Events
Microsoft 365 Community Conference
May 6, 2 PM - May 9, 12 AM
Skill up for the era of AI at the ultimate community-led Microsoft 365 event, May 6-8 in Las Vegas.
Learn moreSet up Microsoft 365 for frontline workers
To set up Microsoft 365 for frontline workers, follow this overall process:
- Identify your scenarios: Which scenarios do you want to implement for your frontline workers? After you determine which scenarios you want, use the following table to identify the apps and services for each scenario that you want to implement.
- Set up your environment and core Microsoft 365: You can use the deployment guides in the Microsoft 365 admin center to help you set up Microsoft 365. Keep reading to learn how to access these guides.
- Provision users, configure groups, and assign licenses: Provision users and create groups in Microsoft Entra ID, then assign frontline licenses to your users.
- Set up and configure devices: Set up shared and personal devices to work with Microsoft 365 and Microsoft Teams and to allow your frontline workers to communicate more securely within your organization.
- Deploy Teams: Deploy your frontline teams.
- Set up any other services needed for your scenario: Set up services including Exchange, Outlook, SharePoint, and Microsoft Viva.
- Configure apps: Follow the guidance for your scenarios to further configure the apps you need for each scenario.
The following table lists the scenarios for your frontline workers. You can read a summary of each scenario in choose your scenarios, and find out what you need to configure by following the links to each scenario and to each app or service that's required.
Some services are only included with F3 licenses, such as email and the Power Platform. Check out Understand frontline worker user types and licensing to determine the type of licenses you need for your users.
The Microsoft 365 admin center has a set of deployment guides that walk you through the steps to set up the products, services, security features, and collaboration tools in Microsoft 365. You can access these guides from the Advanced deployment guides & assistance page in the Microsoft 365 admin center.
- Use the Prepare your environment guide to prepare your organization's environment for Microsoft 365 and Office 365 services.
- Use the Microsoft 365 setup guide to set up productivity tools, security policies, and device management capabilities. You can also use this advisor to set up and configure your organization's devices.
Note
Much of this information is also in the downloadable technical planning guide for deploying frontline solutions.
Before you provision frontline users, consider creating new administrator accounts or review and update your existing administrator accounts in Microsoft Entra ID. Learn more about what Microsoft Entra admin roles you might need for Microsoft 365.
Microsoft 365 for frontline workers uses Microsoft Entra ID as the underlying identity service for delivering and securing all apps and resources. Users must have an identity that exists in Microsoft Entra ID to access Microsoft 365 apps.
If you choose to manage frontline user identities with Active Directory Domain Services (AD DS) or a third-party identity provider, you need to federate these identities to Microsoft Entra ID. You can import users in the following ways:
- Integrate Microsoft Entra ID with an existing Active Directory instance: Microsoft Entra Connect replicates Active Directory user accounts to Microsoft Entra ID, allowing a user to have a single identity capable of accessing both local and cloud-based resources.
- Integrate Microsoft Entra ID with a third-party identity solution: Microsoft Entra ID supports integration with some third-party providers through federation.
- Import users from your organization's HR systems: Microsoft Entra user provisioning service automates the creation, maintenance, and removal of user identities based on rules set by your organization.
- On-premises HR systems: You can use Microsoft Identity Manager to provision users from your on-premises HR systems to Active Directory or directly to Microsoft Entra ID.
- Cloud-based HR systems: Learn how to connect SAP SuccessFactors and Workday to Microsoft Entra ID.
Use this table to validate your HR-driven user provisioning.
| Test scenario | Expected results |
|---|---|
| New employee is created in the cloud HR app | The user account is provisioned in Microsoft Entra ID and can access assigned cloud resources. If Microsoft Entra Connect Sync is configured, the user account also gets created in Active Directory. The user can sign into Active Directory domain apps and perform their desired actions. |
| User is terminated in the cloud HR app | The user account is disabled in Microsoft Entra ID, and, if applicable, Active Directory. The user can’t sign into cloud or on-premises apps and resources assigned to them. |
| Supervisor is updated in the cloud HR app | User remains active with the new mapping. |
| HR rehires an employee into a new role. | The results depend on how the cloud HR app is configured to generate employee IDs. If the old employee ID is reused for a rehire, the connector enables the existing Active Directory account for the user. If the rehire gets a new employee ID, the connector creates a new Active Directory account for the user. |
| HR converts the employee to a contract worker or vice-versa | A new Active Directory account is created for the new persona and the old account is disabled on the effective date of the conversion. |
Learn more about Microsoft Entra deployment.
Configuring groups in Microsoft Entra allows you to create and manage policies and license assignments at scale.
- Assign a unique attribute to frontline workers: The ability to identify all frontline workers is useful when applying groups to the frontline workforce or for validating that integrations between Microsoft Entra ID and HR systems are functioning properly. Organizations frequently use the Job ID attribute for this purpose. Depending on your organization's structure, you might also need custom security attributes or directory extension attributes.
- Create Microsoft Entra groups and assign frontline users: With Microsoft Entra groups, you can grant access and permissions to a group of users instead of for each individual user. Groups are used to manage users that all need the same access and permissions to resources, such as potentially restricted apps and services. Instead of adding special permissions to individual users, you create a group that applies the special permissions to every member of that group.
The following table includes recommendations for applying groups in frontline implementations. For more information on group types, membership types, and assignment, see the Microsoft Entra documentation for groups and membership and managing groups. For more information on security group limits and other Microsoft Entra service limits, see Microsoft Entra service limits and restrictions.
| Use case | Group type |
|---|---|
| Assign licenses, policies, and permissions automatically. If a member’s attributes change, the system looks at dynamic group rules for the directory to see if the member meets the rule requirements (is added), or no longer meets the rule requirements (is removed). | Security group (limit 5,000 groups) dynamic user |
| Manage access for users without automatic assignment to groups. | Security groups or distribution list (no limit applies) |
| Create an email alias to distribute groups messages to groups of users without automatic user management. | Distribution list or assigned Microsoft 365 group |
| Create an email alias or team in Microsoft Teams and manage membership automatically. | Microsoft 365 groups, dynamic user |
| Use My Staff to delegate permissions to frontline managers to view employee profiles, change phone numbers, and reset passwords. | Administrative unit |
Learn more about the different types of groups you can create in the Microsoft 365 admin center.
You can add licenses to individual users or to groups of users in Microsoft Entra ID. Group assignment is the most scalable way to assign licenses to your frontline workers. You can assign one or more product licenses to a group.
Learn more about group-based licensing and assigning licenses to groups.
You might need to unassign licenses if you're changing some users from E to F licenses. Learn more about how to switch specific users from E to F licenses.
Managing the devices that frontline workers use is a key fundamental. It's important to set a secure, compliant baseline to manage devices for your workforce, whether they're shared devices or workers' personal devices. For more information, see the following guidance:
Frontline teams are a collection of people, content, and tools within an organization for different frontline worker locations. When deploying Teams to your frontline workforce, you have different options for how you can manage team membership. You can choose between dynamic team membership, static team membership, or a combination of both.
To learn more, see the following guidance:
- Learn where to start with a frontline deployment
- Deploy frontline dynamic teams at scale
- Deploy frontline static teams at scale with PowerShell for frontline workers
Depending on your scenarios, you'll need to configure additional Microsoft 365 services, such as Exchange and Outlook for email or Microsoft Viva to expand your employee experience. Read on for information about each service.
If you want your frontline managers and workers to have access to email, you need to set up email in Microsoft 365. Users must have an F3 license to get access to email. Follow the Email setup guide in the Microsoft 365 admin center to set it up.
Your users can also install the Outlook app to use for their email, so make sure to share information about where to download the Outlook app.
For Outlook, using dynamic group backed shared mailboxes based on attributes such as Location, Department, and Role enables your organization to send targeted communications to dynamic groups that don’t require administrator intervention.
SharePoint lets you share documents and create sites. Use the SharePoint setup guide in the Microsoft 365 admin center to set it up.
Microsoft Viva helps connect employees with an integrated employee experience that brings together communications, knowledge, learning, resources, and insights into the flow of work. Microsoft Viva has several modules that can be used with Microsoft Teams to create employee experiences.
Use Viva Connections to create a dashboard that helps engage and inform your frontline workers. Viva Connections is a customizable app in Microsoft Teams that gives everyone a personalized destination to discover relevant news, conversations, and the tools they need to succeed.
Follow the Deploy employee experience with Microsoft Viva guide in the Microsoft 365 admin center to set it up. Learn more about setting up Viva Connections.
Viva Engage helps connect your workforce across your company. Learn how to Set up Viva Engage.
Viva Learning is an app in Microsoft Teams that empowers employees to make learning a natural part of the day by bringing learning into the flow of work within the tools and platforms they already use. See Set up Microsoft Viva Learning in the Teams admin center to learn how to set up Viva Learning.
You can use all of these apps within Microsoft Teams. For more information about how to set them up, see:
- Power Apps and Microsoft Teams integration
- Power Automate - use flows in Microsoft Teams
- Collaborate in Microsoft Teams with Power BI
- Power Virtual Agents app in Microsoft Teams
- Power Apps
Follow the guidance for your scenarios to further configure the apps you need for each scenario.
Users with an F license get the tailored frontline app experience, which pins the following apps to Teams out of the box.
- Teams mobile: Viva Connections, Planner, Walkie Talkie, Shifts, Approvals
- Teams desktop: Viva Connections, Planner, Shifts, Approvals