Manage your users with My Staff
My Staff enables you to delegate permissions to a figure of authority, such as a store manager or a team lead, ensuring that staff members are able to access their Microsoft Entra accounts. Instead of relying on a central helpdesk, organizations can delegate common tasks such as resetting passwords or changing phone numbers to a local team manager. With My Staff, a user who can't access their account can regain access in just a couple of clicks, with no helpdesk or IT staff required.
Before you configure My Staff for your organization, we recommend that you review this documentation as well as the user documentation to ensure you understand how it works and how it impacts your users. You can leverage the user documentation to train and prepare your users for the new experience and help to ensure a successful rollout.
How My Staff works
My Staff is based on administrative units, which are containers of resources that can be used to restrict the scope of a role assignment's administrative control. For more information, see Administrative units management in Microsoft Entra ID. In My Staff, administrative units can be used to contain a group of users in a store or department. A team manager can then be assigned an administrative role scoped to one or more units.
Before you begin
To complete the steps in this article, you need the following resources and privileges:
An active Azure subscription.
- If you don't have an Azure subscription, create an account.
A Microsoft Entra tenant associated with your subscription.
You need Authentication Policy Administrator privileges in your Microsoft Entra tenant to enable SMS-based authentication.
Each user who's enabled in the text message authentication method policy must be licensed, even if they don't use it. Each enabled user must have one of the following Microsoft Entra ID or Microsoft 365 licenses:
How to enable My Staff
After configuring administrative units, you can apply this scope to your users who access My Staff. Only users who are assigned an administrative role can access My Staff. To enable My Staff, complete the following steps:
Sign in to the Microsoft Entra admin center as at least a User Administrator.
Browse to Identity > Users > User settings.
Under User feature, select Manage user feature settings.
Under Administrators can access My Staff, you can choose to enable for all users, selected users, or no user access.
Note
Only users who've been assigned an admin role can access My Staff. If you enable My Staff for a user who is not assigned an admin role, they won't be able to access My Staff.
Conditional Access
You can protect the My Staff portal using Microsoft Entra Conditional Access policy. Use it for tasks like requiring multifactor authentication before accessing My Staff.
We strongly recommend that you protect My Staff using Microsoft Entra Conditional Access policies. To apply a Conditional Access policy to My Staff, you must first visit the My Staff site once, for a few minutes, so that the service principal is automatically provisioned in your tenant for use by Conditional Access.
You'll see the service principal when you create a Conditional Access policy that applies to the My Staff cloud application.
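The two configuration pieces described above (an administrative unit with a manager whose role is scoped to it, and a Conditional Access policy requiring MFA for the My Staff cloud app) can also be provisioned through the Microsoft Graph REST API rather than the portal. The following is an added example written for this page, not code from Microsoft's documentation. It assumes the standard Graph endpoints for administrative units, scoped role members and Conditional Access policies; the application id of the My Staff service principal, the role object id and the user ids are placeholders you must substitute, and `plan_delegation` only builds the calls so they can be reviewed before `execute` sends them.

```python
"""Build and (optionally) send the Microsoft Graph calls behind a My Staff delegation:
an administrative unit for one store, its members, a manager with a role scoped to that
unit, and a Conditional Access policy requiring MFA for the My Staff cloud app."""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Placeholder: the appId of the My Staff service principal in your tenant. It exists only
# after someone has visited https://mystaff.microsoft.com once, as the page notes; look it
# up under Enterprise applications and substitute the real value.
MY_STAFF_APP_ID = "<my-staff-app-id>"


def administrative_unit_body(display_name, description):
    """Body for POST /directory/administrativeUnits."""
    return {"displayName": display_name, "description": description}


def member_ref_body(user_id):
    """Body for POST /directory/administrativeUnits/{id}/members/$ref: members are bound by reference."""
    return {"@odata.id": f"{GRAPH}/users/{user_id}"}


def scoped_role_member_body(directory_role_id, manager_user_id):
    """Body for POST /directory/administrativeUnits/{id}/scopedRoleMembers.
    roleId is the object id of the activated directoryRole (GET /directoryRoles),
    not the roleTemplate id; the manager holds the role only inside this unit."""
    return {"roleId": directory_role_id, "roleMemberInfo": {"id": manager_user_id}}


def mfa_policy_body(app_id, report_only=True):
    """Body for POST /identity/conditionalAccess/policies. Starts in report-only mode so
    the policy can be validated against sign-in logs before it blocks anyone."""
    return {
        "displayName": "Require MFA for My Staff",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": [app_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def plan_delegation(unit_name, staff_user_ids, manager_user_id, directory_role_id, app_id=MY_STAFF_APP_ID):
    """Return the ordered (method, path, body) calls. '{au}' in a path is filled in with the
    id returned by the first call, so the whole plan can be inspected before anything is sent."""
    calls = [("POST", "/directory/administrativeUnits",
              administrative_unit_body(unit_name, f"Staff of {unit_name}"))]
    for uid in staff_user_ids:
        calls.append(("POST", "/directory/administrativeUnits/{au}/members/$ref", member_ref_body(uid)))
    calls.append(("POST", "/directory/administrativeUnits/{au}/scopedRoleMembers",
                  scoped_role_member_body(directory_role_id, manager_user_id)))
    calls.append(("POST", "/identity/conditionalAccess/policies", mfa_policy_body(app_id)))
    return calls


def execute(calls, access_token):
    """Send the plan with a bearer token holding AdministrativeUnit.ReadWrite.All,
    RoleManagement.ReadWrite.Directory and Policy.ReadWrite.ConditionalAccess."""
    unit_id, responses = None, []
    for method, path, body in calls:
        if "{au}" in path:
            path = path.replace("{au}", unit_id)
        req = urllib.request.Request(
            GRAPH + path, data=json.dumps(body).encode(), method=method,
            headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()  # $ref member adds return 204 with an empty body
        data = json.loads(raw) if raw else {}
        if path == "/directory/administrativeUnits":
            unit_id = data["id"]  # needed by every later call in the plan
        responses.append(data)
    return responses


if __name__ == "__main__":
    # Dry run with constructed ids: print the plan instead of sending it.
    for method, path, body in plan_delegation("Store 042", ["user-a", "user-b"], "manager-1", "role-object-id"):
        print(method, path, json.dumps(body))
```

Run it as-is to review the plan; pass a real token to `execute` only after the placeholder ids are replaced. Leaving the policy in report-only state first lets you confirm in the sign-in logs that only the managers who use My Staff are affected before enforcing it.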
Using My Staff
When a user selects My Staff, they are shown the names of the administrative units over which they have administrative permissions. In the My Staff user documentation, we use the term "location" to refer to administrative units. If an administrator's permissions don't have an administrative unit scope, then the permissions apply across the organization.
After My Staff has been enabled, the users who are enabled and have been assigned an administrative role can access it through https://mystaff.microsoft.com. They can select an administrative unit to view the users in that unit, and select a user to open their profile.
Limitations
My Staff shows up to 999 users per administrative unit.
Reset a user's password
Before you can reset passwords for on-premises users, you must fulfill the following prerequisite conditions. For detailed instructions, see Enable self-service password reset tutorial.
- Configure permissions for password writeback
- Enable password writeback in Microsoft Entra Connect
- Enable password writeback in Microsoft Entra self-service password reset (SSPR)
The following roles have permission to reset a user's password:
- Authentication Administrator
- Privileged Authentication Administrator
- Helpdesk Administrator
- User Administrator
- Password Administrator
From My Staff, open a user's profile. Select Reset password.
If the user is cloud-only, you can see a temporary password that you can give to the user.
If the user is synced from on-premises Active Directory, you can enter a password that meets your on-premises domain policies. You can then give that password to the user.
The user needs to change their password the next time they sign in.
Manage a phone number
From My Staff, open a user's profile.
- Select Add phone number to add a phone number for the user
- Select Edit phone number to change the phone number
- Select Remove phone number to remove the phone number for the user
Depending on your settings, the user can then use the phone number you set up to sign in with SMS, perform multifactor authentication, and perform self-service password reset.
To manage a user's phone number, you must be assigned one of the following roles:
Manage QR code authentication
You can use My Staff to manage the QR code authentication method for users.
Add QR code authentication method for a user in My Staff
Sign in to the My Staff portal as a frontline manager. Select an administrative unit and a frontline worker.
Click Manage QR code authentication method.
Click Add QR code method.
Specify the expiration and activation date, and click Add to generate a QR code and PIN for the user.
Save the PIN, download or print the QR code, and then click Done. The downloaded QR code image is already at the smallest size that prints reliably; if you reduce it, the QR code becomes hard to scan. You can't regenerate the same QR code because it contains a unique secret. If the QR code doesn't work for some reason, delete it and create a new QR code for the user.
Edit the QR code authentication method for a user in My Staff
To edit the expiration date for a standard QR code, click Edit. Edit the expiration date and save the changes.
To delete a standard QR code, click Delete, and confirm the action.
To add a new standard QR code, click Add new next to the standard QR code.
Select the activation time and expiration date for the QR code, and click Add.
Download or print the QR code, and click Done.
To add a temporary QR code, click Add new next to the temporary QR code. Specify the Lifetime in hours and the Activation date, and click Add.
Download or print the QR code, and click Done.
To reset a PIN, click Reset PIN.
Click Copy PIN to copy the PIN to your clipboard.
Delete the QR code authentication method for a user in My Staff
To delete the QR code authentication method itself, click Delete QR code method.
Click Delete to confirm the action.
Search
You can search for administrative units and users in your organization using the search bar in My Staff. You can search across all administrative units and users in your organization, but you can only make changes to users who are in an administrative unit over which you have been given admin permissions.
Audit logs
You can view audit logs for actions taken in My Staff in the Microsoft Entra admin center. If an audit log was generated by an action taken in My Staff, you will see this indicated under ADDITIONAL DETAILS in the audit event.
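Because every password reset and phone-number change made through My Staff lands in the directory audit log with a My Staff indicator under additional details, those events can be pulled out and reviewed per manager. The following is an added example written for this page, not code from Microsoft's documentation. It works on records in the shape returned by the Graph `GET /auditLogs/directoryAudits` endpoint; the sample records are constructed, the `additionalDetails` key and value that mark My Staff are an assumption (the code matches any key or value containing "My Staff"), the activity names are assumed, and the reset threshold is an arbitrary review trigger.

```python
"""Pull audit events that originated from My Staff and summarize who did what to whom,
so delegated resets and phone changes by frontline managers can be reviewed."""
from collections import defaultdict

# Constructed sample records in the shape of Graph directoryAudit objects
# (GET /auditLogs/directoryAudits). The "Source": "My Staff" detail and the
# activity names are assumptions, not documented values.
SAMPLE_AUDIT = [
    {"activityDisplayName": "Reset user password", "activityDateTime": "2024-05-01T08:02:11Z",
     "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "mgr042@contoso.example"}},
     "targetResources": [{"userPrincipalName": "alice@contoso.example", "type": "User"}],
     "additionalDetails": [{"key": "Source", "value": "My Staff"}]},
    {"activityDisplayName": "Reset user password", "activityDateTime": "2024-05-01T08:05:40Z",
     "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "mgr042@contoso.example"}},
     "targetResources": [{"userPrincipalName": "bob@contoso.example", "type": "User"}],
     "additionalDetails": [{"key": "Source", "value": "My Staff"}]},
    {"activityDisplayName": "Update user", "activityDateTime": "2024-05-01T08:09:03Z",
     "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "mgr042@contoso.example"}},
     "targetResources": [{"userPrincipalName": "bob@contoso.example", "type": "User"}],
     "additionalDetails": [{"key": "Source", "value": "My Staff"}, {"key": "Property", "value": "MobilePhone"}]},
    {"activityDisplayName": "Reset user password", "activityDateTime": "2024-05-01T08:12:59Z",
     "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "mgr042@contoso.example"}},
     "targetResources": [{"userPrincipalName": "carol@contoso.example", "type": "User"}],
     "additionalDetails": [{"key": "Source", "value": "My Staff"}]},
    # A reset done elsewhere (constructed): no My Staff indicator, so it is left out.
    {"activityDisplayName": "Reset user password", "activityDateTime": "2024-05-01T09:00:00Z",
     "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
     "targetResources": [{"userPrincipalName": "dave@contoso.example", "type": "User"}],
     "additionalDetails": []},
]


def from_my_staff(event, marker="my staff"):
    """True when any additionalDetails key or value mentions My Staff (case-insensitive)."""
    return any(marker in str(detail.get(field, "")).lower()
               for detail in event.get("additionalDetails", [])
               for field in ("key", "value"))


def summarize(events, reset_threshold=3):
    """Group My Staff actions by initiator and flag initiators with at least
    reset_threshold password resets in the batch (an assumed review trigger;
    tune it to your store sizes and the time window you query)."""
    by_actor = defaultdict(list)
    for event in events:
        if not from_my_staff(event):
            continue
        actor = event.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "unknown")
        targets = [t.get("userPrincipalName") or t.get("displayName", "?")
                   for t in event.get("targetResources", [])]
        by_actor[actor].append({
            "when": event.get("activityDateTime"),
            "activity": event.get("activityDisplayName"),
            "result": event.get("result"),
            "targets": targets,
        })
    flagged = sorted(actor for actor, actions in by_actor.items()
                     if sum(1 for a in actions if a["activity"] == "Reset user password") >= reset_threshold)
    return {"events": sum(len(v) for v in by_actor.values()),
            "by_actor": dict(by_actor),
            "flagged": flagged}


if __name__ == "__main__":
    report = summarize(SAMPLE_AUDIT)
    for actor, actions in report["by_actor"].items():
        for a in actions:
            print(f"{a['when']} {actor} {a['activity']} -> {', '.join(a['targets'])} ({a['result']})")
    print("review:", report["flagged"])
```

Feed it the `value` array from a real `directoryAudits` query (filtered by `activityDateTime` to the window you care about) in place of `SAMPLE_AUDIT`; the flagged list is a starting point for a periodic review of which managers are resetting whose passwords, not a verdict.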
Next steps
- My Staff user documentation
- Administrative units documentation