Add users and grant administrative permission to Intune
As an administrator, you can add users directly or synchronize users from your on-premises Active Directory. Once added and enabled, users can enroll devices and access company resources. You can also give users more permissions including global administrator and service administrator permissions.
Add users to Intune
You can manually add users to your Intune subscription via the Microsoft 365 admin center, the Microsoft Entra admin center, or the Microsoft Intune admin center. In addition, an administrator can edit user accounts to assign Intune licenses. You can assign licenses in either the Microsoft 365 admin center or the Microsoft Intune admin center. For more information on using the Microsoft 365 admin center, see Add users individually or in bulk to the Microsoft 365 admin center. For more information on using the Microsoft Entra admin center, see How to create, invite, and delete users.
Add individual Intune users in the Microsoft Intune admin center
In the Microsoft Intune admin center, choose Users > All users > New user > Create new user.
On the Basics tab, add the following user details:
- User principal name - The user principal name (UPN) stored in Microsoft Entra ID and used to access the service.
- Mail nickname - If you need to enter an email nickname that is different from the user principal name you entered, uncheck the Derive from user principal name option, then enter the mail nickname.
- Display name - The user's name, such as Chris Green or Chris A. Green.
- Password - Add a password for the new user or choose to have it autogenerated.
- Account enabled - Choose to enable the account once it is created. If not checked, this user will be blocked from signing in. This can be updated after user creation.
Either select the Review + create button to create the new user or Next: Properties to complete the next section.
On the Properties tab, add the following details:
- Identity:
- First name
- Last name
- User type - Choose either Member or Guest. Both of these user types are internal to your organization. Members are commonly full-time employees in your organization. Guests have an account in your tenant, but have guest-level privileges. It's possible they were created within your tenant prior to the availability of B2B collaboration.
- Authorization info - You can add up to 5 certificate user IDs. These are used as a part of Certificate Based Authentication and require a specific format. For more information, see Mapping to the certificateUserIds attribute in Microsoft Entra ID.
- Job information: Add any job-related information, such as the user's job title, department, or manager.
- Contact information: Add any relevant contact information for the user.
- Parental controls: For organizations like K-12 school districts, the user's age group may need to be provided. Minors are 12 and under, Not adult are 13-18 years old, and Adults are 18 and over. The combination of age group and consent provided by parent options determines the Legal age group classification. The Legal age group classification may limit the user's access and authority.
- Settings: The Usage location specifies the user's global location.
Either select the Review + create button to create the new user or Next: Assignments to complete the next section.
On the Assignments tab, add the following details: You can assign the user to an administrative unit, group, or Microsoft Entra role when the account is created. You can assign the user to up to 20 groups or roles. You can only assign the user to one administrative unit. Assignments can be added after the user is created.
To assign a group to the new user:
- Select + Add group.
- From the menu that appears, choose up to 20 groups from the list and select the Select button.
- Select the Review + create button.
To assign a role to the new user:
- Select + Add role.
- From the menu that appears, choose up to 20 roles from the list and select the Select button.
- Select the Review + create button.
To add an administrative unit to the new user:
- Select + Add administrative unit.
- From the menu that appears, choose one administrative unit from the list and select the Select button.
- Select the Review + create button.
On the Review + Create tab, review the details to be sure the information is correct and passed validation, then select the Create button if everything looks good.
Note
If you're moving to Microsoft 365 from an Office 365 subscription, your users and groups are already in Microsoft Entra ID. Intune uses the same Microsoft Entra ID, and can use the existing users and groups.
You can also invite guest users to your Intune tenant. For more information, see Add Microsoft Entra B2B collaboration users in the Microsoft Entra admin center.
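The portal steps above (Basics, Properties, Assignments) can also be scripted. The following is an added example, not part of the original page or Microsoft's own script; it assumes the Microsoft Graph PowerShell module is installed, and the UPN, names, usage location and group ID are constructed placeholders. It creates the account disabled, adds the group assignment, and only then enables sign-in.

```powershell
# Added example. Requires the Microsoft Graph PowerShell module.
# The UPN, names, usage location and group ID are constructed placeholders.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'GroupMember.ReadWrite.All'

# Random initial password; the fixed suffix only guarantees all character classes.
$bytes = [byte[]]::new(18)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$initialPassword = [Convert]::ToBase64String($bytes) + 'aZ9!'

# Basics and Properties tabs: create the account disabled so it cannot sign in yet.
$user = New-MgUser `
    -UserPrincipalName 'chris.green@contoso.example' `
    -MailNickname 'chris.green' `
    -DisplayName 'Chris Green' `
    -GivenName 'Chris' -Surname 'Green' `
    -UserType 'Member' `
    -UsageLocation 'US' `
    -AccountEnabled:$false `
    -PasswordProfile @{ Password = $initialPassword; ForceChangePasswordNextSignIn = $true }

# Assignments tab: add the user to one group (placeholder object ID).
$groupId = '00000000-0000-0000-0000-000000000000'
New-MgGroupMember -GroupId $groupId -DirectoryObjectId $user.Id

# Enable sign-in only after the assignments are in place.
Update-MgUser -UserId $user.Id -AccountEnabled:$true
```

Hand the initial password to the user over a separate channel; the forced change at next sign-in keeps it short-lived.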
Add multiple Intune users in the Microsoft Intune admin center
You can add Intune users in bulk by uploading a csv file containing the full list of users. The following steps allow you to add multiple users to Intune:
- Sign in to the Microsoft Intune admin center as at least a User Administrator.
- Select Users > All users > Bulk operations > Bulk create. The Bulk create users pane is displayed.
- Download, edit, and upload a csv template containing a list of users that you want to add to Intune.
The csv file is a comma-separated value list that can be edited in Notepad or Excel. For more information about using a csv file to add Intune users, see Bulk create users in Microsoft Entra ID.
Note
You can also invite multiple guest users to your Intune tenant. For more information, see Tutorial: Bulk invite Microsoft Entra B2B collaboration users.
Delete user from Intune
When a user has left your organization, you can delete them from your Intune tenant. If needed, you can choose to delete multiple users using Bulk operations.
To delete an individual user from Intune:
- Sign in to the Microsoft Intune admin center as at least a User Administrator.
- Browse to Users > All users.
- Select the user you want to delete.
- Select Delete.
To delete multiple users from Intune:
- Sign in to the Microsoft Intune admin center as at least a User Administrator.
- Select Users > All users > Bulk operations > Bulk delete. The Bulk delete users pane is displayed.
- Download, edit, and upload a csv template containing a list of users that you want to delete from Intune.
For related information, see Bulk delete users in Microsoft Entra ID.
Grant admin permissions
After you've added users to your Intune subscription, we recommend that you grant a few users administrative permission. To grant admin permissions, follow these steps:
Give admin permissions in Microsoft 365
- Sign in to the Microsoft Intune admin center with a global administrator account > select Users > Active users > choose the user to give admin permissions.
- In the user pane, choose Manage roles under Roles.
- In the Manage roles pane, choose the admin permission to grant from the list of available roles.
- Choose Save changes.
Give admin permissions in Microsoft Intune admin center
- Sign in to the Microsoft Intune admin center with a global administrator account > Users > then choose the user you want to give admin permissions.
- Select Assigned roles > Add assignments.
- In the Directory roles pane, select the roles you want to assign to the user > Add.
Types of administrators
Assign users one or more administrator permissions. These permissions define the administrative scope for users and the tasks they can manage. Administrator permissions are common between the different Microsoft cloud services, and some services might not support some permissions. Both the Azure portal and Microsoft 365 admin center list limited administrator roles that aren't used by Intune. Intune administrator permissions include the following options:
- Global administrator - (Microsoft 365 and Intune) Accesses all administrative features in Intune. By default the person who signs up for Intune becomes a Global admin. Global admins are the only admins who can assign other admin roles. You can have more than one global admin in your organization. As a best practice, we recommend that only a few people in your company have this role to reduce the risk to your business.
- Password administrator - (Microsoft 365 and Intune) Resets passwords, manages service requests, and monitors service health. Password admins are limited to resetting passwords for users.
- Service support administrator - (Microsoft 365 and Intune) Opens support requests with Microsoft, and views the service dashboard and message center. They have "view only" permissions except for opening support tickets and reading them.
- Billing administrator - (Microsoft 365 and Intune) Makes purchases, manages subscriptions, manages support tickets, and monitors service health.
- User administrator - (Microsoft 365 and Intune) Resets passwords, monitors service health, adds and deletes user accounts, and manages service requests. The user management admin can't delete a global admin, create other admin roles, or reset passwords for other admins.
- Intune administrator - All Intune Global administrator permissions except permission to create administrators with Directory Role options.
The account you use to create your Microsoft Intune subscription is a global administrator. As a best practice, don't use a global administrator for day-to-day management tasks. While an administrator doesn't require an Intune license to access the Intune on Azure portal, in order to perform certain management tasks, such as setting up the Exchange service Connector, an Intune license is required.
To access the Microsoft 365 admin center, your account must have sign-in allowed. In the Azure portal under Profile, set Block sign in to No to allow access. This status is different from having a license to the subscription. By default, all user accounts are Allowed. Users without administrator permissions can use the Microsoft 365 admin center to reset Intune passwords.
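To check the recommendation that only a few people hold the Global administrator role, you can list who currently holds each of the roles described above. This is an added example, not part of the original page or Microsoft's own script; it assumes the Microsoft Graph PowerShell module, and the threshold of 4 is an assumption, since the page only says "a few people".

```powershell
# Added example. Requires the Microsoft Graph PowerShell module.
$MaxGlobalAdmins = 4   # assumed threshold; adjust to your own policy
$rolesToAudit = 'Global Administrator', 'Intune Administrator', 'User Administrator',
                'Password Administrator', 'Billing Administrator', 'Service Support Administrator'

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory'

# Get-MgDirectoryRole returns only roles that have been activated in the tenant.
$roles = Get-MgDirectoryRole | Where-Object DisplayName -in $rolesToAudit

# One row per direct member. Groups appear as a single row (their members are not
# expanded), and eligible-only (PIM) assignments are not included.
$report = foreach ($role in $roles) {
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        [pscustomobject]@{
            Role       = $role.DisplayName
            MemberType = $m.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
            Name       = $m.AdditionalProperties['displayName']
            UPN        = $m.AdditionalProperties['userPrincipalName']
        }
    }
}

$report | Sort-Object Role, Name | Format-Table -AutoSize

# Flag the tenant when more accounts hold Global Administrator than the policy allows.
$globalAdmins = @($report | Where-Object Role -eq 'Global Administrator')
if ($globalAdmins.Count -gt $MaxGlobalAdmins) {
    Write-Warning ("{0} Global Administrators assigned; threshold is {1}." -f $globalAdmins.Count, $MaxGlobalAdmins)
}
```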
Sync Active Directory and add users to Intune
You can configure directory synchronization to import user accounts from your on-premises Active Directory to Microsoft Entra, which includes Intune users. Having your on-premises Active Directory service connected with all of your Microsoft Entra ID-based services makes managing user identity simpler. You can also configure single sign-on features to make the authentication experience for your users familiar and easy. When you link the same Microsoft Entra tenant with multiple services, the user accounts that you have previously synchronized are available to all cloud-based services.
Be sure your AD admins have access to your Microsoft Entra subscription, and are trained to complete common AD and Microsoft Entra tasks.
How to sync on-premises users with Microsoft Entra ID
To move existing users from on-premises Active Directory to Microsoft Entra ID, you can set up hybrid identity. Hybrid identities exist in both services - on-premises AD and Microsoft Entra ID.
You can also export Active Directory users using the UI or through a script. An internet search can help you find the best option for your organization.
To synchronize your user accounts with Microsoft Entra ID, use the Microsoft Entra Connect wizard. The Microsoft Entra Connect wizard provides a simplified and guided experience for connecting your on-premises identity infrastructure to the cloud. Choose your topology and needs (single or multiple directories, password hash sync, pass-through authentication, or federation). The wizard deploys and configures all components required to get your connection up and running, including sync services, Active Directory Federation Services (AD FS), and the Microsoft Graph PowerShell module.
Tip
Microsoft Entra Connect encompasses functionality that was previously released as Dirsync and Azure AD Sync. Learn more about directory integration. To learn about syncing user accounts from a local directory to Microsoft Entra ID, see Similarities between Active Directory and Microsoft Entra ID.