a user connects their accounts, information and highlights
from LinkedIn are available in some Microsoft apps and services. Users can also expect their networking
experience on LinkedIn to be improved and enriched with information from Microsoft.
To see LinkedIn information in Microsoft apps and services, users must consent to connect their own Microsoft and
LinkedIn accounts. Users are prompted to connect their accounts the first time they click to see someone's LinkedIn
information on a profile card in Outlook, OneDrive or SharePoint Online. LinkedIn account connections are not
fully enabled for your users until they consent to the experience and to connect their accounts.
NOTE
If you’re interested in viewing or deleting personal data, please review Microsoft's guidance in the Windows Data Subject
Requests for the GDPR site. If you’re looking for general information about GDPR, see the GDPR section of the Service Trust
portal.
Next steps
LinkedIn in Microsoft applications with your work or school account
Find help and open a support ticket for Azure Active Directory
9/7/2020 • 2 minutes to read
Microsoft provides global technical, pre-sales, billing, and subscription support for Azure Active Directory (Azure
AD). Support is available both online and by phone for Microsoft Azure paid and trial subscriptions. Phone support
and online billing support are available in additional languages.
NOTE
For billing or subscription issues, you must use the Microsoft 365 admin center.
NOTE
Support for Azure AD in the Microsoft 365 admin center is offered for administrators only.
1. Sign in to the Microsoft 365 admin center with an account that has an Enterprise Mobility + Security (EMS)
license.
2. On the Support tile, select New service request:
3. On the Support Overview page, select Identity management or User and domain management:
4. For Feature, select the Azure AD feature for which you want support.
5. For Symptom, select an appropriate symptom, summarize your issue and provide relevant details, and then
select Next.
6. Select one of the offered self-help resources, or select Yes, continue or No, cancel request.
7. If you continue, you are asked for more details. You can attach any files you have that represent the problem,
and then select Next.
8. Provide your contact information and select Submit request.
I received a max groups allowed error when trying to create a Dynamic Group in PowerShell
If you receive a message in PowerShell indicating Dynamic group policies max allowed groups count reached, this
means you have reached the max limit for Dynamic groups in your organization. The max number of Dynamic
groups per organization is 5,000.
To create any new Dynamic groups, you'll first need to delete some existing Dynamic groups. There's no way to
increase the limit.
Error: Attribute not supported.
  Error usage: (user.invalidProperty -eq "Value")
  Corrected usage: (user.department -eq "value")

Error: Operator is not supported on attribute.
  Error usage: (user.accountEnabled -contains true)
  Corrected usage: (user.accountEnabled -eq true)
  Explanation: The operator used is not supported for the property type (in this example, -contains cannot be used on type boolean). Use the correct operators for the property type.

Error: Query compilation error.
  Error usage:
    1. (user.department -eq "Sales") (user.department -eq "Marketing")
    2. (user.userPrincipalName -match "*@domain.ext")
  Corrected usage:
    1. (user.department -eq "Sales") -or (user.department -eq "Marketing")
    2. (user.userPrincipalName -match ".*@domain.ext"), or alternatively (user.userPrincipalName -match "@domain.ext$")
  Explanation:
    1. Missing operator. Use -and or -or to join predicates.
    2. Error in the regular expression used with -match.
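Before saving a rule, the -match patterns from the table above can be exercised locally against sample usernames. The following is an added example, not part of the original article; it assumes the rule engine accepts the same .NET regular-expression syntax that PowerShell's [regex] class uses, and the sample UPNs are constructed.

```powershell
# Added example, not from the Azure AD docs: compile each candidate -match pattern the way
# the rule engine is assumed to (as a .NET regex) and show which sample UPNs it would admit.
function Test-DynamicRulePattern {
    param([string]$Pattern, [string[]]$Samples)
    try {
        $re = [regex]::new($Pattern)     # an invalid pattern throws here, as "*@domain.ext" does
    } catch {
        return [PSCustomObject]@{ Pattern = $Pattern; Valid = $false; Matches = @(); Error = $_.Exception.Message }
    }
    [PSCustomObject]@{
        Pattern = $Pattern
        Valid   = $true
        Matches = @($Samples | Where-Object { $re.IsMatch($_) })
        Error   = $null
    }
}

# Constructed sample UPNs: two in the intended domain, two in look-alike domains that an
# unanchored or unescaped pattern would also admit to the group.
$samples = @('alice@domain.ext', 'bob@domain.ext', 'eve@domain.extra', 'mallory@domain-ext')

# The broken pattern, both corrected patterns from the table, and an anchored pattern with
# the dot escaped (the unescaped dot matches any single character, including "-").
foreach ($p in '*@domain.ext', '.*@domain.ext', '@domain.ext$', '@domain\.ext$') {
    Test-DynamicRulePattern -Pattern $p -Samples $samples
}
```

Because a dynamic group can grant licenses and app access, over-matching patterns admit unintended users; compare the Matches column for each pattern before using it in a rule.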
Next steps
These articles provide additional information on Azure Active Directory.
Managing access to resources with Azure Active Directory groups
Application Management in Azure Active Directory
What is Azure Active Directory?
Integrating your on-premises identities with Azure Active Directory
Identify and resolve license assignment problems for a group in Azure Active Directory
9/7/2020 • 11 minutes to read
Group-based licensing in Azure Active Directory (Azure AD) introduces the concept of users in a licensing error
state. In this article, we explain the reasons why users might end up in this state.
When you assign licenses directly to individual users, without using group-based licensing, the assignment
operation might fail. For example, when you execute the PowerShell cmdlet Set-MsolUserLicense on a user
system, the cmdlet can fail for many reasons that are related to business logic. For example, there might be an
insufficient number of licenses or a conflict between two service plans that can't be assigned at the same time.
The problem is immediately reported back to you.
When you're using group-based licensing, the same errors can occur, but they happen in the background while
the Azure AD service is assigning licenses. For this reason, the errors can't be communicated to you immediately.
Instead, they're recorded on the user object and then reported via the administrative portal. The original intent
to license the user is never lost, but it's recorded in an error state for future investigation and resolution.
2. Select the notification to open a list of all affected users. You can select each user individually to see more
details.
3. To find all groups that contain at least one error, on the Azure Active Directory blade select Licenses,
and then select Overview. An information box is displayed when groups require your attention.
4. Select the box to see a list of all groups with errors. You can select each group for more details.
The following sections give a description of each potential problem and the way to resolve it.
NOTE
When Azure AD assigns group licenses, any users without a specified usage location inherit the location of the directory.
We recommend that administrators set the correct usage location values on users before using group-based licensing to
comply with local laws and regulations.
TIP
To see if there is a duplicate proxy address, execute the following PowerShell cmdlet against Exchange Online:
For more information about this problem, see "Proxy address is already being used" error message in Exchange Online.
The article also includes information on how to connect to Exchange Online by using remote PowerShell.
After you resolve any proxy address problems for the affected users, make sure to force license processing on
the group to make sure that the licenses can now be applied.
TIP
You can create multiple groups for each prerequisite service plan. For example, if you use both Office 365 Enterprise E1
and Office 365 Enterprise E3 for your users, you can create two groups to license Microsoft Workplace Analytics: one that
uses E1 as a prerequisite and the other that uses E3. This lets you distribute the add-on to E1 and E3 users without
consuming additional licenses.
Next steps
To learn more about other scenarios for license management through groups, see the following:
What is group-based licensing in Azure Active Directory?
Assigning licenses to a group in Azure Active Directory
How to migrate individual licensed users to group-based licensing in Azure Active Directory
How to migrate users between product licenses using group-based licensing in Azure Active Directory
Azure Active Directory group-based licensing additional scenarios
PowerShell examples for group-based licensing in Azure Active Directory
Azure AD service limits and restrictions
9/7/2020 • 4 minutes to read
This article contains the usage constraints and other service limits for the Azure Active Directory (Azure AD)
service. If you’re looking for the full set of Microsoft Azure service limits, see Azure Subscription and Service Limits,
Quotas, and Constraints.
Here are the usage constraints and other service limits for the Azure Active Directory (Azure AD) service.
Category | Limit
Domains | You can add no more than 900 managed domain names. If you set up all of your domains for federation with on-premises Active Directory, you can add no more than 450 domain names in each tenant.
Access Panel | There's no limit to the number of applications that can be seen in the Access Panel per user regardless of assigned licenses.
Next steps
Sign up for Azure as an organization
How Azure subscriptions are associated with Azure AD