Manage Microsoft 365 user accounts
You can manage Microsoft 365 user accounts in several different ways, depending on your configuration. You can manage user accounts in the Microsoft 365 admin center, PowerShell, in Active Directory Domain Services (AD DS), or in the Azure Active Directory (Azure AD) admin portal.
As soon as you purchase Microsoft 365, the Microsoft 365 admin center and PowerShell can be used to manage accounts. When managing cloud identities, every person in your organization has a separate user account name and password. If you want to integrate with your on-premises infrastructure and have user accounts synchronized with Microsoft 365, you can use Azure AD Connect to provide synchronization of identities and passwords for single sign-on (SSO) functionality.
Plan for where and how you will manage your user accounts
Where and how you can manage your user accounts depends on the identity model you want to use for your Microsoft 365. The two overall models are cloud-only and hybrid.
You create and manage users in the Microsoft 365 admin center. You can also use PowerShell or the Azure AD admin center.
User accounts are synchronized with Microsoft 365 from AD DS, so you must use on-premises AD DS tools to manage user accounts.
When deciding which way your organization will create and manage accounts, consider the following requirements:
The directory synchronization software needs to be installed on servers within your on-premises environment to connect the identities between Microsoft 365 and your AD DS.
Any directory synchronization option, including SSO options, requires that your AD DS attributes meet standards. The specifics of what attributes are used in your directory and what cleanup (if any) is needed are described in Prepare for directory synchronization to Microsoft 365.
Plan how you are going to create Microsoft 365 accounts.
The following table lists the different account management tools.
|Microsoft 365 admin center
||Add users individually or in bulk
Provides a simple web interface to add and change user accounts.
Can't be used to change users if directory synchronization is enabled (location and license assignment can be set).
Can't be used with SSO options.
||Manage Microsoft 365 with Windows PowerShell
Allows you to add users in bulk users by using a Windows PowerShell script.
Can be used to assign location and licenses to accounts, regardless of how the accounts are created.
||Add several users at the same time
Allows you to import a CSV file to add a group of users to Microsoft 365.
Can't be used with SSO options.
||You get a free edition of Azure AD with your Microsoft 365 subscription. You can perform functions like self-service password reset for cloud users, and customization of the Sign-in and Access Panel pages by using the free edition. To get enhanced functionality, you can upgrade to the basic edition, Azure AD Premium P1, or Azure AD Premium P2. See Azure AD editions for the list of supported features.
||Integrating your on-premises identities with Azure AD
For directory synchronization with or without password synchronization, use Azure AD Connect with express settings.
For multiple forests and SSO options, use Custom Installation of Azure AD Connect.
Provides the infrastructure that's necessary to enable SSO.
Required for many hybrid scenarios such as staged migration and hybrid Exchange
Synchronizes security and mail-enabled groups from your AD DS.
Regardless of how you intend to add the user accounts to Microsoft 365, you need to manage several account features, such as assigning licenses, specifying location, and so on. These features can be managed long-term from the Microsoft 365 admin center or you can also create user accounts with PowerShell.
If you choose to add and manage all your users through the admin center, you will specify the location and assign licenses at the same time as creating the Microsoft 365 account. As a result, not much planning is required.
Creating accounts in Microsoft 365 without assigning a license (to SharePoint Online, for example) means that the account owner can view the Microsoft 365 center but can't access any of the services within your company's subscription. After you assign a location and the license, the account is replicated to the service or services that you assigned. The user can sign in to their account and use the services that you assigned to them.