Azure AD User Management

Alan Arley
Aug 17, 2021


Now that we know the Azure AD basics, the next step is to learn about users. An Azure AD user account holds everything needed to authenticate the person to internal apps and to external services such as the Azure portal, Azure DevOps, Azure AD gallery apps and many third-party applications.

To view Azure AD users, sign in to the Azure portal and search for "Azure Active Directory".

You'll be taken to your tenant; there, select the "Users" option.

If you just created the tenant, you are its first and only user and you hold the Global Administrator role. Treat that account accordingly: it should be protected with MFA and used only for tasks that actually require it.

Keep in mind that you work with a single directory at a time, but you can use the "Directory + subscription" pane to switch directories if you have more than one.

User Types

Azure AD defines users in three categories according to their origin:

Cloud identities: users created in, and existing only in, Azure AD. Their source shows as "Azure Active Directory", or as "External Azure Active Directory" when the user is defined in another Azure AD tenant but needs access to subscription resources controlled by this directory.

Directory-synchronized identities: users that exist in an on-premises Active Directory and are synchronized to Azure AD through Azure AD Connect. Their source shows as "Windows Server AD".

Guest users: users you invite by email, or by sending them a direct link to an app you want to share with them. They sign in with their own work, school or social identities (Google, Facebook, Microsoft accounts, etc.) and their source shows as "Invited user". By default a guest can read a fair amount of the directory (other users, groups), so review the guest user access restrictions under External collaboration settings before inviting external parties.

Authentication Methods

Microsoft's documentation summarizes the security considerations for each authentication method in a table (not reproduced here). In it, Security rates how strong the method is, Usability how easy the process is for the user, and Availability whether the user is able to use the method in a given situation. That table does not necessarily match the set of methods available in Azure AD.

In Azure AD, some of the available methods can be used for primary authentication, while others only serve as a second factor for MFA (multi-factor authentication). The recommendation is to use passwordless methods such as Windows Hello, FIDO2 security keys and the Microsoft Authenticator app, because they provide the most secure sign-in experience; SMS and voice calls are the weakest second factors and should be phased out where possible.

For more detail on the authentication methods and how they work, see the Microsoft Azure AD documentation on authentication methods.

Create new user

You can add or invite users from the Azure portal, with PowerShell or with the Azure CLI. Whichever you use, the account performing the task needs an appropriate directory role: User Administrator is sufficient for creating users (Guest Inviter for invitations alone), and Global Administrator works too but should not be used for routine user management. For this example let's do it through the Azure portal.

The first step is to go to your tenant. You have two options: create the user from the Overview screen or from the "Users" option.

Either way you land on the same form, where you provide information about the new user: full name, job information, the groups and roles to assign, and some basic settings.

Here you again have two options, "Create user" or "Invite user". The only difference is that with "Invite user" you can add a personal message, while with "Create user" you must set the username the person will sign in with and assign an initial password.

For this example I'm using "Create user"; once the form is filled in, click the "Create" button.

You’ll see a notification on the portal showing the operation status and the new user listed.

If you chose "Create user" as I did, you'll have to hand the credentials to the person yourself; do that over a secure channel, separately from the username, since whoever receives the initial password can sign in as that user until it is changed. If you chose "Invite user", an email is sent to the person with the steps to sign in.

There are other ways to create new users; here are some examples.

Create user with PowerShell

We can also invite multiple users at the same time using PowerShell, a CSV file and the following script:
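The original post's script is not reproduced on this page, so the following is an added example of my own, not the author's code. It bulk-creates members and bulk-invites guests from a CSV using the Microsoft Graph PowerShell SDK (the AzureAD module that was current in 2021 has since been retired). The CSV columns, the rows, the tenant domain contoso.onmicrosoft.com and the invitation text are all constructed for the example; the `New-InitialPassword` helper is mine as well. The sign-in requests only the scopes the two operations need, each new member gets a random single-use password that must be changed at first sign-in, and the password is never written back to the CSV.

```powershell
# Added example, not the script from the original post: bulk-create and bulk-invite Azure AD users
# from a CSV with the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
# Assumed CSV columns: Action (Create|Invite), DisplayName, UserPrincipalName, Email, Department.
# The domain contoso.onmicrosoft.com and the rows below are constructed placeholders.

# Least-privilege scopes: User.ReadWrite.All is enough to create users, User.Invite.All to invite guests.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'User.Invite.All'

function New-InitialPassword {
    param([int]$Length = 20)
    # 64 symbols, so byte % 64 is uniform (no modulo bias); ambiguous glyphs (l, I, O, 0, 1) are left out.
    $alphabet = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#$%^&'.ToCharArray()
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    do {
        $bytes = New-Object byte[] $Length
        $rng.GetBytes($bytes)
        $password = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
        # Azure AD needs three of the four character classes; retry in the (rare) case one is missing.
        $classes = @('[a-z]', '[A-Z]', '[0-9]', '[^a-zA-Z0-9]') | Where-Object { $password -cmatch $_ }
    } while (@($classes).Count -lt 3)
    $rng.Dispose()
    return $password
}

# Constructed sample input; with a real file use: $users = Import-Csv .\users.csv
$users = @'
Action,DisplayName,UserPrincipalName,Email,Department
Create,Jane Doe,jane.doe@contoso.onmicrosoft.com,,Engineering
Create,Sam Lee,sam.lee@contoso.onmicrosoft.com,,Finance
Invite,Pat Partner,,pat@partner.example,Vendors
'@ | ConvertFrom-Csv

$results = foreach ($u in $users) {
    try {
        switch ($u.Action) {
            'Create' {
                $tempPassword = New-InitialPassword
                $params = @{
                    DisplayName       = $u.DisplayName
                    UserPrincipalName = $u.UserPrincipalName
                    MailNickname      = ($u.UserPrincipalName -split '@')[0]
                    Department        = $u.Department
                    AccountEnabled    = $true
                    PasswordProfile   = @{
                        Password                      = $tempPassword
                        ForceChangePasswordNextSignIn = $true   # the initial secret is single-use
                    }
                }
                $created = New-MgUser @params
                [pscustomobject]@{ Action = 'Created'; Principal = $created.UserPrincipalName; Id = $created.Id; TempPassword = $tempPassword }
            }
            'Invite' {
                $inv = New-MgInvitation -InvitedUserEmailAddress $u.Email `
                    -InvitedUserDisplayName $u.DisplayName `
                    -InviteRedirectUrl 'https://myapps.microsoft.com' `
                    -SendInvitationMessage `
                    -InvitedUserMessageInfo @{ CustomizedMessageBody = 'You have been invited to collaborate with our team.' }
                [pscustomobject]@{ Action = 'Invited'; Principal = $inv.InvitedUserEmailAddress; Id = $inv.InvitedUser.Id; TempPassword = $null }
            }
            default { Write-Warning "Row '$($u.DisplayName)': unknown Action '$($u.Action)', skipped" }
        }
    }
    catch {
        Write-Warning "Row '$($u.DisplayName)' failed: $($_.Exception.Message)"
    }
}

# Temporary passwords are shown once here so you can hand them over out of band (password manager
# share, phone call); do not write them back into the CSV or paste them into a ticket.
$results | Format-Table -AutoSize
```

A row that fails (duplicate UPN, password policy rejection, missing email for an invite) is reported as a warning and does not stop the rest of the batch, which is what you want when the CSV has hundreds of rows.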

Create user with Azure CLI

You can find these example scripts in my GitHub DevOps repo.

User management options

If we open any user's detail page, we'll see their information and the management options available to us.

Some of these options are:
1. Update user information.
2. Delete the user.
3. Reset the user's password.
4. Assign built-in or custom Azure AD roles.
5. Add to or remove from administrative units.
6. Add to or remove from groups.
7. Link devices to the user.
8. Assign Azure roles (RBAC on subscriptions and resources; these are separate from the Azure AD directory roles in item 4).
9. Manage the authentication methods the user can sign in with.
10. Review the sign-in and audit logs (see "Sign-in logs in Azure Active Directory" in Microsoft Docs) for sign-in history and status, user location, app usage, password change history and more.
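Most of the options above are things you read before you change anything. As an added example (my code, not the author's), here is a single review function built on the Microsoft Graph PowerShell SDK that pulls the security-relevant parts of a user's detail page into one object: directory roles and groups (items 4 to 6), registered authentication methods (item 9, which also tells you whether the passwordless methods recommended earlier are actually registered), and the most recent sign-ins with their failures (item 10). It requests only read scopes. The UPN in the usage line is a constructed placeholder.

```powershell
# Added example, not from the original post: review one user's security-relevant state
# (directory roles, groups, registered authentication methods, recent sign-ins) with the
# Microsoft Graph PowerShell SDK. The UPN at the bottom is a constructed placeholder.

# Read-only scopes suffice for a review; no write permission is requested.
Connect-MgGraph -Scopes 'User.Read.All', 'Directory.Read.All', 'UserAuthenticationMethod.Read.All', 'AuditLog.Read.All'

function Get-UserSecurityReview {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [int]$SignInCount = 25
    )

    $user = Get-MgUser -UserId $UserPrincipalName `
        -Property Id, DisplayName, UserPrincipalName, AccountEnabled, UserType, CreatedDateTime, OnPremisesSyncEnabled

    # Memberships come back as generic directoryObjects; @odata.type tells directory roles from groups.
    $memberOf = Get-MgUserMemberOf -UserId $user.Id -All
    $roles  = @($memberOf | Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
                ForEach-Object { $_.AdditionalProperties['displayName'] })
    $groups = @($memberOf | Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' } |
                ForEach-Object { $_.AdditionalProperties['displayName'] })

    # Registered methods, reduced to short names such as password, microsoftAuthenticator, fido2,
    # windowsHelloForBusiness, phone, softwareOath.
    $methods = @(Get-MgUserAuthenticationMethod -UserId $user.Id | ForEach-Object {
        $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '' -replace 'AuthenticationMethod$', ''
    })
    $mfaCapable        = @('microsoftAuthenticator', 'fido2', 'windowsHelloForBusiness', 'softwareOath', 'phone')
    $phishingResistant = @('fido2', 'windowsHelloForBusiness')

    # Last sign-ins: failures and unfamiliar locations are the first things to look at.
    $signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$($user.UserPrincipalName)'" -Top $SignInCount |
        Select-Object CreatedDateTime, AppDisplayName, IPAddress,
            @{ n = 'Location'; e = { "$($_.Location.City), $($_.Location.CountryOrRegion)" } },
            @{ n = 'Result';   e = { if ($_.Status.ErrorCode -eq 0) { 'Success' } else { "Failure ($($_.Status.ErrorCode))" } } }

    [pscustomobject]@{
        User              = $user.UserPrincipalName
        Enabled           = $user.AccountEnabled
        UserType          = $user.UserType                  # Member or Guest
        SyncedFromOnPrem  = [bool]$user.OnPremisesSyncEnabled
        DirectoryRoles    = $roles                          # any entry here means a privileged account
        Groups            = $groups
        AuthMethods       = $methods
        HasMfaMethod      = [bool]($methods | Where-Object { $_ -in $mfaCapable })
        PhishingResistant = [bool]($methods | Where-Object { $_ -in $phishingResistant })
        FailedSignIns     = @($signIns | Where-Object { $_.Result -ne 'Success' }).Count
        RecentSignIns     = $signIns
    }
}

# Usage (placeholder UPN):
Get-UserSecurityReview -UserPrincipalName 'jane.doe@contoso.onmicrosoft.com' | Format-List
```

Two things this surfaces that the portal spreads across several blades: a user with entries in DirectoryRoles but HasMfaMethod set to false is the combination to fix first, and a non-zero FailedSignIns count alongside an unfamiliar Location is the signal to go into the full sign-in log rather than the last 25 entries.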

Azure AD has other management options, but those are the most common, so that's all you need to know to start adding your users to Azure AD.

I hope you liked my post 😊 If you have any comments or suggestions, we can get in touch through LinkedIn.

Thanks for reading.


Alan Arley

Hello! It all started at 15: I worked and bought a computer, learned programming on my own, and currently work in DevOps.