Managing devices with Microsoft Endpoint Manager – Part 03

User management is always the difficult part in any environment. Most people think that a “user” object is just a “user object”, but it is much more. The “user” is the core of the identity, licenses, groups, applications and roles.

When user management is poor, many problems arise, such as:

  • User account compromise due to weak passwords
  • User is a member of a group that he/she should not be in, either added incorrectly or not removed when his/her role changed
  • User does not have the correct license and/or application
  • User is a member of a role that gives him/her more access just because it is “easy” this way. How many of you have administrator access to your workstation?! (Now imagine Azure AD: how many have global admin because it is “easy”?!)

When we think about User management, we are thinking of:

  • Adding a new user (or multiple users at the same time)
  • Changing an existing user (e.g. changing a user’s license or resetting a user’s password)
  • Deleting Users
  • Recovering deleted users

Before we start managing users in Azure Active Directory, note that there are many ways and places to do it. We can head to the Azure Portal (https://portal.azure.com/) or use the Office Admin Center (https://admin.microsoft.com/). We can perform the tasks manually or via a PowerShell script (or any other scripting language, to be honest). We can also synchronise with an existing on-premises Active Directory environment via Azure AD Connect and have hybrid identity management (https://docs.microsoft.com/en-gb/azure/active-directory/hybrid/whatis-hybrid-identity).

Adding a Single user

To add a single user, perform the following steps on a computer connected to the internet:

  • Open a browser and navigate to https://admin.microsoft.com/
  • On the left-hand side, expand Users and click Active Users
  • On Active Users, click Add a user
  • On Add a user, Set up the basics, fill in the details form and click Next
  • On Assign product licenses, select Enterprise Mobility + Security E5 and Office 365 E3 and click Next

Note that you can add or remove individual applications from the license. Imagine that you do not want a user to have access to “Flow for Office 365”: after you assign the Office 365 E3 license, you can expand Apps and untick the box for “Flow for Office 365”. The Apps node will show all apps that the user will be able to use based on the assigned licenses.

  • Under Optional settings, you can add the user to an administrative role if required and fill in more information about the user. Once completed, click Next
  • Under Review and finish, review all the settings and if correct, click Finish Adding
  • Under User added to active users, click Close

Note that you can save all the settings you selected as a template. To do this, fill in the Name your template field, add a description and click Save as template.

  • Returning to the Active users list, confirm that the new user has been created

Adding Multiple Users

To add multiple users, perform the following steps on a computer connected to the internet:

  • Create a text file with the extension .csv where the first line contains the header and the following lines contain the user information.

Note that an example file can be downloaded from the Upload a CSV file with user info screen

For more information on how to create the CSV file and which headers are required, navigate to “Add several users at the same time to Microsoft 365 – Admin Help” at https://docs.microsoft.com/en-GB/microsoft-365/enterprise/add-several-users-at-the-same-time?view=o365-worldwide

  • Open a browser and navigate to https://admin.microsoft.com/
  • On the left-hand side, expand Users and click Active Users
  • On Active Users, click Add multiple users
  • On Upload a CSV file with user info, click Browse and select the file created before. Once done, click Next

Note: if there is any problem with the CSV file (e.g. an incorrect domain name), an error message will be shown

  • On Assign product licenses, select Enterprise Mobility + Security E5 and Office 365 E3 and click Next

Note that you can add or remove individual applications from the license. Imagine that you do not want the users to have access to “Flow for Office 365”: after you assign the Office 365 E3 license, you can expand Apps and untick the box for “Flow for Office 365”. The Apps node will show all apps that the users will be able to use based on the assigned licenses.

  • Under Review and finish adding multiple users, review all the settings and if correct, click Add users
  • Under You added X user, click Close

Note that you can download or e-mail the results to analyse offline. To do this, use the Download results or Email results link.

  • Returning to the Active users list, confirm that the new users have been created
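The upload screen rejects a CSV with problems such as an incorrect domain name, so it helps to check the file before uploading. The following is an added example, not part of the original article: it assumes the sign-in column is called Username and that example.com is the tenant's verified domain, and the sample rows are constructed.

```powershell
# Added example: pre-check a bulk-user CSV before uploading it in the admin center.
# Assumptions (not from the article): the sign-in column is named 'Username' and
# example.com is the tenant's verified domain. Adjust both to your tenant.
function Test-BulkUserCsv {
    param(
        [Parameter(Mandatory)][string[]]$CsvLines,         # file content, header first
        [Parameter(Mandatory)][string[]]$VerifiedDomains,  # domains verified in the tenant
        [string]$UserColumn = 'Username'
    )
    $rows = @($CsvLines | ConvertFrom-Csv)
    if ($rows.Count -eq 0) { return 'File has a header but no user rows' }
    if ($rows[0].PSObject.Properties.Name -notcontains $UserColumn) {
        return "Header row has no '$UserColumn' column"
    }
    $seen = @{}   # hashtable keys are case-insensitive, so ALICE@ and alice@ collide
    $line = 1     # line 1 is the header
    foreach ($row in $rows) {
        $line++
        $name = "$($row.$UserColumn)".Trim()
        if ($name -notmatch '^[^@\s]+@([^@\s]+)$') {
            "Line ${line}: '$name' is not in user@domain form"
            continue
        }
        $domain = $Matches[1]
        if ($VerifiedDomains -notcontains $domain) {
            "Line ${line}: domain '$domain' is not a verified domain of the tenant"
        }
        if ($seen.ContainsKey($name)) {
            "Line ${line}: '$name' duplicates line $($seen[$name])"
        } else {
            $seen[$name] = $line
        }
    }
}

# Constructed sample input (not real accounts): one mistyped domain,
# one duplicate that differs only in case, one name without a domain.
$sample = @(
    'Username,First name,Last name,Display name'
    'alice@example.com,Alice,Adams,Alice Adams'
    'bob@exampel.com,Bob,Brown,Bob Brown'
    'ALICE@example.com,Alice,Adams,Alice Adams'
    'carol,Carol,Clark,Carol Clark'
)
Test-BulkUserCsv -CsvLines $sample -VerifiedDomains 'example.com'
```

For a real file, pass `Get-Content .\users.csv` as -CsvLines; an empty result means no problems were found.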

Resetting User Password

Resetting a user’s password is probably the most common task in IT. It can be reset manually by IT personnel following the steps below on a computer connected to the internet:

  • Open a browser and navigate to https://admin.microsoft.com/
  • On the left-hand side, expand Users and click Active Users
  • On Active Users, select the user whose password needs to be reset

Note that you can filter/search the user list using the Filter and Search boxes on the top right of the screen

  • When the information about the user opens, click Reset password

Note that you can reset the password for multiple users: select multiple users and then click Reset password. However, you cannot reset your own password from this screen

  • On Reset password, select the options for password reset and click Reset password
  • Once the reset password has been completed, click Close

Note that you can send the password by e-mail if you select the Send password in email option. Once done, add the recipients and click Send email and close

Deleting Users

When a user leaves the company, you may want to delete their information (if not, at least block the sign-in and remove or reassign their license).

To delete a user, perform the following steps on a computer connected to the internet:

  • Open a browser and navigate to https://admin.microsoft.com/
  • On the left-hand side, expand Users and click Active Users
  • On Active Users, select the user that you want to delete

Note that you can filter/search the user list using the Filter and Search boxes on the top right of the screen

  • When the information about the user opens, click Delete user

Note that you can delete multiple users: select multiple users and then click Delete user. However, you cannot delete your own user from this screen

  • On Delete user, review the information in the screen and click Delete user

Note that if you need to give another user access to the user’s email, select the “Give another user access to <user’s name> email” checkbox

Note that if you have selected more than one user, the Delete users screen will not show additional options for deletion

  • Once the user has been deleted, click Close
  • Returning to the Active users list, confirm that the deleted user is no longer visible
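When deletion is not wanted, the alternative mentioned at the start of this section (block the sign-in and free the license) can be scripted. This is an added example, not part of the original article: it assumes the Microsoft Graph PowerShell module is installed and an admin session is connected, and the function name and leaver@example.com are placeholders.

```powershell
# Added example, not the article's own code. Requires the Microsoft.Graph
# PowerShell module and an admin session, e.g.:
#   Connect-MgGraph -Scopes 'User.ReadWrite.All'
function Disable-LeaverAccount {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Sign-in name of the leaver (placeholder value used in the call below).
        [Parameter(Mandatory)][string]$UserPrincipalName
    )

    $user = Get-MgUser -UserId $UserPrincipalName -ErrorAction Stop `
        -Property Id, UserPrincipalName, AccountEnabled, LicenseAssignmentStates

    # 1. Block sign-in so the account can no longer authenticate.
    if ($user.AccountEnabled -and
        $PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Block sign-in')) {
        Update-MgUser -UserId $user.Id -AccountEnabled:$false
    }

    # 2. Remove directly assigned licenses so they can be reassigned.
    #    Licenses inherited from a group cannot be removed per user; they are
    #    only reported, and are released by removing the user from that group.
    $direct = @($user.LicenseAssignmentStates |
        Where-Object { -not $_.AssignedByGroup } |
        Select-Object -ExpandProperty SkuId -Unique)
    $inherited = @($user.LicenseAssignmentStates |
        Where-Object { $_.AssignedByGroup } |
        Select-Object -ExpandProperty SkuId -Unique)

    if ($direct.Count -gt 0 -and
        $PSCmdlet.ShouldProcess($user.UserPrincipalName, "Remove $($direct.Count) direct license(s)")) {
        Set-MgUserLicense -UserId $user.Id -AddLicenses @() -RemoveLicenses $direct | Out-Null
    }

    # Summary of what was found, for the leaver ticket or change record.
    [pscustomobject]@{
        User                 = $user.UserPrincipalName
        WasEnabled           = [bool]$user.AccountEnabled
        DirectLicenseSkuIds  = $direct
        GroupLicenseSkuIds   = $inherited
    }
}

# Dry run first: -WhatIf lists the changes without making them.
Disable-LeaverAccount -UserPrincipalName 'leaver@example.com' -WhatIf
```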

Recovering Deleted Users

From time to time, we all make mistakes. When you delete a user from Microsoft Azure Active Directory, the deleted user’s account is kept in the “recycle bin” for 30 days, during which it can be recovered. After 30 days, the account is deleted permanently.

To recover a deleted user, perform the following steps on a computer connected to the internet:

  • Open a browser and navigate to https://admin.microsoft.com/
  • On the left-hand side, expand Users and click Deleted users
  • On Deleted users, select the user that you want to restore

Note that you can search the user list using the Search box on the top right of the screen

  • When the information about the user opens, click Restore user
  • On Restore user, select the options for new password and click Restore

Note that the restored user will not have any licenses assigned to him/her

  • Once the user has been restored, click Close

Note that you can send the new password by e-mail if you select the Send password in email option. Once done, add the recipients and click Send email and close

  • Returning to the Deleted users list, confirm that the restored user is no longer visible
  • Navigate to the Active users list, confirm the restored user is visible

Managing product licenses

We have all been there: the company buys more licenses, a user account was deleted and restored and needs a new license, and many other things happen that require us to manage users’ licenses.

To manage product licenses, perform the following steps on a computer connected to the internet:

  • Open a browser and navigate to https://admin.microsoft.com/
  • On the left-hand side, expand Users and click Active Users
  • On Active Users, select the user whose product licenses you want to manage

Note that you can filter/search the user list using the Filter and Search boxes on the top right of the screen

  • When the information about the user opens, click Licenses and apps, select Enterprise Mobility + Security E5 and Office 365 E3 and click Save changes

Note that you can manage product licenses for multiple users: select multiple users, click Manage product licenses and, on the Manage product licenses screen, select what you would like to do with the licenses

Note that you can add or remove individual applications from the license. Imagine that you do not want a user to have access to “Flow for Office 365”: after you assign the Office 365 E3 license, you can expand Apps and untick the box for “Flow for Office 365”. The Apps node will show all apps that the user will be able to use based on the assigned licenses.

  • Once the changes have been saved, click the X at the top right of the screen

Article originally published on LinkedIn.
