Add new users or users with Microsoft accounts to Azure Active Directory
Add users to populate your directory. This article explains how to add new users in your organization, and how to add users who have Microsoft accounts. For more information about adding users from other directories in Azure Active Directory or adding users from partner companies, see Add users from other directories or partner companies in Azure Active Directory. Added users don't have administrator permissions by default, but you can assign roles to them at any time.
- Sign in to the Azure classic portal with an account that's a global admin for the directory.
- Select Active Directory, and then select the name of your organization directory.
- Select the Users tab, and then, in the command bar, select Add User.
On the Tell us about this user page, under Type of user, select either:
- New user in your organization – adds a new user account in your directory.
- User with an existing Microsoft account – adds an existing Microsoft consumer account to your directory (for example, an Outlook account)
Depending on Type of user, enter a user name (for new user) or an email address (for a user with a Microsoft account).
On the user Profile page, provide a first and last name, a user-friendly name, and a user role from the Roles list. For more information about user and administrator roles, see Assigning administrator roles in Azure AD. Specify whether to Enable Multi-Factor Authentication for the user.
On the Get temporary password page, select Create.
If your organization uses more than one domain, you should know about the following issues when you add a user account:
- TO add user accounts with the same user principal name (UPN) across domains, first add, for example, firstname.lastname@example.org, followed by email@example.com.
- Don't add firstname.lastname@example.org before you add email@example.com. This order is important, and can be cumbersome to undo.
You can change any user attribute except for the object ID.
- Open your directory.
- Select the Users tab, and then select the display name of the user you want to change.
- Complete your changes, and then click Save.
If the user that you're changing is synchronized with your on-premises Active Directory service, you can't change the user information using this procedure. To change the user, use your on-premises Active Directory management tools.
Guest accounts are users from other directories who were invited to your directory to access SharePoint documents, applications, or other Azure resources. A guest account in your directory has its underlying UserType attribute set to "Guest." Regular users (specifically, members of your directory) have the UserType attribute "Member."
Guests have a limited set of rights in the directory. These rights limit the ability for Guests to discover information about other users in the directory. However, guest users can still interact with the users and groups associated with the resources they're working on. Guest users can:
- See other users and groups associated with an Azure subscription to which they're assigned
- See the members of groups to which they belong
- Look up other users in the directory, if they know the full email address of the user
- See only a limited set of attributes of the users they look up--limited to display name, email address, user principal name (UPN), and thumbnail photo
- Get a list of verified domains in the directory
- Consent to applications, granting them the same access that Members have in your directory
The Configure tab of a directory includes options to control access for guest users. These options can be changed only in Azure classic portal by a directory global administrator. Currently, there's no PowerShell or API method.
To open the Configure tab in the Azure classic portal, select Active Directory, and then select the name of the directory.
Then you can edit the options to control access for guest users.