Office 365 – Provision and manage users, groups, and domains

Office 365 Identities

Office 365 identities can be either based either in the cloud or federated from Active Directory Directory Services (ADDS).

Cloud identities are authenticated within the cloud and are subject to the password policy stored within the cloud whereas federated identities are authenticated against the on-premises ADDS, once verified a token is passed to the cloud to authenticate the user in the cloud.

Office 365 identities fall under three usage scenarios:

  1. Cloud identities
    1. Primarily used by small organisations with no on-premises ADDS.
    2. No single sign-on possible.
    3. No two factor authentication possible.
    4. Two sets of credentials depending on whether local credentials are required to logon to the local workstation.
  2. Cloud identities with Directory Sync (DirSync)
    1. Primarily used by medium sized organisations with an on-premises ADDS.
    2. Allows for co-existence of Exchange and Lync.
    3. No single sign-on.
    4. No two factor authentication.
    5. Two sets of credentials but as of the latest release of DirSync passwords are now synchronised.
    6. Password policies are defined within ADDS; DirSync requires passwords be at least eight characters.
  3. Federated identities
    1. Primarily large organisations.
    2. Requires a minimum of:
      1. ADDS – should be more than one.
      2. Federation server – should be load balanced.
      3. Federation proxy in the DMZ (if using Outlook)  – should be load balanced and will be a member of a workgroup not the domain.
      4. DirSync server.
    3. Enables single sign-on.
    4. Enables two factor authentication.
    5. Password policies are defined within ADDS; DirSync requires passwords be at least eight characters.
    6. Allows for co-existence of Exchange and Lync.

Creating users

Via the Office 365 portal

Login to the Office 365 portal > users and groups > add > Display Name (mandatory) >  Login name (mandatory) > Assign a location (mandatory) and role (optional) > Assign licenses > next > create (optionally you can have the password sent to you or another email address).

Via PowerShell


  • Microsoft Online Services Sign-in Assistant – here
  • Windows 7 or Windows Server 2008 R2
  • Microsoft .NET 3.5.1
  • Microsoft Online Services Module for Windows PowerShell

Open the Microsoft Online Services Module for Windows PowerShell or just open Microsoft Windows PowerShell and just import the Online module using Import-Module MSOnline.

Once in PowerShell get the Office 365 credentials

  • $Cred = Get-Credential

Connect to Office 365

  • Connect-MsolService -Credential $Cred

List of available licenses

  • Get-MsolAccountSku

Create the user

  • New-MsolUser – UserPrincipalName -DisplayName “Joe User” -UsageLocation [Country e.g. “GB”] -LicenseAssignment [AccountSkuId from the previous command]

If you want to specify a password use the -Password parameter.

Via the bulk import wizard

The bulk wizard can be used from within the Office 365 portal. The bulk wizard simply takes a csv file with the following headers:

  • User Name
  • First Name
  • Last Name
  • Display Name
  • Job Title
  • Department
  • Office Number
  • Office Phone
  • Mobile Phone
  • Fax
  • Address
  • City
  • State
  • Postal Code
  • Country

Username and Display Name are mandatory.

You can also bulk import using PowerShell using a csv file and ForEach-Object loop.

If you wish to set a different password for each user consider omitting the password parameter and using Export-Csv to capture the newly created account details.

Via DirSync

Directory Sync can be used to create users in the cloud from users already defined within ADDS. Directory Sync can also synchronised user password but the passwords must be greater than eight characters. Directory Sync must be activated first within the Office 365 portal; users and groups > AD sync > Activate.

Directory Sync must be installed on a domain computer and requires an enterprise administrator account for the on-premises ADDS; the enterprise administrator credentials are used to create the MSOL_… user account. This is the account which will be used to export information from Active Directory.

The ADDS accounts UPN must be publicly resolvable e.g.

User and Group Properties

User and Group properties can be edited via:

Office 365 console

User properties such as Details, Settings and licenses can be edited here e.g.{Guid}

You can also bulk edit users Domains, Department, Office number, Office phone, Fax number, Street, City, State, Zip / Post Code, Country e.g

User admin page

This page is used to reset user passwords e.g. select the checkbox next to the user.


You can use PowerShell to set basic user properties using Set-MsolUser e.g


Other useful PowerShell commands are Set-MsolUserPassword to reset the password; use Set-MsolUser to set the PasswordNeverExpiresFlag.

To assign a licence to a user you would use Set-MsolUserLicense.

Creating a Office 365 domain

The default domain you’re assigned when you sign up for a portal has appended to the tenant name e.g.

To assign the companies actual public domain sign into the Office 365 portal > domains > Add domain > [to prove you own the domain you’re adding you’ll need to add a txt or mx record to the DNS zone file of the domain you’re adding to Office 365].


The record you’re required to create is only needed for the verification process and is completely random.

Licenses and Subscriptions

Licences can be managed and assigned to users via the Office 365 portal and Windows PowerShell.

Before a user can use Exchange they must be granted a licence from the licenses available in the subscription. This can be accomplished via the Office 365 portal or PowerShell; Edit users within the portal or Set-MsolUserLicense within PowerShell. Set-MsolUserLicense can be used in conjunction with New-MsolLicenseOptions. The Licence options allow you to divvy up specifics of the subscription in a granular fashion.

In the Office 365 portal you can add new subscriptions; using the purchase services link.

Licences can be assigned to users with either all licence components or a subset of components.

Recovering Identities and users

Administrators can reset their own passwords, or a global administrator can reset it for you.

If users are deleted they are stored in the deleted view for 30 days. If you need to restore a user from the deleted view you can use Restore-MsolUser or browse to

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.