Creating Users in Microsoft Entra ID
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
Managing Microsoft Entra ID: Creating and Configuring Users
Introduction: The Foundation of Identity
In the modern cloud-first landscape, identity is the new perimeter. Gone are the days when firewalls and physical network boundaries were enough to protect corporate assets. Today, whether an employee is accessing a document in SharePoint, a virtual machine in Azure, or a third-party SaaS application, the gatekeeper for that access is their identity. Microsoft Entra ID (formerly Azure Active Directory) serves as the central directory service that governs these identities.
Creating and managing users is the most fundamental task for any IT administrator working within the Microsoft ecosystem. If you get the user creation process wrong—by assigning incorrect permissions, failing to enforce multi-factor authentication, or neglecting to implement a proper naming convention—you create immediate security vulnerabilities and long-term administrative debt. This lesson will guide you through the technical mechanics of creating users, the architectural considerations you must keep in mind, and the best practices that separate a functional directory from a secure, well-governed one.
Understanding the Identity Lifecycle
Before we dive into the "how-to" of clicking buttons or running scripts, we must understand the identity lifecycle. A user in Microsoft Entra ID is not just a username and password; it is a digital representation of a person or a service that has a specific set of permissions, attributes, and relationships with other resources.
The lifecycle generally consists of four stages:
- Provisioning: The creation of the identity and the initial assignment of attributes.
- Configuration: Setting up group memberships, licenses, and security settings.
- Maintenance: Updating attributes, managing password resets, and auditing activity.
- Deprovisioning: Disabling or deleting the account when the user leaves the organization.
By viewing user creation as a lifecycle process rather than a one-time task, you ensure that you are always thinking about the "end" (deprovisioning) while you are at the "beginning" (provisioning). This mindset is critical for maintaining a clean and secure directory.
Methods for Creating Users
In Microsoft Entra ID, there are three primary ways to create users: manual creation via the Azure Portal, bulk creation using CSV files, and programmatic creation using Microsoft Graph or PowerShell. Each method serves a different purpose and scales differently.
1. Manual Creation via the Azure Portal
The Azure Portal is the most common starting point for administrators. It provides a graphical interface that is intuitive for creating individual accounts, such as for a new hire or a temporary contractor.
Step-by-Step Instructions:
- Navigate to the Microsoft Entra admin center (entra.microsoft.com).
- Select Users in the left-hand navigation pane, then click All users.
- Click on New user and select Create new user.
- Fill in the User principal name (UPN). This is the email address the user will use to sign in. Ensure it follows your organization's domain naming convention (e.g.,
[email protected]). - Provide the Display name, which is how the user will appear in the Global Address List and other Microsoft 365 services.
- Choose between auto-generating a password or creating one manually. If you create it manually, ensure you enforce a change on the first sign-in.
- Under Account enabled, ensure "Yes" is selected unless you are creating a placeholder account for later use.
- Fill in the Properties tab, specifically the job title, department, and usage location. The Usage Location is critical; without it, you cannot assign licenses to the user.
- Click Review + create and then Create.
Tip: The Importance of Usage Location Many administrators forget to set the Usage Location attribute. If you attempt to assign an Office 365 or Microsoft 365 license to a user without a Usage Location defined, the assignment will fail. Always set this during the initial creation process to prevent support tickets later.
2. Bulk Creation via CSV
When you have a batch of new users—such as a new department joining or an acquisition—manual creation is inefficient and error-prone. The bulk creation feature allows you to upload a CSV file containing all user details.
To use this feature:
- Navigate to Users > All users in the Entra admin center.
- Click the Bulk create button.
- Download the provided template (a CSV file).
- Populate the template with the necessary user information. Be careful with the column headers; do not modify them, or the upload will fail.
- Upload the completed CSV file back into the portal.
- Monitor the status of the upload in the Bulk upload results area.
3. Programmatic Creation (PowerShell & Graph)
For organizations that prioritize infrastructure-as-code (IaC) or have strict provisioning workflows, using PowerShell or the Microsoft Graph API is the gold standard. It ensures consistency, as every user is created with the exact same attributes and security settings.
Example: Creating a User with PowerShell (Microsoft Graph Module)
First, ensure you have the Microsoft.Graph module installed and connected.
# Connect to Microsoft Graph
Connect-MgGraph -Scopes "User.ReadWrite.All"
# Define user parameters
$params = @{
DisplayName = "Jane Doe"
UserPrincipalName = "[email protected]"
MailNickname = "janedoe"
PasswordProfile = @{
Password = "TemporaryPassword123!"
ForceChangePasswordNextSignIn = $true
}
AccountEnabled = $true
UsageLocation = "US"
}
# Create the user
New-MgUser @params
This method is highly recommended for larger organizations as it eliminates the "human factor" of clicking through a portal, which often leads to inconsistent attribute data.
Defining and Managing User Attributes
A user account is more than just a name; it is a collection of metadata. These attributes are what drive dynamic group memberships, conditional access policies, and directory filtering.
Key Attributes to Consider:
- Department and Job Title: Crucial for organizational mapping. You can use these to automatically add users to groups (Dynamic Groups).
- Usage Location: As mentioned, this is mandatory for licensing.
- Manager: Establishes the reporting hierarchy. This is essential for workflows like "Manager Approval" in self-service password reset or group access requests.
- Employee ID: A unique identifier that links the Entra ID user to your HR system (like Workday or SAP).
Callout: Static vs. Dynamic Attributes Static attributes are values you set once and rarely change (like Employee ID). Dynamic attributes are values that might change based on the user's role or status. By leveraging dynamic attributes in your groups, you can automate access management. For example, a group named "Finance Department" can automatically include everyone with the "Department" attribute set to "Finance."
Best Practices for User Governance
Governance is the practice of ensuring that your directory remains secure, compliant, and clean. Without governance, Entra ID becomes a "digital junkyard" of orphan accounts, inconsistent naming, and excessive permissions.
1. Enforce Consistent Naming Conventions
A consistent UPN format (e.g., [email protected]) is not just for aesthetics; it helps in troubleshooting and automation. If your UPNs are inconsistent, writing scripts to identify users or map them to external systems becomes significantly more difficult.
2. Standardize Attribute Population
Use a "Source of Truth." If you have an HR system, user data should flow from HR into Entra ID, not the other way around. If you manually edit attributes in the portal, those changes will likely be overwritten the next time your HR sync runs.
3. Implement Least Privilege
When creating a user, do not assign them administrative roles unless they absolutely need them. By default, a new user is a "Member" with no special permissions. Keep it that way. If a user needs to manage resources, use Azure Role-Based Access Control (RBAC) to grant access only to the specific resources required.
4. Require MFA at Creation
Do not wait for a user to "settle in" before enforcing Multi-Factor Authentication. Use Security Defaults or Conditional Access Policies to ensure that from the moment an account is enabled, it is protected by MFA.
5. Audit and Review
Regularly review your user list. Use the Access Reviews feature in Entra ID Governance to periodically ask managers if their subordinates still require access to specific groups or applications. This prevents "permission creep," where users accumulate access rights over time that they no longer need.
Common Pitfalls and How to Avoid Them
Pitfall 1: Creating "Guest" Users as "Members"
Sometimes, administrators create guest users (like external consultants) as internal members. This is dangerous because guest users can see much more of your directory than they should.
- The Fix: Always use the "Invite External User" workflow for guests. This ensures they are correctly tagged as "Guest" and limited by your external collaboration settings.
Pitfall 2: Neglecting the Password Policy
If you do not have a robust password policy, users will choose weak, easily guessable passwords.
- The Fix: Enable Password Protection in Entra ID. This blocks common, weak passwords globally across your organization, regardless of what the user tries to set.
Pitfall 3: Orphaned Accounts
When an employee leaves, simply deleting the account can sometimes cause issues with file ownership or email access.
- The Fix: Implement a formal "Offboarding" process. Disable the account, revoke refresh tokens, move the user to a specific "Terminated" organizational unit (if syncing from local AD), and only delete the account after a set retention period (e.g., 30 or 90 days).
Comparison: Cloud-Only vs. Hybrid Users
It is important to understand the difference between creating a user in the cloud versus syncing them from an on-premises environment.
| Feature | Cloud-Only User | Hybrid (Synced) User |
|---|---|---|
| Source of Authority | Microsoft Entra ID | On-premises Active Directory |
| Password Management | Managed in Entra ID | Managed on-premises (synced) |
| Attribute Edits | Editable in Entra ID | Read-only in Entra ID |
| Primary Use Case | Cloud-native organizations | Organizations with local servers |
Warning: The Hybrid Trap If you are using Microsoft Entra Connect (or Cloud Sync) to sync your on-premises Active Directory to Entra ID, you cannot edit most user attributes directly in the Azure Portal. Any changes you make will be overwritten during the next synchronization cycle. Always make your changes in the local Active Directory and let the sync process handle the update.
Advanced Considerations: Groups and Security
User creation is rarely the end of the story. Once a user exists, they need access to resources. This is almost always handled through Groups.
Assigning Users to Groups
Groups in Entra ID come in two main flavors:
- Security Groups: Used for granting access to resources like SharePoint sites or applications.
- Microsoft 365 Groups: Used for collaboration, providing a shared mailbox, calendar, and document library.
Best Practice: Group-Based Licensing Instead of assigning licenses to individual users, assign them to groups. When a user is added to the "Sales Team" group, they automatically receive the "Sales Pro" license. When they leave the group, the license is automatically reclaimed. This is a massive time-saver and ensures that you never pay for licenses for users who no longer need them.
Using Dynamic Groups
Dynamic groups use rules based on user attributes. For example, you can create a rule:
(user.department -eq "Marketing") -and (user.accountEnabled -eq True)
This group will automatically include all active marketing employees. As soon as a user's department changes in the HR system, they are automatically removed from this group and added to their new department's group. This is the epitome of identity automation.
Troubleshooting User Creation
Even with the best planning, things go wrong. Here are the most common issues you will encounter:
- "The domain is not verified": You are trying to create a user with a UPN suffix that hasn't been added to your Entra tenant. Go to Custom domain names and ensure your domain is verified.
- "License assignment failed": As mentioned, check the Usage Location. This is the number one cause of this error.
- "User already exists": You might be trying to create a user with a UPN that is already in use by a deleted object. Entra ID keeps deleted users in a "soft-deleted" state for 30 days. You must either restore the original user or permanently delete (purge) them before you can reuse the UPN.
- "Sync errors": If you are in a hybrid environment, check the Entra Connect health portal. Common errors include duplicate proxy addresses (two users having the same email address) or invalid characters in attributes.
Summary and Key Takeaways
Managing identities in Microsoft Entra ID is a high-stakes responsibility. By mastering the creation process, you set the standard for security and efficiency within your organization.
Key Takeaways:
- Identity is the perimeter: Treat every user account with the same level of security scrutiny as you would a physical server.
- Lifecycle Management: Always consider the entire lifecycle of an identity, from the moment of creation to the eventual deprovisioning, to avoid security gaps and orphaned accounts.
- Automation is King: Whether through CSV bulk uploads or the Microsoft Graph API, minimize manual entry to reduce errors and ensure consistency.
- Attributes Matter: Use attributes (Department, Job Title, Usage Location) effectively to drive automation and simplify licensing.
- Governance First: Implement group-based licensing and dynamic groups to ensure that permissions and access are always accurate and up to date.
- Hybrid Awareness: Understand your environment. If you are syncing from on-premises, respect the source of authority and avoid making manual changes in the cloud that will be overwritten.
- Default to Least Privilege: Start every user with the minimum permissions necessary and use RBAC to grant additional access only when required.
By following these principles, you will build a resilient and manageable identity infrastructure. Remember that your goal is not just to create users, but to create them in a way that aligns with your organization's security posture and long-term operational needs. Take the time to automate, document, and audit your processes, and you will find that identity management becomes a manageable, predictable part of your daily IT operations.
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons