In Azure Active Directory, user accounts are granted a set of default permissions. A user account in Azure depends on one or all of the following, type of user, role assignments, and their ownership of individual objects. See this guide for reasons to deploy AAD and how to set up an Azure AD Tenant.
There are different types of user accounts in Azure AD. Each type has a level of access specific to the scope of work expected to be done under each type of user account. Administrators have the highest level of access, followed by the member user accounts in the Azure AD organisation. Guest users have the most restricted level of access. Also, see the following article on how to add a custom domain in Azure Active directory.
Follow the below steps to add new users or delete existing users from your Azure Active Directory organisation. To add or delete users you must be a User administrator or Global administrator.
1 – Add a new user: You can create a new user using the Azure Active Directory portal
– Sign in to the Azure portal as a User administrator for the organisation.
– Select Azure Active Directory as shown below
This will open the all users window. Click on Users, and then select New user.
– Note: In this way, you can also create a guest user.
This will open the New User Creation Window as shown below. Populate the new user dialog box as shown below
You can decide to add the Job title and department if you wish. When you are done,
– Click on create as shown above.
Note: You can assign a role to this new user from the new user creation window as shown above. To do this, we will have to change the Role from user to what so ever role we want. This brings us to the next sub-topic, Permissions and roles.
Permissions and roles: Azure AD uses permissions to help you control the access rights a user or group is granted. This is done through roles. Azure AD has many roles with different permissions attached to them. When a user is assigned a specific role, they inherit permissions from that role. For example, a user assigned to the User Administrator role can create and delete user accounts.
Note: Understanding when to assign the correct type of role to the right user is a fundamental and crucial step in maintaining privacy and security compliance. If the wrong role is assigned to the wrong user, the permissions that come with that role can allow the user to cause serious damage to an organization.
2 – Assign permission to a user in Azure AD: To assign a role to a user in Azure AD, follow the steps below.
– Click on Users
– then on All Users and
– Select the User you wish to assign permission to as shown below
This will open the user “tester” Profile
– Scroll to the Assign role and click on it.
– Next, click on Add assignment
This will open the directory roles as shown below
– Select your desired role and click on add.
If the role assignment is successful, you will get a notification that it was successfully added.
In a similar fashion, you can also remove the role assignment for a user by clicking on the role and
– Selecting “Remove Assignment”.
Note: In the Window above, you can also manage Azure User Group as well.
Lets describe the popular three roles in Azure AD
- Administrator roles: Administrator roles in Azure AD allow users elevated access to control who is allowed to do what. You assign these roles to a limited group of users to manage identity tasks in an Azure AD organisation. You can assign administrator roles that allow a user to create or edit users, assign administrative roles to others, reset user passwords, manage user licenses, and more.
If your user account has the User Administrator or Global Administrator role, you can create a new user in Azure AD by using either the Azure portal, the Azure CLI, or PowerShell.
- Member users: A member user account is a native member of the Azure AD organisation that has a set of default permissions like being able to manage their profile information. When someone new joins your organisation, they typically have this type of account created for them.
Anyone who isn’t a guest user or isn’t assigned an administrator role falls into this type. A member user is meant for users who are considered internal to an organisation and are members of the Azure AD organisation.
- Guest users: Guest users have restricted Azure AD organization permissions. When you invite someone to collaborate with your organization, you add them to your Azure AD organization as a guest user. Then you can either send an invitation email that contains a redemption link or send a direct link to an app you want to share. Guest users sign in with their own work, school, or social identities. By default, Azure AD member users can invite guest users. This default can be disabled by someone who has the User Administrator role.
Your organization might need to work with an external partner. To collaborate with your organization, these partners often need to have a certain level of access to specific resources. For this sort of situation, it’s a good idea to use guest user accounts.
3 – Delete a user: Follow the steps below in order to delete a user in Azure AD
– Open the Azure Active Directory.
– Search for and select the user you want to delete from your Azure AD tenant. For example, Tester
– And select delete user as shown below
When the user is deleted, it does not appears on the Users – All users page anymore. The user can be seen on the Deleted users page for the next 30 days and can be restored during that time.
I hope you found this blog post helpful. If you have any questions, please let me know in the comment session.