Create and manage users

Every user who needs access to Azure resources needs an Azure user account. Your user account contains all the information needed to authenticate you during the sign-in process. Once authenticated, Microsoft Entra ID builds an access token to authorize you, determine what resources you can access, and determine what you can do with those resources.

The Microsoft Entra admin center is a web-based identity portal for Microsoft Entra products. It provides a unified administrative experience for organizations and administrators to configure and manage their Microsoft Entra solutions in a centralized location.

In this exercise, you'll use the Microsoft Entra admin center to work with user objects. Keep in mind that you can only work with a single directory at a time, but you can use the Directory + Subscription pane to switch directories.

View users

To view the Microsoft Entra users, select Users in the left pane, then select All users. The All Users pane appears. Notice the User type and Identities columns, as shown in the following screenshot:

Screenshot that depicts the All users pane, with the User type and Identities columns noted.

Typically, Microsoft Entra ID defines users in three ways:

  • Cloud identities: These users exist only in Microsoft Entra ID. Examples are administrator accounts and users that you manage yourself. Their source is Microsoft Entra ID or External Microsoft Entra ID if the user is defined in another Microsoft Entra instance, but needs access to subscription resources controlled by this directory. When these accounts are removed from the primary directory, they're deleted.

  • Directory-synchronized identities: These users exist in an on-premises Active Directory. A synchronization activity that occurs via Microsoft Entra Connect brings these users into Azure. Their source is Windows Server AD.

  • Guest users: These users exist outside Azure. Examples are accounts from other cloud providers and Microsoft accounts (such as an Xbox LIVE account). Their source is Invited user. This type of account is useful when external vendors or contractors need access to your Azure resources. Once their help is no longer necessary, you can remove the account and all of their access.

Add users

You can add cloud identities to Microsoft Entra ID in multiple ways:

  • Syncing an on-premises Windows Server Active Directory
  • Using the Microsoft Entra admin center
  • Using the Azure portal
  • Using the command line
  • Other options

Sync an on-premises Windows Server Active Directory

Microsoft Entra Connect is a separate service that allows you to synchronize a traditional Active Directory with your Microsoft Entra instance. This is how most enterprise customers add users to the directory. The advantage to this approach is users can use single sign-on (SSO) to access local and cloud-based resources.

Use the Microsoft Entra admin center

You can manually add new users through the Microsoft Entra admin center. This is the easiest way to add a small set of users. You need to be in the User Administrator role to perform this function.

  1. To add a new user, select New user in the top menu bar, then select Create new user.

    Screenshot showing the New User button highlighted in the Microsoft Entra admin center.

  2. In addition to Name and User name, you can add profile information, like Job Title and Department, on the Properties tab.

    Screenshot showing the New user dialog.

    The default behavior is to create a new user in the organization. The user will have a username with the default domain name assigned to the directory, such as alice@staracoustics.onmicrosoft.com.

  3. You can also invite a user into the directory. In this case, an email is sent to a known email address, and an account is created and associated with that email address if the user accepts the invitation.

    Screenshot showing the invite screen.

    The invited user will need to create an associated Microsoft account (MSA) if that specific email address isn't associated with one, and the account will be added to Microsoft Entra ID as a guest user.

Use the command line

If you have a lot of users to add, a better option is to use a command-line tool. You can run the New-MgUser PowerShell command to add cloud-based users.

# Sign in first with an account that holds the User Administrator role; User.ReadWrite.All is the Graph permission New-MgUser needs
Connect-MgGraph -Scopes "User.ReadWrite.All"

# Create a password profile value; ForceChangePasswordNextSignIn makes the initial password single-use
$PasswordProfile = @{ Password = "<Password>"; ForceChangePasswordNextSignIn = $true }

# Create the new user (the -AccountEnabled switch is required, or the account is created disabled)
New-MgUser -DisplayName "Abby Brown" -PasswordProfile $PasswordProfile -MailNickName "AbbyB" -UserPrincipalName "AbbyB@contoso.com" -AccountEnabled

The command will return the new user object you created.

DisplayName Id                                    UserPrincipalName
----------- --                                    -----------------
Abby Brown  f36634c8-8a93-4909-9248-0845548bc515  AbbyB@contoso.com

If you prefer a more standard command-line interface, you can use the Azure CLI:

az ad user create --display-name "Abby Brown" \
                  --password "<password>" \
                  --user-principal-name "AbbyB@contoso.com" \
                  --force-change-password-next-login true \
                  --mail-nickname "AbbyB"

Command-line tools allow you to add users in bulk through scripting. The most common approach for this is to use a comma-separated values (CSV) file. You can either manually create this file or export the file from an existing data source.

If you're planning to use a CSV, here are some things to think about:

  • Naming conventions: Establish or implement a naming convention for usernames, display names, and aliases. For example, a username might consist of the last name, followed by a period (.), followed by the first name, as in Smith.John@contoso.com.

  • Passwords: Implement a convention for the initial password of a newly created user. Determine how new users will receive their passwords in a security-enhanced way. A commonly used method is generating a random password and then emailing it to the new user or their manager.

To use a CSV with Azure PowerShell:

  1. Run the Connect-MgGraph command to create a PowerShell connection to your directory. Connect with an admin account that has privileges on your directory.

  2. Create new password profiles for the new users. The passwords for the new users need to conform to the password-complexity rules you have set for your directory.

  3. Use Import-CSV to import the CSV. You need to specify the path and file name of the CSV.

  4. Loop through the users in the file, constructing the user parameters needed for each user. Example parameters are User Principal Name, Display Name, Given Name, Department, and Job Title.

  5. Run the New-MgUser command to create each user. Be sure to enable each account.
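The following script is an added example (not part of the module) that carries out the five steps above and also applies the naming and initial-password conventions from the CSV section. It assumes the Microsoft.Graph.Users module is installed, that contoso.com is a verified domain in your tenant, and that the CSV has the hypothetical columns FirstName, LastName, Department and JobTitle; the CSV rows written at the top are constructed sample data. Names such as New-InitialPassword and ConvertTo-UserAlias are helpers defined here, not SDK cmdlets.

```powershell
# Added example: bulk-create cloud users from a CSV with the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph.Users installed; contoso.com is a verified domain; CSV columns as below.

$Domain  = "contoso.com"        # assumed verified domain of the tenant
$CsvPath = ".\NewUsers.csv"     # assumed input file; constructed sample rows written below

# Constructed sample CSV so the script can be tried end to end
@'
FirstName,LastName,Department,JobTitle
John,Smith,Finance,Analyst
Abby,Brown,Sales,Account Manager
'@ | Set-Content -Path $CsvPath

# Step 1: connect with an account in the User Administrator role; User.ReadWrite.All is the Graph scope New-MgUser needs
Connect-MgGraph -Scopes "User.ReadWrite.All" -NoWelcome

# Cryptographic RNG for initial passwords (Get-Random is not designed for secrets)
$script:Rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()

function Get-RandomIndex([int]$Max) {
    # Unbiased index in [0, Max) via rejection sampling on 32 random bits
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % [uint32]$Max)
    do {
        $buf = [byte[]]::new(4)
        $script:Rng.GetBytes($buf)
        $n = [BitConverter]::ToUInt32($buf, 0)
    } while ($n -ge $limit)
    return [int]($n % $Max)
}

function New-InitialPassword([int]$Length = 16) {
    # Step 2: one character from each class guarantees the default complexity rules; the rest is drawn from all classes
    $classes = @('ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnopqrstuvwxyz', '23456789', '!@#$%^&*')
    $all     = -join $classes
    $chars   = foreach ($c in $classes) { $c[(Get-RandomIndex $c.Length)] }
    $chars  += for ($i = $chars.Count; $i -lt $Length; $i++) { $all[(Get-RandomIndex $all.Length)] }
    # Shuffle so the class-guaranteed characters are not always in the first four positions
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-RandomIndex ($i + 1)
        $chars[$i], $chars[$j] = $chars[$j], $chars[$i]
    }
    return -join $chars
}

function ConvertTo-UserAlias([string]$First, [string]$Last) {
    # Naming convention from the module: LastName.FirstName, letters only, lower-cased
    $clean = { param($s) ($s -replace '[^A-Za-z]', '').ToLowerInvariant() }
    return "{0}.{1}" -f (& $clean $Last), (& $clean $First)
}

# Step 3: import the CSV; each row becomes an object whose properties are the header columns
$Rows = Import-Csv -Path $CsvPath

# Step 4: build the parameter set for each user
$Results = foreach ($r in $Rows) {
    $alias = ConvertTo-UserAlias -First $r.FirstName -Last $r.LastName
    $upn   = "$alias@$Domain"

    # Skip rows whose UPN already exists so a re-run does not fail half-way or collide with an existing identity
    if (Get-MgUser -Filter "userPrincipalName eq '$upn'" -ErrorAction SilentlyContinue) {
        [pscustomobject]@{ UserPrincipalName = $upn; Id = $null; InitialPassword = $null; Status = 'Skipped: already exists' }
        continue
    }

    $password = New-InitialPassword
    $Params = @{
        UserPrincipalName = $upn
        DisplayName       = "$($r.FirstName) $($r.LastName)"
        GivenName         = $r.FirstName
        Surname           = $r.LastName
        MailNickname      = $alias
        Department        = $r.Department
        JobTitle          = $r.JobTitle
        AccountEnabled    = $true                       # step 5: accounts are created enabled
        PasswordProfile   = @{
            Password                      = $password
            ForceChangePasswordNextSignIn = $true       # the initial password is single-use
        }
    }
    try {
        $new = New-MgUser @Params -ErrorAction Stop
        [pscustomobject]@{ UserPrincipalName = $new.UserPrincipalName; Id = $new.Id; InitialPassword = $password; Status = 'Created' }
    } catch {
        [pscustomobject]@{ UserPrincipalName = $upn; Id = $null; InitialPassword = $null; Status = "Failed: $($_.Exception.Message)" }
    }
}

# Initial passwords go to the onboarding hand-off file (protect and delete it after use), never to the console log
$Results | Where-Object Status -eq 'Created' | Export-Csv -Path ".\NewUsers-created.csv" -NoTypeInformation
$Results | Select-Object UserPrincipalName, Id, Status | Format-Table -AutoSize
```

The pre-check with Get-MgUser makes the script safe to re-run after a partial failure, and the random password is generated from a cryptographic RNG so that knowing one user's initial password reveals nothing about another's. Replace the hand-off file with whatever delivery channel your organization uses for initial credentials; with ForceChangePasswordNextSignIn set, each password is only valid until the user's first sign-in.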

Other options

You can also add users to Microsoft Entra ID programmatically using the Microsoft Graph API, or through the Microsoft 365 Admin Center and the Microsoft Intune Admin console if you're sharing the same directory.