In Azure Active Directory, user accounts are granted a set of default permissions. A user account in Azure depends on one or all of the following, type of user, role assignments, and their ownership of individual objects. See this guide for reasons to deploy AAD and how to set up an Azure AD Tenant. There are different types of user accounts in Azure AD. Each type has a level of access specific to the scope of work expected to be done under each type of user account. Administrators have the highest level of access, followed by the member user accounts in the Azure AD organization. Guest users have the most restricted level of access. Also, see the following article on how to add a custom domain in the Azure Active directory. In this article, you will learn how to Add or delete users and set permissions in Azure AD.
Follow the below steps to add new users or delete existing users from your Azure Active Directory organisation. To add or delete users you must be a User administrator or Global administrator.
1: Add a new user in Azure Active Directory
You can create a new user using the Azure Active Directory portal. Sign in to the Azure portal as a User administrator for the organisation. Lastly, select Azure Active Directory as shown below
This will open all user’s windows. Click on Users, and then select New User.
Note: In this way, you can also create a guest user.
This will open the New User Creation Window as shown below. Populate the new user dialog box as shown below
You can decide to add the Job title and department if you wish. Latly, click on create as shown above.
Note: You can assign a role to this new user from the new user creation window as shown above. To do this, we will have to change the Role from user to what so ever role we want. This brings us to the next sub-topic, Permissions and roles.
Permissions and roles in Azure AD
Azure AD uses permissions to help you control the access rights a user or group is granted. This is done through roles. Azure AD has many roles with different permissions attached to them. When a user is assigned a specific role, they inherit permissions from that role. For example, a user assigned to the User Administrator role can create and delete user accounts.
Note: Understanding when to assign the correct type of role to the right user is a fundamental and crucial step in maintaining privacy and security compliance. If the wrong role is assigned to the wrong user, the permissions that come with that role can allow the user to cause serious damage to an organization.
2 : Assign permission to a user in Azure AD
To assign a role to a user in Azure AD, follow the steps below.
- Click on Users
- then on All Users and
- Select the User you wish to assign permission to as shown below
This will open the user “tester” Profile. Scroll to the Assign role and click on it. Next, click on Add Assignment
This will open the directory roles as shown below. Select your desired role and click on add.
If the role assignment is successful, you will get a notification that it was successfully added.
In a similar fashion, you can also remove the role assignment for a user by clicking on the role and selecting “Remove Assignment”.
Note: In the Window above, you can also manage Azure User Group as well.
Three Popular roles in Azure Active Directory
Let's describe the popular three roles in Azure ADA: Administrator roles
Administrator roles in Azure AD allow users elevated access to control who is allowed to do what. You assign these roles to a limited group of users to manage identity tasks in an Azure AD organisation. You can assign administrator roles that allow a user to create or edit users, assign administrative roles to others, reset user passwords, manage user licenses, and more.
If your user account has the User Administrator or Global Administrator role, you can create a new user in Azure AD by using either the Azure portal, the Azure CLI, or PowerShell.
B: Member users
A member user account is a native member of the Azure AD organisation that has a set of default permissions like being able to manage their profile information. When someone new joins your organisation, they typically have this type of account created for them.
Anyone who isn’t a guest user or isn’t assigned an administrator role falls into this type. A member user is meant for users who are considered internal to an organisation and are members of the Azure AD organisation.
C: Guest users
Guest users have restricted Azure AD organization permissions. When you invite someone to collaborate with your organization, you add them to your Azure AD organization as a guest user. Then you can either send an invitation email that contains a redemption link or send a direct link to an app you want to share. Guest users sign in with their own work, school, or social identities. By default, Azure AD member users can invite guest users. This default can be disabled by someone who has the User Administrator role.
Your organization might need to work with an external partner. To collaborate with your organization, these partners often need to have a certain level of access to specific resources. For this sort of situation, it’s a good idea to use guest user accounts.
3: Delete a user in Azure AD
Follow the steps below in order to delete a user in Azure AD. Open the Azure Active Directory. Search for and select the user you want to delete from your Azure AD tenant. For example, Tester! Select delete user as shown below.
When the user is deleted, it does not appear on the Users – All Users page anymore. The user can be seen on the Deleted Users page for the next 30 days and can be restored during that time.
I hope you found this blog post helpful on how to Add or delete users and set permissions in Azure AD. If you have any questions, please let me know in the comment session.