Enterprise User Management Documentation - Azure AD

Contents
User management documentation

Overview
Azure AD users, groups, licensing, and roles
Quickstarts
Add users to Azure AD
Assign licenses to users
Grant permission for unlimited app registrations
Set groups expiration
Set groups naming policy
Tutorials
Create a dynamic group
Concepts
Delegate Azure AD admin roles
Compare default user permissions
Compare Azure and Azure AD roles
Group-based licensing basics
Manage access with groups
How-to guides
Manage users
Create users
Bulk create users
Manage user profiles
My Staff delegation
Download user info
Share user accounts
Assign users to admin roles
User management enhancements
Bulk delete users
Restore a deleted user
Bulk restore users
Revoke a user's access
Close an account in an unmanaged directory
Add guest users
Assign role to guest user
Restrict guest user access
Dynamic groups and guests
Manage your directory
Azure AD organizations
Manage domain names
Delete a directory
Multiple directories
Self-service signup
Take over a directory
Azure AD Connect
Manage groups
Manage access with groups
Create a group (Azure portal)
Manage groups PowerShell for Graph (v2)
Manage groups with PowerShell MSOnline
Search group and member lists
Add or remove group members
Dynamic groups
Create a dynamic group
Dynamic group rule syntax
Validate a membership rule
Change group membership type
Bulk add members
Bulk remove members
Bulk download member list
Bulk download groups list
Restore deleted groups
Manage group settings
Manage group owners
Manage groups in groups
Add group access to SaaS apps
Set group naming policy
Set group expiration policy
Set up group self-service
Assign sensitivity labels
Assign licenses
Assign licenses to users
Assign licenses to a group
Resolve group license problems
Change users to group licensing
Change licenses for a user or group
Additional scenarios
Group licensing with PowerShell and Graph
Service plan IDs for licensing
Azure AD administrator roles
Roles and permissions
View and assign roles
Custom roles
Custom roles
Create a custom role
View custom role assignments
Assign roles in Azure AD admin center
Assign custom roles in PowerShell
Custom role permissions
Delegate app admin permissions
Use groups to manage role assignments
Group-based role assignment preview
Create a role-assignable group
Assign roles to a group
Remove role assignments from a group
View a group's role assignments
Make a group eligible for a role in PIM
FAQ and troubleshooting
Least-privileged roles by task
Microsoft 365 roles
Role security
Role security planning
Create emergency accounts
Administrative units
Administrative units overview
Add and manage AUs
Add and manage users in AUs
Add and manage groups in AUs
Assign a role with AU scope
FAQ and troubleshooting
Manage sign-in
Customize company branding
Sign-in options
Home Realm Discovery
Integrate services with Azure AD
Integrate LinkedIn with Azure AD
LinkedIn data sharing
Troubleshoot
Get support for Azure AD
Troubleshoot groups
Troubleshoot group licensing
Reference
Graph API
Azure AD CLI
Azure AD PowerShell for Graph
Azure AD service limits
What is enterprise user management?
9/7/2020 • 3 minutes to read • Edit Online
This article introduces the Azure AD administrator to the relationship between top identity management tasks for
users in terms of their groups, licenses, deployed enterprise apps, and administrator roles. As your organization
grows, you can use Azure AD groups and administrator roles to:
Assign licenses to groups instead of to individually
Delegate permissions to distribute the work of Azure AD management to less-privileged roles
Assign enterprise app access to groups
Assign users to groups

You can use groups in Azure AD to assign licenses to large numbers of users, or to assign user access to deployed
enterprise apps. You can use groups to assign all administrator roles except for Global Administrator in Azure AD,
or you can grant access to resources that are external, such as SaaS applications or SharePoint sites.
For additional flexibility and to reduce the work of managing group membership, you can use dynamic groups in
Azure AD to expand and contract group membership automatically. You'll need an Azure AD Premium P1 license for
each unique user that is a member of one or more dynamic groups.
Assign licenses to groups

Assigning or removing licenses from users individually can demand time and attention. If you assign licenses to
groups instead, you can make your large-scale license management easier.
In Azure AD, when users join a licensed group, they're automatically assigned the appropriate licenses. When users
leave the group, Azure AD removes their license assignments. Without Azure AD groups, you'd have to write a
PowerShell script or use Graph API to bulk add or remove user licenses for users joining or leaving the
organization.
If there are not enough available licenses, or an issue occurs like service plans that can't be assigned at the same
time, you can see status of any licensing issue for the group in the Azure portal.
NOTE
The group-based licensing feature currently is in public preview. During the preview, the feature is available with any paid
Azure Active Directory (Azure AD) license plan or trial.
Delegate administrator roles

Many large organizations want options for their users to obtain sufficient permissions for their work tasks without
assigning the powerful Global Administrator role to, for example, users who must register applications. Here's an
example of new Azure AD administrator roles to help you distribute the work of application management with
more granularity:
RO L E N A M E P ERM ISSIO N S SUM M A RY

RO L E N A M E P ERM ISSIO N S SUM M A RY
Application Administrator Can add and manage enterprise applications and application
registrations, and configure proxy application settings.
Application Administrators can view Conditional Access
policies and devices, but not manage them.
Cloud Application Administrator Can add and manage enterprise applications and enterprise
app registrations. This role has all of the permissions of the
Application Administrator, except it can't manage application
proxy settings.
Application Developer Can add and update application registrations, but can't
manage enterprise applications or configure an application
proxy.
New Azure AD administrator roles are being added. Check the Azure portal or the administrator role permission
reference for current available roles.
Assign app access

You can use Azure AD to assign group access to the enterprise apps that are deployed in your Azure AD
organization. If you combine dynamic groups with group assignment to apps, you can automate your user app
access assignments as your organization grows. You'll need an Azure Active Directory Premium P1 or Premium P2
license to assign access to enterprise apps.
Azure AD also gives you granular control of the data that flows between the app and the groups to whom you
assign access. In Enterprise Applications, open an app and select Provisioning to:
Set up automatic provisioning for apps that support it
Provide credentials to connect to the app's user management API
Set up the mappings that control which user attributes flow between Azure AD and the app when user accounts
are provisioned or updated
Start and stop the Azure AD provisioning service for an app, clear the provisioning cache, or restart the service
View the Provisioning activity repor t that provides a log of all users and groups created, updated, and
removed between Azure AD and the app, and the Provisioning error repor t that provides more detailed
error messages
Next steps
If you're a beginning Azure AD administrator, get the basics down in Azure Active Directory Fundamentals.
Or you can start creating groups, assigning licenses, assigning app access or assigning administrator roles.
Add or delete users using Azure Active Directory
Add new users or delete existing users from your Azure Active Directory (Azure AD) organization. To add or delete
users you must be a User administrator or Global administrator.
Add a new user

You can create a new user using the Azure Active Directory portal.
To add a new user, follow these steps:
1. Sign in to the Azure portal as a User administrator for the organization.
2. Search for and select Azure Active Directory from any page.
3. Select Users , and then select New user .
4. On the User page, enter information for this user:

Name . Required. The first and last name of the new user. For example, Mary Parker.
User name . Required. The user name of the new user. For example, mary@contoso.com .
The domain part of the user name must use either the initial default domain name,
<yourdomainname>.onmicrosoft.com, or a custom domain name, such as contoso.com. For more
information about how to create a custom domain name, see Add your custom domain name using
the Azure Active Directory portal.
Groups . Optionally, you can add the user to one or more existing groups. You can also add the user to
groups at a later time. For more information about adding users to groups, see Create a basic group
and add members using Azure Active Directory.
Director y role : If you require Azure AD administrative permissions for the user, you can add them to
an Azure AD role. You can assign the user to be a Global administrator or one or more of the limited
administrator roles in Azure AD. For more information about assigning roles, see How to assign roles
to users.
Job info : You can add more information about the user here, or do it later. For more information
about adding user info, see How to add or change user profile information.
5. Copy the autogenerated password provided in the Password box. You'll need to give this password to the
user to sign in for the first time.
6. Select Create .
The user is created and added to your Azure AD organization.
Add a new guest user

You can also invite new guest user to collaborate with your organization by selecting Invite user from the New
user page. If your organization's external collaboration settings are configured such that you're allowed to invite
guests, the user will be emailed an invitation they must accept in order to begin collaborating. For more information
about inviting B2B collaboration users, see Invite B2B users to Azure Active Directory
Add a consumer user

There might be scenarios in which you want to manually create consumer accounts in your Azure Active Directory
B2C (Azure AD B2C) directory. For more information about creating consumer accounts, see Create and delete
consumer users in Azure AD B2C.
Add a new user within a hybrid environment

If you have an environment with both Azure Active Directory (cloud) and Windows Server Active Directory (on-
premises), you can add new users by syncing the existing user account data. For more information about hybrid
environments and users, see Integrate your on-premises directories with Azure Active Directory.
Delete a user
You can delete an existing user using Azure Active Directory portal.
To delete a user, follow these steps:
1. Sign in to the Azure portal using a User administrator account for the organization.
3. Search for and select the user you want to delete from your Azure AD tenant. For example, Mary Parker.
4. Select Delete user .
The user is deleted and no longer appears on the Users - All users page. The user can be seen on the Deleted
users page for the next 30 days and can be restored during that time. For more information about restoring a user,
see Restore or remove a recently deleted user using Azure Active Directory.
When a user is deleted, any licenses consumed by the user are made available for other users.
NOTE
You must use Windows Server Active Directory to update the identity, contact information, or job information for users whose
source of authority is Windows Server Active Directory. After you complete your update, you must wait for the next
synchronization cycle to complete before you'll see the changes.
Next steps
After you've added your users, you can do the following basic processes:
Add or change profile information
Assign roles to users
Create a basic group and add members
Work with dynamic groups and users
Or you can do other user management tasks, such as adding guest users from another directory or restoring a
deleted user. For more information about other available actions, see Azure Active Directory user management
documentation.
Assign or remove licenses in the Azure Active
Directory portal
Many Azure Active Directory (Azure AD) services require you to license each of your users or groups (and
associated members) for that service. Only users with active licenses will be able to access and use the licensed
Azure AD services for which that's true. Licenses are applied per tenant and do not transfer to other tenants.
Available license plans

There are several license plans available for the Azure AD service, including:
Azure AD Free
Azure AD Premium P1
Azure AD Premium P2
For specific information about each license plan and the associated licensing details, see What license do I need?. To
sign up for Azure AD premium license plans see here.
Not all Microsoft services are available in all locations. Before a license can be assigned to a group, you must specify
the Usage location for all members. You can set this value in the Azure Active Director y > Users > Profile >
Settings area in Azure AD. Any user whose usage location is not specified inherits the location of the Azure AD
organization.
View license plans and plan details

You can view your available service plans, including the individual licenses, check pending expiration dates, and
view the number of available assignments.
To find your service plan and plan details
1. Sign in to the Azure portal using a License administrator account in your Azure AD organization.
2. Select Azure Active Director y , and then select Licenses .
3. Select the Purchased link to view the Products page and to see the Assigned , Available , and Expiring
soon numbers for your license plans.
4. Select a plan name to see its licensed users and groups.
Assign licenses to users or groups

Make sure that anyone needing to use a licensed Azure AD service has the appropriate license. You can add the
licensing rights to users or to an entire group.
To assign a license to a user
1. On the Products page, select the name of the license plan you want to assign to the user.
2. On the license plan overview page, select Assign .
3. On the Assign page, select Users and groups , and then search for and select the user you're assigning the
license.
4. Select Assignment options , make sure you have the appropriate license options turned on, and then select
OK .
The Assign license page updates to show that a user is selected and that the assignments are configured.
NOTE
Not all Microsoft services are available in all locations. Before a license can be assigned to a user, you must specify the
Usage location . You can set this value in the Azure Active Director y > Users > Profile > Settings area in
Azure AD. Any user whose usage location is not specified inherits the location of the Azure AD organization.
5. Select Assign .
The user is added to the list of licensed users and has access to the included Azure AD services.
NOTE
Licenses can also be assigned directly to a user from the user's Licenses page. If a user has a license assigned
through a group membership and you want to assign the same license to the user directly, it can be done only from
the Products page mentioned in step 1 only.
To assign a license to a group

2. On the Azure Active Director y Premium Plan 2 page, select Assign .
3. On the Assign page, select Users and groups , and then search for and select the group you're assigning
the license.
4. Select Assignment options , make sure you have the appropriate license options turned on, and then select
OK .
5. Select Assign .
The group is added to the list of licensed groups and all of the members have access to the included Azure
AD services.
Remove a license
You can remove a license from a user's Azure AD user page, from the group overview page for a group assignment,
or starting from the Azure AD Licenses page to see the users and groups for a license.
To remove a license from a user
1. On the Licensed users page for the service plan, select the user that should no longer have the license. For
example, Alain Charon.
2. Select Remove license .
IMPORTANT
Licenses that a user inherits from a group can't be removed directly. Instead, you have to remove the user from the group
from which they're inheriting the license.
To remove a license from a group

1. On the Licensed groups page for the license plan, select the group that should no longer have the license.
NOTE
When an on-premises user account synced to Azure AD falls out of scope for the sync or when the sync is removed,
the user is soft-deleted in Azure AD. When this occurs, licenses assigned to the user directly or via group-based
licensing will be marked as suspended rather than deleted .
Next steps
After you've assigned your licenses, you can perform the following processes:
Identify and resolve license assignment problems
Add licensed users to a group for licensing
Scenarios, limitations, and known issues using groups to manage licensing in Azure Active Directory
Quickstart: Grant permission to create unlimited app
registrations
In this quick start guide, you will create a custom role with permission to create an unlimited number of app
registrations, and then assign that role to a user. The assigned user can then use the Azure AD portal, Azure AD
PowerShell, or Microsoft Graph API to create application registrations. Unlike the built-in Application Developer
role, this custom role grants the ability to create an unlimited number of application registrations. The Application
Developer role grants the ability, but the total number of created objects is limited to 250 to prevent hitting the
directory-wide object quota. The least privileged role required to create and assign Azure AD custom roles is the
Privileged Role administrator.
If you don't have an Azure subscription, create a free account before you begin.
Create a custom role using the Azure AD portal

1. Sign in to the Azure AD admin center with Privileged Role administrator or Global administrator permissions
in the Azure AD organization.
2. Select Azure Active Director y , select Roles and administrators , and then select New custom role .
3. On the Basics tab, provide "Application Registration Creator" for the name of the role and "Can create an
unlimited number of application registrations" for the role description, and then select Next .
4. On the Permissions tab, enter "microsoft.directory/applications/create" in the search box, and then select
the checkboxes next to the desired permissions, and then select Next .
5. On the Review + create tab, review the permissions and select Create .
Assign the role in the Azure AD portal
1. Sign in to the Azure AD admin center with Privileged role administrator or Global administrator permissions in
your Azure AD organization.
2. Select Azure Active Director y and then select Roles and administrators .
3. Select the Application Registration Creator role and select Add assignment .
4. Select the desired user and click Select to add the user to the role.
Done! In this quickstart, you successfully created a custom role with permission to create an unlimited number of
app registrations, and then assign that role to a user.
TIP
To assign the role to an application using the Azure AD portal, enter the name of the application into the search box of the
assignment page. Applications are not shown in the list by default, but are returned in search results.
App registration permissions

There are two permissions available for granting the ability to create application registrations, each with different
behavior.
microsoft.directory/applications/createAsOwner: Assigning this permission results in the creator being added as
the first owner of the created app registration, and the created app registration will count against the creator's
250 created objects quota.
microsoft.directory/applicationPolicies/create: Assigning this permission results in the creator not being added
as the first owner of the created app registration, and the created app registration will not count against the
creator's 250 created objects quota. Use this permission carefully, because there is nothing preventing the
assignee from creating app registrations until the directory-level quota is hit. If both permissions are assigned,
this permission takes precedence.
Create a custom role in Azure AD PowerShell

Prepare PowerShell
First, install the Azure AD PowerShell module from the PowerShell Gallery. Then import the Azure AD PowerShell
preview module, using the following command:
import-module azureadpreview
To verify that the module is ready to use, match the version returned by the following command to the one listed
here:
get-module azureadpreview
ModuleType Version Name ExportedCommands
---------- --------- ---- ----------------
Binary 2.0.0.115 azureadpreview {Add-AzureADAdministrati...}
Create the custom role in Azure AD PowerShell

Create a new role using the following PowerShell script:
# Basic role information
$displayName = "Application Registration Creator"
$description = "Can create an unlimited number of application registrations."
$templateId = (New-Guid).Guid
# Set of permissions to grant

$allowedResourceAction =
@(
"microsoft.directory/applications/create"
"microsoft.directory/applications/createAsOwner"
)
$rolePermissions = @{'allowedResourceActions'= $allowedResourceAction}
# Create new custom admin role

$customRole = New-AzureAdMSRoleDefinition -RolePermissions $rolePermissions -DisplayName $displayName -
Description $description -TemplateId $templateId -IsEnabled $true
Assign the role in Azure AD PowerShell

Assign the role using the following PowerShell script:
# Get the user and role definition you want to link

$user = Get-AzureADUser -Filter "userPrincipalName eq 'Adam@contoso.com'"
$roleDefinition = Get-AzureADMSRoleDefinition -Filter "displayName eq 'Application Registration Creator'"
# Get resource scope for assignment

$resourceScope = '/'
# Create a scoped role assignment

$roleAssignment = New-AzureADMSRoleAssignment -ResourceScope $resourceScope -RoleDefinitionId
$roleDefinition.Id -PrincipalId $user.objectId
Create a custom role in the Microsoft Graph API

HTTP request to create the custom role.
POST
https://graph.microsoft.com/beta/roleManagement/directory/roleDefinitions
Body
{
"description":"Can create an unlimited number of application registrations.",
"displayName":"Application Registration Creator",
"isEnabled":true,
"rolePermissions":
[
{
"resourceActions":
{
"allowedResourceActions":
[
"microsoft.directory/applications/create"
"microsoft.directory/applications/createAsOwner"
]
},
"condition":null
}
],
"templateId":"<PROVIDE NEW GUID HERE>",
"version":"1"
}
Assign the role in the Microsoft Graph API

The role assignment combines a security principal ID (which can be a user or service principal), a role definition
(role) ID, and an Azure AD resource scope.
HTTP request to assign a custom role.
POST
https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments
Body
{
"principalId":"<PROVIDE OBJECTID OF USER TO ASSIGN HERE>",
"roleDefinitionId":"<PROVIDE OBJECTID OF ROLE DEFINITION HERE>",
"resourceScopes":["/"]
}
Next steps
Feel free to share with us on the Azure AD administrative roles forum.
For more about Azure AD role assignments, see Assign administrator roles.
For more about default user permissions, see comparison of default guest and member user permissions.
Quickstart: Set Microsoft 365 groups to expire in
Azure Active Directory
In this quickstart, you set the expiration policy for your Microsoft 365 groups. When users can set up their own
groups, unused groups can multiply. One way to manage unused groups is to set those groups to expire, to reduce
the maintenance of manually deleting groups.
Expiration policy is simple:
Groups with user activities are automatically renewed as the expiration nears
Group owners are notified to renew an expiring group
A group that is not renewed is deleted
A deleted Microsoft 365 group can be restored within 30 days by a group owner or by an Azure AD
administrator
NOTE
Groups now use Azure AD intelligence to automatically renewed based on whether they have been in recent use. This
renewal decision is based on user activity in groups across Office 365 services like Outlook, SharePoint, Teams, Yammer, and
others.
Prerequisite
The least-privileged role required to set up group expiration is User administrator in the organization.
Turn on user creation for groups

1. Sign in to the Azure portal with a User administrator account.
2. Select Groups , and then select General .
3. Set Users can create Microsoft 365 groups to Yes .
4. Select Save to save the groups settings when you're done.
Set group expiration

1. Sign in to the Azure portal, select Azure Active Director y > Groups > Expiration to open the expiration
settings.
2. Set the expiration interval. Select a preset value or enter a custom value over 31 days.
3. Provide an email address where expiration notifications should be sent when a group has no owner.
4. For this quickstart, set Enable expiration for these Microsoft 365 groups to All .
5. Select Save to save the expiration settings when you're done.
That's it! In this quickstart, you successfully set the expiration policy for the selected Microsoft 365 groups.
Clean up resources
To remove the expiration policy
1. Ensure that you are signed in to the Azure portal with an account that is the Global Administrator for your Azure
AD organization.
2. Select Azure Active Director y > Groups > Expiration .
3. Set Enable expiration for these Microsoft 365 groups to None .
To turn off user creation for groups
1. Select Azure Active Director y > Groups > General .
2. Set Users can create Microsoft 365 groups in Azure por tals to No .
Next steps
For more information about expiration including PowerShell instructions and technical constraints, see the
following article:
Expiration policy PowerShell
Quickstart: Naming policy for groups in Azure Active
Directory
In this quickstart, you will set up naming policy in your Azure Active Directory (Azure AD) organization for user-
created Microsoft 365 groups, to help you sort and search your organization’s groups. For example, you could use
the naming policy to:
Communicate the function of a group, membership, geographic region, or who created the group.
Help categorize groups in the address book.
Block specific words from being used in group names and aliases.
Configure the group naming policy in the Azure portal

1. Sign in to the Azure AD admin center with a User administrator account.
2. Select Groups , then select Naming policy to open the Naming policy page.
View or edit the Prefix-suffix naming policy

1. On the Naming policy page, select Group naming policy .
2. You can view or edit the current prefix or suffix naming policies individually by selecting the attributes or strings
you want to enforce as part of the naming policy.
3. To remove a prefix or suffix from the list, select the prefix or suffix, then select Delete . Multiple items can be
deleted at the same time.
4. Select Save for your changes to the policy to go into effect.
View or edit the custom blocked words
1. On the Naming policy page, select Blocked words .
2. View or edit the current list of custom blocked words by selecting Download .
3. Upload the new list of custom blocked words by selecting the file icon.
4. Select Save for your changes to the policy to go into effect.
That's it. You've set your naming policy and added your custom blocked words.
Clean up resources
Remove the naming policy using Azure portal
1. On the Naming policy page, select Delete policy .
2. After you confirm the deletion, the naming policy is removed, including all prefix-suffix naming policy and any
custom blocked words.
Next steps
In this quickstart, you’ve learned how to set the naming policy for your Azure AD organization through the Azure
portal.
Advance to the next article for more information including the PowerShell cmdlets for naming policy, technical
constraints, adding a list of custom blocked words, and the end user experiences across Office 365 apps.
Naming policy PowerShell
Tutorial: Add or remove group members
automatically
In Azure Active Directory (Azure AD), you can automatically add or remove users to security groups or Office 365
groups, so you don't always have to do it manually. Whenever any properties of a user or device change, Azure AD
evaluates all dynamic group rules in your Azure AD organization to see if the change should add or remove
members.
In this tutorial, you learn how to:
Create an automatically populated group of guest users from a partner company
Assign licenses to the group for the partner-specific features for guest users to access
Bonus: secure the All users group by removing guest users so that, for example, you can give your member
users access to internal-only sites
Prerequisites
This feature requires one Azure AD Premium license for you as the global administrator of the organization. If you
don't have one, in Azure AD, select Licenses > Products > Tr y/Buy .
You're not required to assign licenses to the users for them to be members in dynamic groups. You only need the
minimum number of available Azure AD Premium P1 licenses in the organization to cover all such users.
Create a group of guest users

First, you'll create a group for your guest users who all are from a single partner company. They need special
licensing, so it's often more efficient to create a group for this purpose.
1. Sign in to the Azure portal (https://portal.azure.com) with an account that is the global administrator for
your organization.
2. Select Azure Active Director y > Groups > New group .
3. On the Group blade:
Select Security as the group type.
Enter Guest users Contoso as the name and description for the group.
Change Membership type to Dynamic User .
4. Select Owners and in the Add Owners blade search for any desired owners. Click on the desired owners to
add to the selection.
5. Click Select to close the Add Owners blade.
6. Select Edit dynamic quer y in the Dynamic user members box.
7. On the Dynamic membership rules blade:
In the Proper ty field, click on the existing value and select userType .
Verify that the Operator field has Equals selected.
Select the Value field and enter Guest .
Click the Add Expression hyperlink to add another line.
In the And/Or field, select And .
In the Proper ty field, select companyName .
Verify that the Operator field has Equals selected.
In the Value field, enter Contoso .
Click Save to close the Dynamic membership rules blade.
8. On the Group blade, select Create to create the group.
Assign licenses
Now that you have your new group, you can apply the licenses that these partner users need.
1. In Azure AD, select Licenses , select one or more licenses, and then select Assign .
2. Select Users and groups , and select the Guest users Contoso group, and save your changes.
3. Assignment options allow you to turn on or off the service plans included the licenses that you selected.
When you make a change, be sure to click OK to save your changes.
4. To complete the assignment, on the Assign license pane, click Assign at the bottom of the pane.
Remove guests from All users group

Perhaps your ultimate administrative plan is to assign all of your guest users to their own groups by company. You
can also now change the All users group so that it is reserved for only members users in your organization. Then
you can use it to assign apps and licenses that are specific to your home organization.
Clean up resources
To remove the guest users group
1. Sign in to the Azure portal with an account that is the Global Administrator for your organization.
2. Select Azure Active Director y > Groups . Select the Guest users Contoso group, select the ellipsis (...), and
then select Delete . When you delete the group, any assigned licenses are removed.
To restore the All Users group
1. Select Azure Active Director y > Groups . Select the name of the All users group to open the group.
2. Select Dynamic membership rules , clear all the text in the rule, and select Save .
Next steps
In this tutorial, you learned how to:
Create a group of guest users
Assign licenses to your new group
Change All users group to members only
Advance to the next article to learn more group-based licensing basics
Group licensing basics
Delegate administration in Azure Active Directory
With organizational growth comes complexity. One common response is to reduce some of the workload of access
management with Azure Active Directory (AD) admin roles. You can assign the least possible privilege to users to
access their apps and perform their tasks. Even if you don't assign the Global Administrator role to every
application owner, you're placing application management responsibilities on the existing Global Administrators.
There are many reasons for an organization move toward a more decentralized administration. This article can
help you plan for delegation in your organization.
Centralized versus delegated permissions

As an organization grows, it can be difficult to keep track of which users have specific admin roles. If an employee
has administrator rights they shouldn’t, your organization can be more susceptible to security breaches. Generally,
how many administrators you support and how granular their permissions are depends on the size and complexity
of your deployment.
In small or proof-of-concept deployments, one or a few administrators do everything; there's no delegation. In
this case, create each administrator with the Global Administrator role.
In larger deployments with more machines, applications, and desktops, more delegation is needed. Several
administrators might have more specific functional responsibilities (roles). For example, some might be
Privileged Identity Administrators, and others might be Application Administrators. Additionally, an
administrator might manage only certain groups of objects such as devices.
Even larger deployments might require even more granular permissions, plus possibly administrators with
unconventional or hybrid roles.
In the Azure AD portal, you can view all the members of any role, which can help you quickly check your
deployment and delegate permissions.
If you’re interested in delegating access to Azure resources instead of administrative access in Azure AD, see Assign
an Azure role.
Delegation planning
It's work to develop a delegation model that fits your needs. Developing a delegation model is an iterative design
process, and we suggest you follow these steps:
Define the roles you need
Delegate app administration
Grant the ability to register applications
Delegate app ownership
Develop a security plan
Establish emergency accounts
Secure your administrator roles
Make privileged elevation temporary
Define roles
Determine the Active Directory tasks that are carried out by administrators and how they map to roles. You can
view detailed role descriptions in the Azure portal.
Each task should be evaluated for frequency, importance, and difficulty. These criteria are vital aspects of task
definition because they govern whether a permission should be delegated:
Tasks that you do routinely, have limited risk, and are trivial to complete are excellent candidates for delegation.
Tasks that you do rarely but have great impact across the organization and require high skill levels should be
considered very carefully before delegating. Instead, you can temporarily elevate an account to the required role
or reassign the task.
Delegate app administration

The proliferation of apps within your organization can strain your delegation model. If it places the burden for
application access management on the Global Administrator, it's likely that model increases its overhead as time
goes on. If you have granted people the Global Administrator role for things like configuring enterprise
applications, you can now offload them to the following less-privileged roles. Doing so helps to improve your
security posture and reduces the potential for unfortunate mistakes. The most-privileged application administrator
roles are:
The Application Administrator role, which grants the ability to manage all applications in the directory,
including registrations, single sign-on settings, user and group assignments and licensing, Application Proxy
settings, and consent. It doesn't grant the ability to manage Conditional Access.
The Cloud Application Administrator role, which grants all the abilities of the Application Administrator,
except it doesn't grant access to Application Proxy settings (because it has no on-premises permission).
Delegate app registration

By default, all users can create application registrations. To selectively grant the ability to create application
registrations:
Set Users can register applications to No in User settings
Assign the user to the Application Developer role
To selectively grant the ability to consent to allow an application to access data:
Set Users can consent to applications accessing company data on their behalf To No in User settings
Assign the user to the Application Developer role
When an Application Developer creates a new application registration, they are automatically added as the first
owner.
Delegate app ownership

For even finer-grained app access delegation, you can assign ownership to individual enterprise applications. This
complements the existing support for assigning application registration owners. Ownership is assigned on a per-
enterprise application basis in the Enterprise Applications blade. The benefit is owners can manage only the
enterprise applications they own. For example, you can assign an owner for the Salesforce application, and that
owner can manage access to and configuration for Salesforce, and no other applications. An enterprise application
can have many owners, and a user can be the owner for many enterprise applications. There are two app owner
roles:
The Enterprise Application Owner role grants the ability to manage the ‘enterprise applications that the user
owns, including single sign-on settings, user and group assignments, and adding additional owners. It doesn't
grant the ability to manage Application Proxy settings or Conditional Access.
The Application Registration Owner role grants the ability to manage application registrations for app that
the user owns, including the application manifest and adding additional owners.
Develop a security plan
Azure AD provides an extensive guide to planning and executing a security plan on your Azure AD admin roles,
Securing privileged access for hybrid and cloud deployments.
Establish emergency accounts

To maintain access to your identity management store when issue arises, prepare emergency access accounts
according to Create emergency-access administrative accounts.
Secure your administrator roles

Attackers who get control of privileged accounts can do tremendous damage, so protect these accounts first, using
the baseline access policy that is available by default to all Azure AD organizations (in public preview). The policy
enforces multi-factor authentication on privileged Azure AD accounts. The following Azure AD roles are covered by
the Azure AD baseline policy:
Global administrator
SharePoint administrator
Exchange administrator
Conditional Access administrator
Security administrator
Elevate privilege temporarily

For most day-to-day activities, not all users need global administrator rights, and not all of them should be
permanently assigned to the Global Administrator role. When users need the permissions of a Global
Administrator, they should activate the role assignment in Azure AD Privileged Identity Management on either their
own account or an alternate administrative account.
Next steps
For a reference to the Azure AD role descriptions, see Assign admin roles in Azure AD
What are the default user permissions in Azure
Active Directory?
In Azure Active Directory (Azure AD), all users are granted a set of default permissions. A user’s access consists
of the type of user, their role assignments, and their ownership of individual objects. This article describes
those default permissions and contains a comparison of the member and guest user defaults. The default user
permissions can be changed only in user settings in Azure AD.
Member and guest users

The set of default permissions received depends on whether the user is a native member of the tenant
(member user) or if the user is brought over from another directory as a B2B collaboration guest (guest user).
See What is Azure AD B2B collaboration? for more information about adding guest users.
Member users can register applications, manage their own profile photo and mobile phone number,
change their own password, and invite B2B guests. In addition, users can read all directory information
(with a few exceptions).
Guest users have restricted directory permissions. They can manage their own profile, change their own
password and retrieve some information about other users, groups and apps, however, they cannot read all
directory information. For example, guest users cannot enumerate users, groups and other directory
objects. Guests can be added to administrator roles, which grant them full read and write permissions
contained in the role. Guests can also invite other guests.
Compare member and guest default permissions

M EM B ER USER DEFA ULT GUEST USER REST RIC T ED GUEST USER
A REA P ERM ISSIO N S P ERM ISSIO N S P ERM ISSIO N S ( P REVIEW )
Users and contacts Read all public Read own Read own
properties of users properties properties
and contacts Read display name, Change own
Invite guests email, sign in name, password
Change own photo, user
password principal name, and
Manage own user type properties
mobile phone of other users and
number contacts
Manage own photo Change own
Invalidate own password
refresh tokens Search for another
user by Display
Name, User
Principal Name or
ObjectId (if allowed)
Read manager and
direct report
information of other
users
Groups Create security Read properties of No permissions

groups all non-hidden
Create Office 365 groups, including
groups membership and
Read all properties ownership (even
of groups non-joined groups)
Read non-hidden Read hidden Office
group memberships 365 group
Read hidden Office memberships for
365 group joined groups
memberships for Search for groups
joined group by Display Name or
Manage properties, ObjectId (if allowed)
ownership, and
membership of
groups the user
owns
Add guests to
owned groups
Manage dynamic
membership
settings
Delete owned
groups
Restore owned
Office 365 groups
Applications Register (create) Read properties of Read properties of

new application registered and registered and
Read properties of enterprise enterprise
registered and applications applications
enterprise
applications
Manage application
properties,
assignments, and
credentials for
owned applications
Create or delete
application
password for user
Delete owned
applications
Restore owned
applications
Devices Read all properties No permissions No permissions

of devices
Manage all
properties of owned
devices
Directory Read all company Read display name Read display name
information and verified and verified
Read all domains domains domains
Read all partner
contracts
Roles and Scopes Read all No permissions No permissions

administrative roles
and memberships
Read all properties
and membership of
administrative units
Subscriptions Read all No permissions No permissions

subscriptions
Enable Service Plan
Member
Policies Read all properties No permissions No permissions

of policies
Manage all
properties of owned
policy
To restrict the default permissions for member users

Default permissions for member users can be restricted in the following ways:
P ERM ISSIO N SET T IN G EXP L A N AT IO N
Users can register application Setting this option to No prevents users from creating
application registrations. The ability can then be granted
back to specific individuals by adding them to the
Application Developer role.
Allow users to connect work or school account with Setting this option to No prevents users from connecting
LinkedIn their work or school account with their LinkedIn account.
For more information, see LinkedIn account connections
data sharing and consent.
Ability to create security groups Setting this option to No prevents users from creating
security groups. Global administrators and User
administrators can still create security groups. See Azure
Active Directory cmdlets for configuring group settings to
learn how.
Ability to create Office 365 groups Setting this option to No prevents users from creating
Office 365 groups. Setting this option to Some allows a
select set of users to create Office 365 groups. Global
administrators and User administrators will still be able to
create Office 365 groups. See Azure Active Directory
cmdlets for configuring group settings to learn how.
Restrict access to Azure AD administration portal Setting this option to No lets non-administrators use the
Azure AD administration portal to read and manage Azure
AD resources. Yes restricts all non-administrators from
accessing any Azure AD data in the administration portal.
Note : this setting does not restrict access to Azure AD
data using PowerShell or other clients such as Visual
Studio.When set to Yes, to grant a specific non-admin
user the ability to use the Azure AD administration
portal assign any administrative role such as the
Directory Readers role.
This role allows reading basic directory information,
which member users have by default (guests and
service principals do not).
Ability to read other users This setting is available in PowerShell only. Setting this flag
to $false prevents all non-admins from reading user
information from the directory. This flag does not prevent
reading user information in other Microsoft services like
Exchange Online. This setting is meant for special
circumstances, and setting this flag to $false is not
recommended.
To restrict the default permissions for guest users

Default permissions for guest users can be restricted in the following ways:
NOTE
The guests user access restrictions setting replaced the Guest users permissions are limited setting. For guidance
on using this feature, see Restrict guest access permissions (preview) in Azure Active Directory.
Guests user access restrictions (Preview) Setting this option to Guest users have the same access as
members grants all member user permissions to guest
users by default.
Setting this option to Guest user access is restricted to
properties and memberships of their own directory
objects restricts guest access to only their own user
profile by default. Access to other users are no longer
allowed even when searching by User Principal Name or
objectId. Access to groups including groups
memberships is also no longer allowed. This setting
does not prevent access to groups in other Microsoft
services like Microsoft Teams. See to learn more.
Microsof t Teams Guest access
Guest users can still be added to administrator roles

regardless of this permission settings.
Guests can invite Setting this option to Yes allows guests to invite other
guests. See Delegate invitations for B2B collaboration to
learn more.
Members can invite Members can invite Setting this option to Yes allows non-
admin members of your directory to invite guests. See
Delegate invitations for B2B collaboration to learn more.
Admins and users in the guest inviter role can invite Setting this option to Yes allows admins and users in the
"Guest Inviter" role to invite guests. When set to Yes, users
in the Guest inviter role will still be able to invite guests,
regardless of the Members can invite setting. See Delegate
invitations for B2B collaboration to learn more.
Object ownership
Application registration owner permissions
When a user registers an application, they are automatically added as an owner for the application. As an
owner, they can manage the metadata of the application, such as the name and permissions the app requests.
They can also manage the tenant-specific configuration of the application, such as the SSO configuration and
user assignments. An owner can also add or remove other owners. Unlike Global Administrators, owners can
only manage applications they own.
Enterprise application owner permissions
When a user adds a new enterprise application, they are automatically added as an owner. As an owner, they
can manage the tenant-specific configuration of the application, such as the SSO configuration, provisioning,
and user assignments. An owner can also add or remove other owners. Unlike Global Administrators, owners
can manage only the applications they own.
Group owner permissions
When a user creates a group, they are automatically added as an owner for that group. As an owner, they can
manage properties of the group such as the name, as well as manage group membership. An owner can also
add or remove other owners. Unlike Global administrators and User administrators, owners can only manage
groups they own. To assign a group owner, see Managing owners for a group.
Ownership Permissions
The following tables describe the specific permissions in Azure Active Directory member users have over
owned objects. The user only has these permissions on objects they own.
Owned application registrations
Users can perform the following actions on owned application registrations.
A C T IO N S DESC RIP T IO N
microsoft.directory/applications/audience/update Update applications.audience property in Azure Active

Directory.
microsoft.directory/applications/authentication/update Update applications.authentication property in Azure Active

Directory.
microsoft.directory/applications/basic/update Update basic properties on applications in Azure Active

Directory.
microsoft.directory/applications/credentials/update Update applications.credentials property in Azure Active

Directory.
microsoft.directory/applications/delete Delete applications in Azure Active Directory.
microsoft.directory/applications/owners/update Update applications.owners property in Azure Active

Directory.
microsoft.directory/applications/permissions/update Update applications.permissions property in Azure Active

Directory.
microsoft.directory/applications/policies/update Update applications.policies property in Azure Active

Directory.
microsoft.directory/applications/restore Restore applications in Azure Active Directory.
Owned enterprise applications

Users can perform the following actions on owned enterprise applications. An enterprise application is made
up of service principal, one or more application policies, and sometimes an application object in the same
tenant as the service principal.
microsoft.directory/auditLogs/allProperties/read Read all properties (including privileged properties) on

auditLogs in Azure Active Directory.
microsoft.directory/policies/basic/update Update basic properties on policies in Azure Active

Directory.
microsoft.directory/policies/delete Delete policies in Azure Active Directory.
microsoft.directory/policies/owners/update Update policies.owners property in Azure Active Directory.
microsoft.directory/servicePrincipals/appRoleAssignedTo/up Update servicePrincipals.appRoleAssignedTo property in

date Azure Active Directory.
microsoft.directory/servicePrincipals/appRoleAssignments/u Update users.appRoleAssignments property in Azure Active

pdate Directory.
microsoft.directory/servicePrincipals/audience/update Update servicePrincipals.audience property in Azure Active

Directory.
microsoft.directory/servicePrincipals/authentication/update Update servicePrincipals.authentication property in Azure

Active Directory.
microsoft.directory/servicePrincipals/basic/update Update basic properties on servicePrincipals in Azure Active

Directory.
microsoft.directory/servicePrincipals/credentials/update Update servicePrincipals.credentials property in Azure

Active Directory.
microsoft.directory/servicePrincipals/delete Delete servicePrincipals in Azure Active Directory.
microsoft.directory/servicePrincipals/owners/update Update servicePrincipals.owners property in Azure Active

Directory.
microsoft.directory/servicePrincipals/permissions/update Update servicePrincipals.permissions property in Azure

Active Directory.
microsoft.directory/servicePrincipals/policies/update Update servicePrincipals.policies property in Azure Active

Directory.
microsoft.directory/signInReports/allProperties/read Read all properties (including privileged properties) on

signInReports in Azure Active Directory.
Owned devices
Users can perform the following actions on owned devices.
microsoft.directory/devices/bitLockerRecoveryKeys/read Read devices.bitLockerRecoveryKeys property in Azure

Active Directory.
microsoft.directory/devices/disable Disable devices in Azure Active Directory.
Owned groups
Users can perform the following actions on owned groups.
microsoft.directory/groups/appRoleAssignments/update Update groups.appRoleAssignments property in Azure

Active Directory.
microsoft.directory/groups/basic/update Update basic properties on groups in Azure Active

Directory.
microsoft.directory/groups/delete Delete groups in Azure Active Directory.
microsoft.directory/groups/dynamicMembershipRule/updat Update groups.dynamicMembershipRule property in Azure

e Active Directory.
microsoft.directory/groups/members/update Update groups.members property in Azure Active

Directory.
microsoft.directory/groups/owners/update Update groups.owners property in Azure Active Directory.
microsoft.directory/groups/restore Restore groups in Azure Active Directory.
microsoft.directory/groups/settings/update Update groups.settings property in Azure Active Directory.
Next steps
To learn more about the guests user access restrictions setting, see Restrict guest access permissions
(preview) in Azure Active Directory.
To learn more about how to assign Azure AD administrator roles, see Assign a user to administrator roles
in Azure Active Directory
To learn more about how resource access is controlled in Microsoft Azure, see Understanding resource
access in Azure
For more information on how Azure Active Directory relates to your Azure subscription, see How Azure
subscriptions are associated with Azure Active Directory
Manage users
Classic subscription administrator roles, Azure roles,
and Azure AD roles
If you are new to Azure, you may find it a little challenging to understand all the different roles in Azure. This
article helps explain the following roles and when you would use each:
Classic subscription administrator roles
Azure roles
Azure Active Directory (Azure AD) roles
How the roles are related

To better understand roles in Azure, it helps to know some of the history. When Azure was initially released, access
to resources was managed with just three administrator roles: Account Administrator, Service Administrator, and
Co-Administrator. Later, Azure role-based access control (Azure RBAC) was added. Azure RBAC is a newer
authorization system that provides fine-grained access management to Azure resources. Azure RBAC includes
many built-in roles, can be assigned at different scopes, and allows you to create your own custom roles. To
manage resources in Azure AD, such as users, groups, and domains, there are several Azure AD roles.
The following diagram is a high-level view of how the classic subscription administrator roles, Azure roles, and
Azure AD roles are related.
Classic subscription administrator roles

Account Administrator, Service Administrator, and Co-Administrator are the three classic subscription
administrator roles in Azure. Classic subscription administrators have full access to the Azure subscription. They
can manage resources using the Azure portal, Azure Resource Manager APIs, and the classic deployment model
APIs. The account that is used to sign up for Azure is automatically set as both the Account Administrator and
Service Administrator. Then, additional Co-Administrators can be added. The Service Administrator and the Co-
Administrators have the equivalent access of users who have been assigned the Owner role (an Azure role) at the
subscription scope. The following table describes the differences between these three classic subscription
administrative roles.
C L A SSIC SUB SC RIP T IO N

A DM IN IST RATO R L IM IT P ERM ISSIO N S N OT ES
Account Administrator 1 per Azure account Access the Azure Conceptually, the billing
Account Center owner of the subscription.
Manage all The Account Administrator
subscriptions in an has no access to the Azure
account portal.
Create new
subscriptions
Cancel subscriptions
Change the billing
for a subscription
Change the Service
Administrator
Service Administrator 1 per Azure subscription Manage services in By default, for a new
the Azure portal subscription, the Account
Cancel the Administrator is also the
subscription Service Administrator.
Assign users to the The Service Administrator
Co-Administrator has the equivalent access of
role a user who is assigned the
Owner role at the
subscription scope.
The Service Administrator
has full access to the Azure
portal.
Co-Administrator 200 per subscription Same access The Co-Administrator has

privileges as the the equivalent access of a
Service user who is assigned the
Administrator, but Owner role at the
can’t change the subscription scope.
association of
subscriptions to
Azure directories
Assign users to the
Co-Administrator
role, but cannot
change the Service
Administrator
In the Azure portal, you can manage Co-Administrators or view the Service Administrator by using the Classic
administrators tab.
In the Azure portal, you can view or change the Service Administrator or view the Account Administrator on the
properties blade of your subscription.
For more information, see Azure classic subscription administrators.

Azure account and Azure subscriptions
An Azure account represents a billing relationship. An Azure account is a user identity, one or more Azure
subscriptions, and an associated set of Azure resources. The person who creates the account is the Account
Administrator for all subscriptions created in that account. That person is also the default Service Administrator
for the subscription.
Azure subscriptions help you organize access to Azure resources. They also help you control how resource usage
is reported, billed, and paid for. Each subscription can have a different billing and payment setup, so you can have
different subscriptions and different plans by office, department, project, and so on. Every service belongs to a
subscription, and the subscription ID may be required for programmatic operations.
Each subscription is associated with an Azure AD directory. To find the directory the subscription is associated
with, open Subscriptions in the Azure portal and then select a subscription to see the directory.
Accounts and subscriptions are managed in the Azure Account Center.
Azure roles
Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access
management to Azure resources, such as compute and storage. Azure RBAC includes over 70 built-in roles. There
are four fundamental Azure roles. The first three apply to all resource types:
A Z URE RO L E P ERM ISSIO N S N OT ES
Owner Full access to all resources The Service Administrator and Co-
Delegate access to others Administrators are assigned the Owner
role at the subscription scope
Applies to all resource types.
Contributor Create and manage all of types Applies to all resource types.
of Azure resources
Create a new tenant in Azure
Active Directory
Cannot grant access to others
Reader View Azure resources Applies to all resource types.
User Access Administrator Manage user access to Azure

resources
The rest of the built-in roles allow management of specific Azure resources. For example, the Virtual Machine
Contributor role allows the user to create and manage virtual machines. For a list of all the built-in roles, see Azure
built-in roles.
Only the Azure portal and the Azure Resource Manager APIs support Azure RBAC. Users, groups, and applications
that are assigned Azure roles cannot use the Azure classic deployment model APIs.
In the Azure portal, role assignments using Azure RBAC appear on the Access control (IAM) blade. This blade
can be found throughout the portal, such as management groups, subscriptions, resource groups, and various
resources.
When you click the Roles tab, you will see the list of built-in and custom roles.
For more information, see Add or remove Azure role assignments using the Azure portal.
Azure AD roles
Azure AD roles are used to manage Azure AD resources in a directory such as create or edit users, assign
administrative roles to others, reset user passwords, manage user licenses, and manage domains. The following
table describes a few of the more important Azure AD roles.
A Z URE A D RO L E P ERM ISSIO N S N OT ES
Global Administrator Manage access to all The person who signs up for the Azure
administrative features in Azure Active Directory tenant becomes a
Active Directory, as well as Global Administrator.
services that federate to Azure
Active Directory
Assign administrator roles to
others
Reset the password for any user
and all other administrators
User Administrator Create and manage all aspects

of users and groups
Manage support tickets
Monitor service health
Change passwords for users,
Helpdesk administrators, and
other User Administrators
Billing Administrator Make purchases

Manage subscriptions
Manage support tickets
Monitors service health
In the Azure portal, you can see the list of Azure AD roles on the Roles and administrators blade. For a list of all
the Azure AD roles, see Administrator role permissions in Azure Active Directory.
Differences between Azure roles and Azure AD roles
At a high level, Azure roles control permissions to manage Azure resources, while Azure AD roles control
permissions to manage Azure Active Directory resources. The following table compares some of the differences.
A Z URE RO L ES A Z URE A D RO L ES
Manage access to Azure resources Manage access to Azure Active Directory resources
Supports custom roles Supports custom roles
Scope can be specified at multiple levels (management group, Scope is at the tenant level
subscription, resource group, resource)
Role information can be accessed in Azure portal, Azure CLI, Role information can be accessed in Azure admin portal,
Azure PowerShell, Azure Resource Manager templates, REST Microsoft 365 admin center, Microsoft Graph, AzureAD
API PowerShell
Do Azure roles and Azure AD roles overlap?

By default, Azure roles and Azure AD roles do not span Azure and Azure AD. However, if a Global Administrator
elevates their access by choosing the Access management for Azure resources switch in the Azure portal, the
Global Administrator will be granted the User Access Administrator role (an Azure role) on all subscriptions for a
particular tenant. The User Access Administrator role enables the user to grant other users access to Azure
resources. This switch can be helpful to regain access to a subscription. For more information, see Elevate access
to manage all Azure subscriptions and management groups.
Several Azure AD roles span Azure AD and Microsoft Office 365, such as the Global Administrator and User
Administrator roles. For example, if you are a member of the Global Administrator role, you have global
administrator capabilities in Azure AD and Office 365, such as making changes to Microsoft Exchange and
Microsoft SharePoint. However, by default, the Global Administrator doesn't have access to Azure resources.
Next steps
What is Azure role-based access control (Azure RBAC)?
Administrator role permissions in Azure Active Directory
Azure classic subscription administrators
What is group-based licensing in Azure Active
Directory?
Microsoft paid cloud services, such as Office 365, Enterprise Mobility + Security, Dynamics 365, and other similar
products, require licenses. These licenses are assigned to each user who needs access to these services. To manage
licenses, administrators use one of the management portals (Office or Azure) and PowerShell cmdlets. Azure
Active Directory (Azure AD) is the underlying infrastructure that supports identity management for all Microsoft
cloud services. Azure AD stores information about license assignment states for users.
Until now, licenses could only be assigned at the individual user level, which can make large-scale management
difficult. For example, to add or remove user licenses based on organizational changes, such as users joining or
leaving the organization or a department, an administrator often must write a complex PowerShell script. This
script makes individual calls to the cloud service.
To address those challenges, Azure AD now includes group-based licensing. You can assign one or more product
licenses to a group. Azure AD ensures that the licenses are assigned to all members of the group. Any new
members who join the group are assigned the appropriate licenses. When they leave the group, those licenses are
removed. This licensing management eliminates the need for automating license management via PowerShell to
reflect changes in the organization and departmental structure on a per-user basis.
Licensing requirements
You must have one of the following licenses to use group-based licensing:
Paid or trial subscription for Azure AD Premium P1 and above
Paid or trial edition of Office 365 Enterprise E3 or Office 365 A3 or Office 365 GCC G3 or Office 365 E3 for
GCCH or Office 365 E3 for DOD and above
Required number of licenses
For any groups assigned a license, you must also have a license for each unique member. While you don't have to
assign each member of the group a license, you must have at least enough licenses to include all of the members.
For example, if you have 1,000 unique members who are part of licensed groups in your tenant, you must have at
least 1,000 licenses to meet the licensing agreement.
Features
Here are the main features of group-based licensing:
Licenses can be assigned to any security group in Azure AD. Security groups can be synced from on-
premises, by using Azure AD Connect. You can also create security groups directly in Azure AD (also called
cloud-only groups), or automatically via the Azure AD dynamic group feature.
When a product license is assigned to a group, the administrator can disable one or more service plans in
the product. Typically, this assignment is done when the organization is not yet ready to start using a
service included in a product. For example, the administrator might assign Office 365 to a department, but
temporarily disable the Yammer service.
All Microsoft cloud services that require user-level licensing are supported. This support includes all Office
365 products, Enterprise Mobility + Security, and Dynamics 365.
Group-based licensing is currently available only through the Azure portal. If you primarily use other
management portals for user and group management, such as the Microsoft 365 admin center, you can
continue to do so. But you should use the Azure portal to manage licenses at group level.
Azure AD automatically manages license modifications that result from group membership changes.
Typically, license modifications are effective within minutes of a membership change.
A user can be a member of multiple groups with license policies specified. A user can also have some
licenses that were directly assigned, outside of any groups. The resulting user state is a combination of all
assigned product and service licenses. If a user is assigned same license from multiple sources, the license
will be consumed only once.
In some cases, licenses cannot be assigned to a user. For example, there might not be enough available
licenses in the tenant, or conflicting services might have been assigned at the same time. Administrators
have access to information about users for whom Azure AD could not fully process group licenses. They
can then take corrective action based on that information.
Your feedback is welcome!

If you have feedback or feature requests, share them with us using the Azure AD admin forum.
Next steps
To learn more about other scenarios for license management through group-based licensing, see:
Assigning licenses to a group in Azure Active Directory
Identifying and resolving license problems for a group in Azure Active Directory
How to migrate individual licensed users to group-based licensing in Azure Active Directory
How to migrate users between product licenses using group-based licensing in Azure Active Directory
Azure Active Directory group-based licensing additional scenarios
PowerShell examples for group-based licensing in Azure Active Directory
Manage app and resource access using Azure Active
Directory groups
Azure Active Directory (Azure AD) lets you use groups to manage access to your cloud-based apps, on-premises
apps, and your resources. Your resources can be part of the Azure AD organization, such as permissions to manage
objects through roles in Azure AD, or external to the organization, such as for Software as a Service (SaaS) apps,
Azure services, SharePoint sites, and on-premises resources.
NOTE
In the Azure portal, you can see some groups whose membership and group details you can't manage in the portal:
Groups synced from on-premises Active Directory can be managed only in on-premises Active Directory.
Other group types such as distribution lists and mail-enabled security groups are managed only in Exchange admin center
or Microsoft 365 admin center. You must sign in to Exchange admin center or Microsoft 365 admin center to manage
these groups.
How access management in Azure AD works

Azure AD helps you give access to your organization's resources by providing access rights to a single user or to an
entire Azure AD group. Using groups lets the resource owner (or Azure AD directory owner), assign a set of access
permissions to all the members of the group, instead of having to provide the rights one-by-one. The resource or
directory owner can also give management rights for the member list to someone else, such as a department
manager or a Helpdesk administrator, letting that person add and remove members, as needed. For more
information about how to manage group owners, see Manage group owners
Ways to assign access rights

There are four ways to assign resource access rights to your users:
Direct assignment. The resource owner directly assigns the user to the resource.
Group assignment. The resource owner assigns an Azure AD group to the resource, which automatically
gives all of the group members access to the resource. Group membership is managed by both the group
owner and the resource owner, letting either owner add or remove members from the group. For more
information about adding or removing group membership, see How to: Add or remove a group from
another group using the Azure Active Directory portal.
Rule-based assignment. The resource owner creates a group and uses a rule to define which users are
assigned to a specific resource. The rule is based on attributes that are assigned to individual users. The
resource owner manages the rule, determining which attributes and values are required to allow access the
resource. For more information, see Create a dynamic group and check status.
You can also Watch this short video for a quick explanation about creating and using dynamic groups:
External authority assignment. Access comes from an external source, such as an on-premises directory
or a SaaS app. In this situation, the resource owner assigns a group to provide access to the resource and
then the external source manages the group members.
Can users join groups without being assigned?

The group owner can let users find their own groups to join, instead of assigning them. The owner can also set up
the group to automatically accept all users that join or to require approval.
After a user requests to join a group, the request is forwarded to the group owner. If it's required, the owner can
approve the request and the user is notified of the group membership. However, if you have multiple owners and
one of them disapproves, the user is notified, but isn't added to the group. For more information and instructions
about how to let your users request to join groups, see Set up Azure AD so users can request to join groups
Next steps
Now that you have a bit of an introduction to access management using groups, you start to manage your
resources and apps.
Create a new group using Azure Active Directory or Create and manage a new group using PowerShell
cmdlets
Use groups to assign access to an integrated SaaS app
Sync an on-premises group to Azure using Azure AD Connect
Add or delete users using Azure Active Directory
Add new users or delete existing users from your Azure Active Directory (Azure AD) organization. To add or
delete users you must be a User administrator or Global administrator.
Add a new user

You can create a new user using the Azure Active Directory portal.
To add a new user, follow these steps:
3. Select Users , and then select New user .
4. On the User page, enter information for this user:

Name . Required. The first and last name of the new user. For example, Mary Parker.
User name . Required. The user name of the new user. For example, mary@contoso.com .
The domain part of the user name must use either the initial default domain name,
<yourdomainname>.onmicrosoft.com, or a custom domain name, such as contoso.com. For more
information about how to create a custom domain name, see Add your custom domain name using
the Azure Active Directory portal.
Groups . Optionally, you can add the user to one or more existing groups. You can also add the user
to groups at a later time. For more information about adding users to groups, see Create a basic
group and add members using Azure Active Directory.
Director y role : If you require Azure AD administrative permissions for the user, you can add them
to an Azure AD role. You can assign the user to be a Global administrator or one or more of the
limited administrator roles in Azure AD. For more information about assigning roles, see How to
assign roles to users.
Job info : You can add more information about the user here, or do it later. For more information
about adding user info, see How to add or change user profile information.
5. Copy the autogenerated password provided in the Password box. You'll need to give this password to the
user to sign in for the first time.
6. Select Create .
The user is created and added to your Azure AD organization.
Add a new guest user

You can also invite new guest user to collaborate with your organization by selecting Invite user from the New
user page. If your organization's external collaboration settings are configured such that you're allowed to invite
guests, the user will be emailed an invitation they must accept in order to begin collaborating. For more
information about inviting B2B collaboration users, see Invite B2B users to Azure Active Directory
Add a consumer user

There might be scenarios in which you want to manually create consumer accounts in your Azure Active
Directory B2C (Azure AD B2C) directory. For more information about creating consumer accounts, see Create and
delete consumer users in Azure AD B2C.
Add a new user within a hybrid environment

If you have an environment with both Azure Active Directory (cloud) and Windows Server Active Directory (on-
premises), you can add new users by syncing the existing user account data. For more information about hybrid
environments and users, see Integrate your on-premises directories with Azure Active Directory.
Delete a user
You can delete an existing user using Azure Active Directory portal.
To delete a user, follow these steps:
1. Sign in to the Azure portal using a User administrator account for the organization.
3. Search for and select the user you want to delete from your Azure AD tenant. For example, Mary Parker.
4. Select Delete user .
The user is deleted and no longer appears on the Users - All users page. The user can be seen on the Deleted
users page for the next 30 days and can be restored during that time. For more information about restoring a
user, see Restore or remove a recently deleted user using Azure Active Directory.
When a user is deleted, any licenses consumed by the user are made available for other users.
NOTE
You must use Windows Server Active Directory to update the identity, contact information, or job information for users
whose source of authority is Windows Server Active Directory. After you complete your update, you must wait for the next
Next steps
After you've added your users, you can do the following basic processes:
Work with dynamic groups and users
Or you can do other user management tasks, such as adding guest users from another directory or restoring a
deleted user. For more information about other available actions, see Azure Active Directory user management
documentation.
Bulk create users in Azure Active Directory
Azure Active Directory (Azure AD) supports bulk user create and delete operations and supports downloading lists
of users. Just fill out comma-separated values (CSV) template you can download from the Azure AD portal.
Required permissions
In order to bulk create users in the administration portal, you must be signed in as a Global administrator or User
administrator.
Understand the CSV template

Download and fill in the bulk upload CSV template to help you successfully create Azure AD users in bulk. The CSV
template you download might look like this example:
WARNING
If you are adding only one entry using the CSV template, you must preserve row 3 and add your new entry to row 4.
CSV template structure

The rows in a downloaded CSV template are as follows:
Version number : The first row containing the version number must be included in the upload CSV.
Column headings : The format of the column headings is <Item name> [PropertyName] <Required or blank>.
For example, Name [displayName] Required . Some older versions of the template might have slight variations.
Examples row : We have included in the template a row of examples of acceptable values for each column. You
must remove the examples row and replace it with your own entries.
Additional guidance
The first two rows of the upload template must not be removed or modified, or the upload can't be processed.
The required columns are listed first.
We don't recommend adding new columns to the template. Any additional columns you add are ignored and
not processed.
We recommend that you download the latest version of the CSV template as often as possible.
Make sure to check there is no unintended whitespace before/after any field. For User principal name , having
such whitespace would cause import failure.
To create users in bulk
1. Sign in to your Azure AD organization with an account that is a User administrator in the organization.
2. In Azure AD, select Users > Bulk create .
3. On the Bulk create user page, select Download to receive a valid comma-separated values (CSV) file of
user properties, and then add add users you want to create.
4. Open the CSV file and add a line for each user you want to create. The only required values are Name , User
principal name , Initial password and Block sign in (Yes/No) . Then save the file.
5. On the Bulk create user page, under Upload your CSV file, browse to the file. When you select the file and
click Submit , validation of the CSV file starts.
6. After the file contents are validated, you’ll see File uploaded successfully . If there are errors, you must fix
them before you can submit the job.
7. When your file passes validation, select Submit to start the Azure bulk operation that imports the new
users.
8. When the import operation completes, you'll see a notification of the bulk operation job status.
If there are errors, you can download and view the results file on the Bulk operation results page. The file
contains the reason for each error. The file submission must match the provided template and include the exact
column names.
Check status
You can see the status of all of your pending bulk requests in the Bulk operation results page.
Next, you can check to see that the users you created exist in the Azure AD organization either in the Azure portal
or by using PowerShell.
Verify users in the Azure portal

1. Sign in to the Azure AD admin center with an account that is a User administrator in the organization.
2. In the navigation pane, select Azure Active Director y .
3. Under Manage , select Users .
4. Under Show , select All users and verify that the users you created are listed.
Verify users with PowerShell
Run the following command:
Get-AzureADUser -Filter "UserType eq 'Member'"
You should see that the users that you created are listed.
Bulk import service limits

Each bulk activity to create users can run for up to one hour. This enables bulk creation of at least 50,000 users.
Next steps
Bulk delete users
Download list of users
Bulk restore users
Add or update a user's profile information using
Add user profile information, including a profile picture, job-specific information, and some settings using Azure
Active Directory (Azure AD). For more information about adding new users, see How to add or delete users in
Azure Active Directory.

As you'll see, there's more information available in a user's profile than what you're able to add during the user's
creation. All this additional information is optional and can be added as needed by your organization.
To add or change profile information

2. Select Azure Active Director y , select Users , and then select a user. For example, Alain Charon.
The Alain Charon - Profile page appears.
3. Select Edit to optionally add or update the information included in each of the available sections.
Profile picture. Select a thumbnail image for the user's account. This picture appears in Azure
Active Directory and on the user's personal pages, such as the myapps.microsoft.com page.
Identity. Add or update an additional identity value for the user, such as a married last name. You
can set this name independently from the values of First name and Last name. For example, you
could use it to include initials, a company name, or to change the sequence of names shown. In
another example, for two users whose names are ‘Chris Green’ you could use the Identity string to
set their names to 'Chris B. Green' 'Chris R. Green (Contoso).'
Job info. Add any job-related information, such as the user's job title, department, or manager.
Settings. Decide whether the user can sign in to Azure Active Directory tenant. You can also specify
the user's global location.
Contact info. Add any relevant contact information for the user, except for some user's phone or
mobile contact info (only a global administrator can update for users in administrator roles).
Authentication contact info. Verify this information to make sure there's an active phone
number and email address for the user. This information is used by Azure Active Directory to make
sure the user is really the user during sign-in. Authentication contact info can be updated only by a
global administrator.
4. Select Save .
All your changes are saved for the user.
NOTE
You must use Windows Server Active Directory to update the identity, contact info, or job info for users whose
source of authority is Windows Server Active Directory. After you complete your update, you must wait for the next
Next steps
After you've updated your users' profiles, you can perform the following basic processes:
Add or delete users
Or you can perform other user management tasks, such as assigning delegates, using policies, and sharing user
accounts. For more information about other available actions, see Azure Active Directory user management
documentation.
Manage your users with My Staff (preview)
My Staff enables you to delegate to a figure of authority, such as a store manager or a team lead, the permissions to
ensure that their staff members are able access to their Azure AD accounts. Instead of relying on a central helpdesk,
organizations can delegate common tasks such as resetting passwords or changing phone numbers to a team
manager. With My Staff, a user who can't access their account can regain access in just a couple of clicks, with no
helpdesk or IT staff required.
Before you configure My Staff for your organization, we recommend that you review this documentation as well as
the user documentation to ensure you understand the functionality and impact of this feature on your users. You
can leverage the user documentation to train and prepare your users for the new experience and help to ensure a
successful rollout.
SMS-based authentication for users is a public preview feature of Azure Active Directory. For more information
about previews, see Supplemental Terms of Use for Microsoft Azure Previews
How My Staff works

My Staff is based on administrative units (AUs), which are a container of resources which can be used to restrict the
scope of a role assignment's administrative control. In My Staff, AUs are used to define a subset of an organization's
users such as a store or department. Then, for example, a team manager could be assigned to a role whose scope is
one or more AUs. In the example below, the user has been granted the Authentication Administrative role, and the
three AUs are the scope of the role. For more information about administrative units, see Administrative units
management in Azure Active Directory.
Before you begin

To complete this article, you need the following resources and privileges:
An active Azure subscription.
If you don't have an Azure subscription, create an account.
An Azure Active Directory tenant associated with your subscription.
If needed, create an Azure Active Directory tenant or associate an Azure subscription with your account.
You need Global administrator privileges in your Azure AD tenant to enable SMS-based authentication.
Each user that's enabled in the text message authentication method policy must be licensed, even if they
don't use it. Each enabled user must have one of the following Azure AD or Microsoft 365 licenses:
Azure AD Premium P1 or P2
Microsoft 365 (M365) F1 or F3
Enterprise Mobility + Security (EMS) E3 or E5 or Microsoft 365 (M365) E3 or E5
How to enable My Staff

Once you have configured AUs, you can apply this scope to your users who access My Staff. Only users who are
assigned an administrative role can access My Staff. To enable My Staff, complete the following steps:
1. Sign into the Azure portal as a User administrator.
2. Browse to Azure Active Director y > User settings > User feature previews > Manage user feature
preview settings .
3. Under Administrators can access My Staff , you can choose to enable for all users, selected users, or no user
access.
NOTE
Only users who've been assigned an admin role can access My Staff. If you enable My Staff for a user who is not assigned an
admin role, they won't be able to access My Staff.
Conditional access
You can protect the My Staff portal using Azure AD Conditional Access policy. Use it for tasks like requiring multi-
factor authentication before accessing My Staff.
We strongly recommend that you protect My Staff using Azure AD Conditional Access policies. To apply a
Conditional Access policy to My Staff, you must manually create the My Staff service principal using PowerShell.
Apply a Conditional Access policy to My Staff
1. Install the Microsoft Graph Beta PowerShell cmdlets.
2. Run the following commands:
Connect-Graph -Scopes "Directory.AccessAsUser.All"

New-MgServicePrincipal -DisplayName "My Staff" -AppId "ba9ff945-a723-4ab5-a977-bd8c9044fe61"
3. Create a Conditional Access policy that applies to the My Staff cloud application.
Using My Staff
When a user goes to My Staff, they are shown the names of the administrative units over which they have
administrative permissions. In the My Staff user documentation, we use the term "location" to refer to
administrative units. If an administrator's permissions do not have an AU scope, the permissions apply across the
organization. After My Staff has been enabled, the users who are enabled and have been assigned an administrative
role can access it through https://mystaff.microsoft.com. They can select an AU to view the users in that AU, and
select a user to open their profile.
Reset a user's password

The following roles have permission to reset a user's password:
Authentication administrator
Privileged authentication administrator
Helpdesk administrator
User administrator
Password administrator
From My Staff , open a user's profile. Select Reset password .
If the user is cloud-only, you can see a temporary password that you can give to the user.
If the user is synced from on-premises Active Directory, you can enter a password that meets your on-
premises AD policies. You can then give that password to the user.
The user is required to change their password the next time they sign in.
Manage a phone number

From My Staff , open a user's profile.
Select Add phone number section to add a phone number for the user
Select Edit phone number to change the phone number
Select Remove phone number to remove the phone number for the user
Depending on your settings, the user can then use the phone number you set up to sign in with SMS, perform
multi-factor authentication, and perform self-service password reset.
To manage a user's phone number, you must be assigned one of the following roles:
Authentication administrator
Privileged authentication administrator
Search
You can search for AUs and users in your organization using the search bar in My Staff. You can search across all
AUs and users in your organization, but you can only make changes to users who are in a AU over which you have
been given admin permissions.
You can also search for a user within an AU. To do this, use the search bar at the top of the user list.
Audit logs
You can view audit logs for actions taken in My Staff in the Azure Active Directory portal. If an audit log was
generated by an action taken in My Staff, you will see this indicated under ADDITIONAL DETAILS in the audit event.
Next steps
My Staff user documentation Administrative units documentation
Download a list of users in Azure Active Directory
portal
Azure Active Directory (Azure AD) supports bulk user import (create) operations.
To download the list of users from the Azure AD admin center, you must be signed in with a user assigned to one
or more organization-level administrator roles in Azure AD (User Administrator is the minimum role required).
Guest inviter and application developer are not considered administrator roles.
To download a list of users

1. Sign in to your Azure AD organization with a User administrator account in the organization.
2. Navigate to Azure Active Directory > Users. Then select the users you wish to include in the download by
ticking the box in the left column next to each user. Note: At this time, there is no way to select all users for
export. Each one must be individually selected.
3. In Azure AD, select Users > Download users .
4. On the Download users page, select Star t to receive a CSV file listing user profile properties. If there are
errors, you can download and view the results file on the Bulk operation results page. The file contains the
reason for each error.
The download file will contain the filtered list of users.

The following user attributes are included:
userPrincipalName
displayName
surname
mail
givenName
objectId
userType
jobTitle
department
accountEnabled
usageLocation
streetAddress
state
country
physicalDeliveryOfficeName
city
postalCode
telephoneNumber
mobile
authenticationPhoneNumber
authenticationAlternativePhoneNumber
authenticationEmail
alternateEmailAddress
ageGroup
consentProvidedForMinor
legalAgeGroupClassification
Check status
You can see the status of your pending bulk requests in the Bulk operation results page.
Bulk download service limits

Each bulk activity to create a list of users can run for up to one hour. This enables creation and download of a list of
at least 500,000 users.
Next steps
Bulk add users
Bulk delete users
Bulk restore users
Sharing accounts with Azure AD
Overview
Sometimes organizations need to use a single username and password for multiple people, which typically
happens in two cases:
When accessing applications that require a unique sign in and password for each user, whether on-premises
apps or consumer cloud services (for example, corporate social media accounts).
When creating multi-user environments. You might have a single, local account that has elevated privileges and
is used to do core setup, administration, and recovery activities. For example, the local "global administrator"
account for Office 365 or the root account in Salesforce.
Traditionally, these accounts are shared by distributing the credentials (username and password) to the right
individuals or storing them in a shared location where multiple trusted agents can access them.
The traditional sharing model has several drawbacks:
Enabling access to new applications requires you to distribute credentials to everyone that needs access.
Each shared application may require its own unique set of shared credentials, requiring users to remember
multiple sets of credentials. When users have to remember many credentials, the risk increases that they resort
to risky practices. (for example, writing down passwords).
You can't tell who has access to an application.
You can't tell who has accessed an application.
When you want to remove access to an application, you have to update the credentials and redistribute them to
everyone that needs access to that application.
Azure Active Directory account sharing

Azure AD provides a new approach to using shared accounts that eliminates these drawbacks.
The Azure AD administrator configures which applications a user can access by using the Access Panel and
choosing the type of single sign-on best suited for that application. One of those types, password-based single-sign
on, lets Azure AD act as a kind of "broker" during the sign-on process for that app.
Users sign in once with their organizational account. This account is the same one they regularly use to access their
desktop or email. They can discover and access only those applications that they are assigned to. With shared
accounts, this list of applications can include any number of shared credentials. The end-user doesn't need to
remember or write down the various accounts they might be using.
Shared accounts not only increase oversight and improve usability, they also enhance your security. Users with
permissions to use the credentials don't see the shared password, but rather get permissions to use the password
as part of an orchestrated authentication flow. Further, some password SSO applications give you the option of
using Azure AD to periodically rollover (update) passwords. The system uses large, complex passwords, which
increases account security. The administrator can easily grant or revoke access to an application, knows who has
access to the account, and who has accessed it in the past.
Azure AD supports shared accounts for any Enterprise Mobility Suite (EMS) or Azure AD Premium license plan,
across all types of password single sign-on applications. You can share accounts for any of thousands of pre-
integrated applications in the application gallery and can add your own password-authenticating application with
custom SSO apps.
Azure AD features that enable account sharing include:
Password single sign-on
Password single sign-on agent
Group assignment
Custom Password apps
App usage dashboard/reports
End-user access portals
App proxy
Active Directory Marketplace
Sharing an account
To use Azure AD to share an account, you need to:
Add an application app gallery or custom application
Configure the application for password Single Sign-On (SSO)
Use group-based assignment and select the option to enter a shared credential
You can also make your shared account more secure with Multi-Factor Authentication (MFA) (learn more about
securing applications with Azure AD) and you can delegate the ability to manage who has access to the application
using Azure AD self-service group management.
Next steps
Application Management in Azure Active Directory
Protecting apps with Conditional Access
Self-service group management/SSAA
Assign administrator and non-administrator roles to
users with Azure Active Directory
In Azure Active Directory (Azure AD), if one of your users needs permission to manage Azure AD resources, you
must assign them to a role that provides the permissions they need. For info on which roles manage Azure
resources and which roles manage Azure AD resources, see Classic subscription administrator roles, Azure roles,
and Azure AD roles.
For more information about the available Azure AD roles, see Assigning administrator roles in Azure Active
Directory. To add users, see Add new users to Azure Active Directory.
Assign roles
A common way to assign Azure AD roles to a user is on the Assigned roles page for a user. You can also configure
the user eligibility to be elevated just-in-time into a role using Privileged Identity Management (PIM). For more
information about how to use PIM, see Privileged Identity Management.
NOTE
If you have an Azure AD Premium P2 license plan and already use PIM, all role management tasks are performed in the
Privileged Identity Management experience. This feature is currently limited to assigning only one role at a time. You can't
currently select multiple roles and assign them to a user all at once.
Assign a role to a user

1. Go to the Azure portal and sign in using a Global administrator account for the directory.
2. Search for and select Azure Active Director y .
3. Select Users .
4. Search for and select the user getting the role assignment. For example, Alain Charon.
5. On the Alain Charon - Profile page, select Assigned roles .

The Alain Charon - Administrative roles page appears.
6. Select Add assignments , select the role to assign to Alain (for example, Application administrator), and then
choose Select .
The Application administrator role is assigned to Alain Charon and it appears on the Alain Charon -
Administrative roles page.
Remove a role assignment

If you need to remove the role assignment from a user, you can also do that from the Alain Charon -
To remove a role assignment from a user
1. Select Azure Active Director y , select Users , and then search for and select the user getting the role
assignment removed. For example, Alain Charon.
2. Select Assigned roles , select Application administrator , and then select Remove assignment .
The Application administrator role is removed from Alain Charon and it no longer appears on the Alain
Charon - Administrative roles page.
Next steps
Add or delete users
Add guest users from another directory
Other user management tasks you can check out are available in Azure Active Directory user management
documentation.
User management enhancements (preview) in Azure
Active Directory
This article describes how to use the enhanced user management preview in the Azure Active Directory (Azure AD)
portal. The All users and Deleted users pages have been updated to provide more information and make it
easier to find users. For more information about previews, see Supplemental Terms of Use for Microsoft Azure
Previews.
Changes in the preview include:
More visible user properties including object ID, directory sync status, creation type, and identity issuer
Search now allows combined search of names, emails, and object IDs
Enhanced filtering by user type (member and guest), directory sync status, and creation type
NOTE
This preview is currently not available for Azure AD B2C tenants.
Find the preview

The preview is turned on by default, so you can use it right away. You can check out the latest features and
improvements by selecting Preview features on the All users page. All pages that have been updated as part of
this preview will display a preview tag. If you are having any issues, you can switch back to the legacy experience:
1. Sign in to the Azure AD admin center and select Users .
2. From the Users – All users page, select the banner at the top of the page.
3. In the Preview features pane, turn Enhanced user management off.
We appreciate your feedback so that we can improve our experience.
More user properties

We’ve made some changes to the columns available on the All users and Deleted users pages. In addition to the
existing columns we provide for managing your list of users, we've added a few more columns.
All users page
The following are the displayed user properties on the All users page:
Name: The display name of the user.
User principal name: The user principal name (UPN) of the user.
User Type: The user type of the user, either Member or Guest.
Directory synced: Indicates whether the user is synced from an on-premises directory.
Identity issuer: The issuers of the identity used to sign into a user account.
Object ID: The object ID of the user.
Creation type: Indicates how the user account was created.
Company name: The company name which the user is associated.
Invitation state: The status of the invitation for a guest user.
Mail: The email of the user.
Deleted users page

The Deleted users page includes all the columns that are available on the All users page, and a few additional
columns, namely:
Deletion date: The date the user was first deleted from the organization (the user is restorable).
Permanent deletion date: The date the user was permanently deleted from the organization.
Some columns are displayed by default. To add other columns, select Columns on the page, select the column
names you’d like to add, and select OK to save your preferences.
Identity issuers
Select an entry in the Identity issuer column for any user to view additional details about the issuer including the
sign-in type and the issuer assigned ID. The entries in the Identity issuer column can be multi-valued. If there are
multiple issuers of the user's identity, you'll see the word Multiple in the Identity issuer column on All users and
Deleted users pages, and the details pane list all issuers.
NOTE
The Source column is replaced by multiple columns including Creation type , Director y synced , and Identity issuer for
more granular filtering.
User list search

When you enter a search string, the search uses "starts with" search that can now match names, emails, or object
IDs in a single search. You can enter any of these attributes into search box, and the search will automatically look
across all these properties to return any matching results. You can perform the same search on both the All users
and Deleted users pages.
User list filtering

Filtering capabilities have been enhanced to provide more filtering options for the All users and Deleted users
pages. You can now filter by multiple properties simultaneously, and can filter by more properties.
Filtering All users list
The following are the filterable properties on the All users page:
User type - Member or guest
Directory synced status - Yes
Creation type - Invitation, Email verified, Local account
Invitation state – Pending acceptance, Accepted
Administrative unit - Select this option to restrict the scope of the users you view to a single administrative unit.
For more information, see Administrative units management preview.
Filtering Deleted users list

The Deleted users page has additional filters not in the All users page. The following are the filterable properties
on the Deleted users page:
User type - Member or guest
Directory synced status - Yes
Creation type - Invitation, Email verified, Local account
Invitation state – Pending acceptance, Accepted
Deletion date - Last 7, 14, or 30 days
Permanent deletion date - Last 7, 14, or 30 days
Frequently Asked Questions (FAQ)

Q UEST IO N A N SW ER
What happen to the bulk capabilities for users and guests? The bulk operations are all still available for users and guests,
including bulk create, bulk invite, bulk delete, and download
users. We’ve just merged them into a menu called Bulk
operations . You can find the Bulk operations options at
the top of the All users page.
What happened to the Source column? The Source column has been replaced with other columns
that provide similar information, while allowing you to filter on
those values independently. Examples include Creation type ,
Director y synced and Identity issuer .
What happened to the User Name column? The User Name column is still there, but it’s been renamed to
User Principal Name . This better reflects the information
contained in that column. You’ll also notice that the full User
Principal Name is now displayed for B2B guests. This matches
what you’d get in MS Graph.
Why can I only perform a "starts with" search and not a There are some limitations that prevent us from allowing you
"contains" search? to perform a "contains" search. We’ve heard the feedback, so
stay tuned.
Why can’t I sort the columns? There are some limitations that prevent us from allowing you
to sort the columns. We’ve heard the feedback, so stay tuned.
Why can I only filter the Director y synced column by Yes? There are some limitations that prevent us from allowing you
to filter this property by the No value. We’ve heard the
feedback, so stay tuned.
Next steps
User operations
Add or delete users
Bulk operations
Bulk add users
Bulk delete users
Bulk restore users
Bulk delete users in Azure Active Directory
Using Azure Active Directory (Azure AD) portal, you can remove a large number of members to a group by using a
comma-separated values (CSV) file to bulk delete users.

Download and fill in the CSV template to help you successfully delete Azure AD users in bulk. The CSV template
you download might look like this example:

Column headings : The format of the column headings is <Item name> [PropertyName] <Required or
blank>. For example, User name [userPrincipalName] Required . Some older versions of the template might have
slight variations.
Additional guidance
not processed.
To bulk delete users

1. Sign in to your Azure AD organization with an account that is a User administrator in the organization.
2. In Azure AD, select Users > Bulk delete .
3. On the Bulk delete user page, select Download to receive a valid CSV file of user properties.
4. Open the CSV file and add a line for each user you want to delete. The only required value is User
principal name . Then save the file.
5. On the Bulk delete user page, under Upload your csv file , browse to the file. When you select the file
and click submit, validation of the CSV file starts.
6. When the file contents are validated, you’ll see File uploaded successfully . If there are errors, you must
fix them before you can submit the job.
7. When your file passes validation, select Submit to start the Azure bulk operation that deletes the users.
8. When the deletion operation completes, you'll see a notification that the bulk operation succeeded.
contains the reason for each error.
Check status
Next, you can check to see that the users you deleted exist in the Azure AD organization either in the Azure portal
Verify deleted users in the Azure portal

1. Sign in to the Azure portal with an account that is a User administrator in the organization.
4. Under Show , select All users only and verify that the users you deleted are no longer listed.
Verify deleted users with PowerShell
Verify that the users that you deleted are no longer listed.
Next steps
Bulk add users
Bulk restore users
Restore or remove a recently deleted user using
After you delete a user, the account remains in a suspended state for 30 days. During that 30-day window, the user
account can be restored, along with all its properties. After that 30-day window passes, the user is automatically,
and permanently, deleted.
You can view your restorable users, restore a deleted user, or permanently delete a user using Azure Active
Directory (Azure AD) in the Azure portal.
IMPORTANT
Neither you nor Microsoft customer support can restore a permanently deleted user.
You must have one of the following roles to restore and permanently delete users.
Partner Tier1 Support
User administrator
View your restorable users

You can see all the users that were deleted less than 30 days ago. These users can be restored.
To view your restorable users
1. Sign in to the Azure portal using a Global administrator account for the organization.
2. Select Azure Active Director y , select Users , and then select Deleted users .
Review the list of users that are available to restore.
Restore a recently deleted user
When a user account is deleted from the organization, the account is in a suspended state and all the related
organization information is preserved. When you restore a user, this organization information is also restored.
NOTE
Once a user is restored, licenses that were assigned to the user at the time of deletion are also restored even if there are no
seats available for those licenses. If you are then consuming more licenses more than you purchased, your organization
could be temporarily out of compliance for license usage.
To restore a user
1. On the Users - Deleted users page, search for and select one of the available users. For example, Mary
Parker.
2. Select Restore user .
Permanently delete a user

You can permanently delete a user from your organization without waiting the 30 days for automatic deletion. A
permanently deleted user can't be restored by you, another administrator, nor by Microsoft customer support.
NOTE
If you permanently delete a user by mistake, you'll have to create a new user and manually enter all the previous
information. For more information about creating a new user, see Add or delete users.
To permanently delete a user

1. On the Users - Deleted users page, search for and select one of the available users. For example, Rae
Huff.
2. Select Delete permanently .
Next steps
After you've restored or deleted your users, you can perform the following basic processes:
Add or delete users
Add guest users from another organization
For more information about other available user management tasks, Azure AD user management documentation.
Bulk restore deleted users in Azure Active Directory
Azure Active Directory (Azure AD) supports bulk user restore operations and supports downloading lists of users,
groups, and group members.

Download and fill in the CSV template to help you successfully restore Azure AD users in bulk. The CSV template
you download might look like this example:

Column headings : The format of the column headings is <Item name> [PropertyName] <Required or
blank>. For example, Object ID [objectId] Required . Some older versions of the template might have slight
variations.
Additional guidance
not processed.
To bulk restore users

1. Sign in to your Azure AD organization with an account that is a User administrator in the Azure AD
organization.
2. In Azure AD, select Users > Deleted .
3. On the Deleted users page, select Bulk restore to upload a valid CSV file of properties of the users to
restore.
4. Open the CSV template and add a line for each user you want to restore. The only required value is
ObjectID . Then save the file.
5. On the Bulk restore page, under Upload your csv file , browse to the file. When you select the file and
click Submit , validation of the CSV file starts.
6. When the file contents are validated, you’ll see File uploaded successfully . If there are errors, you must
fix them before you can submit the job.
7. When your file passes validation, select Submit to start the Azure bulk operation that restores the users.
8. When the restore operation completes, you'll see a notification that the bulk operation succeeded.
contains the reason for each error.
Check status
Next, you can check to see that the users you restored exist in the Azure AD organization either in the Azure portal
View restored users in the Azure portal

1. Sign in to the Azure AD admin center with an account that is a User administrator in the organization.
4. Under Show , select All users and verify that the users you restored are listed.
View users with PowerShell
You should see that the users that you restored are listed.
Next steps
Bulk import users
Bulk delete users
Revoke user access in Azure Active Directory
Among the scenarios that could require an administrator to revoke all access for a user include compromised
accounts, employee termination, and other insider threats. Depending on the complexity of the environment,
administrators can take several steps to ensure access is revoked. In some scenarios, there could be a period
between initiation of access revocation and when access is effectively revoked.
To mitigate the risks, you must understand how tokens work. There are many kinds of tokens, which fall into one of
the patterns mentioned in the sections below.
Access tokens and refresh tokens

Access tokens and refresh tokens are frequently used with thick client applications, and also used in browser-based
applications such as single page apps.
When users authenticate to Azure AD, authorization policies are evaluated to determine if the user can be
granted access to a specific resource.
If authorized, Azure AD issues an access token and a refresh token for the resource.
Access tokens issued by Azure AD by default last for 1 hour. If the authentication protocol allows, the app can
silently reauthenticate the user by passing the refresh token to the Azure AD when the access token expires.
Azure AD then reevaluates its authorization policies. If the user is still authorized, Azure AD issues a new access
token and refresh token.
Access tokens can be a security concern if access must be revoked within a time that is shorter than the lifetime of
the token, which is usually around an hour. For this reason, Microsoft is actively working to bring continuous access
evaluation to Office 365 applications, which helps ensure invalidation of access tokens in near real time.
Session tokens (cookies)

Most browser-based applications use session tokens instead of access and refresh tokens.
When a user opens a browser and authenticates to an application via Azure AD, the user receives two
session tokens. One from Azure AD and another from the application.
Once an application issues its own session token, access to the application is governed by the application’s
session. At this point, the user is affected by only the authorization policies that the application is aware of.
The authorization policies of Azure AD are reevaluated as often as the application sends the user back to
Azure AD. Reevaluation usually happens silently, though the frequency depends on how the application is
configured. It's possible that the app may never send the user back to Azure AD as long as the session token
is valid.
For a session token to be revoked, the application must revoke access based on its own authorization
policies. Azure AD can’t directly revoke a session token issued by an application.
Revoke access for a user in the hybrid environment

For a hybrid environment with on-premises Active Directory synchronized with Azure Active Directory, Microsoft
recommends IT admins to take the following actions.
On-premises Active Directory environment
As an admin in the Active Directory, connect to your on-premises network, open PowerShell, and take the following
actions:
1. Disable the user in Active Directory. Refer to Disable-ADAccount.
Disable-ADAccount -Identity johndoe
2. Reset the user’s password twice in the Active Directory. Refer to Set-ADAccountPassword.
NOTE
The reason for changing a user’s password twice is to mitigate the risk of pass-the-hash, especially if there are delays
in on-premises password replication. If you can safely assume this account isn't compromised, you may reset the
password only once.
IMPORTANT
Don't use the example passwords in the following cmdlets. Be sure to change the passwords to a random string.
Set-ADAccountPassword -Identity johndoe -Reset -NewPassword (ConvertTo-SecureString -AsPlainText

"p@ssw0rd1" -Force)
Set-ADAccountPassword -Identity johndoe -Reset -NewPassword (ConvertTo-SecureString -AsPlainText
"p@ssw0rd2" -Force)
Azure Active Directory environment

As an administrator in Azure Active Directory, open PowerShell, run Connect-AzureAD , and take the following
actions:
1. Disable the user in Azure AD. Refer to Set-AzureADUser.
Set-AzureADUser -ObjectId johndoe@contoso.com -AccountEnabled $false
2. Revoke the user’s Azure AD refresh tokens. Refer to Revoke-AzureADUserAllRefreshToken.
Revoke-AzureADUserAllRefreshToken -ObjectId johndoe@contoso.com
3. Disable the user’s devices. Refer to Get-AzureADUserRegisteredDevice.
Get-AzureADUserRegisteredDevice -ObjectId johndoe@contoso.com | Set-AzureADDevice -AccountEnabled $false
Optional steps
Wipe corporate data from Intune-managed applications.
Wipe corporate owned devices be resetting device to factory default settings.
NOTE
Data on the device cannot be recovered after a wipe.
When access is revoked
Once admins have taken the above steps, the user can't gain new tokens for any application tied to Azure Active
Directory. The elapsed time between revocation and the user losing their access depends on how the application is
granting access:
For applications using access tokens , the user loses access when the access token expires.
For applications that use session tokens , the existing sessions end as soon as the token expires. If the
disabled state of the user is synchronized to the application, the application can automatically revoke the
user’s existing sessions if it's configured to do so. The time it takes depends on the frequency of
synchronization between the application and Azure AD.
Next steps
Secure access practices for Azure AD administrators
Add or update user profile information
Close your work or school account in an unmanaged
Azure AD organization
If you are a user in an unmanaged Azure Active Directory (Azure AD) organization, and you no longer need to use
apps from that organization or maintain any association with it, you can close your account at any time. An
unmanaged organization does not have a Global administrator. Users in an unmanaged organization can close
their accounts on their own, without having to contact an administrator.
Users in an unmanaged organization are often created during self-service sign-up. An example might be an
information worker in an organization who signs up for a free service. For more information about self-service
sign-up, see What is self-service sign-up for Azure Active Directory?.
NOTE
This article provides steps for how to delete personal data from the device or service and can be used to support your
obligations under the GDPR. If you’re looking for general info about GDPR, see the GDPR section of the Service Trust portal.
Before you begin

Before you can close your account, you should confirm the following items:
Make sure you are a user of an unmanaged Azure AD organization. You can't close your account if you
belong to a managed organization. If you belong to a managed organization and want to close your account,
you must contact your administrator. For information about how to determine whether you belong to an
unmanaged organization, see Delete the user from Unmanaged Tenant.
Save any data you want to keep. For information about how to submit an export request, see Accessing and
exporting system-generated logs for Unmanaged Tenants.
WARNING
Closing your account is irreversible. When you close your account, all personal data will be removed. You will no longer have
access to your account and data associated with your account.
Close your account

To close an unmanaged work or school account, follow these steps:
1. Sign in to close your account, using the account that you want to close.
2. On My data requests , select Close account .
3. Review the confirmation message and then select Yes .
Next steps
What is self-service sign-up for Azure Active Directory?
Delete the user from Unmanaged Tenant
Accessing and exporting system-generated logs for Unmanaged Tenants
Restrict guest access permissions (preview) in Azure
Active Directory
Azure Active Directory (Azure AD) allows you to restrict what external guest users can see in their organization in
Azure AD. Guest users are set to a limited permission level by default in Azure AD, while the default for member
users is the full set of default user permissions. This is a preview of a new guest user permission level in your
Azure AD organization's external collaboration settings for even more restricted access, so your guest access
choices now are:
P ERM ISSIO N L EVEL A C C ESS L EVEL
Same as member users Guests have the same access to Azure AD resources as
member users
Limited access (default) Guests can see membership of all non-hidden groups
Restricted access (new) Guests can't see membership of any groups
When guest access is restricted, guests can view only their own user profile. Permission to view other users isn't
allowed even if the guest is searching by User Principal Name or objectId. Restricted access also restricts guest
users from seeing the membership of groups they're in. For more information about the overall default user
permissions, including guest user permissions, see What are the default user permissions in Azure Active
Directory?.
Permissions and licenses

You must be in the Global Administrator role to configure the external collaboration settings. There are no
additional licensing requirements to restrict guest access.
Update in the Azure portal

We’ve made changes to the existing Azure portal controls for guest user permissions.
1. Sign in to the Azure AD admin center with Global administrator permissions.
2. On the Azure Active Director y overview page for your organization, select User settings .
3. Under External users , select Manage external collaboration settings .
4. On the External collaboration settings page, select Guest user access is restricted to proper ties
and memberships of their own director y objects option.
5. Select Save . The changes can take up to 15 minutes to take effect for guest users.
Update with the Microsoft Graph API

We’ve added a new Microsoft Graph API to configure guest permissions in your Azure AD organization. The
following API calls can be made to assign any permission level. The value for guestUserRoleId used here is to
illustrate the most restricted guest user setting. For more information about using the Microsoft Graph to set guest
permissions, see authorizationPolicy resource type.
Configuring for the first time
POST https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy
{
"guestUserRoleId": "2af84b1e-32c8-42b7-82bc-daa82404023b"
}
Response should be Success 204.

Updating the existing value
PATCH https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy
{
"guestUserRoleId": "2af84b1e-32c8-42b7-82bc-daa82404023b"
}
Response should be Success 204.

View the current value
GET https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy
Example response:
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#policies/authorizationPolicy/$entity",
"id": "authorizationPolicy",
"displayName": "Authorization Policy",
"description": "Used to manage authorization related settings across the company.",
"enabledPreviewFeatures": [],
"guestUserRoleId": "10dae51f-b6af-4016-8d66-8c2a99b929b3",
"permissionGrantPolicyIdsAssignedToDefaultUserRole": [
"user-default-legacy"
]
}
Update with PowerShell cmdlets

With this feature, we’ve added the ability to configure the restricted permissions via PowerShell v2 cmdlets. Get
and Set PowerShell cmdlets have been published in version 2.0.2.85.
Get command: Get-AzureADMSAuthorizationPolicy
Example:
PS C:\WINDOWS\system32> Get-AzureADMSAuthorizationPolicy
Id : authorizationPolicy
OdataType :
Description : Used to manage authorization related settings across the
company.
DisplayName : Authorization Policy
EnabledPreviewFeatures : {}
GuestUserRoleId : 10dae51f-b6af-4016-8d66-8c2a99b929b3
PermissionGrantPolicyIdsAssignedToDefaultUserRole : {user-default-legacy}
Set command: Set-AzureADMSAuthorizationPolicy

Example:
PS C:\WINDOWS\system32> Set-AzureADMSAuthorizationPolicy -GuestUserRoleId '2af84b1e-32c8-42b7-82bc-

daa82404023b'
NOTE
You must enter authorizationPolicy as the ID when requested.
Supported Microsoft 365 services
Supported services
By supported we mean that the experience is as expected; specifically, that it is same as current guest experience.
Teams
Outlook (OWA)
SharePoint
Services currently not supported
Service without current support might have compatibility issues with the new guest restriction setting.
Forms
Planner in Teams
Planner app
Project
Yammer
Frequently asked questions (FAQ)

Where do these permissions apply? These directory level permissions are enforced across Azure
AD services and portals including the Microsoft Graph,
PowerShell v2, the Azure portal, and My Apps portal.
Microsoft 365 services leveraging Office 365 groups for
collaboration scenarios are also affected, specifically Outlook,
Microsoft Teams, and SharePoint.
Which parts of the My Apps portal will this feature affect? The groups functionality in the My Apps portal will honor
these new permissions. This includes all paths to view the
groups list and group memberships in My Apps. No changes
were made to the group tile availability. The group tile
availability is still controlled by the existing group setting in
the Azure admin portal.
Do these permissions override SharePoint or Microsoft Teams No. Those existing settings still control the experience and
guest settings? access in those applications. For example, if you see issues in
SharePoint, double check your external sharing settings.
What are the known compatibility issues in Planner and With permissions set to ‘restricted’, guests logged into the
Yammer? Planner app or accessing the Planner in Microsoft Teams won't
be able to access their plans or any tasks.
With permissions set to ‘restricted’, guests logged into
Yammer won't be able to leave the group.
Will my existing guest permissions be changed in my tenant? No changes were made to your current settings. We maintain
backward compatibility with your existing settings. You decide
when you want make changes.
Will these permissions be set by default? No. The existing default permissions remain unchanged. You
can optionally set the permissions to be more restrictive.
Are there any license requirements for this feature? No, there are no new licensing requirements with this feature.
Next steps
To learn more about existing guest permissions in Azure AD, see What are the default user permissions in Azure
Active Directory?.
To see the Microsoft Graph API methods for restricting guest access, see authorizationPolicy resource type.
To revoke all access for a user, see Revoke user access in Azure AD.
What is Azure Active Directory?
Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service, which helps
your employees sign in and access resources in:
External resources, such as Microsoft Office 365, the Azure portal, and thousands of other SaaS applications.
Internal resources, such as apps on your corporate network and intranet, along with any cloud apps
developed by your own organization. For more information about creating a tenant for your organization,
see Quickstart: Create a new tenant in Azure Active Directory.
To learn the difference between Azure AD and Active Directory Domain Services, see Compare Active Directory to
Azure Active Directory. You can also use the various Microsoft Cloud for Enterprise Architects Series posters to
better understand the core identity services in Azure, Azure AD, and Office 365.
Who uses Azure AD?

Azure AD is intended for:
IT admins. As an IT admin, you can use Azure AD to control access to your apps and your app resources,
based on your business requirements. For example, you can use Azure AD to require multi-factor
authentication when accessing important organizational resources. Additionally, you can use Azure AD to
automate user provisioning between your existing Windows Server AD and your cloud apps, including
Office 365. Finally, Azure AD gives you powerful tools to automatically help protect user identities and
credentials and to meet your access governance requirements. To get started, sign up for a free 30-day
Azure Active Directory Premium trial.
App developers. As an app developer, you can use Azure AD as a standards-based approach for adding
single sign-on (SSO) to your app, allowing it to work with a user's pre-existing credentials. Azure AD also
provides APIs that can help you build personalized app experiences using existing organizational data. To
get started, sign up for a free 30-day Azure Active Directory Premium trial. For more information, you can
also see Azure Active Directory for developers.
Microsoft 365, Office 365, Azure, or Dynamics CRM Online subscribers. As a subscriber, you're
already using Azure AD. Each Microsoft 365, Office 365, Azure, and Dynamics CRM Online tenant is
automatically an Azure AD tenant. You can immediately start to manage access to your integrated cloud
apps.
What are the Azure AD licenses?

Microsoft Online business services, such as Office 365 or Microsoft Azure, require Azure AD for sign-in and to help
with identity protection. If you subscribe to any Microsoft Online business service, you automatically get Azure AD
with access to all the free features.
To enhance your Azure AD implementation, you can also add paid capabilities by upgrading to Azure Active
Directory Premium P1 or Premium P2 licenses. Azure AD paid licenses are built on top of your existing free
directory, providing self-service, enhanced monitoring, security reporting, and secure access for your mobile users.
NOTE
For the pricing options of these licenses, see Azure Active Directory Pricing.
Azure Active Directory Premium P1 and Premium P2 are not currently supported in China. For more information about
Azure AD pricing, contact the Azure Active Directory Forum.
Azure Active Director y Free. Provides user and group management, on-premises directory
synchronization, basic reports, self-service password change for cloud users, and single sign-on across
Azure, Office 365, and many popular SaaS apps.
Azure Active Director y Premium P1. In addition to the Free features, P1 also lets your hybrid users
access both on-premises and cloud resources. It also supports advanced administration, such as dynamic
groups, self-service group management, Microsoft Identity Manager (an on-premises identity and access
management suite) and cloud write-back capabilities, which allow self-service password reset for your on-
premises users.
Azure Active Director y Premium P2. In addition to the Free and P1 features, P2 also offers Azure Active
Directory Identity Protection to help provide risk-based Conditional Access to your apps and critical
company data and Privileged Identity Management to help discover, restrict, and monitor administrators
and their access to resources and to provide just-in-time access when needed.
"Pay as you go" feature licenses. You can also get additional feature licenses, such as Azure Active
Directory Business-to-Customer (B2C). B2C can help you provide identity and access management
solutions for your customer-facing apps. For more information, see Azure Active Directory B2C
documentation.
For more information about associating an Azure subscription to Azure AD, see Associate or add an Azure
subscription to Azure Active Directory and for more information about assigning licenses to your users, see How
to: Assign or remove Azure Active Directory licenses.
Which features work in Azure AD?

After you choose your Azure AD license, you'll get access to some or all of the following features for your
organization:
C AT EGO RY DESC RIP T IO N
Application management Manage your cloud and on-premises apps using Application
Proxy, single sign-on, the My Apps portal (also known as the
Access panel), and Software as a Service (SaaS) apps. For more
information, see How to provide secure remote access to on-
premises applications and Application Management
documentation.
Authentication Manage Azure Active Directory self-service password reset,

Multi-Factor Authentication, custom banned password list,
and smart lockout. For more information, see Azure AD
Authentication documentation.
Azure Active Directory for developers Build apps that sign in all Microsoft identities, get tokens to
call Microsoft Graph, other Microsoft APIs, or custom APIs.
For more information, see Microsoft identity platform (Azure
Active Directory for developers).
C AT EGO RY DESC RIP T IO N
Business-to-Business (B2B) Manage your guest users and external partners, while
maintaining control over your own corporate data. For more
information, see Azure Active Directory B2B documentation.
Business-to-Customer (B2C) Customize and control how users sign up, sign in, and
manage their profiles when using your apps. For more
information, see Azure Active Directory B2C documentation.
Conditional Access Manage access to your cloud apps. For more information, see
Azure AD Conditional Access documentation.
Device Management Manage how your cloud or on-premises devices access your
corporate data. For more information, see Azure AD Device
Management documentation.
Domain services Join Azure virtual machines to a domain without using

domain controllers. For more information, see Azure AD
Domain Services documentation.
Enterprise users Manage license assignment, access to apps, and set up

delegates using groups and administrator roles. For more
information, see Azure Active Directory user management
documentation.
Hybrid identity Use Azure Active Directory Connect and Connect Health to
provide a single user identity for authentication and
authorization to all resources, regardless of location (cloud or
on-premises). For more information, see Hybrid identity
documentation.
Identity governance Manage your organization's identity through employee,

business partner, vendor, service, and app access controls. You
can also perform access reviews. For more information, see
Azure AD identity governance documentation and Azure AD
access reviews.
Identity protection Detect potential vulnerabilities affecting your organization's

identities, configure policies to respond to suspicious actions,
and then take appropriate action to resolve them. For more
information, see Azure AD Identity Protection.
Managed identities for Azure resources Provides your Azure services with an automatically managed
identity in Azure AD that can authenticate any Azure AD-
supported authentication service, including Key Vault. For
more information, see What is managed identities for Azure
resources?.
Privileged identity management (PIM) Manage, control, and monitor access within your organization.
This feature includes access to resources in Azure AD and
Azure, and other Microsoft Online Services, like Office 365 or
Intune. For more information, see Azure AD Privileged Identity
Management.
Reports and monitoring Gain insights into the security and usage patterns in your
environment. For more information, see Azure Active
Directory reports and monitoring.
Terminology
To better understand Azure AD and its documentation, we recommend reviewing the following terms.
T ERM O R C O N C EP T DESC RIP T IO N
Identity A thing that can get authenticated. An identity can be a user

with a username and password. Identities also include
applications or other servers that might require
authentication through secret keys or certificates.
Account An identity that has data associated with it. You cannot have
an account without an identity.
Azure AD account An identity created through Azure AD or another Microsoft

cloud service, such as Office 365. Identities are stored in Azure
AD and accessible to your organization's cloud service
subscriptions. This account is also sometimes called a Work or
school account.
Account Administrator This classic subscription administrator role is conceptually the

billing owner of a subscription. This role has access to the
Azure Account Center and enables you to manage all
subscriptions in an account. For more information, see Classic
subscription administrator roles, Azure roles, and Azure AD
administrator roles.
Service Administrator This classic subscription administrator role enables you to

manage all Azure resources, including access. This role has the
equivalent access of a user who is assigned the Owner role at
the subscription scope. For more information, see Classic
subscription administrator roles, Azure roles, and Azure AD
Owner This role helps you manage all Azure resources, including
access. This role is built on a newer authorization system
called Azure role-base access control (Azure RBAC) that
provides fine-grained access management to Azure resources.
For more information, see Classic subscription administrator
roles, Azure roles, and Azure AD administrator roles.
Azure AD Global administrator This administrator role is automatically assigned to whomever

created the Azure AD tenant. Global administrators can do all
of the administrative functions for Azure AD and any services
that federate to Azure AD, such as Exchange Online,
SharePoint Online, and Skype for Business Online. You can
have multiple Global administrators, but only Global
administrators can assign administrator roles (including
assigning other Global administrators) to users. Note that this
administrator role is called Global administrator in the Azure
portal, but it's called Company administrator in the
Microsoft Graph API and Azure AD PowerShell.For more
information about the various administrator roles, see
Administrator role permissions in Azure Active Directory.
Azure subscription Used to pay for Azure cloud services. You can have many
subscriptions and they're linked to a credit card.
T ERM O R C O N C EP T DESC RIP T IO N
Azure tenant A dedicated and trusted instance of Azure AD that's

automatically created when your organization signs up for a
Microsoft cloud service subscription, such as Microsoft Azure,
Microsoft Intune, or Office 365. An Azure tenant represents a
single organization.
Single tenant Azure tenants that access other services in a dedicated

environment are considered single tenant.
Multi-tenant Azure tenants that access other services in a shared

environment, across multiple organizations, are considered
multi-tenant.
Azure AD directory Each Azure tenant has a dedicated and trusted Azure AD
directory. The Azure AD directory includes the tenant's users,
groups, and apps and is used to perform identity and access
management functions for tenant resources.
Custom domain Every new Azure AD directory comes with an initial domain
name, domainname.onmicrosoft.com. In addition to that initial
name, you can also add your organization's domain names,
which include the names you use to do business and your
users use to access your organization's resources, to the list.
Adding custom domain names helps you to create user
names that are familiar to your users, such as
alain@contoso.com.
Microsoft account (also called, MSA) Personal accounts that provide access to your consumer-
oriented Microsoft products and cloud services, such as
Outlook, OneDrive, Xbox LIVE, or Office 365. Your Microsoft
account is created and stored in the Microsoft consumer
identity account system that's run by Microsoft.
Next steps
Sign up for Azure Active Directory Premium
Associate an Azure subscription to your Azure Active Directory
Azure Active Directory Premium P2 feature deployment checklist
Managing custom domain names in your Azure
Active Directory
A domain name is an important part of the identifier for many directory resources: it's part of a user name or email
address for a user, part of the address for a group, and is sometimes part of the app ID URI for an application. A
resource in Azure Active Directory (Azure AD) can include a domain name that's owned by the directory that
contains the resource. Only a Global Administrator can manage domains in Azure AD.
Set the primary domain name for your Azure AD directory

When your directory is created, the initial domain name, such as ‘contoso.onmicrosoft.com,’ is also the primary
domain name. The primary domain is the default domain name for a new user when you create a new user. Setting
a primary domain name streamlines the process for an administrator to create new users in the portal. To change
the primary domain name:
1. Sign in to the Azure portal with an account that's a Global Administrator for the directory.
2. Select Azure Active Director y .
3. Select Custom domain names .
4. Select the name of the domain that you want to be the primary domain.
5. Select the Make primar y command. Confirm your choice when prompted.
You can change the primary domain name for your directory to be any verified custom domain that isn't federated.
Changing the primary domain for your directory won't change the user name for any existing users.
Add custom domain names to your Azure AD organization

You can add up to 900 managed domain names. If you're configuring all your domains for federation with on-
premises Active Directory, you can add up to 450 domain names in each directory.
Add subdomains of a custom domain

If you want to add a third-level domain name such as ‘europe.contoso.com’ to your directory, you should first add
and verify the second-level domain, such as contoso.com. The subdomain is automatically verified by Azure AD. To
see that the subdomain you added is verified, refresh the domain list in the browser.
Note
If you have already added a contoso.com domain to an Azure AD tenant, you can also add the subdomain
europe.contoso.com to a second Azure AD tenant. When adding the subdomain, you will be prompted to add a TXT
record in the DNS hosting provider.
What to do if you change the DNS registrar for your custom domain
name
If you change the DNS registrars, there are no additional configuration tasks in Azure AD. You can continue using
the domain name with Azure AD without interruption. If you use your custom domain name with Office 365,
Intune, or other services that rely on custom domain names in Azure AD, see the documentation for those services.
Delete a custom domain name

You can delete a custom domain name from your Azure AD if your organization no longer uses that domain name,
or if you need to use that domain name with another Azure AD.
To delete a custom domain name, you must first ensure that no resources in your directory rely on the domain
name. You can't delete a domain name from your directory if:
Any user has a user name, email address, or proxy address that includes the domain name.
Any group has an email address or proxy address that includes the domain name.
Any application in your Azure AD has an app ID URI that includes the domain name.
You must change or delete any such resource in your Azure AD directory before you can delete the custom domain
name.
ForceDelete option
You can ForceDelete a domain name in the Azure AD Admin Center or using Microsoft Graph API. These options
use an asynchronous operation and update all references from the custom domain name like “user@contoso.com”
to the initial default domain name such as “user@contoso.onmicrosoft.com.”
To call ForceDelete in the Azure portal, you must ensure that there are fewer than 1000 references to the domain
name, and any references where Exchange is the provisioning service must be updated or removed in the Exchange
Admin Center. This includes Exchange Mail-Enabled Security Groups and distributed lists; for more information, see
Removing mail-enabled security groups. Also, the ForceDelete operation won't succeed if either of the following is
true:
You purchased a domain via Office 365 domain subscription services
You are a partner administering on behalf of another customer organization
The following actions are performed as part of the ForceDelete operation:
Renames the UPN, EmailAddress, and ProxyAddress of users with references to the custom domain name to the
initial default domain name.
Renames the EmailAddress of groups with references to the custom domain name to the initial default domain
name.
Renames the identifierUris of applications with references to the custom domain name to the initial default
domain name.
An error is returned when:
The number of objects to be renamed is greater than 1000
One of the applications to be renamed is a multi-tenant app
Frequently asked questions
Q: Why is the domain deletion failing with an error that states that I have Exchange mastered groups
on this domain name?
A: Today, certain groups like Mail-Enabled Security groups and distributed lists are provisioned by Exchange and
need to be manually cleaned up in Exchange Admin Center (EAC). There may be lingering ProxyAddresses which
rely on the custom domain name and will need to be updated manually to another domain name.
Q: I am logged in as admin@contoso.com but I cannot delete the domain name “contoso.com”?
A: You cannot reference the custom domain name you are trying to delete in your user account name. Ensure that
the Global Administrator account is using the initial default domain name (.onmicrosoft.com) such as
admin@contoso.onmicrosoft.com. Sign in with a different Global Administrator account that such as
admin@contoso.onmicrosoft.com or another custom domain name like “fabrikam.com” where the account is
admin@fabrikam.com.
Q: I clicked the Delete domain button and see In Progress status for the Delete operation. How long
does it take? What happens if it fails?
A: The delete domain operation is an asynchronous background task that renames all references to the domain
name. It should complete within a minute or two. If domain deletion fails, ensure that you don’t have:
Apps configured on the domain name with the appIdentifierURI
Any mail-enabled group referencing the custom domain name
More than 1000 references to the domain name
If you find that any of the conditions haven’t been met, manually clean up the references and try to delete the
domain again.
Use PowerShell or the Microsoft Graph API to manage domain names

Most management tasks for domain names in Azure Active Directory can also be completed using Microsoft
PowerShell, or programmatically using the Microsoft Graph API.
Using PowerShell to manage domain names in Azure AD
Domain resource type
Next steps
Add custom domain names
Remove Exchange mail-enabled security groups in Exchange Admin Center on a custom domain name in Azure
AD
ForceDelete a custom domain name with Microsoft Graph API
Delete a tenant in Azure Active Directory
When an Azure AD organization (tenant) is deleted, all resources that are contained in the organization are also
deleted. Prepare your organization by minimizing its associated resources before you delete. Only an Azure Active
Directory (Azure AD) global administrator can delete an Azure AD organization from the portal.
Prepare the organization

You can't delete a organization in Azure AD until it passes several checks. These checks reduce risk that deleting an
Azure AD organization negatively impacts user access, such as the ability to sign in to Office 365 or access
resources in Azure. For example, if the organization associated with a subscription is unintentionally deleted, then
users can't access the Azure resources for that subscription. The following conditions are checked:
There can be no users in the Azure AD organization (tenant) except one global administrator who is to delete the
organization. Any other users must be deleted before the organization can be deleted. If users are synchronized
from on-premises, then sync must first be turned off, and the users must be deleted in the cloud organization
using the Azure portal or Azure PowerShell cmdlets.
There can be no applications in the organization. Any applications must be removed before the organization can
be deleted.
There can be no multi-factor authentication providers linked to the organization.
There can be no subscriptions for any Microsoft Online Services such as Microsoft Azure, Office 365, or Azure
AD Premium associated with the organization. For example, if a default Azure AD organization was created for
you in Azure, you cannot delete this organization if your Azure subscription still relies on this organization for
authentication. Similarly, you can't delete a organization if another user has associated a subscription with it.
Delete the organization

1. Sign in to the Azure AD admin center with an account that is the Global Administrator for your organization.
2. Select Azure Active Director y .
3. Switch to the organization you want to delete.
4. Select Delete tenant .

5. If your organization does not pass one or more checks, you're provided with a link to more information on
how to pass. After you pass all checks, select Delete to complete the process.
If you can't delete the organization

When you configured your Azure AD organization, you may have also activated license-based subscriptions for
your organization like Azure AD Premium P2, Office 365 Business Premium, or Enterprise Mobility + Security E5. To
avoid accidental data loss, you can't delete a organization until the subscriptions are fully deleted. The subscriptions
must be in a Deprovisioned state to allow organization deletion. An Expired or Canceled subscription moves to
the Disabled state, and the final stage is the Deprovisioned state.
For what to expect when a trial Office 365 subscription expires (not including paid Partner/CSP, Enterprise
Agreement, or Volume Licensing), see the following table. For more information on Office 365 data retention and
subscription lifecycle, see What happens to my data and access when my Office 365 for business subscription
ends?.
SUB SC RIP T IO N STAT E DATA A C C ESS TO DATA
Active (30 days for trial) Data accessible to all Users have normal access to Office 365
files, or apps
Admins have normal access to
Microsoft 365 admin center and
resources
Expired (30 days) Data accessible to all Users have normal access to Office 365
files, or apps
resources
Disabled (30 days) Data accessible to admin only Users can’t access Office 365 files, or
apps
Admins can access the Microsoft 365
admin center but can’t assign licenses
to or update users
Deprovisioned (30 days after Disabled) Data deleted (automatically deleted if Users can’t access Office 365 files, or
no other services are in use) apps
admin center to purchase and manage
other subscriptions
Delete a subscription
You can put a subscription into the Deprovisioned state to be deleted in three days using the Microsoft 365 admin
center.
1. Sign in to the Microsoft 365 admin center with an account that is a global administrator in your
organization. If you are trying to delete the “Contoso” organization that has the initial default domain
contoso.onmicrosoft.com, sign in with a UPN such as admin@contoso.onmicrosoft.com.
2. Preview the new Microsoft 365 admin center by making sure the Tr y the new admin center toggle is
enabled.
3. Once the new admin center is enabled, you need to cancel a subscription before you can delete it. Select
Billing and select Products & ser vices , then select Cancel subscription for the subscription you want to
cancel. You will be brought to a feedback page.
4. Complete the feedback form and select Cancel subscription to cancel the subscription.
5. You can now delete the subscription. Select Delete for the subscription you want to delete. If you cannot find
the subscription in the Products & ser vices page, make sure you have Subscription status set to All .
6. Select Delete subscription to delete the subscription and accept the terms and conditions. All data is
permanently deleted within three days. You can reactivate the subscription during the three-day period if
you change your mind.
7. Now the subscription state has changed, and the subscription is marked for deletion. The subscription enters
the Deprovisioned state 72 hours later.
8. Once you have deleted a subscription in your organization and 72 hours have elapsed, you can sign back
into the Azure AD admin center again and there should be no required action and no subscriptions blocking
your organization deletion. You should be able to successfully delete your Azure AD organization.
I have a trial subscription that blocks deletion

There are self-service sign-up products like Microsoft Power BI, Rights Management Services, Microsoft Power
Apps, or Dynamics 365, individual users can sign up via Office 365, which also creates a guest user for
authentication in your Azure AD organization. These self-service products block directory deletions until the
products are fully deleted from the organization, to avoid data loss. They can be deleted only by the Azure AD
admin whether the user signed up individually or was assigned the product.
There are two types of self-service sign-up products in how they are assigned:
Org-level assignment: An Azure AD admin assigns the product to the entire organization and a user can be
actively using the service with this org-level assignment even if they are not licensed individually.
User level assignment: An individual user during self-service sign-up essentially assigns the product to
themselves without an admin. Once the organization becomes managed by an admin (see Administrator
takeover of an unmanaged organization, then the admin can directly assign the product to users without self-
service sign-up.
When you begin the deletion of the self-service sign-up product, the action permanently deletes the data and
removes all user access to the service. Any user that was assigned the offer individually or on the organization level
is then blocked from signing in or accessing any existing data. If you want to prevent data loss with the self-service
sign-up product like Microsoft Power BI dashboards or Rights Management Services policy configuration, ensure
that the data is backed up and saved elsewhere.
For more information about currently available self-service sign-up products and services, see Available self-
service programs.
For what to expect when a trial Office 365 subscription expires (not including paid Partner/CSP, Enterprise
Agreement, or Volume Licensing), see the following table. For more information on Office 365 data retention and
subscription lifecycle, see What happens to my data and access when my Office 365 for business subscription
ends?.
P RO DUC T STAT E DATA A C C ESS TO DATA
Active (30 days for trial) Data accessible to all Users have normal access to self-service
sign-up product, files, or apps
resources
Deleted Data deleted Users can’t access self-service sign-up

product, files, or apps
admin center to purchase and manage
other subscriptions
How can I delete a self-service sign-up product in the Azure portal?

You can put a self-service sign-up product like Microsoft Power BI or Azure Rights Management Services into a
Delete state to be immediately deleted in the Azure AD portal.
1. Sign in to the Azure AD admin center with an account that is a Global administrator in the organization. If
you are trying to delete the “Contoso” organization that has the initial default domain
contoso.onmicrosoft.com, sign on with a UPN such as admin@contoso.onmicrosoft.com.
2. Select Licenses , and then select Self-ser vice sign-up products . You can see all the self-service sign-up
products separately from the seat-based subscriptions. Choose the product you want to permanently delete.
Here's an example in Microsoft Power BI:
3. Select Delete to delete the product and accept the terms that data is deleted immediately and irrevocably.
This delete action will remove all users and remove organization access to the product. Click Yes to move
forward with the deletion.
4. When you select Yes , the deletion of the self-service product will be initiated. There is a notification that will
tell you of the deletion in progress.
5. Now the self-service sign-up product state has changed to Deleted . When you refresh the page, the product
should be removed from the Self-ser vice sign-up products page.
6. Once you have deleted all the products, you can sign back into the Azure AD admin center again and there
should be no required action and no products blocking your organization deletion. You should be able to
successfully delete your Azure AD organization.
Next steps
Azure Active Directory documentation
Understand how multiple Azure Active Directory
organizations interact
In Azure Active Directory (Azure AD), each Azure AD organization is fully independent: a peer that is logically
independent from the other Azure AD organizations that you manage. This independence between organizations
includes resource independence, administrative independence, and synchronization independence. There is no
parent-child relationship between organizations.
Resource independence
If you create or delete an Azure AD resource in one organization, it has no impact on any resource in another
organization, with the partial exception of external users.
If you register one of your domain names with one organization, it can't be used by any other organization.
Administrative independence
If a non-administrative user of organization 'Contoso' creates a test organization 'Test,' then:
By default, the user who creates a organization is added as an external user in that new organization, and
assigned the global administrator role in that organization.
The administrators of organization 'Contoso' have no direct administrative privileges to organization 'Test,'
unless an administrator of 'Test' specifically grants them these privileges. However, administrators of 'Contoso'
can control access to organization 'Test' if they control the user account that created 'Test.'
If you add or remove an Azure AD role for a user in one organization, the change does not affect the roles that
the user is assigned in any other Azure AD organization.
Synchronization independence
You can configure each Azure AD organization independently to get data synchronized from a single instance of
either:
The Azure AD Connect tool, to synchronize data with a single AD forest.
The Azure Active Directory Connector for Forefront Identity Manager, to synchronize data with one or more on-
premises forests, and/or non-Azure AD data sources.
Add an Azure AD organization

To add an Azure AD organization in the Azure portal, sign in to the Azure portal with an account that is an Azure AD
global administrator, and select New .
NOTE
Unlike other Azure resources, your Azure AD organizations are not child resources of an Azure subscription. If your Azure
subscription is canceled or expired, you can still access your Azure AD organization's data using Azure PowerShell, the
Microsoft Graph API, or the Microsoft 365 admin center. You can also associate another subscription with the organization.
Next steps
For Azure AD licensing considerations and best practices, see What is Azure Active Directory licensing?.
What is self-service sign-up for Azure Active
Directory?
This article explains how to use self-service sign-up to populate an organization in Azure Active Directory (Azure
AD). If you want to take over a domain name from an unmanaged Azure AD organization, see Take over an
unmanaged directory as administrator.
Why use self-service sign-up?

Get customers to services they want faster
Create email-based offers for a service
Create email-based sign-up flows that quickly allow users to create identities using their easy-to-remember
work email aliases
A self-service-created Azure AD directory can be turned into a managed directory that can be used for other
services
Terms and definitions

Self-ser vice sign-up : This is the method by which a user signs up for a cloud service and has an identity
automatically created for them in Azure AD based on their email domain.
Unmanaged Azure AD director y : This is the directory where that identity is created. An unmanaged
directory is a directory that has no global administrator.
Email-verified user : This is a type of user account in Azure AD. A user who has an identity created
automatically after signing up for a self-service offer is known as an email-verified user. An email-verified user
is a regular member of a directory tagged with creationmethod=EmailVerified.
How do I control self-service settings?

Admins have two self-service controls today. They can control whether:
Users can join the directory via email
Users can license themselves for applications and services
How can I control these capabilities?
An admin can configure these capabilities using the following Azure AD cmdlet Set-MsolCompanySettings
parameters:
AllowEmailVerifiedUsers controls whether a user can create or join a directory. If you set that parameter to
$false, no email-verified user can join the directory.
AllowAdHocSubscriptions controls the ability for users to perform self-service sign-up. If you set that
parameter to $false, no user can perform self-service sign-up.
AllowEmailVerifiedUsers and AllowAdHocSubscriptions are directory-wide settings that can be applied to a
managed or unmanaged directory. Here's an example where:
You administer a directory with a verified domain such as contoso.com
You use B2B collaboration from a different directory to invite a user that does not already exist
(userdoesnotexist@contoso.com) in the home directory of contoso.com
The home directory has the AllowEmailVerifiedUsers turned on
If the preceding conditions are true, then a member user is created in the home directory, and a B2B guest user is
created in the inviting directory.
For more information on Flow and PowerApps trial sign-ups, see the following articles:
How can I prevent my existing users from starting to use Power BI?
Flow in your organization Q&A
How do the controls work together?
These two parameters can be used in conjunction to define more precise control over self-service sign-up. For
example, the following command will allow users to perform self-service sign-up, but only if those users already
have an account in Azure AD (in other words, users who would need an email-verified account to be created first
cannot perform self-service sign-up):
Set-MsolCompanySettings -AllowEmailVerifiedUsers $false -AllowAdHocSubscriptions $true
The following flowchart explains the different combinations for these parameters and the resulting conditions for
the directory and self-service sign-up.
For more information and examples of how to use these parameters, see Set-MsolCompanySettings.
Next steps
Add a custom domain name to Azure AD
How to install and configure Azure PowerShell
Azure PowerShell
Azure Cmdlet Reference
Set-MsolCompanySettings
Close your work or school account in an unmanaged directory
Take over an unmanaged directory as administrator
This article describes two ways to take over a DNS domain name in an unmanaged directory in Azure Active
Directory (Azure AD). When a self-service user signs up for a cloud service that uses Azure AD, they are added to
an unmanaged Azure AD directory based on their email domain. For more about self-service or "viral" sign-up for
a service, see What is self-service sign-up for Azure Active Directory?
Decide how you want to take over an unmanaged directory

During the process of admin takeover, you can prove ownership as described in Add a custom domain name to
Azure AD. The next sections explain the admin experience in more detail, but here's a summary:
When you perform an "internal" admin takeover of an unmanaged Azure directory, you are added as the
global administrator of the unmanaged directory. No users, domains, or service plans are migrated to any
other directory you administer.
When you perform an "external" admin takeover of an unmanaged Azure directory, you add the DNS
domain name of the unmanaged directory to your managed Azure directory. When you add the domain
name, a mapping of users to resources is created in your managed Azure directory so that users can
continue to access services without interruption.
Internal admin takeover

Some products that include SharePoint and OneDrive, such as Office 365, do not support external takeover. If that
is your scenario, or if you are an admin and want to take over an unmanaged or "shadow" Azure AD organization
create by users who used self-service sign-up, you can do this with an internal admin takeover.
1. Create a user context in the unmanaged organization through signing up for Power BI. For convenience of
example, these steps assume that path.
2. Open the Power BI site and select Star t Free . Enter a user account that uses the domain name for the
organization; for example, admin@fourthcoffee.xyz . After you enter in the verification code, check your email
for the confirmation code.
3. In the confirmation email from Power BI, select Yes, that's me .
4. Sign in to the Microsoft 365 admin center with the Power BI user account. You receive a message that
instructs you to Become the Admin of the domain name that was already verified in the unmanaged
organization. select Yes, I want to be the admin .
5. Add the TXT record to prove that you own the domain name four thcoffee.xyz at your domain name
registrar. In this example, it is GoDaddy.com.
When the DNS TXT records are verified at your domain name registrar, you can manage the Azure AD
organization.
When you complete the preceding steps, you are now the global administrator of the Fourth Coffee organization
in Office 365. To integrate the domain name with your other Azure services, you can remove it from Office 365 and
add it to a different managed organization in Azure.
Adding the domain name to a managed organization in Azure AD
1. Open the Microsoft 365 admin center.
2. Select Users tab, and create a new user account with a name like user@fourthcoffeexyz.onmicrosoft.com
that does not use the custom domain name.
3. Ensure that the new user account has global admin privileges for the Azure AD organization.
4. Open Domains tab in the Microsoft 365 admin center, select the domain name and select Remove .
5. If you have any users or groups in Office 365 that reference the removed domain name, they must be
renamed to the .onmicrosoft.com domain. If you force delete the domain name, all users are automatically
renamed, in this example to user@fourthcoffeexyz.onmicrosoft.com.
6. Sign in to the Azure AD admin center with an account that is the global admin for the Azure AD
organization.
7. Select Custom domain names , then add the domain name. You'll have to enter the DNS TXT records to
verify ownership of the domain name.
NOTE
Any users of Power BI or Azure Rights Management service who have licenses assigned in the Office 365 organization must
save their dashboards if the domain name is removed. They must sign in with a user name like
user@fourthcoffeexyz.onmicrosoft.com rather than user@fourthcoffee.xyz.
External admin takeover

If you already manage an organization with Azure services or Office 365, you cannot add a custom domain name if
it is already verified in another Azure AD organization. However, from your managed organization in Azure AD you
can take over an unmanaged organization as an external admin takeover. The general procedure follows the article
Add a custom domain to Azure AD.
When you verify ownership of the domain name, Azure AD removes the domain name from the unmanaged
organization and moves it to your existing organization. External admin takeover of an unmanaged directory
requires the same DNS TXT validation process as internal admin takeover. The difference is that the following are
also moved over with the domain name:
Users
Subscriptions
License assignments
Support for external admin takeover
External admin takeover is supported by the following online services:
Azure Rights Management
Exchange Online
The supported service plans include:
PowerApps Free
PowerFlow Free
RMS for individuals
Microsoft Stream
Dynamics 365 free trial
External admin takeover is not supported for any service that has service plans that include SharePoint, OneDrive,
or Skype For Business; for example, through an Office free subscription.
You can optionally use the ForceTakeover option for removing the domain name from the unmanaged
organization and verifying it on the desired organization.
More information about RMS for individuals
For RMS for individuals, when the unmanaged organization is in the same region as the organization that you
own, the automatically created Azure Information Protection organization key and default protection templates are
additionally moved over with the domain name.
The key and templates are not moved over when the unmanaged organization is in a different region. For example,
if the unmanaged organization is in Europe and the organization that you own is in North America.
Although RMS for individuals is designed to support Azure AD authentication to open protected content, it doesn't
prevent users from also protecting content. If users did protect content with the RMS for individuals subscription,
and the key and templates were not moved over, that content is not accessible after the domain takeover.
Azure AD PowerShell cmdlets for the ForceTakeover option
You can see these cmdlets used in PowerShell example.
C M DL ET USA GE
connect-msolservice When prompted, sign in to your managed organization.
get-msoldomain Shows your domain names associated with the current

organization.
new-msoldomain –name <domainname> Adds the domain name to organization as Unverified (no DNS
verification has been performed yet).
get-msoldomain The domain name is now included in the list of domain names
associated with your managed organization, but is listed as
Unverified .
get-msoldomainverificationdns –Domainname Provides the information to put into new DNS TXT record for
<domainname> –Mode DnsTxtRecord the domain (MS=xxxxx). Verification might not happen
immediately because it takes some time for the TXT record to
propagate, so wait a few minutes before considering the -
ForceTakeover option.
confirm-msoldomain –Domainname <domainname> – If your domain name is still not verified, you can proceed
ForceTakeover Force with the -ForceTakeover option. It verifies that the TXT
record was created and kicks off the takeover process.
The -ForceTakeover option should be added to the
cmdlet only when forcing an external admin takeover, such as
when the unmanaged organization has Office 365 services
blocking the takeover.
get-msoldomain The domain list now shows the domain name as Verified .
NOTE
The unmanaged Azure AD organization is deleted 10 days after you exercise the external takeover force option.
PowerShell example
1. Connect to Azure AD using the credentials that were used to respond to the self-service offering:
Install-Module -Name MSOnline

$msolcred = get-credential
connect-msolservice -credential $msolcred
2. Get a list of domains:
Get-MsolDomain
3. Run the Get-MsolDomainVerificationDns cmdlet to create a challenge:
Get-MsolDomainVerificationDns –DomainName *your_domain_name* –Mode DnsTxtRecord
For example:
Get-MsolDomainVerificationDns –DomainName contoso.com –Mode DnsTxtRecord
4. Copy the value (the challenge) that is returned from this command. For example:
MS=32DD01B82C05D27151EA9AE93C5890787F0E65D9
5. In your public DNS namespace, create a DNS txt record that contains the value that you copied in the
previous step. The name for this record is the name of the parent domain, so if you create this resource
record by using the DNS role from Windows Server, leave the Record name blank and just paste the value
into the Text box.
6. Run the Confirm-MsolDomain cmdlet to verify the challenge:
Confirm-MsolDomain –DomainName *your_domain_name* –ForceTakeover Force
For example:
Confirm-MsolDomain –DomainName contoso.com –ForceTakeover Force
A successful challenge returns you to the prompt without an error.
Next steps
Add a custom domain name to Azure AD
How to install and configure Azure PowerShell
Azure PowerShell
Azure Cmdlet Reference
Set-MsolCompanySettings
What is hybrid identity with Azure Active Directory?
Today, businesses, and corporations are becoming more and more a mixture of on-premises and cloud
applications. Users require access to those applications both on-premises and in the cloud. Managing users both
on-premises and in the cloud poses challenging scenarios.
Microsoft’s identity solutions span on-premises and cloud-based capabilities. These solutions create a common
user identity for authentication and authorization to all resources, regardless of location. We call this hybrid
identity .
With hybrid identity to Azure AD and hybrid identity management these scenarios become possible.
To achieve hybrid identity with Azure AD, one of three authentication methods can be used, depending on your
scenarios. The three methods are:
Password hash synchronization (PHS)
Pass-through authentication (PTA)
Federation (AD FS)
These authentication methods also provide single-sign on capabilities. Single-sign on automatically signs your
users in when they are on their corporate devices, connected to your corporate network.
For additional information, see Choose the right authentication method for your Azure Active Directory hybrid
identity solution.
Common scenarios and recommendations

Here are some common hybrid identity and access management scenarios with recommendations as to which
hybrid identity option (or options) might be appropriate for each.
I N EED TO : P H S A N D SSO 1 P TA A N D SSO 2 A D F S3
Sync new user, contact, and

group accounts created in
my on-premises Active
Directory to the cloud
automatically.
Set up my tenant for Office

365 hybrid scenarios.
Enable my users to sign in

and access cloud services
using their on-premises
password.
Implement single sign-on

using corporate credentials.
Ensure no password hashes

are stored in the cloud.
I N EED TO : P H S A N D SSO P TA A N D SSO AD FS
Enable cloud-based multi-

factor authentication
solutions.
Enable on-premises multi-

factor authentication
solutions.
Support smartcard
authentication for my
users.4
Display password expiry

notifications in the Office
Portal and on the Windows
10 desktop.
1 Password hash synchronization with single sign-on.
2 Pass-through authentication and single sign-on.
3 Federated single sign-on with AD FS.
4 AD FS can be integrated with your enterprise PKI to allow sign-in using certificates. These certificates can be
soft-certificates deployed via trusted provisioning channels such as MDM or GPO or smartcard certificates
(including PIV/CAC cards) or Hello for Business (cert-trust). For more information about smartcard
authentication support, see this blog.
License requirements for using Azure AD Connect

Using this feature is free and included in your Azure subscription.
Next Steps
What is Azure AD Connect and Connect Health?
What is password hash synchronization (PHS)?
What is pass-through authentication (PTA)?
What is federation?
What is single-sign on?
Manage app and resource access using Azure Active
Directory groups
Azure Active Directory (Azure AD) lets you use groups to manage access to your cloud-based apps, on-premises
apps, and your resources. Your resources can be part of the Azure AD organization, such as permissions to
manage objects through roles in Azure AD, or external to the organization, such as for Software as a Service
(SaaS) apps, Azure services, SharePoint sites, and on-premises resources.
NOTE
In the Azure portal, you can see some groups whose membership and group details you can't manage in the portal:
Groups synced from on-premises Active Directory can be managed only in on-premises Active Directory.
Other group types such as distribution lists and mail-enabled security groups are managed only in Exchange admin
center or Microsoft 365 admin center. You must sign in to Exchange admin center or Microsoft 365 admin center to
manage these groups.
How access management in Azure AD works

Azure AD helps you give access to your organization's resources by providing access rights to a single user or to
an entire Azure AD group. Using groups lets the resource owner (or Azure AD directory owner), assign a set of
access permissions to all the members of the group, instead of having to provide the rights one-by-one. The
resource or directory owner can also give management rights for the member list to someone else, such as a
department manager or a Helpdesk administrator, letting that person add and remove members, as needed. For
more information about how to manage group owners, see Manage group owners
Ways to assign access rights

There are four ways to assign resource access rights to your users:
Direct assignment. The resource owner directly assigns the user to the resource.
Group assignment. The resource owner assigns an Azure AD group to the resource, which automatically
gives all of the group members access to the resource. Group membership is managed by both the group
owner and the resource owner, letting either owner add or remove members from the group. For more
information about adding or removing group membership, see How to: Add or remove a group from
another group using the Azure Active Directory portal.
Rule-based assignment. The resource owner creates a group and uses a rule to define which users are
assigned to a specific resource. The rule is based on attributes that are assigned to individual users. The
resource owner manages the rule, determining which attributes and values are required to allow access the
resource. For more information, see Create a dynamic group and check status.
You can also Watch this short video for a quick explanation about creating and using dynamic groups:
External authority assignment. Access comes from an external source, such as an on-premises
directory or a SaaS app. In this situation, the resource owner assigns a group to provide access to the
resource and then the external source manages the group members.
Can users join groups without being assigned?

The group owner can let users find their own groups to join, instead of assigning them. The owner can also set up
the group to automatically accept all users that join or to require approval.
After a user requests to join a group, the request is forwarded to the group owner. If it's required, the owner can
approve the request and the user is notified of the group membership. However, if you have multiple owners and
one of them disapproves, the user is notified, but isn't added to the group. For more information and instructions
about how to let your users request to join groups, see Set up Azure AD so users can request to join groups
Next steps
Now that you have a bit of an introduction to access management using groups, you start to manage your
resources and apps.
Create a new group using Azure Active Directory or Create and manage a new group using PowerShell
cmdlets
Sync an on-premises group to Azure using Azure AD Connect
Create a basic group and add members using Azure
Active Directory
You can create a basic group using the Azure Active Directory (Azure AD) portal. For the purposes of this article,
a basic group is added to a single resource by the resource owner (administrator) and includes specific
members (employees) that need to access that resource. For more complex scenarios, including dynamic
memberships and rule creation, see the Azure Active Directory user management documentation.
Group and membership types

There are several group and membership types. The following information explains each group and
membership type and why they are used, to help you decide which options to use when you create a group.
Group types:
Security . Used to manage member and computer access to shared resources for a group of users. For
example, you can create a security group for a specific security policy. By doing it this way, you can give a set
of permissions to all the members at once, instead of having to add permissions to each member
individually. A security group can have users, devices, groups and service principals as its members and users
and service principals as its owners. For more info about managing access to resources, see Manage access
to resources with Azure Active Directory groups.
Microsoft 365 . Provides collaboration opportunities by giving members access to a shared mailbox,
calendar, files, SharePoint site, and more. This option also lets you give people outside of your organization
access to the group. An Microsoft 365 group can have only users as its members. Both users and service
principals can be owners of an Microsoft 365 group. For more info about Office 365 Groups, see Learn about
Microsoft 365 Groups.
Membership types:
Assigned. Lets you add specific users to be members of this group and to have unique permissions. For
the purposes of this article, we're using this option.
Dynamic user. Lets you use dynamic membership rules to automatically add and remove members. If a
member's attributes change, the system looks at your dynamic group rules for the directory to see if the
member meets the rule requirements (is added) or no longer meets the rules requirements (is removed).
Dynamic device. Lets you use dynamic group rules to automatically add and remove devices. If a
device's attributes change, the system looks at your dynamic group rules for the directory to see if the
device meets the rule requirements (is added) or no longer meets the rules requirements (is removed).
IMPORTANT
You can create a dynamic group for either devices or users, but not for both. You also can't create a device group
based on the device owners' attributes. Device membership rules can only reference device attributions. For more
info about creating a dynamic group for users and devices, see Create a dynamic group and check status

You can create a basic group and add your members at the same time. To create a basic group and add members
use the following procedure:
1. Sign in to the Azure portal using a Global administrator account for the directory.
3. On the Active Director y page, select Groups and then select New group .
4. The New Group pane will appear and you must fill out the required information.
5. Select a pre-defined Group type . For more information on group types, see Group and membership
types.
6. Create and add a Group name. Choose a name that you'll remember and that makes sense for the
group. A check will be performed to determine if the name is already in use by another group. If the name
is already in use, to avoid duplicate naming, you'll be asked to change the name of your group.
7. Add a Group email address for the group, or keep the email address that is filled in automatically.
8. Group description. Add an optional description to your group.
9. Select a pre-defined Membership type (required). For more information on membership types, see
Group and membership types.
10. Select Create . Your group is created and ready for you to add members.
11. Select the Members area from the Group page, and then begin searching for the members to add to
your group from the Select members page.
12. When you're done adding members, choose Select .

The Group Over view page updates to show the number of members who are now added to the group.
Turn on or off group welcome email
When any new Microsoft 365 group is created, whether with dynamic or static membership, a welcome
notification is sent to all users who are added to the group. When any attributes of a user or device change, all
dynamic group rules in the organization are processed for potential membership changes. Users who are added
then also receive the welcome notification. You can turn this behavior off in Exchange PowerShell.
Next steps
Manage access to SaaS apps using groups
Manage groups using PowerShell commands
Azure Active Directory version 2 cmdlets for group
management
This article contains examples of how to use PowerShell to manage your groups in Azure Active Directory (Azure
AD). It also tells you how to get set up with the Azure AD PowerShell module. First, you must download the Azure
AD PowerShell module.
Install the Azure AD PowerShell module

To install the Azure AD PowerShell module, use the following commands:
PS C:\Windows\system32> install-module azuread

PS C:\Windows\system32> import-module azuread
To verify that the module is ready to use, use the following command:
PS C:\Windows\system32> get-module azuread

---------- --------- ---- ----------------
Binary 2.0.0.115 azuread {Add-AzureADAdministrati...}
Now you can start using the cmdlets in the module. For a full description of the cmdlets in the Azure AD module,
please refer to the online reference documentation for Azure Active Directory PowerShell Version 2.
NOTE
The Azure AD PowerShell cmdlets does not work with the new Powershell 7 as it is based on .net Core. We are aware and
this is in the process of getting updated. As of now we suggest to use the Windows Powershell 5.x Module to be used for
Azure AD powershell operations.
Connect to the directory

Before you can start managing groups using Azure AD PowerShell cmdlets, you must connect your PowerShell
session to the directory you want to manage. Use the following command:
PS C:\Windows\system32> Connect-AzureAD
The cmdlet prompts you for the credentials you want to use to access your directory. In this example, we are using
karen@drumkit.onmicrosoft.com to access the demonstration directory. The cmdlet returns a confirmation to
show the session was connected successfully to your directory:
Account Environment Tenant ID

------- ----------- ---------
Karen@drumkit.onmicrosoft.com AzureCloud 85b5ff1e-0402-400c-9e3c-0f…
Now you can start using the AzureAD cmdlets to manage groups in your directory.
Retrieve groups
To retrieve existing groups from your directory, use the Get-AzureADGroups cmdlet.
To retrieve all groups in the directory, use the cmdlet without parameters:
PS C:\Windows\system32> get-azureadgroup
The cmdlet returns all groups in the connected directory.

You can use the -objectID parameter to retrieve a specific group for which you specify the group’s objectID:
PS C:\Windows\system32> get-azureadgroup -ObjectId e29bae11-4ac0-450c-bc37-6dae8f3da61b
The cmdlet now returns the group whose objectID matches the value of the parameter you entered:
DeletionTimeStamp :
ObjectId : e29bae11-4ac0-450c-bc37-6dae8f3da61b
ObjectType : Group
Description :
DirSyncEnabled :
DisplayName : Pacific NW Support
LastDirSyncTime :
Mail :
MailEnabled : False
MailNickName : 9bb4139b-60a1-434a-8c0d-7c1f8eee2df9
OnPremisesSecurityIdentifier :
ProvisioningErrors : {}
ProxyAddresses : {}
SecurityEnabled : True
You can search for a specific group using the -filter parameter. This parameter takes an ODATA filter clause and
returns all groups that match the filter, as in the following example:
PS C:\Windows\system32> Get-AzureADGroup -Filter "DisplayName eq 'Intune Administrators'"
DeletionTimeStamp :
ObjectId : 31f1ff6c-d48c-4f8a-b2e1-abca7fd399df
ObjectType : Group
Description : Intune Administrators
DirSyncEnabled :
DisplayName : Intune Administrators
LastDirSyncTime :
Mail :
MailEnabled : False
MailNickName : 4dd067a0-6515-4f23-968a-cc2ffc2eff5c
ProxyAddresses : {}
NOTE
The Azure AD PowerShell cmdlets implement the OData query standard. For more information, see $filter in OData system
query options using the OData endpoint.
Create groups
To create a new group in your directory, use the New-AzureADGroup cmdlet. This cmdlet creates a new security
group called “Marketing":
PS C:\Windows\system32> New-AzureADGroup -Description "Marketing" -DisplayName "Marketing" -MailEnabled

$false -SecurityEnabled $true -MailNickName "Marketing"
Update groups
To update an existing group, use the Set-AzureADGroup cmdlet. In this example, we’re changing the DisplayName
property of the group “Intune Administrators.” First, we’re finding the group using the Get-AzureADGroup cmdlet
and filter using the DisplayName attribute:
DeletionTimeStamp :
ObjectType : Group
Description : Intune Administrators
DirSyncEnabled :
LastDirSyncTime :
Mail :
MailEnabled : False
ProxyAddresses : {}
Next, we’re changing the Description property to the new value “Intune Device Administrators”:
PS C:\Windows\system32> Set-AzureADGroup -ObjectId 31f1ff6c-d48c-4f8a-b2e1-abca7fd399df -Description

"Intune Device Administrators"
Now, if we find the group again, we see the Description property is updated to reflect the new value:
DeletionTimeStamp :
ObjectType : Group
Description : Intune Device Administrators
DirSyncEnabled :
LastDirSyncTime :
Mail :
MailEnabled : False
ProxyAddresses : {}
Delete groups
To delete groups from your directory, use the Remove-AzureADGroup cmdlet as follows:
PS C:\Windows\system32> Remove-AzureADGroup -ObjectId b11ca53e-07cc-455d-9a89-1fe3ab24566b
Manage group membership

Add members
To add new members to a group, use the Add-AzureADGroupMember cmdlet. This command adds a member to
the Intune Administrators group we used in the previous example:
PS C:\Windows\system32> Add-AzureADGroupMember -ObjectId 31f1ff6c-d48c-4f8a-b2e1-abca7fd399df -

RefObjectId 72cd4bbd-2594-40a2-935c-016f3cfeeeea
The -ObjectId parameter is the ObjectID of the group to which we want to add a member, and the -RefObjectId is
the ObjectID of the user we want to add as a member to the group.
Get members
To get the existing members of a group, use the Get-AzureADGroupMember cmdlet, as in this example:
PS C:\Windows\system32> Get-AzureADGroupMember -ObjectId 31f1ff6c-d48c-4f8a-b2e1-abca7fd399df
DeletionTimeStamp ObjectId ObjectType

----------------- -------- ----------
72cd4bbd-2594-40a2-935c-016f3cfeeeea User
8120cc36-64b4-4080-a9e8-23aa98e8b34f User
Remove members
To remove the member we previously added to the group, use the Remove-AzureADGroupMember cmdlet, as is
shown here:
PS C:\Windows\system32> Remove-AzureADGroupMember -ObjectId 31f1ff6c-d48c-4f8a-b2e1-abca7fd399df -

MemberId 72cd4bbd-2594-40a2-935c-016f3cfeeeea
Verify members
To verify the group memberships of a user, use the Select-AzureADGroupIdsUserIsMemberOf cmdlet. This cmdlet
takes as its parameters the ObjectId of the user for which to check the group memberships, and a list of groups
for which to check the memberships. The list of groups must be provided in the form of a complex variable of
type “Microsoft.Open.AzureAD.Model.GroupIdsForMembershipCheck”, so we first must create a variable with that
type:
PS C:\Windows\system32> $g = new-object Microsoft.Open.AzureAD.Model.GroupIdsForMembershipCheck
Next, we provide values for the groupIds to check in the attribute “GroupIds” of this complex variable:
PS C:\Windows\system32> $g.GroupIds = "b11ca53e-07cc-455d-9a89-1fe3ab24566b", "31f1ff6c-d48c-4f8a-b2e1-

abca7fd399df"
Now, if we want to check the group memberships of a user with ObjectID 72cd4bbd-2594-40a2-935c-
016f3cfeeeea against the groups in $g, we should use:
PS C:\Windows\system32> Select-AzureADGroupIdsUserIsMemberOf -ObjectId 72cd4bbd-2594-40a2-935c-
016f3cfeeeea -GroupIdsForMembershipCheck $g
OdataMetadata
Value
-------------
-----
https://graph.windows.net/85b5ff1e-0402-400c-9e3c-0f9e965325d1/$metadata#Collection(Edm.String)
{31f1ff6c-d48c-4f8a-b2e1-abca7fd399df}
The value returned is a list of groups of which this user is a member. You can also apply this method to check
Contacts, Groups or Service Principals membership for a given list of groups, using Select-
AzureADGroupIdsContactIsMemberOf, Select-AzureADGroupIdsGroupIsMemberOf or Select-
AzureADGroupIdsServicePrincipalIsMemberOf
Disable group creation by your users

You can prevent non-admin users from creating security groups. The default behavior in Microsoft Online
Directory Services (MSODS) is to allow non-admin users to create groups, whether or not self-service group
management (SSGM) is also enabled. The SSGM setting controls behavior only in the My Apps access panel.
To disable group creation for non-admin users:
1. Verify that non-admin users are allowed to create groups:
PS C:\> Get-MsolCompanyInformation | fl UsersPermissionToCreateGroupsEnabled
2. If it returns UsersPermissionToCreateGroupsEnabled : True , then non-admin users can create groups. To

disable this feature:
Set-MsolCompanySettings -UsersPermissionToCreateGroupsEnabled $False
Manage owners of groups

To add owners to a group, use the Add-AzureADGroupOwner cmdlet:
PS C:\Windows\system32> Add-AzureADGroupOwner -ObjectId 31f1ff6c-d48c-4f8a-b2e1-abca7fd399df -RefObjectId

72cd4bbd-2594-40a2-935c-016f3cfeeeea
The -ObjectId parameter is the ObjectID of the group to which we want to add an owner, and the -RefObjectId is
the ObjectID of the user or service principal we want to add as an owner of the group.
To retrieve the owners of a group, use the Get-AzureADGroupOwner cmdlet:
PS C:\Windows\system32> Get-AzureADGroupOwner -ObjectId 31f1ff6c-d48c-4f8a-b2e1-abca7fd399df
The cmdlet returns the list of owners (users and service principals) for the specified group:
DeletionTimeStamp ObjectId ObjectType

----------------- -------- ----------
e831b3fd-77c9-49c7-9fca-de43e109ef67 User
If you want to remove an owner from a group, use the Remove-AzureADGroupOwner cmdlet:
PS C:\Windows\system32> remove-AzureADGroupOwner -ObjectId 31f1ff6c-d48c-4f8a-b2e1-abca7fd399df -OwnerId
e831b3fd-77c9-49c7-9fca-de43e109ef67
Reserved aliases
When a group is created, certain endpoints allow the end user to specify a mailNickname or alias to be used as
part of the email address of the group. Groups with the following highly privileged email aliases can only be
created by an Azure AD global administrator.
abuse
admin
administrator
hostmaster
majordomo
postmaster
root
secure
security
ssl-admin
webmaster
Group writeback to on-premises (preview)

Today, many groups are still managed in on-premises Active Directory. To answer requests to sync cloud groups
back to on-premises, Office 365 groups writeback feature for Azure AD is now available for preview.
Office 365 groups are created and managed in the cloud. The writeback capability allows you to write back Office
365 groups as distribution groups to an Active Directory forest with Exchange installed. Users with on-premises
Exchange mailboxes can then send and receive emails from these groups. The group writeback feature doesn't
support Azure AD security groups or distribution groups.
For more details, please refer to documentation for the Azure AD Connect sync service.
Office 365 group writeback is a public preview feature of Azure Active Directory (Azure AD) and is available with
any paid Azure AD license plan. For some legal information about previews, see Supplemental Terms of Use for
Microsoft Azure Previews.
Next steps
You can find more Azure Active Directory PowerShell documentation at Azure Active Directory Cmdlets.
Managing access to resources with Azure Active Directory groups
Integrating your on-premises identities with Azure Active Directory
Azure Active Directory cmdlets for configuring
group settings
This article contains instructions for using Azure Active Directory (Azure AD) PowerShell cmdlets to create and
update groups. This content applies only to Microsoft 365 groups (sometimes called unified groups).
IMPORTANT
Some settings require an Azure Active Directory Premium P1 license. For more information, see the Template settings table.
For more information on how to prevent non-administrator users from creating security groups, set
Set-MsolCompanySettings -UsersPermissionToCreateGroupsEnabled $False as described in Set-
MSOLCompanySettings.
Microsoft 365 groups settings are configured using a Settings object and a SettingsTemplate object. Initially, you
don't see any Settings objects in your directory, because your directory is configured with the default settings. To
change the default settings, you must create a new settings object using a settings template. Settings templates
are defined by Microsoft. There are several different settings templates. To configure Microsoft 365 group settings
for your directory, you use the template named "Group.Unified". To configure Microsoft 365 group settings on a
single group, use the template named "Group.Unified.Guest". This template is used to manage guest access to an
Microsoft 365 group.
The cmdlets are part of the Azure Active Directory PowerShell V2 module. For instructions how to download and
install the module on your computer, see the article Azure Active Directory PowerShell Version 2. You can install
the version 2 release of the module from the PowerShell gallery.
Install PowerShell cmdlets

Be sure to uninstall any older version of the Azure Active Directory PowerShell for Graph Module for Windows
PowerShell and install Azure Active Directory PowerShell for Graph - Public Preview Release (later than 2.0.0.137)
before you run the PowerShell commands.
1. Open the Windows PowerShell app as an administrator.
2. Uninstall any previous version of AzureADPreview.
Uninstall-Module AzureADPreview
Uninstall-Module azuread
3. Install the latest version of AzureADPreview.
Install-Module AzureADPreview
Create settings at the directory level

These steps create settings at directory level, which apply to all Microsoft 365 groups in the directory. The Get-
AzureADDirectorySettingTemplate cmdlet is available only in the Azure AD PowerShell Preview module for Graph.
1. In the DirectorySettings cmdlets, you must specify the ID of the SettingsTemplate you want to use. If you do
not know this ID, this cmdlet returns the list of all settings templates:
Get-AzureADDirectorySettingTemplate
This cmdlet call returns all templates that are available:
Id DisplayName Description
-- ----------- -----------
62375ab9-6b52-47ed-826b-58e47e0e304b Group.Unified ...
08d542b9-071f-4e16-94b0-74abb372e3d9 Group.Unified.Guest Settings for a specific Microsoft 365 group
16933506-8a8d-4f0d-ad58-e1db05a5b929 Company.BuiltIn Setting templates define the different
settings that can be used for the associ...
4bc7f740-180e-4586-adb6-38b2e9024e6b Application...
898f1161-d651-43d1-805c-3b0b388a9fc2 Custom Policy Settings ...
5cf42378-d67d-4f36-ba46-e8b86229381d Password Rule Settings ...
2. To add a usage guideline URL, first you need to get the SettingsTemplate object that defines the usage
guideline URL value; that is, the Group.Unified template:
$TemplateId = (Get-AzureADDirectorySettingTemplate | where { $_.DisplayName -eq "Group.Unified" }).Id

$Template = Get-AzureADDirectorySettingTemplate | where -Property Id -Value $TemplateId -EQ
3. Next, create a new settings object based on that template:
$Setting = $Template.CreateDirectorySetting()
4. Then update the usage guideline value:
$Setting["UsageGuidelinesUrl"] = "https://guideline.example.com"
5. Then apply the setting:
New-AzureADDirectorySetting -DirectorySetting $Setting
6. You can read the values using:
$Setting.Values
Update settings at the directory level

To update the value for UsageGuideLinesUrl in the setting template, read the current settings from Azure AD,
otherwise we could end up overwriting existing settings other than the UsageGuideLinesUrl.
1. Get the current settings from the Group.Unified SettingsTemplate:
$Setting = Get-AzureADDirectorySetting | ? { $_.DisplayName -eq "Group.Unified"}
2. Check the current settings:

$Setting.Values
Output:
Name Value
---- -----
EnableMIPLabels false
CustomBlockedWordsList
EnableMSStandardBlockedWords False
ClassificationDescriptions
DefaultClassification
PrefixSuffixNamingRequirement
AllowGuestsToBeGroupOwner False
AllowGuestsToAccessGroups True
GuestUsageGuidelinesUrl
GroupCreationAllowedGroupId
AllowToAddGuests True
UsageGuidelinesUrl https://guideline.example.com
ClassificationList
EnableGroupCreation True
3. To remove the value of UsageGuideLinesUrl, edit the URL to be an empty string:
$Setting["UsageGuidelinesUrl"] = ""
4. Save update to the directory:
Set-AzureADDirectorySetting -Id $Setting.Id -DirectorySetting $Setting
Template settings
Here are the settings defined in the Group.Unified SettingsTemplate. Unless otherwise indicated, these features
require an Azure Active Directory Premium P1 license.
SET T IN G DESC RIP T IO N
EnableGroupCreation The flag indicating whether Microsoft 365 group creation is

Type: Boolean allowed in the directory by non-admin users. This setting
Default: True does not require an Azure Active Directory Premium P1
license.
GroupCreationAllowedGroupId GUID of the security group for which the members are
Type: String allowed to create Microsoft 365 groups even when
Default: "" EnableGroupCreation == false.
UsageGuidelinesUrl A link to the Group Usage Guidelines.

Type: String
Default: ""
ClassificationDescriptions A comma-delimited list of classification descriptions. The value

Type: String of ClassificationDescriptions is only valid in this format:
Default: "" $setting["ClassificationDescriptions"]
="Classification:Description,Classification:Description"
where Classification matches an entry in the ClassificationList.
This setting does not apply when EnableMIPLabels == True.
DefaultClassification The classification that is to be used as the default classification

Type: String for a group if none was specified.
Default: "" This setting does not apply when EnableMIPLabels == True.
PrefixSuffixNamingRequirement String of a maximum length of 64 characters that defines the

Type: String naming convention configured for Microsoft 365 groups. For
Default: "" more information, see Enforce a naming policy for Microsoft
365 groups.
CustomBlockedWordsList Comma-separated string of phrases that users will not be

Type: String permitted to use in group names or aliases. For more
Default: "" information, see Enforce a naming policy for Microsoft 365
groups.
EnableMSStandardBlockedWords Do not use

Type: Boolean
Default: "False"
AllowGuestsToBeGroupOwner Boolean indicating whether or not a guest user can be an

Type: Boolean owner of groups.
Default: False
AllowGuestsToAccessGroups Boolean indicating whether or not a guest user can have

Type: Boolean access to Microsoft 365 groups content. This setting does not
Default: True require an Azure Active Directory Premium P1 license.
GuestUsageGuidelinesUrl The url of a link to the guest usage guidelines.

Type: String
Default: ""
AllowToAddGuests A boolean indicating whether or not is allowed to add guests

Type: Boolean to this directory.
Default: True This setting may be overridden and become read-only if
EnableMIPLabels is set to True and a guest policy is
associated with the sensitivity label assigned to the group.
If the AllowToAddGuests setting is set to False at the
organization level, any AllowToAddGuests setting at the
group level is ignored. If you want to enable guest access for
only a few groups, you must set AllowToAddGuests to be true
at the organization level, and then selectively disable it for
specific groups.
ClassificationList A comma-delimited list of valid classification values that can

Type: String be applied to Microsoft 365 groups.
Default: "" This setting does not apply when EnableMIPLabels == True.
EnableMIPLabels The flag indicating whether sensitivity labels published in

Type: Boolean Microsoft 365 Compliance Center can be applied to Microsoft
Default: "False" 365 groups. For more information, see Assign Sensitivity
Labels for Microsoft 365 groups.
Example: Configure Guest policy for groups at the directory level

1. Get all the setting templates:
2. To set guest policy for groups at the directory level, you need Group.Unified template
$Template = Get-AzureADDirectorySettingTemplate | where -Property Id -Value "62375ab9-6b52-47ed-826b-

58e47e0e304b" -EQ
3. Next, create a new settings object based on that template:
$Setting = $template.CreateDirectorySetting()
4. Then update AllowToAddGuests setting
$Setting["AllowToAddGuests"] = $False
5. Then apply the setting:
Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value

"Group.Unified" -EQ).id -DirectorySetting $Setting
6. You can read the values using:
$Setting.Values
Read settings at the directory level

If you know the name of the setting you want to retrieve, you can use the below cmdlet to retrieve the current
settings value. In this example, we're retrieving the value for a setting named "UsageGuidelinesUrl."
(Get-AzureADDirectorySetting).Values | Where-Object -Property Name -Value UsageGuidelinesUrl -EQ
These steps read settings at directory level, which apply to all Office groups in the directory.
1. Read all existing directory settings:
Get-AzureADDirectorySetting -All $True
This cmdlet returns a list of all directory settings:
Id DisplayName TemplateId Values

-- ----------- ---------- ------
c391b57d-5783-4c53-9236-cefb5c6ef323 Group.Unified 62375ab9-6b52-47ed-826b-58e47e0e304b {class
SettingValue {...
2. Read all settings for a specific group:
Get-AzureADObjectSetting -TargetObjectId ab6a3887-776a-4db7-9da4-ea2b0d63c504 -TargetType Groups
3. Read all directory settings values of a specific directory settings object, using Settings ID GUID:
(Get-AzureADDirectorySetting -Id c391b57d-5783-4c53-9236-cefb5c6ef323).values
This cmdlet returns the names and values in this settings object for this specific group:
Name Value
---- -----
ClassificationDescriptions
DefaultClassification
PrefixSuffixNamingRequirement
CustomBlockedWordsList
AllowGuestsToBeGroupOwner False
AllowGuestsToAccessGroups True
GuestUsageGuidelinesUrl
GroupCreationAllowedGroupId
AllowToAddGuests True
UsageGuidelinesUrl https://guideline.example.com
ClassificationList
EnableGroupCreation True
Remove settings at the directory level

This step removes settings at directory level, which apply to all Office groups in the directory.
Remove-AzureADDirectorySetting –Id c391b57d-5783-4c53-9236-cefb5c6ef323c
Create settings for a specific group

1. Search for the settings template named "Groups.Unified.Guest"
Id DisplayName Description
-- ----------- -----------
62375ab9-6b52-47ed-826b-58e47e0e304b Group.Unified ...
08d542b9-071f-4e16-94b0-74abb372e3d9 Group.Unified.Guest Settings for a specific Microsoft 365 group
4bc7f740-180e-4586-adb6-38b2e9024e6b Application ...
898f1161-d651-43d1-805c-3b0b388a9fc2 Custom Policy Settings ...
5cf42378-d67d-4f36-ba46-e8b86229381d Password Rule Settings ...
2. Retrieve the template object for the Groups.Unified.Guest template:
$Template1 = Get-AzureADDirectorySettingTemplate | where -Property Id -Value "08d542b9-071f-4e16-94b0-

74abb372e3d9" -EQ
3. Create a new settings object from the template:
$SettingCopy = $Template1.CreateDirectorySetting()
4. Set the setting to the required value:
$SettingCopy["AllowToAddGuests"]=$False
5. Get the ID of the group you want to apply this setting to:
$groupID= (Get-AzureADGroup -SearchString "YourGroupName").ObjectId
6. Create the new setting for the required group in the directory:
New-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupID -DirectorySetting $SettingCopy
7. To verify the settings, run this command:
Get-AzureADObjectSetting -TargetObjectId $groupID -TargetType Groups | fl Values
Update settings for a specific group

1. Get the ID of the group whose setting you want to update:
$groupID= (Get-AzureADGroup -SearchString "YourGroupName").ObjectId
2. Retrieve the setting of the group:
$Setting = Get-AzureADObjectSetting -TargetObjectId $groupID -TargetType Groups
3. Update the setting of the group as you need, e.g.
$Setting["AllowToAddGuests"] = $True
4. Then get the ID of the setting for this specific group:
Get-AzureADObjectSetting -TargetObjectId $groupID -TargetType Groups
You will get a response similar to this:

Id DisplayName TemplateId
Values
-- ----------- ----------- ----
------
2dbee4ca-c3b6-4f0d-9610-d15569639e1a Group.Unified.Guest 08d542b9-071f-4e16-94b0-74abb372e3d9
{class SettingValue {...
5. Then you can set the new value for this setting:
Set-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupID -Id 2dbee4ca-c3b6-4f0d-9610-

d15569639e1a -DirectorySetting $Setting
6. You can read the value of the setting to make sure it has been updated correctly:
Get-AzureADObjectSetting -TargetObjectId $groupID -TargetType Groups | fl Values
Cmdlet syntax reference

You can find more Azure Active Directory PowerShell documentation at Azure Active Directory Cmdlets.
Additional reading
Search groups and members (preview) in Azure
Active Directory
This article tells you how to search for members and owners of a group and how to use search filters as part of the
groups improvement preview in the Azure Active Directory (Azure AD) portal. There are lots of improvements in
the groups experiences to help you manage your groups, including members and owners, quickly and easily. For
more information about previews, see Supplemental Terms of Use for Microsoft Azure Previews.
Changes in this preview include:
New groups search capabilities, such as substring search in group names
New filtering and sorting options on member and owner lists
New search capabilities for member and owner lists
More accurate group counts for large groups
Enabling and managing the preview

We’ve made it easy to join the preview:
1. Sign in to the Azure AD portal, and select Groups .
2. From the Groups – All groups page, select the banner at the top of the page to join the preview.
You can also check out the the latest features and improvements by selecting Preview info on the All groups
page. After you join the preview, you can see the preview tag on all groups pages that have improvements and are
part of the preview. Not every groups page has been updated as part of this preview.
If you are having any issues, you can switch back the legacy experience by selecting the banner at the top of the All
groups page. We appreciate your feedback so that we can improve our experience.
Group search and sorting

The groups list search has been enhanced so that when you can enter a search string, the search automatically
perform a startswith and substring search on the list of group names. The substring search is performed only on
whole words, and doesn't include special characters. Substring search is case-sensitive.
For example, a search for “policy” will now return both "MDM policy – West" and "Policy group." A group named
"New_policy" wouldn't be returned.
You can perform the same search on group membership lists as well.
You can now sort the groups list by name using the arrows to the right of the name column heading to sort the
list in ascending or descending order.
Group member search and filtering

Search group member and owner lists
You can now search the members of a specific group by name, and perform the same search on the list of a the
group's owners as well. In the new experience, if you enter a string in the search box, a startswith search will
automatically performed. For example, a search for “Scott” will return Scott Wilkinson.
Filter member and owners list

In addition to search, now you can filter the member and owner lists by user type. This is the information found in
the User Type column of the list. So, you can filter the list by members and guests to determine if there are any
guests in the group.
View and manage membership
In addition to viewing the direct members of a specific group, you can now view the list of all members of the
group within the Members page. The members list includes all the unique members of group including any
transitive members.
You can also search and filter the direct members list and the all members list individually. Filtering the all members
list does not affect the filters that are applied on the direct members list.
Improved group member counts

We’ve improved the group Over view page to provide group member counts for groups of all sizes. You can see
the member counts even for groups with more than 1,000 members. You can now see the total number of direct
members for a group and the total membership count (all the unique members of group including transitive
members) on the Over view page.
Next steps
These articles provide additional information on working with groups in Azure AD.
View your groups and members
Manage group membership
Manage dynamic rules for users in a group
Edit your group settings
Manage access to resources using groups
Manage access to SaaS apps using groups
Add an Azure subscription to Azure Active Directory
Add or remove group members using Azure Active
Directory
Using Azure Active Directory, you can continue to add and remove group members.
To add group members

2. Select Azure Active Director y , and then select Groups .
3. From the Groups - All groups page, search for and select the group you want to add the member to. In
this case, use our previously created group, MDM policy - West .
4. From the MDM policy - West Over view page, select Members from the Manage area.
5. Select Add members , and then search and select each of the members you want to add to the group, and
then choose Select .
You'll get a message that says the members were added successfully.
6. Refresh the screen to see all of the member names added to the group.
To remove group members

1. From the Groups - All groups page, search for and select the group you want to remove the member
from. Again we'll use, MDM policy - West .
2. Select Members from the Manage area, search for and select the name of the member to remove, and
then select Remove .
Next steps
Associate or add an Azure subscription to Azure Active Directory
Create or update a dynamic group in Azure Active
Directory
In Azure Active Directory (Azure AD), you can use rules to determine group membership based on user or device
properties. This article tells how to set up a rule for a dynamic group in the Azure portal. Dynamic membership
is supported for security groups or Microsoft 365 Groups. When a group membership rule is applied, user and
device attributes are evaluated for matches with the membership rule. When an attribute changes for a user or
device, all dynamic group rules in the organization are processed for membership changes. Users and devices
are added or removed if they meet the conditions for a group. Security groups can be used for either devices or
users, but Microsoft 365 Groups can be only user groups.
Rule builder in the Azure portal

Azure AD provides a rule builder to create and update your important rules more quickly. The rule builder
supports the construction up to five expressions. The rule builder makes it easier to form a rule with a few simple
expressions, however, it can't be used to reproduce every rule. If the rule builder doesn't support the rule you
want to create, you can use the text box.
Here are some examples of advanced rules or syntax for which we recommend that you construct using the text
box:
Rule with more than five expressions
The Direct reports rule
Setting operator precedence
Rules with complex expressions; for example (user.proxyAddresses -any (_ -contains "contoso"))
NOTE
The rule builder might not be able to display some rules constructed in the text box. You might see a message when the
rule builder is not able to display the rule. The rule builder doesn't change the supported syntax, validation, or processing
of dynamic group rules in any way.
For examples of syntax, supported properties, operators, and values for a membership rule, see Dynamic
membership rules for groups in Azure Active Directory.
To create a group membership rule

1. Sign in to the Azure AD admin center with an account that is in the Global administrator, Intune
administrator, or User administrator role in the Azure AD organization.
2. Search for and select Groups .
3. Select All groups , and select New group .
4. On the Group page, enter a name and description for the new group. Select a Membership type for
either users or devices, and then select Add dynamic quer y . The rule builder supports up to five
expressions. To add more than five expressions, you must use the text box.
5. To see the custom extension properties available for your membership query:
a. Select Get custom extension proper ties
b. Enter the application ID, and then select Refresh proper ties .
6. After creating the rule, select Save .
7. Select Create on the New group page to create the group.
If the rule you entered isn't valid, an explanation of why the rule couldn't be processed is displayed in an Azure
notification in the portal. Read it carefully to understand how to fix the rule.
To update an existing rule

1. Sign in to the Azure AD admin center with an account that is in the Global administrator, Group
administrator, Intune administrator, or User administrator role in the Azure AD organization.
2. Select Groups > All groups .
3. Select a group to open its profile.
4. On the profile page for the group, select Dynamic membership rules . The rule builder supports up to
five expressions. To add more than five expressions, you must use the text box.
5. To see the custom extension properties available for your membership rule:
a. Select Get custom extension proper ties
b. Enter the application ID, and then select Refresh proper ties .
6. After updating the rule, select Save .
Turn on or off welcome email

When a new Microsoft 365 group is created, a welcome email notification is sent the users who are added to the
group. Later, if any attributes of a user or device change, all dynamic group rules in the organization are
processed for membership changes. Users who are added then also receive the welcome notification. You can
turn off this behavior in Exchange PowerShell.
Check processing status for a rule

You can see the membership processing status and the last updated date on the Over view page for the group.
The following status messages can be shown for Membership processing status:
Evaluating : The group change has been received and the updates are being evaluated.
Processing : Updates are being processed.
Update complete : Processing has completed and all applicable updates have been made.
Processing error : Processing couldn't be completed because of an error evaluating the membership rule.
Update paused : Dynamic membership rule updates have been paused by the administrator.
MembershipRuleProcessingState is set to “Paused”.
The following status messages can be shown for Membership last updated status:
<Date and time >: The last time the membership was updated.
In Progress : Updates are currently in progress.
Unknown : The last update time can't be retrieved. The group might be new.
If an error occurs while processing the membership rule for a specific group, an alert is shown on the top of the
Over view page for the group. If no pending dynamic membership updates can be processed for all the groups
within the organization for more than 24 hours, an alert is shown on the top of All groups .
These articles provide additional information on groups in Azure Active Directory.

See existing groups
Create a new group and adding members
Manage settings of a group
Manage memberships of a group
Dynamic membership rules for groups in Azure
Active Directory
In Azure Active Directory (Azure AD), you can create complex attribute-based rules to enable dynamic
memberships for groups. Dynamic group membership reduces the administrative overhead of adding and
removing users. This article details the properties and syntax to create dynamic membership rules for users or
devices. You can set up a rule for dynamic membership on security groups or Microsoft 365 groups.
When any attributes of a user or device change, the system evaluates all dynamic group rules in a directory to see
if the change would trigger any group adds or removes. If a user or device satisfies a rule on a group, they are
added as a member of that group. If they no longer satisfy the rule, they are removed. You can't manually add or
remove a member of a dynamic group.
You can create a dynamic group for devices or for users, but you can't create a rule that contains both users
and devices.
You can't create a device group based on the device owners' attributes. Device membership rules can only
reference device attributes.
NOTE
This feature requires an Azure AD Premium P1 license for each unique user that is a member of one or more dynamic
groups. You don't have to assign licenses to users for them to be members of dynamic groups, but you must have the
minimum number of licenses in the Azure AD organization to cover all such users. For example, if you had a total of 1,000
unique users in all dynamic groups in your organization, you would need at least 1,000 licenses for Azure AD Premium P1
to meet the license requirement. No license is required for devices that are members of a dynamic device group.
Rule builder in the Azure portal

Azure AD provides a rule builder to create and update your important rules more quickly. The rule builder
supports the construction of up to five expressions. The rule builder makes it easier to form a rule with a few
simple expressions, however, it can't be used to reproduce every rule. If the rule builder doesn't support the rule
you want to create, you can use the text box.
Here are some examples of advanced rules or syntax for which we recommend that you construct using the text
box:
Rule with more than five expressions
The Direct reports rule
Setting operator precedence
Rules with complex expressions; for example (user.proxyAddresses -any (_ -contains "contoso"))
NOTE
The rule builder might not be able to display some rules constructed in the text box. You might see a message when the rule
builder is not able to display the rule. The rule builder doesn't change the supported syntax, validation, or processing of
dynamic group rules in any way.
For more step-by-step instructions, see Create or update a dynamic group.

Rule syntax for a single expression
A single expression is the simplest form of a membership rule and only has the three parts mentioned above. A
rule with a single expression looks similar to this: Property Operator Value , where the syntax for the property is
the name of object.property.
The following is an example of a properly constructed membership rule with a single expression:
user.department -eq "Sales"
Parentheses are optional for a single expression. The total length of the body of your membership rule cannot
exceed 2048 characters.
Constructing the body of a membership rule

A membership rule that automatically populates a group with users or devices is a binary expression that results
in a true or false outcome. The three parts of a simple rule are:
Property
Operator
Value
The order of the parts within an expression are important to avoid syntax errors.
Supported properties
There are three types of properties that can be used to construct a membership rule.
Boolean
String
String collection
The following are the user properties that you can use to create a single expression.
Properties of type boolean
P RO P ERT IES A L LO W ED VA L UES USA GE
accountEnabled true false user.accountEnabled -eq true
dirSyncEnabled true false user.dirSyncEnabled -eq true
Properties of type string

city Any string value or null (user.city -eq "value")
country Any string value or null (user.country -eq "value")
companyName Any string value or null (user.companyName -eq "value")
department Any string value or null (user.department -eq "value")
displayName Any string value (user.displayName -eq "value")
employeeId Any string value (user.employeeId -eq "value")

(user.employeeId -ne null)
facsimileTelephoneNumber Any string value or null (user.facsimileTelephoneNumber -eq

"value")
givenName Any string value or null (user.givenName -eq "value")
jobTitle Any string value or null (user.jobTitle -eq "value")
mail Any string value or null (SMTP address (user.mail -eq "value")
of the user)
mailNickName Any string value (mail alias of the user) (user.mailNickName -eq "value")
mobile Any string value or null (user.mobile -eq "value")
objectId GUID of the user object (user.objectId -eq "11111111-1111-

1111-1111-111111111111")
onPremisesSecurityIdentifier On-premises security identifier (SID) for (user.onPremisesSecurityIdentifier -eq

users who were synchronized from on- "S-1-1-11-1111111111-1111111111-
premises to the cloud. 1111111111-1111111")
passwordPolicies None DisableStrongPassword (user.passwordPolicies -eq

DisablePasswordExpiration "DisableStrongPassword")
DisablePasswordExpiration,
DisableStrongPassword
physicalDeliveryOfficeName Any string value or null (user.physicalDeliveryOfficeName -eq

"value")
postalCode Any string value or null (user.postalCode -eq "value")

preferredLanguage ISO 639-1 code (user.preferredLanguage -eq "en-US")
sipProxyAddress Any string value or null (user.sipProxyAddress -eq "value")
state Any string value or null (user.state -eq "value")
streetAddress Any string value or null (user.streetAddress -eq "value")
surname Any string value or null (user.surname -eq "value")
telephoneNumber Any string value or null (user.telephoneNumber -eq "value")
usageLocation Two lettered country/region code (user.usageLocation -eq "US")
userPrincipalName Any string value (user.userPrincipalName -eq

"alias@domain")
userType member guest null (user.userType -eq "Member")
Properties of type string collection

otherMails Any string value (user.otherMails -contains

"alias@domain")
proxyAddresses SMTP: alias@domain smtp: (user.proxyAddresses -contains "SMTP:

alias@domain alias@domain")
For the properties used for device rules, see Rules for devices.
Supported expression operators

The following table lists all the supported operators and their syntax for a single expression. Operators can be
used with or without the hyphen (-) prefix.
O P ERATO R SY N TA X
Not Equals -ne
Equals -eq
Not Starts With -notStartsWith
Starts With -startsWith
Not Contains -notContains
Contains -contains
Not Match -notMatch

O P ERATO R SY N TA X
Match -match
In -in
Not In -notIn
Using the -in and -notIn operators

If you want to compare the value of a user attribute against a number of different values you can use the -in or -
notIn operators. Use the bracket symbols "[" and "]" to begin and end the list of values.
In the following example, the expression evaluates to true if the value of user.department equals any of the values
in the list:
user.department -in
["50001","50002","50003","50005","50006","50007","50008","50016","50020","50024","50038","50039","51100"]
Using the -match operator

The -match operator is used for matching any regular expression. Examples:
user.displayName -match "Da.*"
Da, Dav, David evaluate to true, aDa evaluates to false.
user.displayName -match ".*vid"
David evaluates to true, Da evaluates to false.
Supported values
The values used in an expression can consist of several types, including:
Strings
Boolean – true, false
Numbers
Arrays – number array, string array
When specifying a value within an expression it is important to use the correct syntax to avoid errors. Some
syntax tips are:
Double quotes are optional unless the value is a string.
String and regex operations are not case sensitive.
When a string value contains double quotes, both quotes should be escaped using the ` character, for example,
user.department -eq `"Sales`" is the proper syntax when "Sales" is the value.
You can also perform Null checks, using null as a value, for example, user.department -eq null .
Use of Null values
To specify a null value in a rule, you can use the null value.
Use -eq or -ne when comparing the null value in an expression.
Use quotes around the word null only if you want it to be interpreted as a literal string value.
The -not operator can't be used as a comparative operator for null. If you use it, you get an error whether you
use null or $null.
The correct way to reference the null value is as follows:
user.mail –ne null
Rules with multiple expressions

A group membership rule can consist of more than one single expression connected by the -and, -or, and -not
logical operators. Logical operators can also be used in combination.
The following are examples of properly constructed membership rules with multiple expressions:
(user.department -eq "Sales") -or (user.department -eq "Marketing")

(user.department -eq "Sales") -and -not (user.jobTitle -contains "SDE")
Operator precedence
All operators are listed below in order of precedence from highest to lowest. Operators on same line are of equal
precedence:
-eq -ne -startsWith -notStartsWith -contains -notContains -match –notMatch -in -notIn
-not
-and
-or
-any -all
The following is an example of operator precedence where two expressions are being evaluated for the user:
user.department –eq "Marketing" –and user.country –eq "US"
Parentheses are needed only when precedence does not meet your requirements. For example, if you want
department to be evaluated first, the following shows how parentheses can be used to determine order:
user.country –eq "US" –and (user.department –eq "Marketing" –or user.department –eq "Sales")
Rules with complex expressions

A membership rule can consist of complex expressions where the properties, operators, and values take on more
complex forms. Expressions are considered complex when any of the following are true:
The property consists of a collection of values; specifically, multi-valued properties
The expressions use the -any and -all operators
The value of the expression can itself be one or more expressions
Multi-value properties
Multi-value properties are collections of objects of the same type. They can be used to create membership rules
using the -any and -all logical operators.
P RO P ERT IES VA L UES USA GE
assignedPlans Each object in the collection exposes user.assignedPlans -any

the following string properties: (assignedPlan.servicePlanId -eq
capabilityStatus, service, servicePlanId "efb87545-963c-4e0d-99df-
69c6916d9eb0" -and
assignedPlan.capabilityStatus -eq
"Enabled")
proxyAddresses SMTP: alias@domain smtp: (user.proxyAddresses -any (_ -contains

alias@domain "contoso"))
Using the -any and -all operators

You can use -any and -all operators to apply a condition to one or all of the items in the collection, respectively.
-any (satisfied when at least one item in the collection matches the condition)
-all (satisfied when all items in the collection match the condition)
Example 1
assignedPlans is a multi-value property that lists all service plans assigned to the user. The following expression
selects users who have the Exchange Online (Plan 2) service plan (as a GUID value) that is also in Enabled state:
user.assignedPlans -any (assignedPlan.servicePlanId -eq "efb87545-963c-4e0d-99df-69c6916d9eb0" -and

assignedPlan.capabilityStatus -eq "Enabled")
A rule such as this one can be used to group all users for whom an Microsoft 365 (or other Microsoft Online
Service) capability is enabled. You could then apply with a set of policies to the group.
Example 2
The following expression selects all users who have any service plan that is associated with the Intune service
(identified by service name "SCO"):
user.assignedPlans -any (assignedPlan.service -eq "SCO" -and assignedPlan.capabilityStatus -eq "Enabled")
Using the underscore (_) syntax

The underscore (_) syntax matches occurrences of a specific value in one of the multivalued string collection
properties to add users or devices to a dynamic group. It is used with the -any or -all operators.
Here's an example of using the underscore (_) in a rule to add members based on user.proxyAddress (it works the
same for user.otherMails). This rule adds any user with proxy address that contains "contoso" to the group.
(user.proxyAddresses -any (_ -contains "contoso"))
Other properties and common rules

Create a "Direct reports" rule
You can create a group containing all direct reports of a manager. When the manager's direct reports change in
the future, the group's membership is adjusted automatically.
The direct reports rule is constructed using the following syntax:
Direct Reports for "{objectID_of_manager}"

Here's an example of a valid rule where "62e19b97-8b3d-4d4a-a106-4ce66896a863" is the objectID of the
manager:
Direct Reports for "62e19b97-8b3d-4d4a-a106-4ce66896a863"
The following tips can help you use the rule properly.
The Manager ID is the object ID of the manager. It can be found in the manager's Profile .
For the rule to work, make sure the Manager property is set correctly for users in your organization. You can
check the current value in the user's Profile .
This rule supports only the manager's direct reports. In other words, you can't create a group with the
manager's direct reports and their reports.
This rule can't be combined with any other membership rules.
Create an "All users" rule
You can create a group containing all users within an organization using a membership rule. When users are
added or removed from the organization in the future, the group's membership is adjusted automatically.
The "All users" rule is constructed using single expression using the -ne operator and the null value. This rule adds
B2B guest users as well as member users to the group.
user.objectId -ne null
If you want your group to exclude guest users and include only members of your organization, you can use the
following syntax:
(user.objectId -ne null) -and (user.userType -eq "Member")
Create an "All devices" rule

You can create a group containing all devices within an organization using a membership rule. When devices are
added or removed from the organization in the future, the group's membership is adjusted automatically.
The "All Devices" rule is constructed using single expression using the -ne operator and the null value:
device.objectId -ne null
Extension properties and custom extension properties

Extension attributes and custom extension properties are supported as string properties in dynamic membership
rules. Extension attributes are synced from on-premises Window Server AD and take the format of
"ExtensionAttributeX", where X equals 1 - 15. Here's an example of a rule that uses an extension attribute as a
property:
(user.extensionAttribute15 -eq "Marketing")
Custom extension properties are synced from on-premises Windows Server AD or from a connected SaaS
application and are of the format of user.extension_[GUID]_[Attribute] , where:
[GUID] is the unique identifier in Azure AD for the application that created the property in Azure AD
[Attribute] is the name of the property as it was created
An example of a rule that uses a custom extension property is:
user.extension_c272a57b722d4eb29bfe327874ae79cb_OfficeNumber -eq "123"
The custom property name can be found in the directory by querying a user's property using Graph Explorer and
searching for the property name. Also, you can now select Get custom extension proper ties link in the
dynamic user group rule builder to enter a unique app ID and receive the full list of custom extension properties
to use when creating a dynamic membership rule. This list can also be refreshed to get any new custom extension
properties for that app.
Rules for devices

You can also create a rule that selects device objects for membership in a group. You can't have both users and
devices as group members.
NOTE
The organizationalUnit attribute is no longer listed and should not be used. This string is set by Intune in specific cases
but is not recognized by Azure AD, so no devices are added to groups based on this attribute.
NOTE
systemlabels is a read-only attribute that cannot be set with Intune.
For Windows 10, the correct format of the deviceOSVersion attribute is as follows: (device.deviceOSVersion -eq
"10.0.17763"). The formatting can be validated with the Get-MsolDevice PowerShell cmdlet.
The following device attributes can be used.
DEVIC E AT T RIB UT E VA L UES EXA M P L E
accountEnabled true false (device.accountEnabled -eq true)
displayName any string value (device.displayName -eq "Rob iPhone")
deviceOSType any string value (device.deviceOSType -eq "iPad") -or

(device.deviceOSType -eq "iPhone")
(device.deviceOSType -contains
"AndroidEnterprise")
(device.deviceOSType -eq
"AndroidForWork")
deviceOSVersion any string value (device.deviceOSVersion -eq "9.1")
deviceCategory a valid device category name (device.deviceCategory -eq "BYOD")
deviceManufacturer any string value (device.deviceManufacturer -eq

"Samsung")
deviceModel any string value (device.deviceModel -eq "iPad Air")
deviceOwnership Personal, Company, Unknown (device.deviceOwnership -eq

"Company")
DEVIC E AT T RIB UT E VA L UES EXA M P L E
enrollmentProfileName Apple Device Enrollment Profile name, (device.enrollmentProfileName -eq

Android Enterprise Corporate-owned "DEP iPhones")
dedicated device Enrollment Profile
name, or Windows Autopilot profile
name
isRooted true false (device.isRooted -eq true)
managementType MDM (for mobile devices) (device.managementType -eq "MDM")

PC (for computers managed by the
Intune PC agent)
deviceId a valid Azure AD device ID (device.deviceId -eq "d4fe7726-5966-

431c-b3b8-cddc8fdb717d")
objectId a valid Azure AD object ID (device.objectId -eq "76ad43c9-32c5-

45e8-a272-7b58b58f596d")
devicePhysicalIds any string value used by Autopilot, (device.devicePhysicalIDs -any _ -

such as all Autopilot devices, OrderID, contains "[ZTDId]")
or PurchaseOrderID (device.devicePhysicalIds -any _ -eq "
[OrderID]:179887111881")
(device.devicePhysicalIds -any _ -eq "
[PurchaseOrderId]:76222342342")
systemLabels any string matching the Intune device (device.systemLabels -contains

property for tagging Modern "M365Managed")
Workplace devices
NOTE
For the deviceOwnership when creating Dynamic Groups for devices you need to set the value equal to "Company". On
Intune the device ownership is represented instead as Corporate. Refer to OwnerTypes for more details.
Next steps
See existing groups
Validate a dynamic group membership rule (preview)
Azure Active Directory (Azure AD) now provides the means to validate dynamic group rules (in public preview). On
the Validate rules tab, you can validate your dynamic rule against sample group members to confirm the rule is
working as expected. When creating or updating dynamic group rules, administrators want to know whether a user
or a device will be a member of the group. This helps evaluate whether user or device meets the rule criteria and
aid in troubleshooting when membership is not expected.
Step-by-step walk-through
To get started, go to Azure Active Director y > Groups . Select an existing dynamic group or create a new
dynamic group and click on Dynamic membership rules. You can then see the Validate Rules tab.
On Validate rules tab, you can select users to validate their memberships. 20 users or devices can be selected at
one time.
After choosing the users or devices from the picker, and Select , validation will automatically start and validation
results will appear.
The results tell whether a user is a member of the group or not. If the rule is not valid or there is a network issue,
the result will show as Unknown . In case of Unknown , the detailed error message will describe the issue and
actions needed.
You can modify the rule and validation of memberships will be triggered. To see why user is not a member of the
group, click on "View details" and verification details will show the result of each expression composing the rule.
Click OK to exit.
Next steps
Dynamic membership rules for groups
Change static group membership to dynamic in
You can change a group's membership from static to dynamic (or vice-versa) In Azure Active Directory (Azure AD).
Azure AD keeps the same group name and ID in the system, so all existing references to the group are still valid. If
you create a new group instead, you would need to update those references. Dynamic group membership
eliminates management overhead adding and removing users. This article tells you how to convert existing groups
from static to dynamic membership using either Azure AD Admin center or PowerShell cmdlets.
WARNING
When changing an existing static group to a dynamic group, all existing members are removed from the group, and then the
membership rule is processed to add new members. If the group is used to control access to apps or resources, be aware that
the original members might lose access until the membership rule is fully processed.
We recommend that you test the new membership rule beforehand to make sure that the new membership in the group is
as expected.
Change the membership type for a group

1. Sign in to the Azure AD admin center with an account that is a global administrator or a user administrator in
your Azure AD organization.
2. Select Groups .
3. From the All groups list, open the group that you want to change.
4. Select Proper ties .
5. On the Proper ties page for the group, select a Membership type of either Assigned (static), Dynamic User, or
Dynamic Device, depending on your desired membership type. For dynamic membership, you can use the rule
builder to select options for a simple rule or write a membership rule yourself.
The following steps are an example of changing a group from static to dynamic membership for a group of users.
1. On the Proper ties page for your selected group, select a Membership type of Dynamic User , then select
Yes on the dialog explaining the changes to the group membership to continue.
2. Select Add dynamic quer y , and then provide the rule.
3. After creating the rule, select Add quer y at the bottom of the page.
4. Select Save on the Proper ties page for the group to save your changes. The Membership type of the
group is immediately updated in the group list.
TIP
Group conversion might fail if the membership rule you entered was incorrect. A notification is displayed in the upper-right
hand corner of the portal that it contains an explanation of why the rule can't be accepted by the system. Read it carefully to
understand how you can adjust the rule to make it valid. For examples of rule syntax and a complete list of the supported
properties, operators, and values for a membership rule, see Dynamic membership rules for groups in Azure Active Directory.
Change membership type for a group (PowerShell)

NOTE
To change dynamic group properties you will need to use cmdlets from the preview version of Azure AD PowerShell
Version 2. You can install the preview from the PowerShell Gallery.
Here is an example of functions that switch membership management on an existing group. In this example, care is
taken to correctly manipulate the GroupTypes property and preserve any values that are unrelated to dynamic
membership.
#The moniker for dynamic groups as used in the GroupTypes property of a group object
$dynamicGroupTypeString = "DynamicMembership"
function ConvertDynamicGroupToStatic
{
Param([string]$groupId)
#existing group types

[System.Collections.ArrayList]$groupTypes = (Get-AzureAdMsGroup -Id $groupId).GroupTypes
if($groupTypes -eq $null -or !$groupTypes.Contains($dynamicGroupTypeString))

{
throw "This group is already a static group. Aborting conversion.";
}
#remove the type for dynamic groups, but keep the other type values
$groupTypes.Remove($dynamicGroupTypeString)
#modify the group properties to make it a static group: i) change GroupTypes to remove the dynamic type,
ii) pause execution of the current rule
Set-AzureAdMsGroup -Id $groupId -GroupTypes $groupTypes.ToArray() -MembershipRuleProcessingState "Paused"
}
function ConvertStaticGroupToDynamic
{
Param([string]$groupId, [string]$dynamicMembershipRule)
#existing group types

[System.Collections.ArrayList]$groupTypes = (Get-AzureAdMsGroup -Id $groupId).GroupTypes
if($groupTypes -ne $null -and $groupTypes.Contains($dynamicGroupTypeString))

{
throw "This group is already a dynamic group. Aborting conversion.";
}
#add the dynamic group type to existing types
$groupTypes.Add($dynamicGroupTypeString)
#modify the group properties to make it a static group: i) change GroupTypes to add the dynamic type, ii)
start execution of the rule, iii) set the rule
Set-AzureAdMsGroup -Id $groupId -GroupTypes $groupTypes.ToArray() -MembershipRuleProcessingState "On" -
MembershipRule $dynamicMembershipRule
}
To make a group static:
ConvertDynamicGroupToStatic "a58913b2-eee4-44f9-beb2-e381c375058f"
To make a group dynamic:
ConvertStaticGroupToDynamic "a58913b2-eee4-44f9-beb2-e381c375058f" "user.displayName -startsWith ""Peter"""

Next steps
See existing groups
Bulk add group members in Azure Active Directory
Using Azure Active Directory (Azure AD) portal, you can add a large number of members to a group by using a
comma-separated values (CSV) file to bulk import group members.

Download and fill in the bulk upload CSV template to successfully add Azure AD group members in bulk. Your CSV
template might look like this example:

For example, Member object ID or user principal name [memberObjectIdOrUpn] Required . Some older versions of
the template might have slight variations. For group membership changes, you have the option of which
identifier to use: member object ID or user principal name.
Additional guidance
not processed.
Add at least two users' UPNs or object IDs to successfully upload the file.
To bulk import group members

1. Sign in to the Azure portal with a User administrator account in the organization. Group owners can also
bulk import members of groups they own.
2. In Azure AD, select Groups > All groups .
3. Open the group to which you're adding members and then select Members .
4. On the Members page, select Impor t members .
5. On the Bulk impor t group members page, select Download to get the CSV file template with required
group member properties.
6. Open the CSV file and add a line for each group member you want to import into the group (required
values are either Member object ID or User principal name ). Then save the file.
7. On the Bulk impor t group members page, under Upload your csv file , browse to the file. When you
select the file, validation of the CSV file starts.
8. When the file contents are validated, the bulk import page displays File uploaded successfully . If there
are errors, you must fix them before you can submit the job.
9. When your file passes validation, select Submit to start the Azure bulk operation that imports the group
members to the group.
10. When the import operation completes, you'll see a notification that the bulk operation succeeded.
Check import status

For details about each line item within the bulk operation, select the values under the # Success , # Failure , or
Total Requests columns. If failures occurred, the reasons for failure will be listed.
Bulk import service limits
Each bulk activity to import a list of group members can run for up to one hour. This enables importation of a list of
at least 40,000 members.
Next steps
Bulk remove group members
Download members of a group
Download a list of all groups
Bulk remove group members in Azure Active
Directory
Using Azure Active Directory (Azure AD) portal, you can remove a large number of members from a group by
using a comma-separated values (CSV) file to bulk remove group members.

Download and fill in the bulk upload CSV template to successfully add Azure AD group members in bulk. Your CSV
template might look like this example:

For example, Member object ID or user principal name [memberObjectIdOrUpn] Required . Some older versions of
the template might have slight variations. For group membership changes, you have the option of which
identifier to use: member object ID or user principal name.
Additional guidance
not processed.
To bulk remove group members

bulk remove members of groups they own.
3. Open the group from which you're removing members and then select Members .
4. On the Members page, select Remove members .
5. On the Bulk remove group members page, select Download to get the CSV file template with required
group member properties.
6. Open the CSV file and add a line for each group member you want to remove from the group (required
values are Member object ID or User principal name). Then save the file.
7. On the Bulk remove group members page, under Upload your csv file , browse to the file. When you
select the file, validation of the CSV file starts.
8. When the file contents are validated, the bulk import page displays File uploaded successfully . If there
are errors, you must fix them before you can submit the job.
9. When your file passes validation, select Submit to start the Azure bulk operation that removes the group
members from the group.
10. When the removal operation completes, you'll see a notification that the bulk operation succeeded.
Check removal status

For details about each line item within the bulk operation, select the values under the # Success , # Failure , or
Total Requests columns. If failures occurred, the reasons for failure will be listed.
Bulk removal service limits

Each bulk activity to remove a list of group members from can run for up to one hour. This enables removal of a list
of at least 40,000 members.
Next steps
Bulk import group members
Download a list of all groups
Bulk download members of a group in Azure Active
Directory
Using Azure Active Directory (Azure AD) portal, you can bulk download the members of a group in your
organization to a comma-separated values (CSV) file.
To bulk download group membership

bulk download members of groups they own.
3. Open the group whose membership you want to download, and then select Members .
4. On the Members page, select Download members to download a CSV file listing the group members.
Check download status


Each bulk activity to download a list of group members can run for up to one hour. This enables you to download a
list of at least 500,000 members.
Next steps
Bulk import group members
Bulk download a list of groups in Azure Active
Directory
Using Azure Active Directory (Azure AD) portal, you can bulk download the list of all the groups in your
organization to a comma-separated values (CSV) file.
To download a list of groups

1. Sign in to the Azure portal with an administrator account in the organization.
2. In Azure AD, select Groups > Download groups .
3. On the Groups download page, select Star t to receive a CSV file listing your groups.
Check download status


Each bulk activity to download a group list can run for up to one hour. This enables you to download a list of at
least 300,000 groups.
Next steps
Restore a deleted Microsoft 365 group in Azure
Active Directory
When you delete an Microsoft 365 group in the Azure Active Directory (Azure AD), the deleted group is retained
but not visible for 30 days from the deletion date. This behavior is so that the group and its contents can be
restored if needed. This functionality is restricted exclusively to Microsoft 365 groups in Azure AD. It is not available
for security groups and distribution groups. Please note that the 30-day group restoration period is not
customizable.
NOTE
Don't use Remove-MsolGroup because it purges the group permanently. Always use Remove-AzureADMSGroup to delete an
The permissions required to restore a group can be any of the following:
RO L E P ERM ISSIO N S
Global administrator, Group administrator, Partner Tier2 Can restore any deleted Microsoft 365 group
support, and Intune administrator
User administrator and Partner Tier1 support Can restore any deleted Microsoft 365 group except those
groups assigned to the Company Administrator role
User Can restore any deleted Microsoft 365 group that they own
View and manage the deleted Microsoft 365 groups that are available
to restore
1. Sign in to the Azure AD admin center with a User administrator account.
2. Select Groups , then select Deleted groups to view the deleted groups that are available to restore.
3. On the Deleted groups blade, you can:

Restore the deleted group and its contents by selecting Restore group .
Permanently remove the deleted group by selecting Delete permanently . To permanently remove a
group, you must be an administrator.
View the deleted Microsoft 365 groups that are available to restore
using Powershell
The following cmdlets can be used to view the deleted groups to verify that the one or ones you're interested in
have not yet been permanently purged. These cmdlets are part of the Azure AD PowerShell module. More
information about this module can be found in the Azure Active Directory PowerShell Version 2 article.
1. Run the following cmdlet to display all deleted Microsoft 365 groups in your Azure AD organization that are
still available to restore.
Get-AzureADMSDeletedGroup
2. Alternately, if you know the objectID of a specific group (and you can get it from the cmdlet in step 1), run
the following cmdlet to verify that the specific deleted group has not yet been permanently purged.
Get-AzureADMSDeletedGroup –Id <objectId>
How to restore your deleted Microsoft 365 group using Powershell

Once you have verified that the group is still available to restore, restore the deleted group with one of the
following steps. If the group contains documents, SP sites, or other persistent objects, it might take up to 24 hours
to fully restore a group and its contents.
1. Run the following cmdlet to restore the group and its contents.
Restore-AzureADMSDeletedDirectoryObject –Id <objectId>
2. Alternatively, the following cmdlet can be run to permanently remove the deleted group.
Remove-AzureADMSDeletedDirectoryObject –Id <objectId>
How do you know this worked?

To verify that you’ve successfully restored an Microsoft 365 group, run the Get-AzureADGroup –ObjectId <objectId>
cmdlet to display information about the group. After the restore request is completed:
The group appears in the Left navigation bar on Exchange
The plan for the group will appear in Planner
Any SharePoint sites and all of their contents will be available
The group can be accessed from any of the Exchange endpoints and other Microsoft365 workloads that support
Microsoft 365 groups
Next steps
These articles provide additional information on Azure Active Directory groups.
See existing groups
Manage members of a group
Edit your group information using Azure Active
Directory
Using Azure Active Directory (Azure AD), you can edit a group's settings, including updating its name, description,
or membership type.
To edit your group settings

The Groups - All groups page appears, showing all of your active groups.
3. From the Groups - All groups page, type as much of the group name as you can into the Search box.
For the purposes of this article, we're searching for the MDM policy - West group.
The search results appear under the Search box, updating as you type more characters.
4. Select the group MDM policy - West , and then select Proper ties from the Manage area.
5. Update the General settings information as needed, including:
Group name. Edit the existing group name.

Group description. Edit the existing group description.
Group type. You can't change the type of group after it's been created. To change the Group type ,
you must delete the group and create a new one.
Membership type. Change the membership type. For more info about the various available
membership types, see How to: Create a basic group and add members using the Azure Active
Directory portal.
Object ID. You can't change the Object ID, but you can copy it to use in your PowerShell commands
for the group. For more info about using PowerShell cmdlets, see Azure Active Directory cmdlets
for configuring group settings.
Next steps
These articles provide additional information on Azure Active Directory.
How to add or remove members from a group
Associate or add an Azure subscription to Azure Active Directory
Add or remove group owners in Azure Active
Directory
Azure Active Directory (Azure AD) groups are owned and managed by group owners. Group owners can be users
or service principals, and are able to manage the group including membership. Only existing group owners or
group-managing administrators can assign group owners. Group owners aren't required to be members of the
group.
When a group has no owner, group-managing administrators are still able to manage the group. It is
recommended for every group to have at least one owner. Once owners are assgined to a group, the last owner of
the group cannot be removed. Please make sure to select another owner before removing the last owner from the
group.
Add an owner to a group

Below are instructions for adding a user as an owner to a group using the Azure AD portal. To add a service
principal as an owner of a group, follow the instructions to do so using PowerShell.
To add a group owner
2. Select Azure Active Director y , select Groups , and then select the group for which you want to add an
owner (for this example, MDM policy - West).
3. On the MDM policy - West Over view page, select Owners .
4. On the MDM policy - West - Owners page, select Add owners , and then search for and select the user
that will be the new group owner, and then choose Select .
After you select the new owner, you can refresh the Owners page and see the name added to the list of
owners.
Remove an owner from a group

Remove an owner from a group using Azure AD.
To remove an owner
2. Select Azure Active Director y , select Groups , and then select the group for which you want to remove
an owner (for this example, MDM policy - West).
3. On the MDM policy - West Over view page, select Owners .
4. On the MDM policy - West - Owners page, select the user you want to remove as a group owner, choose
Remove from the user's information page, and select Yes to confirm your decision.
After you remove the owner, you can return to the Owners page and see the name has been removed from
the list of owners.
Next steps
Azure Active Directory cmdlets for configuring group settings
Add or remove a group from another group using
This article helps you to add and remove a group from another group using Azure Active Directory.
NOTE
If you're trying to delete the parent group, see How to update or delete a group and its members.
Add a group to another group

You can add an existing Security group to another existing Security group (also known as nested groups),
creating a member group (subgroup) and a parent group. The member group inherits the attributes and
properties of the parent group, saving you configuration time.
IMPORTANT
We don't currently support:
Adding groups to a group synced with on-premises Active Directory.
Adding Security groups to Office 365 groups.
Adding Office 365 groups to Security groups or other Office 365 groups.
Assigning apps to nested groups.
Applying licenses to nested groups.
Adding distribution groups in nesting scenarios.
To add a group as a member of another group

3. On the Groups - All groups page, search for and select the group that's to become a member of
another group. For this exercise, we're using the MDM policy - West group.
NOTE
You can add your group as a member to only one group at a time. Additionally, the Select Group box filters the
display based on matching your entry to any part of a user or device name. However, wildcard characters aren't
supported.
4. On the MDM policy - West - Group memberships page, select Group memberships , select Add ,
locate the group you want your group to be a member of, and then choose Select . For this exercise, we're
using the MDM policy - All org group.
The MDM policy - West group is now a member of the MDM policy - All org group, inheriting all the
properties and configuration of the MDM policy - All org group.
5. Review the MDM policy - West - Group memberships page to see the group and member
relationship.
6. For a more detailed view of the group and member relationship, select the group name (MDM policy -
All org ) and take a look at the MDM policy - West page details.
Remove a group from another group

You can remove an existing Security group from another Security group. However, removing the group also
removes any inherited attributes and properties for its members.
To remove a member group from another group
1. On the Groups - All groups page, search for and select the group that's to be removed as a member of
another group. For this exercise, we're again using the MDM policy - West group.
2. On the MDM policy - West over view page, select Group memberships .
3. Select the MDM policy - All org group from the MDM policy - West - Group memberships page,
and then select Remove from the MDM policy - West page details.
Additional information
Add or remove members from a group
Using a group to manage access to SaaS applications
Using a group to manage access to SaaS
applications
Using Azure Active Directory (Azure AD) with an Azure AD Premium license plan, you can use groups to assign
access to a SaaS application that's integrated with Azure AD. For example, if you want to assign access for the
marketing department to use five different SaaS applications, you can create a group that contains the users in
the marketing department, and then assign that group to these five SaaS applications that are needed by the
marketing department. This way you can save time by managing the membership of the marketing department
in one place. Users then are assigned to the application when they are added as members of the marketing
group, and have their assignments removed from the application when they are removed from the marketing
group. This capability can be used with hundreds of applications that you can add from within the Azure AD
Application Gallery.
IMPORTANT
You can use this feature only after you start an Azure AD Premium trial or purchase Azure AD Premium license plan.
Group-based assignment is supported only for security groups. Nested group memberships are not supported for group-
based assignment to applications at this time.
To assign access for a user or group to a SaaS application

1. In the Azure AD admin center, select Enterprise applications .
2. Select an application that you added from the Application Gallery to open it.
3. Select Users and groups , and then select Add user .
4. On Add Assignment , select Users and groups to open the Users and groups selection list.
5. Select as many groups or users as you want, then click or tap Select to add them to the Add Assignment list.
You can also assign a role to a user at this stage.
6. Select Assign to assign the users or groups to the selected enterprise application.
Next steps
Enforce a naming policy on Microsoft 365 groups in
To enforce consistent naming conventions for Microsoft 365 groups created or edited by your users, set up a
group naming policy for your organizations in Azure Active Directory (Azure AD). For example, you could use the
naming policy to communicate the function of a group, membership, geographic region, or who created the
group. You could also use the naming policy to help categorize groups in the address book. You can use the policy
to block specific words from being used in group names and aliases.
IMPORTANT
Using Azure AD naming policy for Microsoft 365 groups requires that you possess but not necessarily assign an Azure
Active Directory Premium P1 license or Azure AD Basic EDU license for each unique user that is a member of one or more
Microsoft 365 groups.
The naming policy is applied to creating or editing groups created across workloads (for example, Outlook,
Microsoft Teams, SharePoint, Exchange, or Planner). It is applied to both the group name and group alias. If you set
up your naming policy in Azure AD and you have an existing Exchange group naming policy, the Azure AD naming
policy is enforced in your organization.
When group naming policy is configured, the policy will be applied to new Microsoft 365 groups created by end
users. Naming policy does not apply to certain directory roles, such as Global Administrator or User Administrator
(please see below for the complete list of roles exempted from group naming policy). For existing Microsoft 365
groups, the policy will not immediately apply at the time of configuration. Once group owner edits the group
name for these groups, naming policy will be enforced.
Naming policy features

You can enforce naming policy for groups in two different ways:
Prefix-suffix naming policy You can define prefixes or suffixes that are then added automatically to
enforce a naming convention on your groups (for example, in the group name “GRP_JAPAN_My
Group_Engineering”, GRP_JAPAN_ is the prefix, and _Engineering is the suffix).
Custom blocked words You can upload a set of blocked words specific to your organization to be blocked
in groups created by users (for example, “CEO, Payroll, HR”).
Prefix-suffix naming policy
The general structure of the naming convention is ‘Prefix[GroupName]Suffix’. While you can define multiple
prefixes and suffixes, you can only have one instance of the [GroupName] in the setting. The prefixes or suffixes
can be either fixed strings or user attributes such as [Department] that are substituted based on the user who is
creating the group. The total allowable number of characters for your prefix and suffix strings including group
name is 53 characters.
Prefixes and suffixes can contain special characters that are supported in group name and group alias. Any
characters in the prefix or suffix that are not supported in the group alias are still applied in the group name, but
removed from the group alias. Because of this restriction, the prefixes and suffixes applied to the group name
might be different from the ones applied to the group alias.
Fixed strings
You can use strings to make it easier to scan and differentiate groups in the global address list and in the left
navigation links of group workloads. Some of the common prefixes are keywords like ‘Grp_Name’ , ‘#Name’,
‘_Name’
User attributes
You can use attributes that can help you and your users identify which department, office or geographic region for
which the group was created. For example, if you define your naming policy as
PrefixSuffixNamingRequirement = "GRP [GroupName] [Department]" , and User’s department = Engineering , then an
enforced group name might be “GRP My Group Engineering." Supported Azure AD attributes are [Department],
[Company], [Office], [StateOrProvince], [CountryOrRegion], [Title]. Unsupported user attributes are treated as fixed
strings; for example, “[postalCode]”. Extension attributes and custom attributes aren't supported.
We recommend that you use attributes that have values filled in for all users in your organization and don't use
attributes that have long values.
Custom blocked words
A blocked word list is a comma-separated list of phrases to be blocked in group names and aliases. No sub-string
searches are performed. An exact match between the group name and one or more of the custom blocked words
is required to trigger a failure. Sub-string search isn't performed so that users can use common words like ‘Class’
even if ‘lass’ is a blocked word.
Blocked word list rules:
Blocked words are not case sensitive.
When a user enters a blocked word as part of a group name, they see an error message with the blocked word.
There are no character restrictions on blocked words.
There is an upper limit of 5000 phrases that can be configured in the blocked words list.
To configure naming policy, one of the following roles is required:
Group administrator
Selected administrators can be exempted from these policies, across all group workloads and endpoints, so that
they can create groups using blocked words and with their own naming conventions. The following are the list of
administrator roles exempted from the group naming policy.
Partner Tier 1 Support
Partner Tier 2 Support
User administrator
Directory writers
Configure naming policy in Azure portal

1. Sign in to the Azure AD admin center with a Group administrator account.
2. Select Groups , then select Naming policy to open the Naming policy page.
View or edit the prefix-suffix naming policy
1. On the Naming policy page, select Group naming policy .
2. You can view or edit the current prefix or suffix naming policies individually by selecting the attributes or
strings you want to enforce as part of the naming policy.
3. To remove a prefix or suffix from the list, select the prefix or suffix, then select Delete . Multiple items can be
deleted at the same time.
4. Save your changes for the new policy to go into effect by selecting Save .
Edit custom blocked words
1. On the Naming policy page, select Blocked words .
2. View or edit the current list of custom blocked words by selecting Download .
3. Upload the new list of custom blocked words by selecting the file icon.
4. Save your changes for the new policy to go into effect by selecting Save .
Install PowerShell cmdlets

Be sure to uninstall any older version of the Azure Active Directory PowerShell for Graph Module for Windows
PowerShell and install Azure Active Directory PowerShell for Graph - Public Preview Release 2.0.0.137 before you
run the PowerShell commands.
1. Open the Windows PowerShell app as an administrator.
2. Uninstall any previous version of AzureADPreview.
Uninstall-Module AzureADPreview
3. Install the latest version of AzureADPreview.
Install-Module AzureADPreview
If you are prompted about accessing an untrusted repository, enter Y . It might take few minutes for the new
module to install.
Configure naming policy in PowerShell

1. Open a Windows PowerShell window on your computer. You can open it without elevated privileges.
2. Run the following commands to prepare to run the cmdlets.
Import-Module AzureADPreview
Connect-AzureAD
In the Sign in to your Account screen that opens, enter your admin account and password to connect
you to your service, and select Sign in .
3. Follow the steps in Azure Active Directory cmdlets for configuring group settings to create group settings
for this organization.
View the current settings
1. Fetch the current naming policy to view the current settings.
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -

Value "Group.Unified" -EQ).id
2. Display the current group settings.
$Setting.Values
Set the naming policy and custom blocked words

1. Set the group name prefixes and suffixes in Azure AD PowerShell. For the feature to work properly,
[GroupName] must be included in the setting.
$Setting["PrefixSuffixNamingRequirement"] =“GRP_[GroupName]_[Department]"
2. Set the custom blocked words that you want to restrict. The following example illustrates how you can add
your own custom words.
$Setting["CustomBlockedWordsList"]=“Payroll,CEO,HR"
3. Save the settings for the new policy to go into effect, such as in the following example.

That's it. You've set your naming policy and added your blocked words.
Export or import custom blocked words

For more information, see the article Azure Active Directory cmdlets for configuring group settings.
Here is an example of a PowerShell script to export multiple blocked words:
$Words = (Get-AzureADDirectorySetting).Values | Where-Object -Property Name -Value CustomBlockedWordsList -EQ

Add-Content "c:\work\currentblockedwordslist.txt" -Value $words.value.Split(",").Replace("`"","")
Here is an example PowerShell script to import multiple blocked words:
$BadWords = Get-Content "C:\work\currentblockedwordslist.txt"

$BadWords = [string]::join(",", $BadWords)
$Settings = Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq "Group.Unified"}
if ($Settings.Count -eq 0)
{$Template = Get-AzureADDirectorySettingTemplate | Where-Object {$_.DisplayName -eq "Group.Unified"}
$Settings = $Template.CreateDirectorySetting()
New-AzureADDirectorySetting -DirectorySetting $Settings
$Settings = Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq "Group.Unified"}}
$Settings["CustomBlockedWordsList"] = $BadWords
Set-AzureADDirectorySetting -Id $Settings.Id -DirectorySetting $Settings
Remove the naming policy

Remove the naming policy using Azure portal
1. On the Naming policy page, select Delete policy .
2. After you confirm the deletion, the naming policy is removed, including all prefix-suffix naming policy and any
custom blocked words.
Remove the naming policy using Azure AD PowerShell
1. Empty the group name prefixes and suffixes in Azure AD PowerShell.
$Setting["PrefixSuffixNamingRequirement"] =""
2. Empty the custom blocked words.
$Setting["CustomBlockedWordsList"]=""
3. Save the settings.

Experience across Office 365 apps
After you set a group naming policy in Azure AD, when a user creates a group in an Office 365 app, they see:
A preview of the name according to your naming policy (with prefixes and suffixes) as soon as the user types in
the group name
If the user enters blocked words, they'll see an error message so they can remove the blocked words.
W O RK LO A D C O M P L IA N C E
Azure Active Directory portals The Azure AD portal and the Access Panel portal show the
naming policy enforced name when the user types in a group
name when creating or editing a group. When a user enters a
custom blocked word, an error message with the blocked
word is displayed so that the user can remove it.
Outlook Web Access (OWA) Outlook Web Access shows the naming policy enforced name
when the user types a group name or group alias. When an
user enters a custom blocked word, an error message is
shown in the UI along with the blocked word so that the user
can remove it.
Outlook Desktop Groups created in Outlook desktop are compliant with the
naming policy settings. Outlook desktop app doesn't yet
show the preview of the enforced group name and doesn't
return the custom blocked word errors when the user enters
the group name. However, the naming policy is automatically
applied when creating or editing a group, and users see error
messages if there are custom blocked words in the group
name or alias.
Microsoft Teams Microsoft Teams shows the group naming policy enforced
name when the user enters a team name. When a user enters
a custom blocked word, an error message is shown along with
the blocked word so that the user can remove it.
SharePoint SharePoint shows the naming policy enforced name when the
user types a site name or group email address. When an user
enters a custom blocked word, an error message is shown,
along with the blocked word so that the user can remove it.
Microsoft Stream Microsoft Stream shows the group naming policy enforced
name when the user types a group name or group email alias.
When an user enters a custom blocked word, an error
message is shown with the blocked word so the user can
remove it.
Outlook iOS and Android App Groups created in Outlook apps are compliant with the
configured naming policy. Outlook mobile app doesn't yet
show the preview of the naming policy enforced name, and
doesn't return custom blocked word errors when the user
enters the group name. However, the naming policy is
automatically applied on clicking create/edit and users see
error messages if there are custom blocked words in the
group name or alias.
Groups mobile app Groups created in the Groups mobile app are compliant with
the naming policy. Groups mobile app does not show the
preview of the naming policy and does not return custom
blocked word errors when the user enters the group name.
But the naming policy is automatically applied when creating
or editing a group and users is presented with appropriate
errors if there are custom blocked words in the group name
or alias.
Planner Planner is compliant with the naming policy. Planner shows

the naming policy preview when entering the plan name.
When a user enters a custom blocked word, an error message
is shown when creating the plan.
Dynamics 365 for Customer Engagement Dynamics 365 for Customer Engagement is compliant with
the naming policy. Dynamics 365 shows the naming policy
enforced name when the user types a group name or group
email alias. When the user enters a custom blocked word, an
error message is shown with the blocked word so the user
can remove it.
School Data Sync (SDS) Groups created through SDS comply with naming policy, but
the naming policy isn't applied automatically. SDS
administrators have to append the prefixes and suffixes to
class names for which groups need to be created and then
uploaded to SDS. Group create or edit would fail otherwise.
Outlook Customer Manager (OCM) Outlook Customer Manager is compliant with the naming
policy, which is automatically applied to the group created in
Outlook Customer Manager. If a custom blocked word is
detected, group creation in OCM is blocked, and the user is
blocked from using the OCM app.
Classroom app Groups created in Classroom app comply with the naming
policy, but the naming policy isn't applied automatically, and
the naming policy preview isn't shown to the users while
entering a classroom group name. Users must enter the
enforced classroom group name with prefixes and suffixes. If
not, the classroom group create or edit operation fails with
errors.
Power BI Power BI workspaces are compliant with the naming policy.
Yammer When a user signed in to Yammer with their Azure Active

Directory account creates a group or edits a group name, the
group name will comply with naming policy. This applies both
to Office 365 connected groups and all other Yammer groups.
If an Office 365 connected group was created before the
naming policy is in place, the group name will not
automatically follow the naming policies. When a user edits
the group name, they will be prompted to add the prefix and
suffix.
StaffHub StaffHub teams do not follow the naming policy, but the
underlying Microsoft 365 group does. StaffHub team name
does not apply the prefixes and suffixes and does not check
for custom blocked words. But StaffHub does apply the
prefixes and suffixes and removes blocked words from the
underlying Microsoft 365 group.
Exchange PowerShell Exchange PowerShell cmdlets are compliant with the naming
policy. Users receive appropriate error messages with
suggested prefixes and suffixes and for custom blocked words
if they don't follow the naming policy in the group name and
group alias (mailNickname).
Azure Active Directory PowerShell cmdlets Azure Active Directory PowerShell cmdlets are compliant with
naming policy. Users receive appropriate error messages with
suggested prefixes and suffixes and for custom blocked words
if they don't follow the naming convention in group names
and group alias.
Exchange admin center Exchange admin center is compliant with naming policy. Users
receive appropriate error messages with suggested prefixes
and suffixes and for custom blocked words if they don't follow
the naming convention in the group name and group alias.
Microsoft 365 admin center Microsoft 365 admin center is compliant with naming policy.
When a user creates or edits group names, the naming policy
is automatically applied, and users receive appropriate errors
when they enter custom blocked words. The Microsoft 365
admin center doesn't yet show a preview of the naming policy
and doesn't return custom blocked word errors when the user
enters the group name.
Next steps
These articles provide additional information on Azure AD groups.
See existing groups
Expiration policy for Microsoft 365 groups
Configure the expiration policy for Microsoft 365
groups
This article tells you how to manage the lifecycle of Microsoft 365 groups by setting an expiration policy for them.
You can set expiration policy only for Microsoft 365 groups in Azure Active Directory (Azure AD).
Once you set a group to expire:
Groups with user activities are automatically renewed as the expiration nears.
Owners of the group are notified to renew the group, if the group is not auto-renewed.
Any group that is not renewed is deleted.
Any Microsoft 365 group that is deleted can be restored within 30 days by the group owners or the
administrator.
Currently, only one expiration policy can be configured for all Microsoft 365 groups in an Azure AD organization.
NOTE
Configuring and using the expiration policy for Microsoft 365 groups requires you to possess but not necessarily assign
Azure AD Premium licenses for the members of all groups to which the expiration policy is applied.
For information on how to download and install the Azure AD PowerShell cmdlets, see Azure Active Directory
PowerShell for Graph 2.0.0.137.
Activity-based automatic renewal

With Azure AD intelligence, groups are now automatically renewed based on whether they have been recently
used. This feature eliminates the need for manual action by group owners, because it's based on user activity in
groups across Office 365 services like Outlook, SharePoint, or Teams. For example, if an owner or a group member
does something like upload a document in SharePoint, visit a Teams channel, or send an email to the group in
Outlook, the group is automatically renewed and the owner does not get any renewal notifications.
Activities that automatically renew group expiration
The following user actions cause automatic group renewal:
SharePoint: View, edit, download, move, share, or upload files
Outlook: Join group, read/write group message from group space, Like a message (in Outlook Web Access)
Teams: Visit a Teams channel
Auditing and reporting
Administrators can get a list of automatically renewed groups from the activity audit logs in Azure AD.
The following are roles that can configure and use expiration for Microsoft 365 groups in Azure AD.
RO L E P ERM ISSIO N S
Global administrator, Group administrator, or User Can create, read, update, or delete the Microsoft 365 groups
administrator expiration policy settings
Can renew any Microsoft 365 group
User Can renew an Microsoft 365 group that they own

Can restore an Microsoft 365 group that they own
Can read the expiration policy settings
For more information on permissions to restore a deleted group, see Restore a deleted Microsoft 365 group in
Set group expiration

1. Open the Azure AD admin center with an account that is a global administrator in your Azure AD
organization.
2. Select Groups , then select Expiration to open the expiration settings.
3. On the Expiration page, you can:
Set the group lifetime in days. You could select one of the preset values, or a custom value (should be 30
days or more).
Specify an email address where the renewal and expiration notifications should be sent when a group
has no owner.
Select which Microsoft 365 groups expire. You can set expiration for:
All Microsoft 365 groups
A list of Selected Microsoft 365 groups
None to restrict expiration for all groups
Save your settings when you're done by selecting Save .
NOTE
When you first set up expiration, any groups that are older than the expiration interval are set to 35 days until expiration
unless the group is automatically renewed or the owner renews it.
When a dynamic group is deleted and restored, it's seen as a new group and re-populated according to the rule. This
process can take up to 24 hours.
Expiration notices for groups used in Teams appear in the Teams Owners feed.
Email notifications
If groups are not automatically renewed, email notifications such as this one are sent to the Microsoft 365 group
owners 30 days, 15 days, and 1 day prior to expiration of the group. The language of the email is determined by
groups owner's preferred language or Azure AD language setting. If the group owner has defined a preferred
language, or multiple owners have the same preferred language, then that language is used. For all other cases,
Azure AD language setting is used.
From the Renew group notification email, group owners can directly access the group details page in the Access
Panel. There, the users can get more information about the group such as its description, when it was last renewed,
when it will expire, and also the ability to renew the group. The group details page now also includes links to the
Microsoft 365 group resources, so that the group owner can conveniently view the content and activity in their
group.
When a group expires, the group is deleted one day after the expiration date. An email notification such as this one
is sent to the Microsoft 365 group owners informing them about the expiration and subsequent deletion of their
The group can be restored within 30 days of its deletion by selecting Restore group or by using PowerShell
cmdlets, as described in Restore a deleted Microsoft 365 group in Azure Active Directory. Please note that the 30-
day group restoration period is not customizable.
If the group you're restoring contains documents, SharePoint sites, or other persistent objects, it might take up to
24 hours to fully restore the group and its contents.
How to retrieve Microsoft 365 group expiration date

In addition to Access Panel where users can view group details including expiration date and last renewed date,
expiration date of an Microsoft 365 group can be retrieved from Microsoft Graph REST API Beta.
expirationDateTime as a group property has been enabled in Microsoft Graph Beta. It can be retrieved with a GET
request. For more details, please refer to this example.
NOTE
In order to manage group memberships on Access Panel, "Restrict access to Groups in Access Panel" needs to be set to "No"
in Azure Active Directory Groups General Setting.
How Microsoft 365 group expiration works with a mailbox on legal hold
When a group expires and is deleted, then 30 days after deletion the group's data from apps like Planner, Sites, or
Teams is permanently deleted, but the group mailbox that is on legal hold is retained and is not permanently
deleted. The administrator can use Exchange cmdlets to restore the mailbox to fetch the data.
How Microsoft 365 group expiration works with retention policy
The retention policy is configured by way of the Security and Compliance Center. If you have set up a retention
policy for Microsoft 365 groups, when a group expires and is deleted, the group conversations in the group
mailbox and files in the group site are retained in the retention container for the specific number of days defined in
the retention policy. Users won't see the group or its content after expiration, but can recover the site and mailbox
data via e-discovery.
PowerShell examples
Here are examples of how you can use PowerShell cmdlets to configure the expiration settings for Microsoft 365
groups in your Azure AD organization:
1. Install the PowerShell v2.0 module and sign in at the PowerShell prompt:
Install-Module -Name AzureAD

Connect-AzureAD
2. Configure the expiration settings Use the New-AzureADMSGroupLifecyclePolicy cmdlet to set the lifetime
for all Microsoft 365 groups in the Azure AD organization to 365 days. Renewal notifications for Microsoft
365 groups without owners will be sent to 'emailaddress@contoso.com'
New-AzureADMSGroupLifecyclePolicy -GroupLifetimeInDays 365 -ManagedGroupTypes All -

AlternateNotificationEmails emailaddress@contoso.com
3. Retrieve the existing policy Get-AzureADMSGroupLifecyclePolicy: This cmdlet retrieves the current Microsoft
365 group expiration settings that have been configured. In this example, you can see:
The policy ID
The lifetime for all Microsoft 365 groups in the Azure AD organization is set to 365 days
Renewal notifications for Microsoft 365 groups without owners will be sent to
'emailaddress@contoso.com.'
Get-AzureADMSGroupLifecyclePolicy
ID GroupLifetimeInDays ManagedGroupTypes AlternateNotificationEmails

-- ------------------- ----------------- ---------------------------
26fcc232-d1c3-4375-b68d-15c296f1f077 365 All emailaddress@contoso.com
4. Update the existing policy Set-AzureADMSGroupLifecyclePolicy: This cmdlet is used to update an existing
policy. In the example below, the group lifetime in the existing policy is changed from 365 days to 180 days.
Set-AzureADMSGroupLifecyclePolicy -Id "26fcc232-d1c3-4375-b68d-15c296f1f077" -GroupLifetimeInDays 180 -

AlternateNotificationEmails "emailaddress@contoso.com"
5. Add specific groups to the policy Add-AzureADMSLifecyclePolicyGroup: This cmdlet adds a group to the
lifecycle policy. As an example:
Add-AzureADMSLifecyclePolicyGroup -Id "26fcc232-d1c3-4375-b68d-15c296f1f077" -groupId "cffd97bd-6b91-

4c4e-b553-6918a320211c"
6. Remove the existing Policy Remove-AzureADMSGroupLifecyclePolicy: This cmdlet deletes the Microsoft 365
group expiration settings but requires the policy ID. This cmdlet disables expiration for Microsoft 365
groups.
Remove-AzureADMSGroupLifecyclePolicy -Id "26fcc232-d1c3-4375-b68d-15c296f1f077"
The following cmdlets can be used to configure the policy in more detail. For more information, see PowerShell
documentation.
Get-AzureADMSGroupLifecyclePolicy
New-AzureADMSGroupLifecyclePolicy
Set-AzureADMSGroupLifecyclePolicy
Remove-AzureADMSGroupLifecyclePolicy
Add-AzureADMSLifecyclePolicyGroup
Remove-AzureADMSLifecyclePolicyGroup
Reset-AzureADMSLifeCycleGroup
Get-AzureADMSLifecyclePolicyGroup
Next steps
These articles provide additional information on Azure AD groups.
See existing groups
Set up self-service group management in Azure
Active Directory
You can enable users to create and manage their own security groups or Microsoft 365 groups in Azure Active
Directory (Azure AD). The owner of the group can approve or deny membership requests, and can delegate
control of group membership. Self-service group management features are not available for mail-enabled
security groups or distribution lists.
Self-service group membership defaults

When security groups are created in the Azure portal or using Azure AD PowerShell, only the group's owners can
update membership. Security groups created by self-service in the Access panel and all Microsoft 365 groups are
available to join for all users, whether owner-approved or auto-approved. In the Access panel, you can change
membership options when you create the group.
M IC RO SO F T 365 GRO UP DEFA ULT

GRO UP S C REAT ED IN SEC URIT Y GRO UP DEFA ULT B EH AVIO R B EH AVIO R
Azure AD PowerShell Only owners can add members Open to join for all users
Visible but not available to join in
Access panel
Azure portal Only owners can add members Open to join for all users
Visible but not available to join in
Access panel
Owner is not assigned automatically at
group creation
Access panel Open to join for all users Open to join for all users
Membership options can be changed Membership options can be changed
when the group is created when the group is created
Self-service group management scenarios

Delegated group management An example is an administrator who is managing access to a SaaS
application that the company is using. Managing these access rights is becoming cumbersome, so this
administrator asks the business owner to create a new group. The administrator assigns access for the
application to the new group, and adds to the group all people already accessing the application. The business
owner then can add more users, and those users are automatically provisioned to the application. The business
owner doesn't need to wait for the administrator to manage access for users. If the administrator grants the
same permission to a manager in a different business group, then that person can also manage access for their
own group members. Neither the business owner nor the manager can view or manage each other's group
memberships. The administrator can still see all users who have access to the application and block access
rights if needed.
Self-ser vice group management An example of this scenario is two users who both have SharePoint
Online sites that they set up independently. They want to give each other's teams access to their sites. To
accomplish this, they can create one group in Azure AD, and in SharePoint Online each of them selects that
group to provide access to their sites. When someone wants access, they request it from the Access Panel, and
after approval they get access to both SharePoint Online sites automatically. Later, one of them decides that all
people accessing the site should also get access to a particular SaaS application. The administrator of the SaaS
application can add access rights for the application to the SharePoint Online site. From then on, any requests
that get approved gives access to the two SharePoint Online sites and also to this SaaS application.
Make a group available for user self-service

1. Sign in to the Azure AD admin center with an account that's a global admin for the directory.
2. Select Groups , and then select General settings.
3. Set Owners can manage group membership requests in the Access Panel to Yes .
4. Set Restrict access to Groups in the Access Panel to No .
5. If you set Users can create security groups in Azure por tals or Users can create Microsoft 365
groups in Azure por tals to
Yes : All users in your Azure AD organization are allowed to create new security groups and add
members to these groups. These new groups would also show up in the Access Panel for all other users.
If the policy setting on the group allows it, other users can create requests to join these groups
No : Users can't create groups and can't change existing groups for which they are an owner. However,
they can still manage the memberships of those groups and approve requests from other users to join
their groups.
You can also use Owners who can assign members as group owners in Azure por tals and Owners who
can assign members as group owners in Azure por tals to achieve more granular access control over self-
service group management for your users.
When users can create groups, all users in your organization are allowed to create new groups and then can, as
the default owner, add members to these groups. You can't specify individuals who can create their own groups.
You can specify individuals only for making another group member a group owner.
NOTE
An Azure Active Directory Premium (P1 or P2) license is required for users to request to join a security group or Microsoft
365 group and for owners to approve or deny membership requests. Without an Azure Active Directory Premium license,
users can still manage their groups in the Access Panel, but they can't create a group that requires owner approval in the
Access Panel, and they can't request to join a group.
Next steps
Manage access to resources with Azure Active Directory groups
Integrate your on-premises identities with Azure Active Directory
Assign sensitivity labels to Microsoft 365 groups in
Azure Active Directory (Azure AD) supports applying sensitivity labels published by the Microsoft 365 compliance
center to Microsoft 365 groups. Sensitivity labels apply to group across services like Outlook, Microsoft Teams, and
SharePoint. This feature is currently in public GA. For more information about Office 365 apps support, see Office
365 support for sensitivity labels.
IMPORTANT
To configure this feature, there must be at least one active Azure Active Directory Premium P1 license in your Azure AD
organization.
Enable sensitivity label support in PowerShell

To apply published labels to groups, you must first enable the feature. These steps enable the feature in Azure AD.
1. Open a Windows PowerShell window on your computer. You can open it without elevated privileges.
2. Run the following commands to prepare to run the cmdlets.
Import-Module AzureADPreview
Connect-AzureAD
In the Sign in to your account page, enter your admin account and password to connect you to your
service, and select Sign in .
3. Fetch the current group settings for the Azure AD organization.
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -

Value "Group.Unified" -EQ).id
NOTE
If no group settings have been created for this Azure AD organization, you must first create the settings. Follow the
steps in Azure Active Directory cmdlets for configuring group settings to create group settings for this Azure AD
organization.
4. Next, display the current group settings.
$Setting.Values
5. Then enable the feature:
$Setting["EnableMIPLabels"] = "True"
6. Then save the changes and apply the settings:
Set-AzureADDirectorySetting -Id $Setting.Id -DirectorySetting $Setting
That's it. You've enabled the feature and you can apply published labels to groups.
Assign a label to a new group in Azure portal

1. Sign in to the Azure AD admin center.
2. Select Groups , and then select New group .
3. On the New Group page, select Office 365 , and then fill out the required information for the new group
and select a sensitivity label from the list.
4. Save your changes and select Create .

Your group is created and the site and group settings associated with the selected label are then automatically
enforced.
Assign a label to an existing group in Azure portal

1. Sign in to the Azure AD admin center with a Groups admin account, or as a group owner.
2. Select Groups .
3. From the All groups page, select the group that you want to label.
4. On the selected group's page, select Proper ties and select a sensitivity label from the list.
5. Select Save to save your changes.
Remove a label from an existing group in Azure portal

1. Sign in to the Azure AD admin center with a Global admin or Groups admin account, or as a group owner.
2. Select Groups .
3. From the All groups page, select the group that you want to remove the label from.
4. On the Group page, select Proper ties .
5. Select Remove .
6. Select Save to apply your changes.
Using classic Azure AD classifications

After you enable this feature, the “classic” classifications for groups will appear only existing groups and sites, and
you should use them for new groups only if creating groups in apps that don’t support sensitivity labels. Your
admin can convert them to sensitivity labels later if needed. Classic classifications are the old classifications you set
up by defining values for the ClassificationList setting in Azure AD PowerShell. When this feature is enabled,
those classifications will not be applied to groups.
Troubleshooting issues
Sensitivity labels are not available for assignment on a group
The sensitivity label option is only displayed for groups when all the following conditions are met:
1. Labels are published in the Microsoft 365 Compliance Center for this Azure AD organization.
2. The feature is enabled, EnableMIPLabels is set to True in PowerShell.
3. The group is an Microsoft 365 group.
4. The organization has an active Azure Active Directory Premium P1 license.
5. The current signed-in user has sufficient privileges to assign labels. The user must be either a Global
Administrator, Group Administrator, or the group owner.
Please make sure all the conditions are met in order to assign labels to a group.
The label I want to assign is not in the list
If the label you are looking for is not in the list, this could be the case for one of the following reasons:
The label might not be published in the Microsoft 365 Compliance Center. This could also apply to labels that
are no longer published. Please check with your administrator for more information.
The label may be published, however, it is not available to the user that is signed-in. Please check with your
administrator for more information on how to get access to the label.
How to change the label on a group
Labels can be swapped at any time using the same steps as assigning a label to an existing group, as follows:
1. Sign in to the Azure AD admin center with a Global or Group administrator account or as group owner.
2. Select Groups .
3. From the All groups page, select the group that you want to label.
4. On the selected group's page, select Proper ties and select a new sensitivity label from the list.
5. Select Save .
Group setting changes to published labels are not updated on the groups
As a best practice, we don't recommend that you change group settings for a label after the label is applied to
groups. When you make changes to group settings associated with published labels in Microsoft 365 compliance
center, those policy changes aren't automatically applied on the impacted groups.
If you must make a change, use an Azure AD PowerShell script to manually apply updates to the impacted groups.
This method makes sure that all existing groups enforce the new setting.
Next steps
Use sensitivity labels with Microsoft Teams, Microsoft 365 groups, and SharePoint sites
Update groups after label policy change manually with Azure AD PowerShell script
Assign or remove licenses in the Azure Active
Directory portal
Many Azure Active Directory (Azure AD) services require you to license each of your users or groups (and
associated members) for that service. Only users with active licenses will be able to access and use the licensed
Azure AD services for which that's true. Licenses are applied per tenant and do not transfer to other tenants.
Available license plans

There are several license plans available for the Azure AD service, including:
Azure AD Free
Azure AD Premium P1
Azure AD Premium P2
For specific information about each license plan and the associated licensing details, see What license do I need?.
To sign up for Azure AD premium license plans see here.
Not all Microsoft services are available in all locations. Before a license can be assigned to a group, you must
specify the Usage location for all members. You can set this value in the Azure Active Director y > Users >
Profile > Settings area in Azure AD. Any user whose usage location is not specified inherits the location of the
Azure AD organization.
View license plans and plan details

You can view your available service plans, including the individual licenses, check pending expiration dates, and
view the number of available assignments.
To find your service plan and plan details
2. Select Azure Active Director y , and then select Licenses .
3. Select the Purchased link to view the Products page and to see the Assigned , Available , and Expiring
soon numbers for your license plans.
4. Select a plan name to see its licensed users and groups.
Assign licenses to users or groups

Make sure that anyone needing to use a licensed Azure AD service has the appropriate license. You can add the
licensing rights to users or to an entire group.
To assign a license to a user
2. On the license plan overview page, select Assign .
3. On the Assign page, select Users and groups , and then search for and select the user you're assigning
the license.
4. Select Assignment options , make sure you have the appropriate license options turned on, and then
select OK .
NOTE
Not all Microsoft services are available in all locations. Before a license can be assigned to a user, you must specify
the Usage location . You can set this value in the Azure Active Director y > Users > Profile > Settings area
in Azure AD. Any user whose usage location is not specified inherits the location of the Azure AD organization.
5. Select Assign .
The user is added to the list of licensed users and has access to the included Azure AD services.
NOTE
Licenses can also be assigned directly to a user from the user's Licenses page. If a user has a license assigned
through a group membership and you want to assign the same license to the user directly, it can be done only from
the Products page mentioned in step 1 only.
To assign a license to a group

2. On the Azure Active Director y Premium Plan 2 page, select Assign .
3. On the Assign page, select Users and groups , and then search for and select the group you're assigning
the license.
4. Select Assignment options , make sure you have the appropriate license options turned on, and then
select OK .
5. Select Assign .
The group is added to the list of licensed groups and all of the members have access to the included Azure
AD services.
Remove a license
You can remove a license from a user's Azure AD user page, from the group overview page for a group
assignment, or starting from the Azure AD Licenses page to see the users and groups for a license.
To remove a license from a user
1. On the Licensed users page for the service plan, select the user that should no longer have the license.
For example, Alain Charon.
IMPORTANT
Licenses that a user inherits from a group can't be removed directly. Instead, you have to remove the user from the group
from which they're inheriting the license.
To remove a license from a group

1. On the Licensed groups page for the license plan, select the group that should no longer have the license.
NOTE
When an on-premises user account synced to Azure AD falls out of scope for the sync or when the sync is removed,
the user is soft-deleted in Azure AD. When this occurs, licenses assigned to the user directly or via group-based
licensing will be marked as suspended rather than deleted .
Next steps
After you've assigned your licenses, you can perform the following processes:
Identify and resolve license assignment problems
Add licensed users to a group for licensing
Assign licenses to users by group membership in
This article walks you through assigning product licenses to a group of users and verifying that they're licensed
correctly in Azure Active Directory (Azure AD).
In this example, the Azure AD organization contains a security group called HR Depar tment . This group includes
all members of the human resources department (around 1,000 users). You want to assign Office 365 Enterprise
E3 licenses to the entire department. The Yammer Enterprise service that's included in the product must be
temporarily disabled until the department is ready to start using it. You also want to deploy Enterprise Mobility +
Security licenses to the same group of users.
NOTE
Some Microsoft services are not available in all locations. Before a license can be assigned to a user, the administrator has to
specify the Usage location property on the user.
For group license assignment, any users without a usage location specified inherit the location of the directory. If you have
users in multiple locations, we recommend that you always set usage location as part of your user creation flow in Azure AD
(e.g. via AAD Connect configuration) - that ensures the result of license assignment is always correct and users do not
receive services in locations that are not allowed.
Step 1: Assign the required licenses

1. Sign in to the Azure AD admin center with a license administrator account. To manage licenses, the
account must be a license administrator, user administrator, or global administrator.
2. Select Licenses to open a page where you can see and manage all licensable products in the organization.
3. Under All products , select both Office 365 Enterprise E5 and Enterprise Mobility + Security E3 by selecting
the product names. To start the assignment, select Assign at the top of the page.
4. On the Assign license page, select Users and groups to open a list of users and groups.
5. Select a user or group, and then use the Select button at the bottom of the page to confirm your selection.
6. On the Assign license page, click Assignment options , which displays all service plans included in the
two products that we selected previously. Find Yammer Enterprise and turn it Off to disable that service
from the product license. Confirm by clicking OK at the bottom of License options .
7. To complete the assignment, on the Assign license page, click Assign at the bottom of the page.
8. A notification is displayed in the upper-right corner that shows the status and outcome of the process. If the
assignment to the group couldn't be completed (for example, because of pre-existing licenses in the group),
click the notification to view details of the failure.
When assign licenses to a group, Azure AD processes all existing members of that group. This process might take
some time, varying with the size of the group. The next step describes how to verify that the process has finished
and determine if further attention is required to resolve problems.
Step 2: Verify that the initial assignment has finished

1. Go to Azure Active Director y > Groups . Select the group that licenses were assigned to.
2. On the group page, select Licenses . This lets you quickly confirm if licenses have been fully assigned to
users and if there are any errors that you need to look into. The following information is available:
Service licenses that are currently assigned to the group. Select an entry to show the specific
services that have been enabled and to make changes.
Status updates of the latest license changes, which are available if the changes are being processed
or if processing has finished for all user members.
Information about user license assignments that are in an error state.
3. See more detailed information about license processing under Azure Active Director y > Users and
groups > group name > Audit logs . Check the following activities:
Activity: Start applying group based license to users . This is logged when the system picks up the
license assignment change on the group and starts applying it to all user members. It contains
information about the change that was made.
Activity: Finish applying group based license to users . This is logged when the system finishes
processing all users in the group. It contains a summary of how many users were successfully
processed and how many users couldn't be assigned group licenses.
Read this section to learn more about how audit logs can be used to analyze changes made by group-based
licensing.
Step 3: Check for license problems and resolve them

1. Go to Azure Active Director y > Groups , and find the group that licenses were assigned to.
2. On the group page, select Licenses . The notification on top of the page shows that there are 10 users that
licenses couldn't be assigned to. Open it to see a list of all users in a licensing error state for this group.
3. The Failed assignments column tells us that both product licenses couldn't be assigned to the users. The
Top reason for failure column contains the cause of the failure. In this case, it's Conflicting ser vice
plans .
4. Select a user to open the user's Licenses page. This page shows all licenses that are currently assigned to
the user. In this example, the user has the Office 365 Enterprise E1 license that was inherited from the Kiosk
users group. This conflicts with the E3 license that the system tried to apply from the HR Depar tment
group. As a result, none of the licenses from that group has been assigned to the user.
5. To solve this conflict, remove the user from the Kiosk users group. After Azure AD processes the change,
the HR Depar tment licenses are correctly assigned.
Next steps
To learn more about the feature set for license assignment using groups, see the following articles:
What is group-based licensing in Azure Active Directory?
Identify and resolve license assignment problems for a
group in Azure Active Directory
Group-based licensing in Azure Active Directory (Azure AD) introduces the concept of users in a licensing error
state. In this article, we explain the reasons why users might end up in this state.
When you assign licenses directly to individual users, without using group-based licensing, the assignment
operation might fail. For example, when you execute the PowerShell cmdlet Set-MsolUserLicense on a user system,
the cmdlet can fail for many reasons that are related to business logic. For example, there might be an insufficient
number of licenses or a conflict between two service plans that can't be assigned at the same time. The problem is
immediately reported back to you.
When you're using group-based licensing, the same errors can occur, but they happen in the background while the
Azure AD service is assigning licenses. For this reason, the errors can't be communicated to you immediately.
Instead, they're recorded on the user object and then reported via the administrative portal. The original intent to
license the user is never lost, but it's recorded in an error state for future investigation and resolution.
Find license assignment errors

To find users in an error state in a group
1. Open the group to its overview page and select Licenses . A notification appears if there are any users in an
error state.
2. Select the notification to open a list of all affected users. You can select each user individually to see more
details.
3. To find all groups that contain at least one error, on the Azure Active Director y blade select Licenses , and
then select Over view . An information box is displayed when groups require your attention.
4. Select the box to see a list of all groups with errors. You can select each group for more details.
The following sections give a description of each potential problem and the way to resolve it.
Not enough licenses

Problem: There aren't enough available licenses for one of the products that's specified in the group. You need to
either purchase more licenses for the product or free up unused licenses from other users or groups.
To see how many licenses are available, go to Azure Active Director y > Licenses > All products .
To see which users and groups are consuming licenses, select a product. Under Licensed users , you see a list of all
users who have had licenses assigned directly or via one or more groups. Under Licensed groups , you see all
groups that have that products assigned.
PowerShell: PowerShell cmdlets report this error as CountViolation.
Conflicting service plans

Problem: One of the products that's specified in the group contains a service plan that conflicts with another
service plan that's already assigned to the user via a different product. Some service plans are configured in a way
that they can't be assigned to the same user as another, related service plan.
Consider the following example. A user has a license for Office 365 Enterprise E1 assigned directly, with all the plans
enabled. The user has been added to a group that has the Office 365 Enterprise E3 product assigned to it. The E3
product contains service plans that can't overlap with the plans that are included in E1, so the group license
assignment fails with the “Conflicting service plans” error. In this example, the conflicting service plans are:
SharePoint Online (Plan 2) conflicts with SharePoint Online (Plan 1).
Exchange Online (Plan 2) conflicts with Exchange Online (Plan 1).
To solve this conflict, you need to disable two of the plans. You can disable the E1 license that's directly assigned to
the user. Or, you need to modify the entire group license assignment and disable the plans in the E3 license.
Alternatively, you might decide to remove the E1 license from the user if it's redundant in the context of the E3
license.
The decision about how to resolve conflicting product licenses always belongs to the administrator. Azure AD
doesn't automatically resolve license conflicts.
PowerShell: PowerShell cmdlets report this error as MutuallyExclusiveViolation.
Other products depend on this license

Problem: One of the products that's specified in the group contains a service plan that must be enabled for
another service plan, in another product, to function. This error occurs when Azure AD attempts to remove the
underlying service plan. For example, this can happen when you remove the user from the group.
To solve this problem, you need to make sure that the required plan is still assigned to users through some other
method or that the dependent services are disabled for those users. After doing that, you can properly remove the
group license from those users.
PowerShell: PowerShell cmdlets report this error as DependencyViolation.
Usage location isn't allowed

Problem: Some Microsoft services aren't available in all locations because of local laws and regulations. Before you
can assign a license to a user, you must specify the Usage location property for the user. You can specify the
location under the User > Profile > Settings section in the Azure portal.
When Azure AD attempts to assign a group license to a user whose usage location isn't supported, it fails and
records an error on the user.
To solve this problem, remove users from unsupported locations from the licensed group. Alternatively, if the
current usage location values don't represent the actual user location, you can modify them so that the licenses are
correctly assigned next time (if the new location is supported).
PowerShell: PowerShell cmdlets report this error as ProhibitedInUsageLocationViolation.
NOTE
When Azure AD assigns group licenses, any users without a specified usage location inherit the location of the directory. We
recommend that administrators set the correct usage location values on users before using group-based licensing to comply
with local laws and regulations.
Duplicate proxy addresses

If you use Exchange Online, some users in your organization might be incorrectly configured with the same proxy
address value. When group-based licensing tries to assign a license to such a user, it fails and shows “Proxy address
is already being used”.
TIP
To see if there is a duplicate proxy address, execute the following PowerShell cmdlet against Exchange Online:
Get-Recipient -ResultSize unlimited | where {$_.EmailAddresses -match "user@contoso.onmicrosoft.com"} | fL

Name, RecipientType,emailaddresses
For more information about this problem, see "Proxy address is already being used" error message in Exchange Online. The
article also includes information on how to connect to Exchange Online by using remote PowerShell.
After you resolve any proxy address problems for the affected users, make sure to force license processing on the
group to make sure that the licenses can now be applied.
Azure AD Mail and ProxyAddresses attribute change

Problem: While updating license assignment on a user or a group, you might see that the Azure AD Mail and
ProxyAddresses attribute of some users are changed.
Updating license assignment on a user causes the proxy address calculation to be triggered, which can change user
attributes. To understand the exact reason of the change and solve the problem, see this article on how the
proxyAddresses attribute is populated in Azure AD.
LicenseAssignmentAttributeConcurrencyException in audit logs

Problem: User has LicenseAssignmentAttributeConcurrencyException for license assignment in audit logs. When
group-based licensing tries to process concurrent license assignment of same license to a user, this exception is
recorded on the user. This usually happens when a user is a member of more than one group with same assigned
license. Azure AD will retry processing the user license and will resolve the issue. There is no action required from
the customer to fix this issue.
More than one product license assigned to a group

You can assign more than one product license to a group. For example, you can assign Office 365 Enterprise E3 and
Enterprise Mobility + Security to a group to easily enable all included services for users.
Azure AD attempts to assign all licenses that are specified in the group to each user. If Azure AD can't assign one of
the products because of business logic problems, it won't assign the other licenses in the group either. An example
is if there aren't enough licenses for all, or if there are conflicts with other services that are enabled on the user.
You can see the users who failed to get assigned and check which products are affected by this problem.
When a licensed group is deleted

You must remove all licenses assigned to a group before you can delete the group. However, removing licenses
from all the users in the group may take time. While removing license assignments from a group, there can be
failures if user has a dependent license assigned or if there is a proxy address conflict issue which prohibits the
license removal. If a user has a license that is dependent on a license which is being removed due to group deletion,
the license assignment to the user is converted from inherited to direct.
For example, consider a group that has Office 365 E3/E5 assigned with a Skype for Business service plan enabled.
Also imagine that a few members of the group have Audio Conferencing licenses assigned directly. When the group
is deleted, group-based licensing will try to remove Office 365 E3/E5 from all users. Because Audio Conferencing is
dependent on Skype for Business, for any users with Audio Conferencing assigned, group-based licensing converts
the Office 365 E3/E5 licenses to direct license assignment.
Manage licenses for products with prerequisites
Some Microsoft Online products you might own are add-ons. Add-ons require a prerequisite service plan to be
enabled for a user or a group before they can be assigned a license. With group-based licensing, the system
requires that both the prerequisite and add-on service plans be present in the same group. This is done to ensure
that any users who are added to the group can receive the fully working product. Let's consider the following
example:
Microsoft Workplace Analytics is an add-on product. It contains a single service plan with the same name. We can
only assign this service plan to a user, or group, when one of the following prerequisites is also assigned:
Exchange Online (Plan 1)
If we try to assign this product on its own to a group, the portal returns a notification message. If we select the item
details, it shows the following error message:
"License operation failed. Make sure that the group has necessary services before adding or removing a dependent
service. The ser vice Microsoft Workplace Analytics requires Exchange Online (Plan 2) to be enabled as
well."
To assign this add-on license to a group, we must ensure that the group also contains the prerequisite service plan.
For example, we might update an existing group that already contains the full Office 365 E3 product, and then add
the add-on product to it.
It is also possible to create a standalone group that contains only the minimum required products to make the add-
on work. It can the be used to license only selected users for the add-on product. Based on the previous example,
you would assign the following products to the same group:
Office 365 Enterprise E3 with only the Exchange Online (Plan 2) service plan enabled
Microsoft Workplace Analytics
From now on, any users added to this group consume one license of the E3 product and one license of the
Workplace Analytics product. At the same time, those users can be members of another group that gives them the
full E3 product, and they still consume only one license for that product.
TIP
You can create multiple groups for each prerequisite service plan. For example, if you use both Office 365 Enterprise E1 and
Office 365 Enterprise E3 for your users, you can create two groups to license Microsoft Workplace Analytics: one that uses E1
as a prerequisite and the other that uses E3. This lets you distribute the add-on to E1 and E3 users without consuming
additional licenses.
Force group license processing to resolve errors

Depending on what steps you've taken to resolve the errors, it might be necessary to manually trigger the
processing of a group to update the user state.
For example, if you free up some licenses by removing direct license assignments from users, you need to trigger
the processing of groups that previously failed to fully license all user members. To reprocess a group, go to the
group pane, open Licenses , and then select the Reprocess button on the toolbar.
Force user license processing to resolve errors

processing of a user to update the users state.
For example, after you resolve duplicate proxy address problem for an affected user, you need to trigger the
processing of the user. To reprocess a user, go to the user pane, open Licenses , and then select the Reprocess
button on the toolbar.
Next steps
To learn more about other scenarios for license management through groups, see the following:
How to migrate users with individual licenses to
groups for licensing
You may have existing licenses deployed to users in the organizations via direct assignment; that is, using
PowerShell scripts or other tools to assign individual user licenses. Before you begin using group-based licensing
to manage licenses in your organization, you can use this migration plan to seamlessly replace existing solutions
with group-based licensing.
The most important thing to keep in mind is that you should avoid a situation where migrating to group-based
licensing will result in users temporarily losing their currently assigned licenses. Any process that may result in
removal of licenses should be avoided to remove the risk of users losing access to services and their data.
Recommended migration process

1. You have existing automation (for example, PowerShell) managing license assignment and removal for
users. Leave it running as is.
2. Create a new licensing group (or decide which existing groups to use) and make sure that all required
users are added as members.
3. Assign the required licenses to those groups; your goal should be to reflect the same licensing state your
existing automation (for example, PowerShell) is applying to those users.
4. Verify that licenses have been applied to all users in those groups. This application can be done by
checking the processing state on each group and by checking Audit Logs.
You can spot check individual users by looking at their license details. You will see that they have the
same licenses assigned “directly” and “inherited” from groups.
You can run a PowerShell script to verify how licenses are assigned to users.
When the same product license is assigned to the user both directly and through a group, only one
license is consumed by the user. Hence no additional licenses are required to perform migration.
5. Verify that no license assignments failed by checking each group for users in error state. For more
information, see Identifying and resolving license problems for a group.
Consider removing the original direct assignments. We recommend that you do it gradually, and monitor the
outcome on a subset of users first. If you could leave the original direct assignments on users, but when the users
leave their licensed groups they retain the directly assigned licenses, which might not be what you want.
An example
An organization has 1,000 users. All users require Office 365 Enterprise E3 licenses. Currently the organization
has a PowerShell script running on premises, adding and removing licenses from users as they come and go.
However, the organization wants to replace the script with group-based licensing so licenses can be managed
automatically by Azure AD.
Here is what the migration process could look like:
1. Using the Azure portal, assign the Office 365 E3 license to the All users group in Azure AD.
2. Confirm that license assignment has completed for all users. Go to the overview page for the group, select
Licenses , and check the processing status at the top of the Licenses blade.
Look for “Latest license changes have been applied to all users" to confirm processing has
completed.
Look for a notification on top about any users for whom licenses may have not been successfully
assigned. Did we run out of licenses for some users? Do some users have conflicting license plans
that prevent them from inheriting group licenses?
3. Spot check some users to verify that they have both the direct and group licenses applied. Go to the profile
page for a user, select Licenses , and examine the state of licenses.
This is the expected user state during migration:
This confirms that the user has both direct and inherited licenses. We see that Office 365 E3 is
assigned.
Select each license to see which services are enabled. To verify that the direct and group licenses
enable exactly the same services for the user, select Assignments .
4. After confirming that both direct and group licenses are equivalent, you can start removing direct licenses
from users. You can test this by removing them for individual users in the portal and then run automation
scripts to have them removed in bulk. Here is an example of the same user with the direct licenses
removed through the portal. Notice that the license state remains unchanged, but we no longer see direct
assignments.
Next steps
Learn more about other scenarios for group license management:
Change license assignments for a user or group in
This article describes how to move users and groups between service license plans in Azure Active Directory
(Azure AD). The goal Azure AD's approach is to ensure that there's no loss of service or data during the license
change. Users should switch between services seamlessly. The license plan assignment steps in this article
describe changing a user or group on Office 365 E1 to Office 365 E3, but the steps apply to all license plans.
When you update license assignments for a user or group, the license assignment removals and new assignments
are made simultaneously so that users do not lose access to their services during license changes or see license
conflicts between plans.
Before you begin

Before you update the license assignments, it's important to verify certain assumptions are true for all of the
users or groups to be updated. If the assumptions aren't true for all of the users in a group, the migration might
fail for some. As a result, some of the users might lose access to services or data. Ensure that:
Users have the current license plan (in this case, Office 365 E1) that's assigned to a group and inherited by
the user and not assigned directly.
You have enough available licenses for the license plan you're assigning. If you don't have enough licenses,
some users might not be assigned the new license plan. You can check the number of available licenses.
Users don't have other assigned service licenses that can conflict with the desired license or prevent
removal of the current license. For example, a license from a service such as Workplace Analytics or Project
Online that has a dependency on other services.
If you manage groups on-premises and sync them into Azure AD via Azure AD Connect, then you add or
remove users by using your on-premises system. It can take some time for the changes to sync with Azure
AD to be picked up by group licensing.
If you're using Azure AD dynamic group memberships, you add or remove users by changing their
attributes, but the update process for license assignments remains the same.
Change user license assignments

On the Update license assignments page, if you see that some checkboxes are unavailable, it indicates services
that can't be changed because they're inherited from a group license.
2. Select Azure Active Director y > Users , and then open the Profile page for a user.
3. Select Licenses .
4. Select Assignments to edit license assignment for the user or group. The Assignments page is where
you can resolve license assignment conflicts.
5. Select the check box for Office 365 E3 and ensure that at minimum the all of the E1 services that are
assigned to the user are selected.
6. Clear the check box for Office 365 E1.
7. Select Save .
Azure AD applies the new licenses and removes the old licenses simultaneously to provide service continuity.
Change group license assignments

2. Select Azure Active Director y > Groups , and then open the Over view page for a group.
3. Select Licenses .
4. Select the Assignments command to edit license assignment for the user or group.
5. Select the check box for Office 365 E3. To maintain continuity of service, ensure that you select all of the E1
services that are already assigned to the user.
6. Clear the check box for Office 365 E1.
7. Select Save .
To provide service continuity, Azure AD applies the new licenses and removes the old licenses simultaneously for
all users in the group.
Next steps
Learn about other scenarios for license management through groups in the following articles:
How to migrate individual licensed users to group licensing in Azure Active Directory
Azure Active Directory group licensing additional scenarios
PowerShell examples for group licensing in Azure Active Directory
Scenarios, limitations, and known issues using
groups to manage licensing in Azure Active
Directory
Use the following information and examples to gain a more advanced understanding of Azure Active Directory
(Azure AD) group-based licensing.
Usage location
Some Microsoft services are not available in all locations. Before a license can be assigned to a user, the
administrator has to specify the Usage location property on the user. In the Azure portal, you can specify usage
location in User > Profile > Settings .
For group license assignment, any users without a usage location specified inherit the location of the directory. If
you have users in multiple locations, make sure to reflect that correctly in your user resources before adding
users to groups with licenses.
NOTE
Group license assignment will never modify an existing usage location value on a user. We recommend that you always set
usage location as part of your user creation flow in Azure AD (e.g. via AAD Connect configuration) - that will ensure the
result of license assignment is always correct, and users do not receive services in locations that are not allowed.
Use group-based licensing with dynamic groups

You can use group-based licensing with any security group, which means it can be combined with Azure AD
dynamic groups. Dynamic groups run rules against user resource attributes to automatically add and remove
users from groups.
For example, you can create a dynamic group for some set of products you want to assign to users. Each group is
populated by a rule adding users by their attributes, and each group is assigned the licenses that you want them
to receive. You can assign the attribute on-premises and sync it with Azure AD, or you can manage the attribute
directly in the cloud.
Licenses are assigned to the user shortly after they are added to the group. When the attribute is changed, the
user leaves the groups and the licenses are removed.
Example
Consider the example of an on-premises identity management solution that decides which users should have
access to Microsoft web services. It uses extensionAttribute1 to store a string value representing the licenses
the user should have. Azure AD Connect syncs it with Azure AD.
Users might need one license but not another, or might need both. Here's an example, in which you are
distributing Office 365 Enterprise E5 and Enterprise Mobility + Security (EMS) licenses to users in groups:
Office 365 Enterprise E5: base services
Enterprise Mobility + Security: licensed users
For this example, modify one user and set their extensionAttribute1 to the value of EMS;E5_baseservices; if you
want the user to have both licenses. You can make this modification on-premises. After the change syncs with the
cloud, the user is automatically added to both groups, and licenses are assigned.
WARNING
Use caution when modifying an existing group’s membership rule. When a rule is changed, the membership of the group
will be re-evaluated and users who no longer match the new rule will be removed (users who still match the new rule will
not be affected during this process). Those users will have their licenses removed during the process which may result in
loss of service, or in some cases, loss of data.
If you have a large dynamic group you depend on for license assignment, consider validating any major changes on a
smaller test group before applying them to the main group.
Multiple groups and multiple licenses

A user can be a member of multiple groups with licenses. Here are some things to consider:
Multiple licenses for the same product can overlap, and they result in all enabled services being applied to
the user. The following example shows two licensing groups: E3 base services contains the foundation
services to deploy first, to all users. And E3 extended services contains additional services (Sway and
Planner) to deploy only to some users. In this example, the user was added to both groups:
As a result, the user has 7 of the 12 services in the product enabled, while using only one license for this
product.
Selecting the E3 license shows more details, including information about which services are enabled for
the user by by the group license assignment.
Direct licenses coexist with group licenses

When a user inherits a license from a group, you can't directly remove or modify that license assignment in the
user's properties. Changes must be made in the group and then propagated to all users.
It is possible, however, to assign the same product license directly to the user, in addition to the inherited license.
You can enable additional services from the product just for one user, without affecting other users.
Directly assigned licenses can be removed, and don’t affect inherited licenses. Consider the user who inherits an
Office 365 Enterprise E3 license from a group.
Initially, the user inherits the license only from the E3 basic services group, which enables four service plans.
1. Select Assign to directly assign an E3 license to the user. In this case, you are going to disable all service
plans except Yammer Enterprise.
As a result, the user still uses only one license of the E3 product. But the direct assignment enables the
Yammer Enterprise service for that user only. You can see which services are enabled by the group
membership versus the direct assignment.
2. When you use direct assignment, the following operations are allowed:
Yammer Enterprise can be turned off on the user resource directly. The On/Off toggle in the
illustration was enabled for this service, as opposed to the other service toggles. Because the service is
enabled directly on the user, it can be modified.
Additional services can be enabled as well, as part of the directly assigned license.
The Remove button can be used to remove the direct license from the user. You can see that the user
now only has the inherited group license and only the original services remain enabled:
Managing new services added to products

When Microsoft adds a new service to a product license plan, it is enabled by default in all groups to which you
have assigned the product license. Users in your organization who are subscribed to notifications about product
changes will receive emails ahead of time notifying them about the upcoming service additions.
As an administrator, you can review all groups affected by the change and take action, such as disabling the new
service in each group. For example, if you created groups targeting only specific services for deployment, you
can revisit those groups and make sure that any newly added services are disabled.
Here is an example of what this process may look like:
1. Originally, you assigned the Office 365 Enterprise E5 product to several groups. One of those groups,
called O365 E5 - Exchange only was designed to enable only the Exchange Online (Plan 2) service for its
members.
2. You received a notification from Microsoft that the E5 product will be extended with a new service -
Microsoft Stream. When the service becomes available in your organization, you can do the following:
3. Go to the Azure Active Director y > Licenses > All products blade and select Office 365 Enterprise
E5, then select Licensed Groups to view a list of all groups with that product.
4. Click on the group you want to review (in this case, O365 E5 - Exchange only). This will open the Licenses
tab. Clicking on the E5 license will open a blade listing all enabled services.
NOTE
The Microsoft Stream service has been automatically added and enabled in this group, in addition to the Exchange
Online service:
5. If you want to disable the new service in this group, click the On/Off toggle next to the service and click
the Save button to confirm the change. Azure AD will now process all users in the group to apply the
change; any new users added to the group will not have the Microsoft Stream service enabled.
NOTE
Users may still have the service enabled through some other license assignment (another group they are members
of or a direct license assignment).
6. If needed, perform the same steps for other groups with this product assigned.
Use PowerShell to see who has inherited and direct licenses

You can use a PowerShell script to check if users have a license assigned directly or inherited from a group.
1. Run the connect-msolservice cmdlet to authenticate and connect to your organization.
2. Get-MsolAccountSku can be used to discover all provisioned product licenses in the Azure AD organization.
3. Use the AccountSkuId value for the license you are interested in with this PowerShell script. This will
produce a list of users who have this license with the information about how the license is assigned.
Use Audit logs to monitor group-based licensing activity

You can use Azure AD audit logs to see all activity related to group-based licensing, including:
who changed licenses on groups
when the system started processing a group license change, and when it finished
what license changes were made to a user as a result of a group license assignment.
NOTE
Audit logs are available on most blades in the Azure Active Directory section of the portal. Depending on where you access
them, filters may be pre-applied to only show activity relevant to the context of the blade. If you are not seeing the results
you expect, examine the filtering options or access the unfiltered audit logs under Azure Active Director y > Activity >
Audit logs .
Find out who modified a group license

1. Set the Activity filter to Set group license and click Apply .
2. The results include all cases of licenses being set or modified on groups.
TIP
You can also type the name of the group in the Target filter to scope the results.
3. Select an item in the list to see the details of what has changed. Under Modified Properties both old and
new values for the license assignment are listed.
Here is an example of recent group license changes, with details:
Find out when group changes started and finished processing

When a license changes on a group, Azure AD will start applying the changes to all users.
1. To see when groups started processing, set the Activity filter to Start applying group based license to
users. Note that the actor for the operation is Microsoft Azure AD Group-Based Licensing - a system
account that is used to execute all group license changes.
TIP
Click an item in the list to see the Modified Properties field - it shows the license changes that were picked up for
processing. This is useful if you made multiple changes to a group and you are not sure which one was processed.
2. Similarly, to see when groups finished processing, use the filter value Finish applying group based license
to users.
TIP
In this case, the Modified Properties field contains a summary of the results - this is useful to quickly check if
processing resulted in any errors. Sample output:
Modified Properties
...
Name : Result
Old Value : []
New Value : [Users successfully assigned licenses: 6, Users for whom license assignment failed:
0.];
3. To see the complete log for how a group was processed, including all user changes, set the following
filters:
Initiated By (Actor) : "Microsoft Azure AD Group-Based Licensing"
Date Range (optional): custom range for when you know a specific group started and finished
processing
This sample output shows the start of processing, all resulting user changes, and the finish of processing.
TIP
Clicking items related to Change user license will show details for license changes applied to each individual user.
Deleting a group with an assigned license

It is not possible to delete a group with an active license assigned. An administrator could delete a group not
realizing that it will cause licenses to be removed from users - for this reason we require any licenses to be
removed from the group first, before it can be deleted.
When trying to delete a group in the Azure portal you may see an error notification like this:
Go to the Licenses tab on the group and see if there are any licenses assigned. If yes, remove those licenses and
try to delete the group again.
You may see similar errors when trying to delete the group through PowerShell or Graph API. If you are using a
group synced from on-premises, Azure AD Connect may also report errors if it is failing to delete the group in
Azure AD. In all such cases, make sure to check if there are any licenses assigned to the group, and remove them
first.
Limitations and known issues

If you use group-based licensing, it's a good idea to familiarize yourself with the following list of limitations and
known issues.
Group-based licensing currently does not support groups that contain other groups (nested groups). If
you apply a license to a nested group, only the immediate first-level user members of the group have the
licenses applied.
The feature can only be used with security groups, and Microsoft 365 groups that have
securityEnabled=TRUE.
The Microsoft 365 admin center does not currently support group-based licensing. If a user inherits a
license from a group, this license appears in the Office admin portal as a regular user license. If you try to
modify that license or try to remove the license, the portal returns an error message. Inherited group
licenses cannot be modified directly on a user.
When licenses are assigned or modified for a large group (for example, 100,000 users), it could impact
performance. Specifically, the volume of changes generated by Azure AD automation might negatively
impact the performance of your directory synchronization between Azure AD and on-premises systems.
If you are using dynamic groups to manage your user’s membership, verify that the user is part of the
group, which is necessary for license assignment. If not, check processing status for the membership rule
of the dynamic group.
In certain high load situations, it may take a long time to process license changes for groups or
membership changes to groups with existing licenses. If you see your changes take more than 24 hours to
process group size of 60K users or less, please open a support ticket to allow us to investigate.
License management automation does not automatically react to all types of changes in the environment.
For example, you might have run out of licenses, causing some users to be in an error state. To free up the
available seat count, you can remove some directly assigned licenses from other users. However, the
system does not automatically react to this change and fix users in that error state.
As a workaround to these types of limitations, you can go to the Group blade in Azure AD, and click
Reprocess . This command processes all users in that group and resolves the error states, if possible.
Next steps
To learn more about other scenarios for license management through group-based licensing, see:
PowerShell and Graph examples for group-based
licensing in Azure AD
Full functionality for group-based licensing is available through the Azure portal, and currently PowerShell and
Microsoft Graph support is limited to read-only operations. However, there are some useful tasks that can be
performed using the existing MSOnline PowerShell cmdlets and Microsoft Graph. This document provides
examples of what is possible.
NOTE
Before you begin running cmdlets, make sure you connect to your organization first, by running the
Connect-MsolService cmdlet.
WARNING
This code is provided as an example for demonstration purposes. If you intend to use it in your environment, consider
testing it first on a small scale, or in a separate test organization. You may have to adjust the code to meet the specific
needs of your environment.
View product licenses assigned to a group

The Get-MsolGroup cmdlet can be used to retrieve the group object and check the Licenses property: it lists all
product licenses currently assigned to the group.
(Get-MsolGroup -ObjectId 99c4216a-56de-42c4-a4ac-e411cd8c7c41).Licenses

| Select SkuPartNumber
Output:
SkuPartNumber
-------------
ENTERPRISEPREMIUM
EMSPREMIUM
NOTE
The data is limited to product (SKU) information. It is not possible to list the service plans disabled in the license.
Use the following sample to get the same data from Microsoft Graph.
GET https://graph.microsoft.com/v1.0/groups/99c4216a-56de-42c4-a4ac-e411cd8c7c41?$select=assignedLicenses
Output:
HTTP/1.1 200 OK
{
"value": [
{
"assignedLicenses": [
{
"accountId":"f1b45b40-57df-41f7-9596-7f2313883635",
"skuId":"c7df2760-2c81-4ef7-b578-5b5392b571df",
"disabledPlans":[]
},
{
"accountId":"f1b45b40-57df-41f7-9596-7f2313883635",
"skuId":" b05e124f-c7cc-45a0-a6aa-8cf78c946968",
"disabledPlans":[]
},
],
}
]
}
Get all groups with licenses

You can find all groups with any license assigned by running the following command:
Get-MsolGroup -All | Where {$_.Licenses}
More details can be displayed about what products are assigned:
Get-MsolGroup -All | Where {$_.Licenses} | Select `

ObjectId, `
DisplayName, `
@{Name="Licenses";Expression={$_.Licenses | Select -ExpandProperty SkuPartNumber}}
Output:
ObjectId DisplayName Licenses

-------- ----------- --------
7023a314-6148-4d7b-b33f-6c775572879a EMS E5 – Licensed users EMSPREMIUM
cf41f428-3b45-490b-b69f-a349c8a4c38e PowerBi - Licensed users POWER\_BI\_STANDARD
962f7189-59d9-4a29-983f-556ae56f19a5 O365 E3 - Licensed users ENTERPRISEPACK
c2652d63-9161-439b-b74e-fcd8228a7074 EMSandOffice {ENTERPRISEPREMIUM,EMSPREMIUM}
Get statistics for groups with licenses

You can report basic statistics for groups with licenses. In the example below, the script lists the total user count,
the count of users with licenses already assigned by the group, and the count of users for whom licenses could
not be assigned by the group.
#get all groups with licenses
Get-MsolGroup -All | Where {$_.Licenses} | Foreach {
$groupId = $_.ObjectId;
$groupName = $_.DisplayName;
$groupLicenses = $_.Licenses | Select -ExpandProperty SkuPartNumber
$totalCount = 0;
$licenseAssignedCount = 0;
$licenseErrorCount = 0;
Get-MsolGroupMember -All -GroupObjectId $groupId |

#get full info about each user in the group
Get-MsolUser -ObjectId {$_.ObjectId} | Foreach {
$user = $_;
$totalCount++
#check if any licenses are assigned via this group

if($user.Licenses | ? {$_.GroupsAssigningLicense -ieq $groupId })
{
$licenseAssignedCount++
}
#check if user has any licenses that failed to be assigned from this group
if ($user.IndirectLicenseErrors | ? {$_.ReferencedObjectId -ieq $groupId })
{
$licenseErrorCount++
}
}
#aggregate results for this group

New-Object Object |
Add-Member -NotePropertyName GroupName -NotePropertyValue $groupName -PassThru |
Add-Member -NotePropertyName GroupId -NotePropertyValue $groupId -PassThru |
Add-Member -NotePropertyName GroupLicenses -NotePropertyValue $groupLicenses -PassThru |
Add-Member -NotePropertyName TotalUserCount -NotePropertyValue $totalCount -PassThru |
Add-Member -NotePropertyName LicensedUserCount -NotePropertyValue $licenseAssignedCount -
PassThru |
Add-Member -NotePropertyName LicenseErrorCount -NotePropertyValue $licenseErrorCount -
PassThru
} | Format-Table
Output:
GroupName GroupId GroupLicenses TotalUserCount LicensedUserCount

LicenseErrorCount
--------- ------- ------------- -------------- ----------------- -
----------------
Dynamics Licen... 9160c903-9f91-4597-8f79-22b6c47eafbf AAD_PREMIUM_P2 0 0
0
O365 E5 - base... 055dcca3-fb75-4398-a1b8-f8c6f4c24e65 ENTERPRISEPREMIUM 2 2
0
O365 E5 - extr... 6b14a1fe-c3a9-4786-9ee4-3a2bb54dcb8e ENTERPRISEPREMIUM 3 3
0
EMS E5 - all s... 7023a314-6148-4d7b-b33f-6c775572879a EMSPREMIUM 2 2
0
PowerBi - Lice... cf41f428-3b45-490b-b69f-a349c8a4c38e POWER_BI_STANDARD 2 2
0
O365 E3 - all ... 962f7189-59d9-4a29-983f-556ae56f19a5 ENTERPRISEPACK 2 2
0
O365 E5 - EXO 102fb8f4-bbe7-462b-83ff-2145e7cdd6ed ENTERPRISEPREMIUM 1 1
0
Access to Offi... 11151866-5419-4d93-9141-0603bbf78b42 STANDARDPACK 4 3
1
Get all groups with license errors
To find groups that contain some users for whom licenses could not be assigned:
Get-MsolGroup -All -HasLicenseErrorsOnly $true
Output:
ObjectId DisplayName GroupType Description

-------- ----------- --------- -----------
11151866-5419-4d93-9141-0603bbf78b42 Access to Office 365 E1 Security Users who should have E1 licenses
Use following to get the same data from Microsoft Graph
GET https://graph.microsoft.com/v1.0/groups?$filter=hasMembersWithLicenseErrors+eq+true
Output:
HTTP/1.1 200 OK
{
"value":[
{
"odata.type": "Microsoft.DirectoryServices.Group",
"objectType": "Group",
"id": "11151866-5419-4d93-9141-0603bbf78b42",
... # other group properties.
},
{
"odata.type": "Microsoft.DirectoryServices.Group",
"objectType": "Group",
"id": "c57cdc98-0dcd-4f90-a82f-c911b288bab9",
...
},
... # other groups with license errors.
]
"odata.nextLink":"https://graph.microsoft.com/v1.0/ groups?
$filter=hasMembersWithLicenseErrors+eq+true&$skipToken=<encodedPageToken>"
}
Get all users with license errors in a group

Given a group that contains some license-related errors, you can now list all users affected by those errors. A user
can have errors from other groups, too. However, in this example we limit results only to errors relevant to the
group in question by checking the ReferencedObjectId property of each IndirectLicenseError entry on the
user.
#a sample group with errors
$groupId = '11151866-5419-4d93-9141-0603bbf78b42'
#get all user members of the group

Get-MsolGroupMember -All -GroupObjectId $groupId |
#get full information about user objects
Get-MsolUser -ObjectId {$_.ObjectId} |
#filter out users without license errors and users with license errors from other groups
Where {$_.IndirectLicenseErrors -and $_.IndirectLicenseErrors.ReferencedObjectId -eq $groupId} |
#display id, name and error detail. Note: we are filtering out license errors from other groups
Select ObjectId, `
DisplayName, `
@{Name="LicenseError";Expression={$_.IndirectLicenseErrors | Where {$_.ReferencedObjectId -eq
$groupId} | Select -ExpandProperty Error}}
Output:
ObjectId DisplayName License Error

-------- ----------- ------------
6d325baf-22b7-46fa-a2fc-a2500613ca15 Catherine Gibson MutuallyExclusiveViolation
Use following to get the same data from Microsoft Graph:
GET https://graph.microsoft.com/v1.0/groups/11151866-5419-4d93-9141-0603bbf78b42/membersWithLicenseErrors
Output:
HTTP/1.1 200 OK
{
"value":[
{
"odata.type": "Microsoft.DirectoryServices.User",
"objectType": "User",
"id": "6d325baf-22b7-46fa-a2fc-a2500613ca15",
... # other user properties.
},
... # other users.
],
"odata.nextLink":"https://graph.microsoft.com/v1.0/groups/11151866-5419-4d93-9141-
0603bbf78b42/membersWithLicenseErrors?$skipToken=<encodedPageToken>"
}
Get all users with license errors in the entire organization

The following script can be used to get all users who have license errors from one or more groups. The script
prints one row per user, per license error, which allows you to clearly identify the source of each error.
NOTE
This script enumerates all users in the organization, which might not be optimal for large organizations.
Get-MsolUser -All | Where {$_.IndirectLicenseErrors } | % {
$user = $_;
$user.IndirectLicenseErrors | % {
New-Object Object |
Add-Member -NotePropertyName UserName -NotePropertyValue $user.DisplayName -PassThru |
Add-Member -NotePropertyName UserId -NotePropertyValue $user.ObjectId -PassThru |
Add-Member -NotePropertyName GroupId -NotePropertyValue $_.ReferencedObjectId -PassThru |
Add-Member -NotePropertyName LicenseError -NotePropertyValue $_.Error -PassThru
}
}
Output:
UserName UserId GroupId LicenseError

-------- ------ ------- ------------
Anna Bergman 0d0fd16d-872d-4e87-b0fb-83c610db12bc 7946137d-b00d-4336-975e-b1b81b0666d0
MutuallyExclusiveViolation
Catherine Gibson 6d325baf-22b7-46fa-a2fc-a2500613ca15 f2503e79-0edc-4253-8bed-3e158366466b CountViolation
Catherine Gibson 6d325baf-22b7-46fa-a2fc-a2500613ca15 11151866-5419-4d93-9141-0603bbf78b42
Drew Fogarty f2af28fc-db0b-4909-873d-ddd2ab1fd58c 1ebd5028-6092-41d0-9668-129a3c471332
Here is another version of the script that searches only through groups that contain license errors. It may be
more optimized for scenarios where you expect to have few groups with problems.
$groupIds = Get-MsolGroup -All -HasLicenseErrorsOnly $true

foreach ($groupId in $groupIds) {
Get-MsolGroupMember -All -GroupObjectId $groupId.ObjectID |
Get-MsolUser -ObjectId {$_.ObjectId} |
Where {$_.IndirectLicenseErrors -and $_.IndirectLicenseErrors.ReferencedObjectId -eq
$groupId.ObjectID} |
Select DisplayName, `
ObjectId, `
@{Name="LicenseError";Expression={$_.IndirectLicenseErrors | Where {$_.ReferencedObjectId -eq
$groupId.ObjectID} | Select -ExpandProperty Error}}
Check if user license is assigned directly or inherited from a group

For a user object, it is possible to check if a particular product license is assigned from a group or if it is assigned
directly.
The two sample functions below can be used to analyze the type of assignment on an individual user:
#Returns TRUE if the user has the license assigned directly
function UserHasLicenseAssignedDirectly
{
Param([Microsoft.Online.Administration.User]$user, [string]$skuId)
foreach($license in $user.Licenses)
{
#we look for the specific license SKU in all licenses assigned to the user
if ($license.AccountSkuId -ieq $skuId)
{
#GroupsAssigningLicense contains a collection of IDs of objects assigning the license
#This could be a group object or a user object (contrary to what the name suggests)
#If the collection is empty, this means the license is assigned directly - this is the case for
users who have never been licensed via groups in the past
if ($license.GroupsAssigningLicense.Count -eq 0)
{
return $true
}
#If the collection contains the ID of the user object, this means the license is assigned
directly
#Note: the license may also be assigned through one or more groups in addition to being assigned
directly
foreach ($assignmentSource in $license.GroupsAssigningLicense)
{
if ($assignmentSource -ieq $user.ObjectId)
{
return $true
}
}
return $false
}
}
return $false
}
#Returns TRUE if the user is inheriting the license from a group
function UserHasLicenseAssignedFromGroup
{
{
{
{
#If the collection contains at least one ID not matching the user ID this means that the
license is inherited from a group.
#Note: the license may also be assigned directly in addition to being inherited
if ($assignmentSource -ine $user.ObjectId)
{
return $true
}
}
return $false
}
}
return $false
}
This script executes those functions on each user in the organization, using the SKU ID as input - in this example
we are interested in the license for Enterprise Mobility + Security, which in our organization is represented with
ID contoso:EMS :
#the license SKU we are interested in. use Get-MsolAccountSku to see a list of all identifiers in your
organization
$skuId = "contoso:EMS"
#find all users that have the SKU license assigned

Get-MsolUser -All | where {$_.isLicensed -eq $true -and $_.Licenses.AccountSKUID -eq $skuId} | select `
ObjectId, `
@{Name="SkuId";Expression={$skuId}}, `
@{Name="AssignedDirectly";Expression={(UserHasLicenseAssignedDirectly $_ $skuId)}}, `
@{Name="AssignedFromGroup";Expression={(UserHasLicenseAssignedFromGroup $_ $skuId)}}
Output:
ObjectId SkuId AssignedDirectly AssignedFromGroup

-------- ----- ---------------- -----------------
157870f6-e050-4b3c-ad5e-0f0a377c8f4d contoso:EMS True False
1f3174e2-ee9d-49e9-b917-e8d84650f895 contoso:EMS False True
240622ac-b9b8-4d50-94e2-dad19a3bf4b5 contoso:EMS True True
Graph doesn’t have a straightforward way to show the result, but it can be seen from this API:
GET https://graph.microsoft.com/v1.0/users/e61ff361-5baf-41f0-b2fd-380a6a5e406a?
$select=licenseAssignmentStates
Output:
HTTP/1.1 200 OK
{
"value":[
{
"odata.type": "Microsoft.DirectoryServices.User",
"objectType": "User",
"id": "e61ff361-5baf-41f0-b2fd-380a6a5e406a",
"licenseAssignmentState":[
{
"skuId": "157870f6-e050-4b3c-ad5e-0f0a377c8f4d",
"disabledPlans":[],
"assignedByGroup": null, # assigned directly.
"state": "Active",
"error": "None"
},
{
"skuId": "1f3174e2-ee9d-49e9-b917-e8d84650f895",
"disabledPlans":[],
"assignedByGroup": "e61ff361-5baf-41f0-b2fd-380a6a5e406a", # assigned by this group.
"state": "Active",
"error": "None"
},
{
"skuId": "240622ac-b9b8-4d50-94e2-dad19a3bf4b5",
"disabledPlans":[
"e61ff361-5baf-41f0-b2fd-380a6a5e406a"
],
"assignedByGroup": "e61ff361-5baf-41f0-b2fd-380a6a5e406a",
"state": "Active",
"error": "None"
},
{
"skuId": "240622ac-b9b8-4d50-94e2-dad19a3bf4b5",
"disabledPlans":[],
"assignedByGroup": null, # It is the same license as the previous one. It means the license is
assigned directly once and inherited from group as well.
"state": " Active ",
"error": " None"
}
],
...
}
],
}
Remove direct licenses for users with group licenses

The purpose of this script is to remove unnecessary direct licenses from users who already inherit the same
license from a group; for example, as part of a transitioning to group-based licensing.
NOTE
It is important to first validate that the direct licenses to be removed do not enable more service functionality than the
inherited licenses. Otherwise, removing the direct license may disable access to services and data for users. Currently it is
not possible to check via PowerShell which services are enabled via inherited licenses vs direct. In the script, we specify the
minimum level of services we know are being inherited from groups and check against that to make sure users do not
unexpectedly lose access to services.
#BEGIN: Helper functions used by the script

function UserHasLicenseAssignedDirectly
{
$license = GetUserLicense $user $skuId
if ($license -ne $null)

{
#If the collection is empty, this means the license is assigned directly - this is the case for users
who have never been licensed via groups in the past
if ($license.GroupsAssigningLicense.Count -eq 0)
{
return $true
}
#If the collection contains the ID of the user object, this means the license is assigned directly
#Note: the license may also be assigned through one or more groups in addition to being assigned
directly
{
if ($assignmentSource -ieq $user.ObjectId)
{
return $true
}
}
return $false
}
return $false
}
#Returns TRUE if the user is inheriting the license from a specific group
function UserHasLicenseAssignedFromThisGroup
{
Param([Microsoft.Online.Administration.User]$user, [string]$skuId, [Guid]$groupId)
if ($license -ne $null)

{
{
#If the collection contains at least one ID not matching the user ID this means that the license
is inherited from a group.
#Note: the license may also be assigned directly in addition to being inherited
if ($assignmentSource -ieq $groupId)
{
return $true
}
}
return $false
}
return $false
}
#Returns the license object corresponding to the skuId. Returns NULL if not found
function GetUserLicense
{
Param([Microsoft.Online.Administration.User]$user, [string]$skuId, [Guid]$groupId)
{
{
return $license
}
}
}
return $null
}
#produces a list of disabled service plan names for a set of plans we want to leave enabled
function GetDisabledPlansForSKU
{
Param([string]$skuId, [string[]]$enabledPlans)
$allPlans = Get-MsolAccountSku | where {$_.AccountSkuId -ieq $skuId} | Select -ExpandProperty

ServiceStatus | Where {$_.ProvisioningStatus -ine "PendingActivation" -and $_.ServicePlan.TargetClass -ieq
"User"} | Select -ExpandProperty ServicePlan | Select -ExpandProperty ServiceName
$disabledPlans = $allPlans | Where {$enabledPlans -inotcontains $_}
return $disabledPlans
}
function GetUnexpectedEnabledPlansForUser
{
Param([Microsoft.Online.Administration.User]$user, [string]$skuId, [string[]]$expectedDisabledPlans)
$extraPlans = @();
if($license -ne $null)

{
$userDisabledPlans = $license.ServiceStatus | where {$_.ProvisioningStatus -ieq "Disabled"} | Select
-ExpandProperty ServicePlan | Select -ExpandProperty ServiceName
$extraPlans = $expectedDisabledPlans | where {$userDisabledPlans -notcontains $_}

}
return $extraPlans
}
#END: helper functions
#BEGIN: executing the script

#the group to be processed
$groupId = "48ca647b-7e4d-41e5-aa66-40cab1e19101"
#license to be removed - Office 365 E3

$skuId = "contoso:ENTERPRISEPACK"
#minimum set of service plans we know are inherited from groups - we want to make sure that there aren't any
users who have more services enabled
#which could mean that they may lose access after we remove direct licenses
$servicePlansFromGroups = ("EXCHANGE_S_ENTERPRISE", "SHAREPOINTENTERPRISE", "OFFICESUBSCRIPTION")
$expectedDisabledPlans = GetDisabledPlansForSKU $skuId $servicePlansFromGroups
#process all members in the group and get full info about each user in the group looping through group
members.
Get-MsolGroupMember -All -GroupObjectId $groupId | Get-MsolUser -ObjectId {$_.ObjectId} | Foreach {
$user = $_;
$operationResult = "";
#check if Direct license exists on the user

if (UserHasLicenseAssignedDirectly $user $skuId)
{
#check if the license is assigned from this group, as expected
if (UserHasLicenseAssignedFromThisGroup $user $skuId $groupId)
{
#check if there are any extra plans we didn't expect - we are being extra careful not to
remove unexpected services
$extraPlans = GetUnexpectedEnabledPlansForUser $user $skuId $expectedDisabledPlans
if ($extraPlans.Count -gt 0)
{
$operationResult = "User has extra plans that may be lost - license removal was skipped.
Extra plans: $extraPlans"
}
}
else
{
#remove the direct license from user
Set-MsolUserLicense -ObjectId $user.ObjectId -RemoveLicenses $skuId
$operationResult = "Removed direct license from user."
}
}
else
{
$operationResult = "User does not inherit this license from this group. License removal was
skipped."
}
}
else
{
$operationResult = "User has no direct license to remove. Skipping."
}
#format output
New-Object Object |
Add-Member -NotePropertyName UserId -NotePropertyValue $user.ObjectId -PassThru |
Add-Member -NotePropertyName OperationResult -NotePropertyValue $operationResult -
PassThru
} | Format-Table
#END: executing the script
Output:
UserId OperationResult
------ ---------------
7c7f860f-700a-462a-826c-f50633931362 Removed direct license from user.
0ddacdd5-0364-477d-9e4b-07eb6cdbc8ea User has extra plans that may be lost - license removal was skipped.
Extra plans: SHAREPOINTWAC
aadbe4da-c4b5-4d84-800a-9400f31d7371 User has no direct license to remove. Skipping.
NOTE
Please update the values for the variables $skuId and $groupId which is being targeted for removal of Direct Licenses
as per your test environment before running the above script.
Next steps
To learn more about the feature set for license management through groups, see the following articles:
Product names and service plan identifiers for
licensing
When managing licenses in the Azure portal or the Microsoft 365 admin center, you see product names that look
something like Office 365 E3. When you use PowerShell v1.0 cmdlets, the same product is identified using a
specific but less friendly name: ENTERPRISEPACK. When using PowerShell v2.0 cmdlets or Microsoft Graph, the
same product is identified using a GUID value: 6fd2c87f-b296-42f0-b197-1e91e994b900. The following table lists
the most commonly used Microsoft online service products and provides their various ID values. These tables are
for reference purposes and are accurate only as of the date when this article was last updated. Microsoft does not
plan to update them for newly added services periodically.
Product name : Used in management portals
String ID : Used by PowerShell v1.0 cmdlets when performing operations on licenses
GUID : GUID used by the Microsoft Graph API
Ser vice plans included : A list of service plans in the product that correspond to the string ID and GUID
Ser vice plans included (friendly names) : A list of service plans (friendly names) in the product that
correspond to the string ID and GUID
NOTE
This information is accurate as of April 28, 2020.
SERVIC E P L A N S
SERVIC E P L A N S IN C L UDED ( F RIEN DLY
P RO DUC T N A M E ST RIN G ID GUID IN C L UDED N A M ES)
APP CONNECT IW SPZA_IW 8f0c5670-4e56- SPZA (0bfc98ed- APP CONNECT

4892-b06d- 1dbc-4a97-b246- (0bfc98ed-1dbc-
91c085d7004f 701754e48b17) 4a97-b246-
EXCHANGE_S_FOUND 701754e48b17)
ATION (113feb6c- EXCHANGE
3fe4-4440-bddc- FOUNDATION
54d774bf0318) (113feb6c-3fe4-
4440-bddc-
54d774bf0318)
AUDIO MCOMEETADV 0c266dff-15dd-4b49- MCOMEETADV AUDIO

CONFERENCING 8397-2bb16070ed52 (3e26ee1f-8a5f-4d52- CONFERENCING
aee2-b81ce45c8f40) (3e26ee1f-8a5f-4d52-
aee2-b81ce45c8f40)
AZURE ACTIVE AAD_BASIC 2b9c8e7c-319c- AAD_BASIC MICROSOFT AZURE

DIRECTORY BASIC 43a2-a2a0- (c4da7f8a-5ee2- ACTIVE DIRECTORY
48c5c6161de7 4c99-a7e1- BASIC (c4da7f8a-
87d2df57f6fe) 5ee2-4c99-a7e1-
87d2df57f6fe)
SERVIC E P L A N S
AZURE ACTIVE AAD_PREMIUM 078d2b04-f1bd- AAD_PREMIUM AZURE ACTIVE

DIRECTORY 4111-bbd4- (41781fb2-bc02- DIRECTORY
PREMIUM P1 b4b1b354cef4 4b7c-bd55- PREMIUM P1
b576c07bb09d) (41781fb2-bc02-
ADALLOM_S_DISCOV 4b7c-bd55-
ERY (932ad362-64a8- b576c07bb09d)
4783-9106- MICROSOFT AZURE
97849a1a30b9) MULTI-FACTOR
MFA_PREMIUM AUTHENTICATION
(8a256a2b-b617- (8a256a2b-b617-
496d-b51b- 496d-b51b-
e76466e88db0) e76466e88db0)
CLOUD APP
SECURITY DISCOVERY
(932ad362-64a8-
4783-9106-
97849a1a30b9)
AZURE ACTIVE AAD_PREMIUM_P2 84a661c4-e949- AAD_PREMIUM AZURE ACTIVE

DIRECTORY 4bd2-a560- (41781fb2-bc02- DIRECTORY
PREMIUM P2 ed7766fcaf2b 4b7c-bd55- PREMIUM P1
b576c07bb09d) (41781fb2-bc02-
AAD_PREMIUM_P2 4b7c-bd55-
(eec0eb4f-6444-4f95- b576c07bb09d)
aba0-50c24d67f998) MICROSOFT AZURE
ADALLOM_S_DISCOV MULTI-FACTOR
ERY (932ad362-64a8- AUTHENTICATION
4783-9106- (8a256a2b-b617-
97849a1a30b9) 496d-b51b-
MFA_PREMIUM e76466e88db0)
(8a256a2b-b617- CLOUD APP
496d-b51b- SECURITY DISCOVERY
e76466e88db0) (932ad362-64a8-
4783-9106-
97849a1a30b9)
AZURE ACTIVE
DIRECTORY
PREMIUM P2
(eec0eb4f-6444-4f95-
aba0-50c24d67f998)
AZURE RIGHTSMANAGEMEN c52ea49f-fe5d-4e95- RMS_S_ENTERPRISE AZURE

INFORMATION T 93ba-1de91d380f89 (bea4c11e-220a- INFORMATION
PROTECTION PLAN 1 4e6d-8eb8- PROTECTION
8ea15d019f90) PREMIUM P1
RMS_S_PREMIUM (6c57d4b6-3b23-
(6c57d4b6-3b23- 47a5-9bc9-
47a5-9bc9- 69f17b4947b3)
69f17b4947b3) MICROSOFT AZURE
ACTIVE DIRECTORY
RIGHTS (bea4c11e-
220a-4e6d-8eb8-
8ea15d019f90)
SERVIC E P L A N S
DYNAMICS 365 DYN365_ENTERPRISE ea126fc5-a19e-42e2- DYN365_ENTERPRISE_ MICROSOFT SOCIAL

CUSTOMER _PLAN1 a731-da9d437bffcf P1 (d56f3deb-50d8- ENGAGEMENT -
ENGAGEMENT PLAN 465a-bedb- SERVICE
ENTERPRISE EDITION f079817ccac1) DISCONTINUATION
FLOW_DYN_P2 (03acaee3-9492-
(b650d915-9886- 4f40-aed4-
424b-a08d- bcb6b32981b6)
633cede56f57) POWERAPPS FOR
NBENTERPRISE DYNAMICS 365
(03acaee3-9492- (0b03f40b-c404-
4f40-aed4- 40c3-8651-
bcb6b32981b6) 2aceb74365fa)
POWERAPPS_DYN_P2 SHAREPOINT ONLINE
(0b03f40b-c404- (PLAN 2) (5dbe027f-
40c3-8651- 2339-4123-9542-
2aceb74365fa) 606e4d348a72)
PROJECT_CLIENT_SUB FLOW FOR
SCRIPTION (fafd7243- DYNAMICS 365
e5c1-4a3a-9e40- (b650d915-9886-
495efcb1d3c3) 424b-a08d-
SHAREPOINT_PROJEC 633cede56f57)
T (fe71d6c3-a2ea- DYNAMICS 365
4499-9778- CUSTOMER
da042bf08063) ENGAGEMENT PLAN
SHAREPOINTENTERPR (d56f3deb-50d8-
ISE (5dbe027f-2339- 465a-bedb-
4123-9542- f079817ccac1)
606e4d348a72) OFFICE ONLINE
SHAREPOINTWAC (e95bec33-7c88-
(e95bec33-7c88- 4a70-8e19-
4a70-8e19- b10bd9d0c014)
b10bd9d0c014) PROJECT ONLINE
DESKTOP CLIENT
(fafd7243-e5c1-4a3a-
9e40-495efcb1d3c3)
PROJECT ONLINE
SERVICE (fe71d6c3-
a2ea-4499-9778-
da042bf08063)
SERVIC E P L A N S
DYNAMICS 365 FOR DYN365_ENTERPRISE 749742bf-0d37- DYN365_ENTERPRISE_ MICROSOFT SOCIAL

CUSTOMER SERVICE _CUSTOMER_SERVICE 4158-a120- CUSTOMER_SERVICE ENGAGEMENT -
ENTERPRISE EDITION 33567104deeb (99340b49-fb81- SERVICE
4b1e-976b- DISCONTINUATION
8f2ae8e9394f) (03acaee3-9492-
FLOW_DYN_APPS 4f40-aed4-
(7e6d7d78-73de- bcb6b32981b6)
46ba-83b1- PROJECT ONLINE
6d25117334ba) ESSENTIALS
NBENTERPRISE (1259157c-8581-
(03acaee3-9492- 4875-bca7-
4f40-aed4- 2ffb18c51bda)
bcb6b32981b6) SHAREPOINT ONLINE
POWERAPPS_DYN_AP (PLAN 2) (5dbe027f-
PS (874fc546-6efe- 2339-4123-9542-
4d22-90b8- 606e4d348a72)
5c4e7aa59f4b) FLOW FOR
PROJECT_ESSENTIALS DYNAMICS 365
(1259157c-8581- (7e6d7d78-73de-
4875-bca7- 46ba-83b1-
2ffb18c51bda) 6d25117334ba)
SHAREPOINTENTERPR POWERAPPS FOR
ISE (5dbe027f-2339- DYNAMICS 365
4123-9542- (874fc546-6efe-
606e4d348a72) 4d22-90b8-
SHAREPOINTWAC 5c4e7aa59f4b)
(e95bec33-7c88- DYNAMICS 365 FOR
4a70-8e19- CUSTOMER SERVICE
b10bd9d0c014) (99340b49-fb81-
4b1e-976b-
8f2ae8e9394f)
OFFICE ONLINE
(e95bec33-7c88-
4a70-8e19-
b10bd9d0c014)
DYNAMICS 365 FOR DYN365_FINANCIALS cc13a803-544e- DYN365_FINANCIALS FLOW FOR

FINANCIALS _BUSINESS_SKU 4464-b4e4- _BUSINESS DYNAMICS 365
BUSINESS EDITION 6d6169a138fa (920656a2-7dd8- (7e6d7d78-73de-
4c83-97b6- 46ba-83b1-
a356414dbd36) 6d25117334ba)
FLOW_DYN_APPS POWERAPPS FOR
(7e6d7d78-73de- DYNAMICS 365
46ba-83b1- (874fc546-6efe-
6d25117334ba) 4d22-90b8-
POWERAPPS_DYN_AP 5c4e7aa59f4b)
PS (874fc546-6efe- DYNAMICS 365 FOR
4d22-90b8- FINANCIALS
5c4e7aa59f4b) (920656a2-7dd8-
4c83-97b6-
a356414dbd36)
SERVIC E P L A N S
DYNAMICS 365 FOR DYN365_ENTERPRISE 8edc2cf8-6438-4fa9- DYN365_ENTERPRISE_ DYNAMICS 365

SALES AND _SALES_CUSTOMERSE b6e3-aa1660c640cc P1 (d56f3deb-50d8- CUSTOMER
CUSTOMER SERVICE RVICE 465a-bedb- ENGAGEMENT PLAN
ENTERPRISE EDITION f079817ccac1) (d56f3deb-50d8-
FLOW_DYN_APPS 465a-bedb-
(7e6d7d78-73de- f079817ccac1)
46ba-83b1- FLOW FOR
6d25117334ba) DYNAMICS 365
NBENTERPRISE (7e6d7d78-73de-
(03acaee3-9492- 46ba-83b1-
4f40-aed4- 6d25117334ba)
bcb6b32981b6) MICROSOFT SOCIAL
POWERAPPS_DYN_AP ENGAGEMENT -
PS (874fc546-6efe- SERVICE
4d22-90b8- DISCONTINUATION
5c4e7aa59f4b) (03acaee3-9492-
PROJECT_ESSENTIALS 4f40-aed4-
(1259157c-8581- bcb6b32981b6)
4875-bca7- POWERAPPS FOR
2ffb18c51bda) DYNAMICS 365
SHAREPOINTENTERPR (874fc546-6efe-
ISE (5dbe027f-2339- 4d22-90b8-
4123-9542- 5c4e7aa59f4b)
606e4d348a72) PROJECT ONLINE
SHAREPOINTWAC ESSENTIALS
(e95bec33-7c88- (1259157c-8581-
4a70-8e19- 4875-bca7-
b10bd9d0c014) 2ffb18c51bda)
SHAREPOINT ONLINE
(PLAN 2) (5dbe027f-
2339-4123-9542-
606e4d348a72)
OFFICE ONLINE
(e95bec33-7c88-
4a70-8e19-
b10bd9d0c014)
SERVIC E P L A N S
DYNAMICS 365 FOR DYN365_ENTERPRISE 1e1a282c-9c54- DYN365_ENTERPRISE_ DYNAMICS 365 FOR

SALES ENTERPRISE _SALES 43a2-9310- SALES (2da8e897- SALES (2da8e897-
EDITION 98ef728faace 7791-486b-b08f- 7791-486b-b08f-
cc63c8129df7) cc63c8129df7)
FLOW_DYN_APPS FLOW FOR
(7e6d7d78-73de- DYNAMICS 365
46ba-83b1- (7e6d7d78-73de-
6d25117334ba) 46ba-83b1-
NBENTERPRISE 6d25117334ba)
(03acaee3-9492- MICROSOFT SOCIAL
4f40-aed4- ENGAGEMENT -
bcb6b32981b6) SERVICE
POWERAPPS_DYN_AP DISCONTINUATION
PS (874fc546-6efe- (03acaee3-9492-
4d22-90b8- 4f40-aed4-
5c4e7aa59f4b) bcb6b32981b6)
PROJECT_ESSENTIALS POWERAPPS FOR
(1259157c-8581- DYNAMICS 365
4875-bca7- (874fc546-6efe-
2ffb18c51bda) 4d22-90b8-
SHAREPOINTENTERPR 5c4e7aa59f4b)
ISE (5dbe027f-2339- PROJECT ONLINE
4123-9542- ESSENTIALS
606e4d348a72) (1259157c-8581-
SHAREPOINTWAC 4875-bca7-
(e95bec33-7c88- 2ffb18c51bda)
4a70-8e19- SHAREPOINT ONLINE
b10bd9d0c014) (PLAN 2) (5dbe027f-
2339-4123-9542-
606e4d348a72)
OFFICE ONLINE
(e95bec33-7c88-
4a70-8e19-
b10bd9d0c014)
SERVIC E P L A N S
DYNAMICS 365 FOR DYN365_ENTERPRISE 8e7a3d30-d97d- DYN365_Enterprise_Ta DYNAMICS 365 FOR

TEAM MEMBERS _TEAM_MEMBERS 43ab-837c- lent_Attract_TeamMe TALENT - ATTRACT
ENTERPRISE EDITION d7701cef83dc mber (643d201a- EXPERIENCE TEAM
9884-45be-962a- MEMBER (643d201a-
06ba97062e5e) 9884-45be-962a-
DYN365_Enterprise_Ta 06ba97062e5e)
lent_Onboard_TeamM DYNAMICS 365 FOR
ember (f2f49eef-4b3f- TALENT - ONBOARD
4853-809a- EXPERIENCE
a055c6103fe0) (f2f49eef-4b3f-4853-
DYN365_ENTERPRISE_ 809a-a055c6103fe0)
TEAM_MEMBERS DYNAMICS 365 FOR
(6a54b05e-4fab- TEAM MEMBERS
40e7-9828- (6a54b05e-4fab-
428db3b336fa) 40e7-9828-
Dynamics_365_for_Op 428db3b336fa)
erations_Team_memb DYNAMICS_365_FOR
ers (f5aa7b45-8a36- _OPERATIONS_TEAM_
4cd1-bc37- MEMBERS (f5aa7b45-
5d06dea98645) 8a36-4cd1-bc37-
Dynamics_365_for_Ret 5d06dea98645)
ail_Team_members DYNAMICS 365 FOR
(c0454a3d-32b5- RETAIL TEAM
4740-b090- MEMBERS
78c32f48f0ad) (c0454a3d-32b5-
Dynamics_365_for_Tal 4740-b090-
ent_Team_members 78c32f48f0ad)
(d5156635-0704- DYNAMICS 365 FOR
4f66-8803- TALENT TEAM
93258f8b2678) MEMBERS
FLOW_DYN_TEAM (d5156635-0704-
(1ec58c70-f69c- 4f66-8803-
486a-8109- 93258f8b2678)
4b87ce86e449) FLOW FOR
POWERAPPS_DYN_TE DYNAMICS 365
AM (52e619e2-2730- (1ec58c70-f69c-
439a-b0d3- 486a-8109-
d09ab7e8b705) 4b87ce86e449)
PROJECT_ESSENTIALS POWERAPPS FOR
(1259157c-8581- DYNAMICS 365
4875-bca7- (52e619e2-2730-
2ffb18c51bda) 439a-b0d3-
SHAREPOINTENTERPR d09ab7e8b705)
ISE (5dbe027f-2339- PROJECT ONLINE
4123-9542- ESSENTIALS
606e4d348a72) (1259157c-8581-
SHAREPOINTWAC 4875-bca7-
(e95bec33-7c88- 2ffb18c51bda)
b10bd9d0c014) (PLAN 2) (5dbe027f-
2339-4123-9542-
606e4d348a72)
OFFICE ONLINE
(e95bec33-7c88-
4a70-8e19-
b10bd9d0c014)
SERVIC E P L A N S
DYNAMICS 365 UNF Dynamics_365_for_O ccba3cfe-71ef-423a- DDYN365_CDS_DYN_ COMMON DATA

OPS PLAN ENT perations bd87-b6df3dce59a9 P2 (d1142cfd-872e- SERVICE (d1142cfd-
EDITION 4e77-b6ff- 872e-4e77-b6ff-
d98ec5a51f66) d98ec5a51f66)
DYN365_TALENT_ENT DYNAMICS 365 FOR
ERPRISE (65a1ebf4- TALENT (65a1ebf4-
6732-4f00-9dcb- 6732-4f00-9dcb-
3d115ffdeecd) 3d115ffdeecd)
Dynamics_365_for_Op DYNAMICS_365_FOR
erations (95d2cd7b- _OPERATIONS
1007-484b-8595- (95d2cd7b-1007-
5e97e63fe189) 484b-8595-
Dynamics_365_for_Ret 5e97e63fe189)
ail (a9e39199-8369- DYNAMICS 365 FOR
444b-89c1- RETAIL (a9e39199-
5fe65ec45665) 8369-444b-89c1-
Dynamics_365_Hiring 5fe65ec45665)
_Free_PLAN Dynamics_365_Hiring
(f815ac79-c5dd-4bcc- _Free_PLAN
9b78-d97f7b817d0d) (f815ac79-c5dd-4bcc-
Dynamics_365_Onboa 9b78-d97f7b817d0d)
rding_Free_PLAN DYNAMICS 365 FOR
(300b8114-8555- TALENT: ONBOARD
4313-b861- (300b8114-8555-
0c115d820f50) 4313-b861-
FLOW_DYN_P2 0c115d820f50)
(b650d915-9886- FLOW FOR
424b-a08d- DYNAMICS
633cede56f57) 365(b650d915-9886-
POWERAPPS_DYN_P2 424b-a08d-
(0b03f40b-c404- 633cede56f57)
40c3-8651- POWERAPPS FOR
2aceb74365fa) DYNAMICS 365
(0b03f40b-c404-
40c3-8651-
2aceb74365fa)
SERVIC E P L A N S
ENTERPRISE EMS efccb6f7-5641-4e0e- AAD_PREMIUM AZURE ACTIVE

MOBILITY + bd10-b4976e1bf68e (41781fb2-bc02- DIRECTORY
SECURITY E3 4b7c-bd55- PREMIUM P1
b576c07bb09d) (41781fb2-bc02-
ERY (932ad362-64a8- b576c07bb09d)
4783-9106- CLOUD APP
97849a1a30b9) SECURITY DISCOVERY
INTUNE_A (c1ec4a95- (932ad362-64a8-
1f05-45b3-a911- 4783-9106-
aa3fa01094f5) 97849a1a30b9)
MFA_PREMIUM MICROSOFT INTUNE
(8a256a2b-b617- (c1ec4a95-1f05-
496d-b51b- 45b3-a911-
e76466e88db0) aa3fa01094f5)
RMS_S_ENTERPRISE MICROSOFT AZURE
(bea4c11e-220a- MULTI-FACTOR
4e6d-8eb8- AUTHENTICATION
8ea15d019f90) (8a256a2b-b617-
RMS_S_PREMIUM 496d-b51b-
(6c57d4b6-3b23- e76466e88db0)
47a5-9bc9- MICROSOFT AZURE
69f17b4947b3) ACTIVE DIRECTORY
RIGHTS (bea4c11e-
220a-4e6d-8eb8-
8ea15d019f90)
AZURE
INFORMATION
PROTECTION
PREMIUM P1
(6c57d4b6-3b23-
47a5-9bc9-
69f17b4947b3)
SERVIC E P L A N S
ENTERPRISE EMSPREMIUM b05e124f-c7cc-45a0- AAD_PREMIUM AZURE ACTIVE

MOBILITY + a6aa-8cf78c946968 (41781fb2-bc02- DIRECTORY
SECURITY E5 4b7c-bd55- PREMIUM P1
b576c07bb09d) (41781fb2-bc02-
(eec0eb4f-6444-4f95- b576c07bb09d)
aba0-50c24d67f998) AZURE ACTIVE
ADALLOM_S_STANDA DIRECTORY
LONE (2e2ddb96- PREMIUM P2
6af9-4b1d-a3f0- (eec0eb4f-6444-4f95-
d6ecfd22edb2) aba0-50c24d67f998)
ATA (14ab5db5-e6c4- MICROSOFT CLOUD
4b20-b4bc- APP SECURITY
13e36fd2227f) (2e2ddb96-6af9-
INTUNE_A (c1ec4a95- 4b1d-a3f0-
1f05-45b3-a911- d6ecfd22edb2)
aa3fa01094f5) AZURE ADVANCED
MFA_PREMIUM THREAT PROTECTION
(8a256a2b-b617- (14ab5db5-e6c4-
496d-b51b- 4b20-b4bc-
e76466e88db0) 13e36fd2227f)
RMS_S_ENTERPRISE MICROSOFT INTUNE
(bea4c11e-220a- (c1ec4a95-1f05-
4e6d-8eb8- 45b3-a911-
8ea15d019f90) aa3fa01094f5)
RMS_S_PREMIUM MICROSOFT AZURE
(6c57d4b6-3b23- MULTI-FACTOR
47a5-9bc9- AUTHENTICATION
69f17b4947b3) (8a256a2b-b617-
RMS_S_PREMIUM2 496d-b51b-
(5689bec4-755d- e76466e88db0)
4753-8b61- MICROSOFT AZURE
40975025187c) ACTIVE DIRECTORY
RIGHTS (bea4c11e-
220a-4e6d-8eb8-
8ea15d019f90)
AZURE
INFORMATION
PROTECTION
PREMIUM P1
(6c57d4b6-3b23-
47a5-9bc9-
69f17b4947b3)
AZURE
INFORMATION
PROTECTION
PREMIUM P2
(5689bec4-755d-
4753-8b61-
40975025187c)
EXCHANGE ONLINE EXCHANGESTANDAR 4b9405b0-7788- EXCHANGE_S_STAND EXCHANGE ONLINE

(PLAN 1) D 4568-add1- ARD (9aaf7827-d63c- (PLAN 1) (9aaf7827-
99614e613b69 4b61-89c3- d63c-4b61-89c3-
182f06f82e5c) 182f06f82e5c)
SERVIC E P L A N S
EXCHANGE ONLINE EXCHANGEENTERPRIS 19ec0d23-8335- EXCHANGE_S_ENTERP EXCHANGE ONLINE

(PLAN 2) E 4cbd-94ac- RISE (efb87545-963c- (PLAN 2)(efb87545-
6050e30712fa 4e0d-99df- 963c-4e0d-99df-
69c6916d9eb0) 69c6916d9eb0)
EXCHANGE ONLINE EXCHANGEARCHIVE_ ee02fd1b-340e- EXCHANGE_S_ARCHI EXCHANGE ONLINE

ARCHIVING FOR ADDON 4a4b-b355- VE_ADDON ARCHIVING FOR
EXCHANGE ONLINE 4a514e4c8943 (176a09a6-7ec5- EXCHANGE ONLINE
4039-ac02- (176a09a6-7ec5-
b2791c6ba793) 4039-ac02-
b2791c6ba793)
EXCHANGE ONLINE EXCHANGEARCHIVE 90b5e015-709a- EXCHANGE_S_ARCHI EXCHANGE ONLINE

ARCHIVING FOR 4b8b-b08e- VE (da040e0a-b393- ARCHIVING FOR
EXCHANGE SERVER 3200f994494c 4bea-bb76- EXCHANGE SERVER
928b3fa1cf5a) (da040e0a-b393-
4bea-bb76-
928b3fa1cf5a)
EXCHANGE ONLINE EXCHANGEESSENTIAL 7fc0182e-d107- EXCHANGE_S_STAND EXCHANGE ONLINE

ESSENTIALS S 4556-8329- ARD (9aaf7827-d63c- (PLAN 1) (9aaf7827-
7caaa511197b 4b61-89c3- d63c-4b61-89c3-
182f06f82e5c) 182f06f82e5c)
EXCHANGE ONLINE EXCHANGE_S_ESSENT e8f81a67-bd96- EXCHANGE_S_ESSENT EXCHANGE_S_ESSENT

ESSENTIALS IALS 4074-b108- IALS (1126bef5-da20- IALS (1126bef5-da20-
cf193eb9433b 4f07-b45e- 4f07-b45e-
ad25d2581aa8) ad25d2581aa8)
EXCHANGE ONLINE EXCHANGEDESKLESS 80b2d799-d2ba- EXCHANGE_S_DESKLE EXCHANGE ONLINE

KIOSK 4d2a-8842- SS (4a82b400-a79f- KIOSK (4a82b400-
fb0d0f3a4b82 41a4-b4e2- a79f-41a4-b4e2-
e94f5787b113) e94f5787b113)
EXCHANGE ONLINE EXCHANGETELCO cb0a98a8-11bc- EXCHANGE_B_STAND EXCHANGE ONLINE

POP 494c-83d9- ARD (90927877-dcff- POP (90927877-dcff-
c1b1ac65327e 4af6-b346- 4af6-b346-
2332c0b15bb7) 2332c0b15bb7)
INTUNE INTUNE_A 061f9ace-7d42- INTUNE_A (c1ec4a95- MICROSOFT INTUNE

4136-88ac- 1f05-45b3-a911- (c1ec4a95-1f05-
31dc755f143f aa3fa01094f5) 45b3-a911-
aa3fa01094f5)
SERVIC E P L A N S
Microsoft 365 A1 M365EDU_A1 b17653a4-2443- AAD_EDU (3a3976ce- Azure Active Directory

4e8c-a550- de18-4a87-a78e- for Education
18249dda78bb 5e9245e252df) (3a3976ce-de18-
INTUNE_EDU 4a87-a78e-
(da24caf9-af8e-485c- 5e9245e252df)
b7c8-e73336da2693) Intune for Education
INTUNE_A (c1ec4a95- (da24caf9-af8e-485c-
1f05-45b3-a911- b7c8-e73336da2693)
aa3fa01094f5) Microsoft Intune
WINDOWS_STORE (c1ec4a95-1f05-
(a420f25f-a7b3-4ff5- 45b3-a911-
a9d0-5d58f73b537d) aa3fa01094f5)
Windows Store
Service (a420f25f-
a7b3-4ff5-a9d0-
5d58f73b537d)
Microsoft 365 A3 for M365EDU_A3_FACUL 4b590615-0888- AAD_BASIC_EDU Azure Active Directory

faculty TY 425a-a965- (1d0f309f-fdf9-4b2a- Basic for EDU
b3bf7789848d 9ae7-9c48b91f1426) (1d0f309f-fdf9-4b2a-
AAD_PREMIUM 9ae7-9c48b91f1426)
(41781fb2-bc02- Azure Active Directory
4b7c-bd55- Premium P1
b576c07bb09d) (41781fb2-bc02-
RMS_S_PREMIUM 4b7c-bd55-
(6c57d4b6-3b23- b576c07bb09d)
47a5-9bc9- Azure Information
69f17b4947b3) Protection Premium
RMS_S_ENTERPRISE P1 (6c57d4b6-3b23-
(bea4c11e-220a- 47a5-9bc9-
4e6d-8eb8- 69f17b4947b3)
8ea15d019f90) Azure Rights
ADALLOM_S_DISCOV Management
ERY (932ad362-64a8- (bea4c11e-220a-
4783-9106- 4e6d-8eb8-
97849a1a30b9) 8ea15d019f90)
EducationAnalyticsP1 Cloud App Security
(a9b86446-fa4e- Discovery (932ad362-
498f-a92a- 64a8-4783-9106-
41b447e03337) 97849a1a30b9)
EXCHANGE_S_ENTERP Education Analytics
RISE (efb87545-963c- (a9b86446-fa4e-
4e0d-99df- 498f-a92a-
69c6916d9eb0) 41b447e03337)
FLOW_O365_P2 Exchange Online (Plan
(76846ad7-7776- 2) (efb87545-963c-
4c40-a281- 4e0d-99df-
a386362dd1b9) 69c6916d9eb0)
MIP_S_CLP1 Flow for Office 365
(5136a095-5cf0-4aff- (76846ad7-7776-
bec3-e84448b38ea5) 4c40-a281-
MYANALYTICS_P2 a386362dd1b9)
(33c4f319-9bdd- Information
48d6-9c4d- Protection for Office
410b750a4a5a) 365 - Standard
INTUNE_EDU (5136a095-5cf0-4aff-
(da24caf9-af8e-485c- bec3-e84448b38ea5)
b7c8-e73336da2693) Insights by
MFA_PREMIUM MyAnalytics
(8a256a2b-b617- (33c4f319-9bdd-
496d-b51b- 48d6-9c4d-
SERVIC E P L A N S
e76466e88db0)
SERVIC E P L A N S 410b750a4a5a)
IN C L UDED ( F RIEN DLY
P RO DUC T N A M E ST RIN G ID GUID MICROSOFTBOOKIN
IN C L UDED Intune
N A M ES)for Education
GS (199a5c09-e0ca- (da24caf9-af8e-485c-
4e37-8f7c- b7c8-e73336da2693)
b05d533e1ea2) Microsoft Azure
OFFICE_FORMS_PLAN Multi-Factor
_2 (9b5de886-f035- Authentication
4ff2-b3d8- (8a256a2b-b617-
c9127bea3620) 496d-b51b-
INTUNE_A (c1ec4a95- e76466e88db0)
1f05-45b3-a911- Microsoft Bookings
aa3fa01094f5) (199a5c09-e0ca-
KAIZALA_O365_P3 4e37-8f7c-
(aebd3021-9f8f-4bf8- b05d533e1ea2)
bbe3-0ed2f4f047a1) Microsoft Forms (Plan
PROJECTWORKMANA 2) (9b5de886-f035-
GEMENT (b737dad2- 4ff2-b3d8-
2f6c-4c65-90e3- c9127bea3620)
ca563267e8b9) Microsoft Intune
MICROSOFT_SEARCH (c1ec4a95-1f05-
(94065c59-bc8e- 45b3-a911-
4e8b-89e5- aa3fa01094f5)
5138d471eaff) Microsoft Kaizala Pro
Deskless (8c7d2df8- Plan 3 (aebd3021-
86f0-4902-b2ed- 9f8f-4bf8-bbe3-
a0458298f3b3) 0ed2f4f047a1)
STREAM_O365_E3 Microsoft Planner
(9e700747-8b1d- (b737dad2-2f6c-
45e5-ab8d- 4c65-90e3-
ef187ceec156) ca563267e8b9)
TEAMS1 (57ff2da0- Microsoft Search
773e-42df-b2af- (94065c59-bc8e-
ffb7a2317929) 4e8b-89e5-
MINECRAFT_EDUCATI 5138d471eaff)
ON_EDITION Microsoft StaffHub
(4c246bbc-f513- (8c7d2df8-86f0-
4311-beff- 4902-b2ed-
eba54c353256) a0458298f3b3)
INTUNE_O365 Microsoft Stream for
(882e1d05-acd1- O365 E3 SKU
4ccb-8708- (9e700747-8b1d-
6ee03664b117) 45e5-ab8d-
ADALLOM_S_O365 ef187ceec156)
(8c098270-9dd4- Microsoft Teams
4350-9b30- (57ff2da0-773e-42df-
ba4703f3b36b) b2af-ffb7a2317929)
OFFICESUBSCRIPTIO Minecraft Education
N (43de0ff5-c92c- Edition (4c246bbc-
492b-9116- f513-4311-beff-
175376d08c38) eba54c353256)
SHAREPOINTWAC_ED Mobile Device
U (e03c7e47-402c- Management for
463c-ab25- Office 365
949079bedb21) (882e1d05-acd1-
POWERAPPS_O365_P 4ccb-8708-
2 (c68f8d98-5534- 6ee03664b117)
41c8-bf36- Office 365 Advanced
22fa496fa792) Security Management
SCHOOL_DATA_SYNC (8c098270-9dd4-
_P2 (500b6a2a-7a50- 4350-9b30-
4f40-b5f9- ba4703f3b36b)
160e5b8c2f48) Office 365 ProPlus
SHAREPOINTENTERPR (43de0ff5-c92c-492b-
ISE_EDU (63038b2c- 9116-175376d08c38)
28d0-45f6-bc36- Office for the web
SERVIC E P L A N S
33062963b498)
SERVIC E P L A N S (Education)
P RO DUC T N A M E ST RIN G ID GUID MCOSTANDARD
IN C L UDED (e03c7e47-402c-
N A M ES)
(0feaeb32-d00e- 463c-ab25-
4d66-bd5a- 949079bedb21)
43b5b83db82c) PowerApps for Office
SWAY (a23b959c- 365 (c68f8d98-5534-
7ce8-4e57-9140- 41c8-bf36-
b90eb88a9e97) 22fa496fa792)
BPOS_S_TODO_2 School Data Sync
(c87f142c-d1e9- (Plan 2) (500b6a2a-
4363-8630- 7a50-4f40-b5f9-
aaea9c4d9ae5) 160e5b8c2f48)
WHITEBOARD_PLAN2 SharePoint Plan 2 for
(94a54592-cd8b- EDU (63038b2c-
425e-87c6- 28d0-45f6-bc36-
97868b000b91) 33062963b498)
Virtualization Rights Skype for Business
for Windows 10 Online (Plan 2)
(E3/E5+VDA) (0feaeb32-d00e-
(e7c91390-7625- 4d66-bd5a-
45be-94e0- 43b5b83db82c)
e16907e03118) Sway (a23b959c-
YAMMER_EDU 7ce8-4e57-9140-
(2078e8df-cff6-4290- b90eb88a9e97)
98cb-5408261a760a) To-Do (Plan 2)
(c87f142c-d1e9-
4363-8630-
aaea9c4d9ae5)
Whiteboard (Plan 2)
(94a54592-cd8b-
425e-87c6-
97868b000b91)
Windows 10
Enterprise (New)
(e7c91390-7625-
45be-94e0-
e16907e03118)
Yammer for Academic
(2078e8df-cff6-4290-
98cb-5408261a760a)
Microsoft 365 A3 for M365EDU_A3_STUDE 7cfd9a2b-e110-4c39- AAD_BASIC_EDU Azure Active Directory
students NT bf20-c6a3f36a3121 (1d0f309f-fdf9-4b2a- Basic for EDU
9ae7-9c48b91f1426) (1d0f309f-fdf9-4b2a-
b576c07bb09d) (41781fb2-bc02-
RMS_S_PREMIUM 4b7c-bd55-
(6c57d4b6-3b23- b576c07bb09d)
47a5-9bc9- Azure Information
69f17b4947b3) Protection Premium
RMS_S_ENTERPRISE P1 (6c57d4b6-3b23-
(bea4c11e-220a- 47a5-9bc9-
4e6d-8eb8- 69f17b4947b3)
8ea15d019f90) Azure Rights
ADALLOM_S_DISCOV Management
ERY (932ad362-64a8- (bea4c11e-220a-
4783-9106- 4e6d-8eb8-
97849a1a30b9) 8ea15d019f90)
EducationAnalyticsP1 Cloud App Security
(a9b86446-fa4e- Discovery (932ad362-
498f-a92a- 64a8-4783-9106-
41b447e03337) 97849a1a30b9)
EXCHANGE_S_ENTERP Education Analytics
SERVIC E P L A N S
RISE
SERVIC (efb87545-963c-
E PLANS (a9b86446-fa4e-
P RO DUC T N A M E ST RIN G ID GUID 4e0d-99df-
IN C L UDED 498f-a92a-
N A M ES)
69c6916d9eb0) 41b447e03337)
FLOW_O365_P2 Exchange Online (Plan
(76846ad7-7776- 2) (efb87545-963c-
4c40-a281- 4e0d-99df-
a386362dd1b9) 69c6916d9eb0)
(5136a095-5cf0-4aff- (76846ad7-7776-
bec3-e84448b38ea5) 4c40-a281-
MYANALYTICS_P2 a386362dd1b9)
(33c4f319-9bdd- Information
48d6-9c4d- Protection for Office
410b750a4a5a) 365 - Standard
INTUNE_EDU (5136a095-5cf0-4aff-
(da24caf9-af8e-485c- bec3-e84448b38ea5)
b7c8-e73336da2693) Insights by
MFA_PREMIUM MyAnalytics
(8a256a2b-b617- (33c4f319-9bdd-
496d-b51b- 48d6-9c4d-
e76466e88db0) 410b750a4a5a)
MICROSOFTBOOKIN Intune for Education
GS (199a5c09-e0ca- (da24caf9-af8e-485c-
4e37-8f7c- b7c8-e73336da2693)
b05d533e1ea2) Microsoft Azure
_2 (9b5de886-f035- Authentication
4ff2-b3d8- (8a256a2b-b617-
c9127bea3620) 496d-b51b-
aa3fa01094f5) (199a5c09-e0ca-
KAIZALA_O365_P3 4e37-8f7c-
(aebd3021-9f8f-4bf8- b05d533e1ea2)
bbe3-0ed2f4f047a1) Microsoft Forms (Plan
PROJECTWORKMANA 2) (9b5de886-f035-
GEMENT (b737dad2- 4ff2-b3d8-
2f6c-4c65-90e3- c9127bea3620)
ca563267e8b9) Microsoft Intune
MICROSOFT_SEARCH (c1ec4a95-1f05-
(94065c59-bc8e- 45b3-a911-
4e8b-89e5- aa3fa01094f5)
5138d471eaff) Microsoft Kaizala Pro
Deskless (8c7d2df8- Plan 3 (aebd3021-
86f0-4902-b2ed- 9f8f-4bf8-bbe3-
a0458298f3b3) 0ed2f4f047a1)
STREAM_O365_E3 Microsoft Planner
(9e700747-8b1d- (b737dad2-2f6c-
45e5-ab8d- 4c65-90e3-
ef187ceec156) ca563267e8b9)
TEAMS1 (57ff2da0- Microsoft Search
773e-42df-b2af- (94065c59-bc8e-
ffb7a2317929) 4e8b-89e5-
MINECRAFT_EDUCATI 5138d471eaff)
ON_EDITION Microsoft StaffHub
(4c246bbc-f513- (8c7d2df8-86f0-
4311-beff- 4902-b2ed-
eba54c353256) a0458298f3b3)
(882e1d05-acd1- O365 E3 SKU
4ccb-8708- (9e700747-8b1d-
6ee03664b117) 45e5-ab8d-
ADALLOM_S_O365 ef187ceec156)
(8c098270-9dd4- Microsoft Teams
4350-9b30- (57ff2da0-773e-42df-
SERVIC E P L A N S
ba4703f3b36b)
SERVIC E P L A N S b2af-ffb7a2317929)
P RO DUC T N A M E ST RIN G ID GUID OFFICESUBSCRIPTIO
IN C L UDED Minecraft
N A M ES) Education
N (43de0ff5-c92c- Edition (4c246bbc-
492b-9116- f513-4311-beff-
175376d08c38) eba54c353256)
SHAREPOINTWAC_ED Mobile Device
U (e03c7e47-402c- Management for
463c-ab25- Office 365
949079bedb21) (882e1d05-acd1-
POWERAPPS_O365_P 4ccb-8708-
2 (c68f8d98-5534- 6ee03664b117)
41c8-bf36- Office 365 Advanced
22fa496fa792) Security Management
SCHOOL_DATA_SYNC (8c098270-9dd4-
_P2 (500b6a2a-7a50- 4350-9b30-
4f40-b5f9- ba4703f3b36b)
ISE_EDU (63038b2c- 9116-175376d08c38)
33062963b498) (Education)
MCOSTANDARD (e03c7e47-402c-
(0feaeb32-d00e- 463c-ab25-
4d66-bd5a- 949079bedb21)
43b5b83db82c) PowerApps for Office
SWAY (a23b959c- 365 (c68f8d98-5534-
7ce8-4e57-9140- 41c8-bf36-
b90eb88a9e97) 22fa496fa792)
BPOS_S_TODO_2 School Data Sync
(c87f142c-d1e9- (Plan 2) (500b6a2a-
4363-8630- 7a50-4f40-b5f9-
aaea9c4d9ae5) 160e5b8c2f48)
WHITEBOARD_PLAN2 SharePoint Plan 2 for
(94a54592-cd8b- EDU (63038b2c-
425e-87c6- 28d0-45f6-bc36-
97868b000b91) 33062963b498)
Virtualization Rights Skype for Business
for Windows 10 Online (Plan 2)
(E3/E5+VDA) (0feaeb32-d00e-
(e7c91390-7625- 4d66-bd5a-
45be-94e0- 43b5b83db82c)
e16907e03118) Sway (a23b959c-
YAMMER_EDU 7ce8-4e57-9140-
(2078e8df-cff6-4290- b90eb88a9e97)
98cb-5408261a760a) To-Do (Plan 2)
(c87f142c-d1e9-
4363-8630-
aaea9c4d9ae5)
Whiteboard (Plan 2)
(94a54592-cd8b-
425e-87c6-
97868b000b91)
Windows 10
Enterprise (New)
(e7c91390-7625-
45be-94e0-
e16907e03118)
Yammer for Academic
(2078e8df-cff6-4290-
98cb-5408261a760a)
Microsoft 365 A5 for M365EDU_A5_FACUL e97c048c-37a4-45fb- AAD_BASIC_EDU Azure Active Directory
faculty TY ab50-922fbf07a370 (1d0f309f-fdf9-4b2a- Basic for EDU
9ae7-9c48b91f1426) (1d0f309f-fdf9-4b2a-
SERVIC E P L A N S
4b7c-bd55-
SERVIC E P L A N S Premium
IN C L UDEDP1( F RIEN DLY
P RO DUC T N A M E ST RIN G ID GUID b576c07bb09d)
IN C L UDED (41781fb2-bc02-
N A M ES)
(eec0eb4f-6444-4f95- b576c07bb09d)
aba0-50c24d67f998) Azure Active Directory
ATA (14ab5db5-e6c4- Premium P2
4b20-b4bc- (eec0eb4f-6444-4f95-
13e36fd2227f) aba0-50c24d67f998)
RMS_S_PREMIUM Azure Advanced
(6c57d4b6-3b23- Threat Protection
47a5-9bc9- (14ab5db5-e6c4-
69f17b4947b3) 4b20-b4bc-
RMS_S_PREMIUM2 13e36fd2227f)
(5689bec4-755d- Azure Information
4753-8b61- Protection Premium
40975025187c) P1 (6c57d4b6-3b23-
RMS_S_ENTERPRISE 47a5-9bc9-
(bea4c11e-220a- 69f17b4947b3)
4e6d-8eb8- Azure Information
8ea15d019f90) Protection Premium
LOCKBOX_ENTERPRIS P2 (5689bec4-755d-
E (9f431833-0334- 4753-8b61-
42de-a7dc- 40975025187c)
70aa40db46db) Azure Rights
EducationAnalyticsP1 Management
(a9b86446-fa4e- (bea4c11e-220a-
498f-a92a- 4e6d-8eb8-
41b447e03337) 8ea15d019f90)
EXCHANGE_S_ENTERP Customer Lockbox
RISE (efb87545-963c- (9f431833-0334-
4e0d-99df- 42de-a7dc-
69c6916d9eb0) 70aa40db46db)
FLOW_O365_P3 Education Analytics
(07699545-9485- (a9b86446-fa4e-
468e-95b6- 498f-a92a-
2fca3738be01) 41b447e03337)
INFORMATION_BARRI Exchange Online (Plan
ERS (c4801e8a-cb58- 2) (efb87545-963c-
4c35-aca6- 4e0d-99df-
f2dcc106f287) 69c6916d9eb0)
(efb0351d-3b08- (07699545-9485-
4503-993d- 468e-95b6-
383af8de41e3) 2fca3738be01)
MIP_S_CLP1 Information Barriers
(5136a095-5cf0-4aff- (c4801e8a-cb58-
bec3-e84448b38ea5) 4c35-aca6-
INTUNE_EDU f2dcc106f287)
(da24caf9-af8e-485c- Information
b7c8-e73336da2693) Protection for Office
M365_ADVANCED_A 365 - Premium
UDITING (2f442157- (efb0351d-3b08-
a11c-46b9-ae5b- 4503-993d-
6e39ff4e5849) 383af8de41e3)
MCOMEETADV Information
(3e26ee1f-8a5f-4d52- Protection for Office
aee2-b81ce45c8f40) 365 - Standard
MCOEV (4828c8ec- (5136a095-5cf0-4aff-
dc2e-4779-b502- bec3-e84448b38ea5)
87ac9ce28ab7) Intune for Education
MFA_PREMIUM (da24caf9-af8e-485c-
(8a256a2b-b617- b7c8-e73336da2693)
496d-b51b- Microsoft 365
e76466e88db0) Advanced Auditing
MICROSOFTBOOKIN (2f442157-a11c-
SERVIC E P L A N S
GS (199a5c09-e0ca-
SERVIC E PLANS 46b9-ae5b-
P RO DUC T N A M E ST RIN G ID GUID 4e37-8f7c-
IN C L UDED 6e39ff4e5849)
N A M ES)
b05d533e1ea2) Microsoft 365 Audio
ADALLOM_S_STANDA Conferencing
LONE (2e2ddb96- (3e26ee1f-8a5f-4d52-
6af9-4b1d-a3f0- aee2-b81ce45c8f40)
d6ecfd22edb2) Microsoft 365 Phone
WINDEFATP System (4828c8ec-
(871d91ec-ec1a- dc2e-4779-b502-
452b-a83f- 87ac9ce28ab7)
bd76c7d770ef) Microsoft Azure
_3 (96c1e14a-ef43- Authentication
418d-b115- (8a256a2b-b617-
9636cdaa8eed) 496d-b51b-
aa3fa01094f5) (199a5c09-e0ca-
KAIZALA_STANDALO 4e37-8f7c-
NE (0898bdbb-73b0- b05d533e1ea2)
471a-81e5- Microsoft Cloud App
20f1fe4dd66e) Security (2e2ddb96-
EXCHANGE_ANALYTI 6af9-4b1d-a3f0-
CS (34c0d7a0-a70f- d6ecfd22edb2)
4668-9238- Microsoft Defender
47f9fc208882) Advanced Threat
PROJECTWORKMANA Protection
GEMENT (b737dad2- (871d91ec-ec1a-
2f6c-4c65-90e3- 452b-a83f-
ca563267e8b9) bd76c7d770ef)
MICROSOFT_SEARCH Microsoft Forms (Plan
(94065c59-bc8e- 3) (96c1e14a-ef43-
4e8b-89e5- 418d-b115-
5138d471eaff) 9636cdaa8eed)
Deskless (8c7d2df8- Microsoft Intune
86f0-4902-b2ed- (c1ec4a95-1f05-
a0458298f3b3) 45b3-a911-
STREAM_O365_E5 aa3fa01094f5)
(6c6042f5-6f01- Microsoft Kaizala
4d67-b8c1- (0898bdbb-73b0-
eb99d36eed3e) 471a-81e5-
TEAMS1 (57ff2da0- 20f1fe4dd66e)
773e-42df-b2af- Microsoft MyAnalytics
ffb7a2317929) (Full) (34c0d7a0-a70f-
MINECRAFT_EDUCATI 4668-9238-
ON_EDITION 47f9fc208882)
(4c246bbc-f513- Microsoft Planner
4311-beff- (b737dad2-2f6c-
eba54c353256) 4c65-90e3-
INTUNE_O365 ca563267e8b9)
(882e1d05-acd1- Microsoft Search
4ccb-8708- (94065c59-bc8e-
6ee03664b117) 4e8b-89e5-
EQUIVIO_ANALYTICS 5138d471eaff)
(4de31727-a228- Microsoft StaffHub
4ec3-a5bf- (8c7d2df8-86f0-
8e45b5ca48cc) 4902-b2ed-
ADALLOM_S_O365 a0458298f3b3)
(8c098270-9dd4- Microsoft Stream for
4350-9b30- O365 E5 SKU
ba4703f3b36b) (6c6042f5-6f01-
ATP_ENTERPRISE 4d67-b8c1-
(f20fedf3-f3c3-43c3- eb99d36eed3e)
8267-2bfdd51c0939) Microsoft Teams
THREAT_INTELLIGENC (57ff2da0-773e-42df-
SERVIC E P L A N S
ESERVIC
(8e0c0a52-6a6c-
E PLANS b2af-ffb7a2317929)
P RO DUC T N A M E ST RIN G ID GUID 4d40-8370-
IN C L UDED Minecraft
N A M ES) Education
dd62790dcd70) Edition (4c246bbc-
PAM_ENTERPRISE f513-4311-beff-
(b1188c4c-1b36- eba54c353256)
4018-b48b- Mobile Device
ee07604f6feb) Management for
OFFICESUBSCRIPTIO Office 365
N (43de0ff5-c92c- (882e1d05-acd1-
492b-9116- 4ccb-8708-
175376d08c38) 6ee03664b117)
SAFEDOCS (bf6f5520- Office 365 Advanced
59e3-4f82-974b- eDiscovery
7dbbc4fd27c7) (4de31727-a228-
SHAREPOINTWAC_ED 4ec3-a5bf-
U (e03c7e47-402c- 8e45b5ca48cc)
463c-ab25- Office 365 Advanced
949079bedb21) Security Management
BI_AZURE_P2 (8c098270-9dd4-
(70d33638-9c74- 4350-9b30-
4d01-bfd3- ba4703f3b36b)
562de28bd4ba) Office 365 Advanced
POWERAPPS_O365_P Threat Protection
3 (9c0dab89-a30c- (Plan 1) (f20fedf3-
4117-86e7- f3c3-43c3-8267-
97bda240acd2) 2bfdd51c0939)
PREMIUM_ENCRYPTI Office 365 Advanced
ON (617b097b-4b93- Threat Protection
4ede-83de- (Plan 2) (8e0c0a52-
5f075bb5fb2f) 6a6c-4d40-8370-
SCHOOL_DATA_SYNC dd62790dcd70)
_P2 (500b6a2a-7a50- Office 365 Privileged
4f40-b5f9- Access Management
160e5b8c2f48) (b1188c4c-1b36-
SHAREPOINTENTERPR 4018-b48b-
ISE_EDU (63038b2c- ee07604f6feb)
28d0-45f6-bc36- Office 365 ProPlus
33062963b498) (43de0ff5-c92c-492b-
MCOSTANDARD 9116-175376d08c38)
(0feaeb32-d00e- Office 365 SafeDocs
4d66-bd5a- (bf6f5520-59e3-4f82-
43b5b83db82c) 974b-7dbbc4fd27c7)
SWAY (a23b959c- Office for the web
7ce8-4e57-9140- (Education)
b90eb88a9e97) (e03c7e47-402c-
BPOS_S_TODO_3 463c-ab25-
(3fb82609-8c27- 949079bedb21)
4f7b-bd51- Power BI Pro
30634711ee67) (70d33638-9c74-
WHITEBOARD_PLAN3 4d01-bfd3-
(4a51bca5-1eff-43f5- 562de28bd4ba)
878c-177680f191af) PowerApps for Office
Virtualization Rights 365 Plan 3
for Windows 10 (9c0dab89-a30c-
(E3/E5+VDA) 4117-86e7-
(e7c91390-7625- 97bda240acd2)
45be-94e0- Premium Encryption
e16907e03118) in Office 365
YAMMER_EDU (617b097b-4b93-
(2078e8df-cff6-4290- 4ede-83de-
98cb-5408261a760a) 5f075bb5fb2f)
School Data Sync
(Plan 2) (500b6a2a-
7a50-4f40-b5f9-
160e5b8c2f48)
SERVIC E P L A N S
SERVIC E P L A N S SharePoint
IN C L UDED (Plan 2 DLY
F RIEN for
P RO DUC T N A M E ST RIN G ID GUID IN C L UDED EDU
N (63038b2c-
A M ES)
28d0-45f6-bc36-
33062963b498)
Skype for Business
Online (Plan 2)
(0feaeb32-d00e-
4d66-bd5a-
43b5b83db82c)
Sway (a23b959c-
7ce8-4e57-9140-
b90eb88a9e97)
To-Do (Plan 3)
(3fb82609-8c27-
4f7b-bd51-
30634711ee67)
Whiteboard (Plan 3)
(4a51bca5-1eff-43f5-
878c-177680f191af)
Windows 10
Enterprise (New)
(e7c91390-7625-
45be-94e0-
e16907e03118)
Yammer for Academic
(2078e8df-cff6-4290-
98cb-5408261a760a)
Microsoft 365 A5 for M365EDU_A5_STUDE 46c119d4-0379- AAD_BASIC_EDU Azure Active Directory
students NT 4a9d-85e4- (1d0f309f-fdf9-4b2a- Basic for EDU
97c66d3f909e 9ae7-9c48b91f1426) (1d0f309f-fdf9-4b2a-
b576c07bb09d) (41781fb2-bc02-
(eec0eb4f-6444-4f95- b576c07bb09d)
aba0-50c24d67f998) Azure Active Directory
ATA (14ab5db5-e6c4- Premium P2
4b20-b4bc- (eec0eb4f-6444-4f95-
13e36fd2227f) aba0-50c24d67f998)
RMS_S_PREMIUM Azure Advanced
(6c57d4b6-3b23- Threat Protection
47a5-9bc9- (14ab5db5-e6c4-
69f17b4947b3) 4b20-b4bc-
RMS_S_PREMIUM2 13e36fd2227f)
(5689bec4-755d- Azure Information
4753-8b61- Protection Premium
40975025187c) P1 (6c57d4b6-3b23-
(bea4c11e-220a- 69f17b4947b3)
4e6d-8eb8- Azure Information
8ea15d019f90) Protection Premium
LOCKBOX_ENTERPRIS P2 (5689bec4-755d-
E (9f431833-0334- 4753-8b61-
42de-a7dc- 40975025187c)
70aa40db46db) Azure Rights
EducationAnalyticsP1 Management
(a9b86446-fa4e- (bea4c11e-220a-
498f-a92a- 4e6d-8eb8-
41b447e03337) 8ea15d019f90)
EXCHANGE_S_ENTERP Customer Lockbox
RISE (efb87545-963c- (9f431833-0334-
4e0d-99df- 42de-a7dc-
69c6916d9eb0) 70aa40db46db)
FLOW_O365_P3 Education Analytics
SERVIC E P L A N S
(07699545-9485-
SERVIC E P L A N S (a9b86446-fa4e-
P RO DUC T N A M E ST RIN G ID GUID 468e-95b6-
IN C L UDED 498f-a92a-
N A M ES)
2fca3738be01) 41b447e03337)
INFORMATION_BARRI Exchange Online (Plan
ERS (c4801e8a-cb58- 2) (efb87545-963c-
4c35-aca6- 4e0d-99df-
f2dcc106f287) 69c6916d9eb0)
(efb0351d-3b08- (07699545-9485-
4503-993d- 468e-95b6-
383af8de41e3) 2fca3738be01)
MIP_S_CLP1 Information Barriers
(5136a095-5cf0-4aff- (c4801e8a-cb58-
bec3-e84448b38ea5) 4c35-aca6-
INTUNE_EDU f2dcc106f287)
(da24caf9-af8e-485c- Information
b7c8-e73336da2693) Protection for Office
M365_ADVANCED_A 365 - Premium
UDITING (2f442157- (efb0351d-3b08-
a11c-46b9-ae5b- 4503-993d-
6e39ff4e5849) 383af8de41e3)
MCOMEETADV Information
(3e26ee1f-8a5f-4d52- Protection for Office
aee2-b81ce45c8f40) 365 - Standard
MCOEV (4828c8ec- (5136a095-5cf0-4aff-
dc2e-4779-b502- bec3-e84448b38ea5)
87ac9ce28ab7) Intune for Education
MFA_PREMIUM (da24caf9-af8e-485c-
(8a256a2b-b617- b7c8-e73336da2693)
496d-b51b- Microsoft 365
e76466e88db0) Advanced Auditing
MICROSOFTBOOKIN (2f442157-a11c-
GS (199a5c09-e0ca- 46b9-ae5b-
4e37-8f7c- 6e39ff4e5849)
b05d533e1ea2) Microsoft 365 Audio
ADALLOM_S_STANDA Conferencing
LONE (2e2ddb96- (3e26ee1f-8a5f-4d52-
6af9-4b1d-a3f0- aee2-b81ce45c8f40)
d6ecfd22edb2) Microsoft 365 Phone
WINDEFATP System (4828c8ec-
(871d91ec-ec1a- dc2e-4779-b502-
452b-a83f- 87ac9ce28ab7)
bd76c7d770ef) Microsoft Azure
_3 (96c1e14a-ef43- Authentication
418d-b115- (8a256a2b-b617-
9636cdaa8eed) 496d-b51b-
aa3fa01094f5) (199a5c09-e0ca-
KAIZALA_STANDALO 4e37-8f7c-
NE (0898bdbb-73b0- b05d533e1ea2)
471a-81e5- Microsoft Cloud App
20f1fe4dd66e) Security (2e2ddb96-
EXCHANGE_ANALYTI 6af9-4b1d-a3f0-
CS (34c0d7a0-a70f- d6ecfd22edb2)
4668-9238- Microsoft Defender
47f9fc208882) Advanced Threat
PROJECTWORKMANA Protection
GEMENT (b737dad2- (871d91ec-ec1a-
2f6c-4c65-90e3- 452b-a83f-
ca563267e8b9) bd76c7d770ef)
MICROSOFT_SEARCH Microsoft Forms (Plan
(94065c59-bc8e- 3) (96c1e14a-ef43-
4e8b-89e5- 418d-b115-
SERVIC E P L A N S
5138d471eaff)
SERVIC E P L A N S 9636cdaa8eed)
P RO DUC T N A M E ST RIN G ID GUID Deskless
IN C L UDED(8c7d2df8- Microsoft
N A M ES) Intune
86f0-4902-b2ed- (c1ec4a95-1f05-
a0458298f3b3) 45b3-a911-
STREAM_O365_E5 aa3fa01094f5)
(6c6042f5-6f01- Microsoft Kaizala
4d67-b8c1- (0898bdbb-73b0-
eb99d36eed3e) 471a-81e5-
TEAMS1 (57ff2da0- 20f1fe4dd66e)
773e-42df-b2af- Microsoft MyAnalytics
ffb7a2317929) (Full) (34c0d7a0-a70f-
MINECRAFT_EDUCATI 4668-9238-
ON_EDITION 47f9fc208882)
(4c246bbc-f513- Microsoft Planner
4311-beff- (b737dad2-2f6c-
eba54c353256) 4c65-90e3-
INTUNE_O365 ca563267e8b9)
(882e1d05-acd1- Microsoft Search
4ccb-8708- (94065c59-bc8e-
6ee03664b117) 4e8b-89e5-
EQUIVIO_ANALYTICS 5138d471eaff)
(4de31727-a228- Microsoft StaffHub
4ec3-a5bf- (8c7d2df8-86f0-
8e45b5ca48cc) 4902-b2ed-
ADALLOM_S_O365 a0458298f3b3)
(8c098270-9dd4- Microsoft Stream for
4350-9b30- O365 E5 SKU
ba4703f3b36b) (6c6042f5-6f01-
ATP_ENTERPRISE 4d67-b8c1-
(f20fedf3-f3c3-43c3- eb99d36eed3e)
8267-2bfdd51c0939) Microsoft Teams
THREAT_INTELLIGENC (57ff2da0-773e-42df-
E (8e0c0a52-6a6c- b2af-ffb7a2317929)
4d40-8370- Minecraft Education
dd62790dcd70) Edition (4c246bbc-
PAM_ENTERPRISE f513-4311-beff-
(b1188c4c-1b36- eba54c353256)
4018-b48b- Mobile Device
ee07604f6feb) Management for
OFFICESUBSCRIPTIO Office 365
N (43de0ff5-c92c- (882e1d05-acd1-
492b-9116- 4ccb-8708-
175376d08c38) 6ee03664b117)
59e3-4f82-974b- eDiscovery
7dbbc4fd27c7) (4de31727-a228-
SHAREPOINTWAC_ED 4ec3-a5bf-
U (e03c7e47-402c- 8e45b5ca48cc)
463c-ab25- Office 365 Advanced
949079bedb21) Security Management
BI_AZURE_P2 (8c098270-9dd4-
(70d33638-9c74- 4350-9b30-
4d01-bfd3- ba4703f3b36b)
562de28bd4ba) Office 365 Advanced
POWERAPPS_O365_P Threat Protection
3 (9c0dab89-a30c- (Plan 1)(f20fedf3-
4117-86e7- f3c3-43c3-8267-
97bda240acd2) 2bfdd51c0939)
PREMIUM_ENCRYPTI Office 365 Advanced
ON (617b097b-4b93- Threat Protection
4ede-83de- (Plan 2) (8e0c0a52-
5f075bb5fb2f) 6a6c-4d40-8370-
SCHOOL_DATA_SYNC dd62790dcd70)
_P2 (500b6a2a-7a50- Office 365 Privileged
4f40-b5f9- Access Management
SERVIC E P L A N S
160e5b8c2f48)
SERVIC E P L A N S (b1188c4c-1b36-
P RO DUC T N A M E ST RIN G ID GUID SHAREPOINTENTERPR
IN C L UDED 4018-b48b-
N A M ES)
ISE_EDU (63038b2c- ee07604f6feb)
28d0-45f6-bc36- Office 365 ProPlus
33062963b498) (43de0ff5-c92c-492b-
MCOSTANDARD 9116-175376d08c38)
(0feaeb32-d00e- Office 365 SafeDocs
4d66-bd5a- (bf6f5520-59e3-4f82-
43b5b83db82c) 974b-7dbbc4fd27c7)
SWAY (a23b959c- Office for the web
7ce8-4e57-9140- (Education)
b90eb88a9e97) (e03c7e47-402c-
BPOS_S_TODO_3 463c-ab25-
(3fb82609-8c27- 949079bedb21)
4f7b-bd51- Power BI Pro
30634711ee67) (70d33638-9c74-
WHITEBOARD_PLAN3 4d01-bfd3-
(4a51bca5-1eff-43f5- 562de28bd4ba)
878c-177680f191af) PowerApps for Office
Virtualization Rights 365 Plan 3
for Windows 10 (9c0dab89-a30c-
(E3/E5+VDA) 4117-86e7-
(e7c91390-7625- 97bda240acd2)
45be-94e0- Premium Encryption
e16907e03118) in Office 365
(2078e8df-cff6-4290- 4ede-83de-
98cb-5408261a760a) 5f075bb5fb2f)
School Data Sync
(Plan 2) (500b6a2a-
7a50-4f40-b5f9-
160e5b8c2f48)
SharePoint Plan 2 for
EDU (63038b2c-
28d0-45f6-bc36-
33062963b498)
Skype for Business
Online (Plan 2)
(0feaeb32-d00e-
4d66-bd5a-
43b5b83db82c)
Sway (a23b959c-
7ce8-4e57-9140-
b90eb88a9e97)
To-Do (Plan 3)
(3fb82609-8c27-
4f7b-bd51-
30634711ee67)
Whiteboard (Plan 3)
878c-177680f191af)
Windows 10
Enterprise (New)
(e7c91390-7625-
45be-94e0-
e16907e03118)
Yammer for Academic
(2078e8df-cff6-4290-
98cb-5408261a760a)
SERVIC E P L A N S
MICROSOFT 365 O365_BUSINESS cdd28e44-67e3- FORMS_PLAN_E1 MICROSOFT FORMS

APPS FOR BUSINESS 425e-be4c- (159f4cd6-e380- (PLAN E1) (159f4cd6-
737fab2899d3 449f-a816- e380-449f-a816-
af1a9ef76344) af1a9ef76344)
OFFICE_BUSINESS OFFICE 365 BUSINESS
(094e7854-93fc- (094e7854-93fc-
4d55-b2c0- 4d55-b2c0-
3ab5369ebdc1) 3ab5369ebdc1)
ONEDRIVESTANDARD ONEDRIVESTANDARD
(13696edf-5a08- (13696edf-5a08-
49f6-8134- 49f6-8134-
03083ed8ba30) 03083ed8ba30)
SHAREPOINTWAC OFFICE ONLINE
(e95bec33-7c88- (e95bec33-7c88-
4a70-8e19- 4a70-8e19-
b10bd9d0c014) b10bd9d0c014)
SWAY (a23b959c- SWAY (a23b959c-
7ce8-4e57-9140- 7ce8-4e57-9140-
b90eb88a9e97) b90eb88a9e97)
MICROSOFT 365 SMB_BUSINESS b214fe43-f5a3-4703- FORMS_PLAN_E1 MICROSOFT FORMS

APPS FOR BUSINESS beeb-fa97188220fc (159f4cd6-e380- (PLAN E1) (159f4cd6-
449f-a816- e380-449f-a816-
af1a9ef76344) af1a9ef76344)
OFFICE_BUSINESS OFFICE 365 BUSINESS
(094e7854-93fc- (094e7854-93fc-
4d55-b2c0- 4d55-b2c0-
3ab5369ebdc1) 3ab5369ebdc1)
(13696edf-5a08- (13696edf-5a08-
49f6-8134- 49f6-8134-
03083ed8ba30) 03083ed8ba30)
(e95bec33-7c88- (e95bec33-7c88-
4a70-8e19- 4a70-8e19-
b10bd9d0c014) b10bd9d0c014)
7ce8-4e57-9140- 7ce8-4e57-9140-
b90eb88a9e97) b90eb88a9e97)
MICROSOFT 365 OFFICESUBSCRIPTIO c2273bd0-dff7-4215- FORMS_PLAN_E1 MICROSOFT FORMS

APPS FOR N 9ef5-2c7bcfb06425 (159f4cd6-e380- (PLAN E1) (159f4cd6-
ENTERPRISE 449f-a816- e380-449f-a816-
af1a9ef76344) af1a9ef76344)
OFFICESUBSCRIPTIO OFFICESUBSCRIPTIO
N (43de0ff5-c92c- N (43de0ff5-c92c-
492b-9116- 492b-9116-
175376d08c38) 175376d08c38)
(13696edf-5a08- (13696edf-5a08-
49f6-8134- 49f6-8134-
03083ed8ba30) 03083ed8ba30)
(e95bec33-7c88- (e95bec33-7c88-
4a70-8e19- 4a70-8e19-
b10bd9d0c014) b10bd9d0c014)
7ce8-4e57-9140- 7ce8-4e57-9140-
b90eb88a9e97) b90eb88a9e97)
SERVIC E P L A N S
MICROSOFT 365 O365_BUSINESS_ESSE 3b555118-da6a- BPOS_S_TODO_1 BPOS_S_TODO_1

BUSINESS BASIC NTIALS 4418-894f- (5e62787c-c316- (5e62787c-c316-
7df1e2096870 451f-b873- 451f-b873-
1d05acd4d12c) 1d05acd4d12c)
EXCHANGE_S_STAND EXCHANGE ONLINE
ARD (9aaf7827-d63c- (PLAN 1) (9aaf7827-
4b61-89c3- d63c-4b61-89c3-
182f06f82e5c) 182f06f82e5c)
FLOW_O365_P1 FLOW FOR OFFICE
(0f9b09cb-62d1-4ff4- 365 (0f9b09cb-62d1-
9129-43f4996f83f4) 4ff4-9129-
FORMS_PLAN_E1 43f4996f83f4)
(159f4cd6-e380- MICROSOFT FORMS
449f-a816- (PLAN E1) (159f4cd6-
af1a9ef76344) e380-449f-a816-
MCOSTANDARD af1a9ef76344)
(0feaeb32-d00e- SKYPE FOR BUSINESS
4d66-bd5a- ONLINE (PLAN 2)
43b5b83db82c) (0feaeb32-d00e-
OFFICEMOBILE_SUBS 4d66-bd5a-
CRIPTION (c63d4d19- 43b5b83db82c)
e8cb-460e-b37c- OFFICEMOBILE_SUBS
4d6c34603745) CRIPTION (c63d4d19-
POWERAPPS_O365_P e8cb-460e-b37c-
1 (92f7a6f3-b89b- 4d6c34603745)
4bbd-8c30- POWERAPPS FOR
809e6da5ad1c) OFFICE 365
PROJECTWORKMANA (92f7a6f3-b89b-
GEMENT (b737dad2- 4bbd-8c30-
2f6c-4c65-90e3- 809e6da5ad1c)
ca563267e8b9) MICROSOFT
SHAREPOINTSTANDA PLANNER(b737dad2-
RD (c7699d2e-19aa- 2f6c-4c65-90e3-
44de-8edf- ca563267e8b9)
1736da088ca1) SHAREPOINTSTANDA
SHAREPOINTWAC RD (c7699d2e-19aa-
(e95bec33-7c88- 44de-8edf-
4a70-8e19- 1736da088ca1)
b10bd9d0c014) OFFICE ONLINE
SWAY (a23b959c- (e95bec33-7c88-
7ce8-4e57-9140- 4a70-8e19-
b90eb88a9e97) b10bd9d0c014)
TEAMS1 (57ff2da0- SWAY (a23b959c-
773e-42df-b2af- 7ce8-4e57-9140-
ffb7a2317929) b90eb88a9e97)
YAMMER_ENTERPRISE TEAMS1 (57ff2da0-
(7547a3fe-08ee- 773e-42df-b2af-
4ccb-b430- ffb7a2317929)
5077c5041653) YAMMER_ENTERPRISE
(7547a3fe-08ee-
4ccb-b430-
5077c5041653)
SERVIC E P L A N S
MICROSOFT 365 SMB_BUSINESS_ESSE dab7782a-93b1- BPOS_S_TODO_1 BPOS_S_TODO_1

BUSINESS BASIC NTIALS 4074-8bb1- (5e62787c-c316- (5e62787c-c316-
0e61318bea0b 451f-b873- 451f-b873-
ARD (9aaf7827-d63c- (PLAN 1) (9aaf7827-
4b61-89c3- d63c-4b61-89c3-
182f06f82e5c) 182f06f82e5c)
(0f9b09cb-62d1-4ff4- 365 (0f9b09cb-62d1-
9129-43f4996f83f4) 4ff4-9129-
FORMS_PLAN_E1 43f4996f83f4)
(159f4cd6-e380- MICROSOFT FORMS
449f-a816- (PLAN E1) (159f4cd6-
af1a9ef76344) e380-449f-a816-
MCOSTANDARD af1a9ef76344)
(0feaeb32-d00e- SKYPE FOR BUSINESS
4d66-bd5a- ONLINE (PLAN 2)
OFFICEMOBILE_SUBS 4d66-bd5a-
CRIPTION (c63d4d19- 43b5b83db82c)
e8cb-460e-b37c- OFFICEMOBILE_SUBS
4d6c34603745) CRIPTION (c63d4d19-
POWERAPPS_O365_P e8cb-460e-b37c-
1 (92f7a6f3-b89b- 4d6c34603745)
4bbd-8c30- POWERAPPS FOR
809e6da5ad1c) OFFICE 365
PROJECTWORKMANA (92f7a6f3-b89b-
GEMENT (b737dad2- 4bbd-8c30-
2f6c-4c65-90e3- 809e6da5ad1c)
ca563267e8b9) MICROSOFT
SHAREPOINTSTANDA PLANNER(b737dad2-
RD (c7699d2e-19aa- 2f6c-4c65-90e3-
44de-8edf- ca563267e8b9)
1736da088ca1) SHAREPOINTSTANDA
SHAREPOINTWAC RD (c7699d2e-19aa-
(e95bec33-7c88- 44de-8edf-
4a70-8e19- 1736da088ca1)
b10bd9d0c014) OFFICE ONLINE
SWAY (a23b959c- (e95bec33-7c88-
7ce8-4e57-9140- 4a70-8e19-
b90eb88a9e97) b10bd9d0c014)
TEAMS1 (57ff2da0- SWAY (a23b959c-
773e-42df-b2af- 7ce8-4e57-9140-
ffb7a2317929) b90eb88a9e97)
YAMMER_MIDSIZE TEAMS1 (57ff2da0-
(41bf139a-4e60- 773e-42df-b2af-
409f-9346- ffb7a2317929)
a1361efc6dfb) YAMMER_MIDSIZE
(41bf139a-4e60-
409f-9346-
a1361efc6dfb)
MICROSOFT 365 O365_BUSINESS_PRE f245ecc8-75af-4f8e- BPOS_S_TODO_1 BPOS_S_TODO_1

BUSINESS STANDARD MIUM b61f-27d8114de5f3 (5e62787c-c316- (5e62787c-c316-
451f-b873- 451f-b873-
Deskless (8c7d2df8- MICROSOFT
86f0-4902-b2ed- STAFFHUB (8c7d2df8-
a0458298f3b3) 86f0-4902-b2ed-
EXCHANGE_S_STAND a0458298f3b3)
SERVIC E P L A N S
ARD
SERVIC (9aaf7827-d63c-
E PLANS EXCHANGE
IN C L UDED ( FONLINE
RIEN DLY
P RO DUC T N A M E ST RIN G ID GUID 4b61-89c3-
IN C L UDED (PLAN
N A M ES)1) (9aaf7827-
182f06f82e5c) d63c-4b61-89c3-
FLOW_O365_P1 182f06f82e5c)
(0f9b09cb-62d1-4ff4- FLOW FOR OFFICE
9129-43f4996f83f4) 365 (0f9b09cb-62d1-
FORMS_PLAN_E1 4ff4-9129-
(159f4cd6-e380- 43f4996f83f4)
449f-a816- MICROSOFT FORMS
af1a9ef76344) (PLAN E1) (159f4cd6-
MCOSTANDARD e380-449f-a816-
(0feaeb32-d00e- af1a9ef76344)
4d66-bd5a- SKYPE FOR BUSINESS
43b5b83db82c) ONLINE (PLAN 2)
MICROSOFTBOOKIN (0feaeb32-d00e-
GS (199a5c09-e0ca- 4d66-bd5a-
4e37-8f7c- 43b5b83db82c)
b05d533e1ea2) MICROSOFTBOOKIN
O365_SB_Relationship GS (199a5c09-e0ca-
_Management 4e37-8f7c-
(5bfe124c-bbdc- b05d533e1ea2)
4494-8835- OUTLOOK
f1297d457d79) CUSTOMER
OFFICE_BUSINESS MANAGER (5bfe124c-
(094e7854-93fc- bbdc-4494-8835-
4d55-b2c0- f1297d457d79)
3ab5369ebdc1) OFFICE 365 BUSINESS
POWERAPPS_O365_P (094e7854-93fc-
1 (92f7a6f3-b89b- 4d55-b2c0-
4bbd-8c30- 3ab5369ebdc1)
809e6da5ad1c) POWERAPPS FOR
PROJECTWORKMANA OFFICE 365
GEMENT (b737dad2- (92f7a6f3-b89b-
2f6c-4c65-90e3- 4bbd-8c30-
ca563267e8b9) 809e6da5ad1c)
SHAREPOINTSTANDA MICROSOFT
RD (c7699d2e-19aa- PLANNER(b737dad2-
44de-8edf- 2f6c-4c65-90e3-
1736da088ca1) ca563267e8b9)
SHAREPOINTWAC SHAREPOINTSTANDA
(e95bec33-7c88- RD (c7699d2e-19aa-
4a70-8e19- 44de-8edf-
b10bd9d0c014) 1736da088ca1)
SWAY (a23b959c- OFFICE ONLINE
7ce8-4e57-9140- (e95bec33-7c88-
b90eb88a9e97) 4a70-8e19-
TEAMS1 (57ff2da0- b10bd9d0c014)
773e-42df-b2af- SWAY (a23b959c-
ffb7a2317929) 7ce8-4e57-9140-
YAMMER_ENTERPRISE b90eb88a9e97)
(7547a3fe-08ee- TEAMS1 (57ff2da0-
4ccb-b430- 773e-42df-b2af-
5077c5041653) ffb7a2317929)
YAMMER_ENTERPRISE
(7547a3fe-08ee-
4ccb-b430-
5077c5041653)
MICROSOFT 365 SMB_BUSINESS_PREM ac5cef5d-921b-4f97- BPOS_S_TODO_1 BPOS_S_TODO_1

BUSINESS STANDARD IUM 9ef3-c99076e5470f (5e62787c-c316- (5e62787c-c316-
451f-b873- 451f-b873-
a0458298f3b3) 86f0-4902-b2ed-
SERVIC E P L A N S
EXCHANGE_S_STAND
SERVIC E P L A N S a0458298f3b3)
P RO DUC T N A M E ST RIN G ID GUID ARD
IN (9aaf7827-d63c-
C L UDED EXCHANGE
N A M ES) ONLINE
4b61-89c3- (PLAN 1) (9aaf7827-
182f06f82e5c) d63c-4b61-89c3-
FLOW_O365_P1 182f06f82e5c)
9129-43f4996f83f4) 365 (0f9b09cb-62d1-
(159f4cd6-e380- 43f4996f83f4)
af1a9ef76344) (PLAN E1) (159f4cd6-
MICROSOFTBOOKIN (0feaeb32-d00e-
GS (199a5c09-e0ca- 4d66-bd5a-
4e37-8f7c- 43b5b83db82c)
b05d533e1ea2) MICROSOFTBOOKIN
O365_SB_Relationship GS (199a5c09-e0ca-
_Management 4e37-8f7c-
(5bfe124c-bbdc- b05d533e1ea2)
4494-8835- OUTLOOK
f1297d457d79) CUSTOMER
OFFICE_BUSINESS MANAGER (5bfe124c-
(094e7854-93fc- bbdc-4494-8835-
4d55-b2c0- f1297d457d79)
3ab5369ebdc1) OFFICE 365 BUSINESS
POWERAPPS_O365_P (094e7854-93fc-
1 (92f7a6f3-b89b- 4d55-b2c0-
4bbd-8c30- 3ab5369ebdc1)
2f6c-4c65-90e3- 4bbd-8c30-
ca563267e8b9) 809e6da5ad1c)
44de-8edf- 2f6c-4c65-90e3-
1736da088ca1) ca563267e8b9)
(e95bec33-7c88- RD (c7699d2e-19aa-
4a70-8e19- 44de-8edf-
b10bd9d0c014) 1736da088ca1)
7ce8-4e57-9140- (e95bec33-7c88-
b90eb88a9e97) 4a70-8e19-
ffb7a2317929) 7ce8-4e57-9140-
YAMMER_MIDSIZE b90eb88a9e97)
(41bf139a-4e60- TEAMS1 (57ff2da0-
409f-9346- 773e-42df-b2af-
a1361efc6dfb) ffb7a2317929)
YAMMER_MIDSIZE
(41bf139a-4e60-
409f-9346-
a1361efc6dfb)
MICROSOFT 365 SPB cbdc14ab-d96c- AAD_SMB (de377cbc- AZURE ACTIVE

BUSINESS PREMIUM 4c30-b9f4- 0019-4ec2-b77c- DIRECTORY
6ada7cdc1d46 3f223947e102) (de377cbc-0019-
BPOS_S_TODO_1 4ec2-b77c-
(5e62787c-c316- 3f223947e102)
451f-b873- BPOS_S_TODO_1
SERVIC E P L A N S
1d05acd4d12c)
SERVIC E P L A N S (5e62787c-c316-
P RO DUC T N A M E ST RIN G ID GUID Deskless
IN C L UDED(8c7d2df8- 451f-b873-
N A M ES)
86f0-4902-b2ed- 1d05acd4d12c)
a0458298f3b3) MICROSOFT
EXCHANGE_S_ARCHI STAFFHUB (8c7d2df8-
VE_ADDON 86f0-4902-b2ed-
(176a09a6-7ec5- a0458298f3b3)
4039-ac02- EXCHANGE ONLINE
b2791c6ba793) ARCHIVING FOR
ARD (9aaf7827-d63c- (176a09a6-7ec5-
4b61-89c3- 4039-ac02-
182f06f82e5c) b2791c6ba793)
FLOW_O365_P1 EXCHANGE ONLINE
(0f9b09cb-62d1-4ff4- (PLAN 1) (9aaf7827-
9129-43f4996f83f4) d63c-4b61-89c3-
FORMS_PLAN_E1 182f06f82e5c)
(159f4cd6-e380- FLOW FOR OFFICE
449f-a816- 365 (0f9b09cb-62d1-
af1a9ef76344) 4ff4-9129-
INTUNE_A (c1ec4a95- 43f4996f83f4)
1f05-45b3-a911- MICROSOFT FORMS
aa3fa01094f5) (PLAN E1) (159f4cd6-
INTUNE_SMBIZ e380-449f-a816-
(8e9ff0ff-aa7a-4b20- af1a9ef76344)
83c1-2f636b600ac2) MICROSOFT INTUNE
MCOSTANDARD (c1ec4a95-1f05-
(0feaeb32-d00e- 45b3-a911-
4d66-bd5a- aa3fa01094f5)
43b5b83db82c) INTUNE_SMBIZ
MICROSOFTBOOKIN (8e9ff0ff-aa7a-4b20-
GS (199a5c09-e0ca- 83c1-2f636b600ac2)
4e37-8f7c- SKYPE FOR BUSINESS
b05d533e1ea2) ONLINE (PLAN 2)
O365_SB_Relationship (0feaeb32-d00e-
_Management 4d66-bd5a-
(5bfe124c-bbdc- 43b5b83db82c)
4494-8835- MICROSOFTBOOKIN
f1297d457d79) GS (199a5c09-e0ca-
OFFICE_BUSINESS 4e37-8f7c-
(094e7854-93fc- b05d533e1ea2)
4d55-b2c0- OUTLOOK
3ab5369ebdc1) CUSTOMER
POWERAPPS_O365_P MANAGER (5bfe124c-
1 (92f7a6f3-b89b- bbdc-4494-8835-
4bbd-8c30- f1297d457d79)
809e6da5ad1c) OFFICE 365 BUSINESS
PROJECTWORKMANA (094e7854-93fc-
GEMENT (b737dad2- 4d55-b2c0-
2f6c-4c65-90e3- 3ab5369ebdc1)
ca563267e8b9) POWERAPPS FOR
RMS_S_ENTERPRISE OFFICE 365
(bea4c11e-220a- (92f7a6f3-b89b-
4e6d-8eb8- 4bbd-8c30-
8ea15d019f90) 809e6da5ad1c)
RMS_S_PREMIUM MICROSOFT
(6c57d4b6-3b23- PLANNER(b737dad2-
47a5-9bc9- 2f6c-4c65-90e3-
69f17b4947b3) ca563267e8b9)
SHAREPOINTSTANDA MICROSOFT AZURE
RD (c7699d2e-19aa- ACTIVE DIRECTORY
44de-8edf- RIGHTS (bea4c11e-
1736da088ca1) 220a-4e6d-8eb8-
SHAREPOINTWAC 8ea15d019f90)
(e95bec33-7c88- AZURE
SERVIC E P L A N S
4a70-8e19-
SERVIC E P L A N S INFORMATION
P RO DUC T N A M E ST RIN G ID GUID b10bd9d0c014)
IN C L UDED PROTECTION
N A M ES)
STREAM_O365_E1 PREMIUM P1
(743dd19e-1ce3- (6c57d4b6-3b23-
4c62-a3ad- 47a5-9bc9-
49ba8f63a2f6) 69f17b4947b3)
SWAY (a23b959c- SHAREPOINTSTANDA
7ce8-4e57-9140- RD (c7699d2e-19aa-
b90eb88a9e97) 44de-8edf-
TEAMS1 (57ff2da0- 1736da088ca1)
773e-42df-b2af- OFFICE ONLINE
ffb7a2317929) (e95bec33-7c88-
WINBIZ (8e229017- 4a70-8e19-
d77b-43d5-9305- b10bd9d0c014)
903395523b99) MICROSOFT STREAM
YAMMER_ENTERPRISE FOR O365 E1 SKU
(7547a3fe-08ee- (743dd19e-1ce3-
4ccb-b430- 4c62-a3ad-
5077c5041653) 49ba8f63a2f6)
SWAY (a23b959c-
7ce8-4e57-9140-
b90eb88a9e97)
TEAMS1 (57ff2da0-
773e-42df-b2af-
ffb7a2317929)
WINDOWS 10
BUSINESS (8e229017-
d77b-43d5-9305-
903395523b99)
YAMMER_ENTERPRISE
(7547a3fe-08ee-
4ccb-b430-
5077c5041653)
MICROSOFT 365 E3 SPE_E3 05e9a617-0261- AAD_PREMIUM AZURE ACTIVE
4cee-bb44- (41781fb2-bc02- DIRECTORY
138d3ef5d965 4b7c-bd55- PREMIUM P1
b576c07bb09d) (41781fb2-bc02-
ERY (932ad362-64a8- b576c07bb09d)
4783-9106- CLOUD APP
97849a1a30b9) SECURITY DISCOVERY
BPOS_S_TODO_2 (932ad362-64a8-
(c87f142c-d1e9- 4783-9106-
4363-8630- 97849a1a30b9)
aaea9c4d9ae5) BPOS_S_TODO_2
Deskless (8c7d2df8- (c87f142c-d1e9-
86f0-4902-b2ed- 4363-8630-
a0458298f3b3) aaea9c4d9ae5)
EXCHANGE_S_ENTERP MICROSOFT
RISE (efb87545-963c- STAFFHUB (8c7d2df8-
4e0d-99df- 86f0-4902-b2ed-
69c6916d9eb0) a0458298f3b3)
(76846ad7-7776- (PLAN 2)(efb87545-
4c40-a281- 963c-4e0d-99df-
a386362dd1b9) 69c6916d9eb0)
FORMS_PLAN_E3 FLOW FOR OFFICE
(2789c901-c14e- 365 (76846ad7-
48ab-a76a- 7776-4c40-a281-
be334d9d793a) a386362dd1b9)
INTUNE_A (c1ec4a95- MICROSOFT FORMS
1f05-45b3-a911- (PLAN E3)
aa3fa01094f5) (2789c901-c14e-
MCOSTANDARD 48ab-a76a-
SERVIC E P L A N S
(0feaeb32-d00e-
SERVIC E P L A N S be334d9d793a)
P RO DUC T N A M E ST RIN G ID GUID 4d66-bd5a-
IN C L UDED MICROSOFT
N A M ES) INTUNE
43b5b83db82c) (c1ec4a95-1f05-
MFA_PREMIUM 45b3-a911-
(8a256a2b-b617- aa3fa01094f5)
496d-b51b- SKYPE FOR BUSINESS
e76466e88db0) ONLINE (PLAN 2)
OFFICESUBSCRIPTIO (0feaeb32-d00e-
N (43de0ff5-c92c- 4d66-bd5a-
492b-9116- 43b5b83db82c)
175376d08c38) MICROSOFT AZURE
POWERAPPS_O365_P MULTI-FACTOR
2 (c68f8d98-5534- AUTHENTICATION
41c8-bf36- (8a256a2b-b617-
22fa496fa792) 496d-b51b-
PROJECTWORKMANA e76466e88db0)
GEMENT (b737dad2- OFFICESUBSCRIPTIO
2f6c-4c65-90e3- N (43de0ff5-c92c-
ca563267e8b9) 492b-9116-
RMS_S_ENTERPRISE 175376d08c38)
(bea4c11e-220a- POWERAPPS FOR
4e6d-8eb8- OFFICE
8ea15d019f90) 365(c68f8d98-5534-
RMS_S_PREMIUM 41c8-bf36-
(6c57d4b6-3b23- 22fa496fa792)
47a5-9bc9- MICROSOFT
69f17b4947b3) PLANNER(b737dad2-
SHAREPOINTENTERPR 2f6c-4c65-90e3-
ISE (5dbe027f-2339- ca563267e8b9)
4123-9542- MICROSOFT AZURE
606e4d348a72) ACTIVE DIRECTORY
SHAREPOINTWAC RIGHTS (bea4c11e-
(e95bec33-7c88- 220a-4e6d-8eb8-
4a70-8e19- 8ea15d019f90)
b10bd9d0c014) AZURE
STREAM_O365_E3 INFORMATION
(9e700747-8b1d- PROTECTION
45e5-ab8d- PREMIUM P1
ef187ceec156) (6c57d4b6-3b23-
SWAY (a23b959c- 47a5-9bc9-
7ce8-4e57-9140- 69f17b4947b3)
b90eb88a9e97) SHAREPOINT ONLINE
TEAMS1 (57ff2da0- (PLAN 2) (5dbe027f-
773e-42df-b2af- 2339-4123-9542-
ffb7a2317929) 606e4d348a72)
WIN10_PRO_ENT_SUB OFFICE ONLINE
(21b439ba-a0ca- (e95bec33-7c88-
424f-a6cc- 4a70-8e19-
52f954a5b111) b10bd9d0c014)
YAMMER_ENTERPRISE MICROSOFT STREAM
(7547a3fe-08ee- FOR O365 E3 SKU
4ccb-b430- (9e700747-8b1d-
5077c5041653) 45e5-ab8d-
ef187ceec156)
SWAY (a23b959c-
7ce8-4e57-9140-
b90eb88a9e97)
TEAMS1 (57ff2da0-
773e-42df-b2af-
ffb7a2317929)
WINDOWS 10
ENTERPRISE
(21b439ba-a0ca-
424f-a6cc-
52f954a5b111)
SERVIC E P L A N S
SERVIC E P L A N S YAMMER_ENTERPRISE
P RO DUC T N A M E ST RIN G ID GUID IN C L UDED (7547a3fe-08ee-
N A M ES)
4ccb-b430-
5077c5041653)
Microsoft 365 E5 SPE_E5 06ebc4ee-1bb5- MCOMEETADV Audio Conferencing
47dd-8120- (3e26ee1f-8a5f-4d52- (3e26ee1f-8a5f-4d52-
11324bc54e06 aee2-b81ce45c8f40) aee2-b81ce45c8f40)
AAD_PREMIUM Azure Active Directory
(41781fb2-bc02- Premium P1
4b7c-bd55- (41781fb2-bc02-
b576c07bb09d) 4b7c-bd55-
AAD_PREMIUM_P2 b576c07bb09d)
(eec0eb4f-6444-4f95- Azure Active Directory
aba0-50c24d67f998) Premium P2
ATA (14ab5db5-e6c4- (eec0eb4f-6444-4f95-
4b20-b4bc- aba0-50c24d67f998)
13e36fd2227f) Azure Advanced
RMS_S_PREMIUM Threat Protection
(6c57d4b6-3b23- (14ab5db5-e6c4-
47a5-9bc9- 4b20-b4bc-
69f17b4947b3) 13e36fd2227f)
RMS_S_PREMIUM2 Azure Information
(5689bec4-755d- Protection Premium
4753-8b61- P1 (6c57d4b6-3b23-
40975025187c) 47a5-9bc9-
LOCKBOX_ENTERPRIS 69f17b4947b3)
E (9f431833-0334- Azure Information
42de-a7dc- Protection Premium
70aa40db46db) P2 (5689bec4-755d-
EXCHANGE_S_ENTERP 4753-8b61-
RISE (efb87545-963c- 40975025187c)
4e0d-99df- Customer Lockbox
69c6916d9eb0) (9f431833-0334-
FLOW_O365_P3 42de-a7dc-
(07699545-9485- 70aa40db46db)
468e-95b6- Exchange Online (Plan
2fca3738be01) 2) (efb87545-963c-
INFORMATION_BARRI 4e0d-99df-
ERS (c4801e8a-cb58- 69c6916d9eb0)
4c35-aca6- Flow for Office 365
f2dcc106f287) (07699545-9485-
MIP_S_CLP2 468e-95b6-
(efb0351d-3b08- 2fca3738be01)
4503-993d- Information Barriers
383af8de41e3) (c4801e8a-cb58-
MIP_S_CLP1 4c35-aca6-
(5136a095-5cf0-4aff- f2dcc106f287)
bec3-e84448b38ea5) Information
MYANALYTICS_P2 Protection for Office
(33c4f319-9bdd- 365 - Premium
48d6-9c4d- (efb0351d-3b08-
410b750a4a5a) 4503-993d-
RMS_S_ENTERPRISE 383af8de41e3)
(bea4c11e-220a- Information
4e6d-8eb8- Protection for Office
8ea15d019f90) 365 - Standard
MFA_PREMIUM (5136a095-5cf0-4aff-
(8a256a2b-b617- bec3-e84448b38ea5)
496d-b51b- Insights by
e76466e88db0) MyAnalytics
ADALLOM_S_STANDA (33c4f319-9bdd-
LONE (2e2ddb96- 48d6-9c4d-
6af9-4b1d-a3f0- 410b750a4a5a)
d6ecfd22edb2) Microsoft Azure
WINDEFATP Active Directory
SERVIC E P L A N S
(871d91ec-ec1a-
SERVIC E P L A N S Rights (bea4c11e-
P RO DUC T N A M E ST RIN G ID GUID 452b-a83f-
IN C L UDED 220a-4e6d-8eb8-
N A M ES)
bd76c7d770ef) 8ea15d019f90)
FORMS_PLAN_E5 Microsoft Azure
(e212cbc7-0961- Multi-Factor
4c40-9825- Authentication
01117710dcb1) (8a256a2b-b617-
INTUNE_A (c1ec4a95- 496d-b51b-
1f05-45b3-a911- e76466e88db0)
aa3fa01094f5) Microsoft Cloud App
KAIZALA_STANDALO Security (2e2ddb96-
NE (0898bdbb-73b0- 6af9-4b1d-a3f0-
471a-81e5- d6ecfd22edb2)
20f1fe4dd66e) Microsoft Defender
EXCHANGE_ANALYTI Advanced Threat
CS (34c0d7a0-a70f- Protection
4668-9238- (871d91ec-ec1a-
47f9fc208882) 452b-a83f-
PROJECTWORKMANA bd76c7d770ef)
GEMENT (b737dad2- Microsoft Forms (Plan
2f6c-4c65-90e3- E5) (e212cbc7-0961-
ca563267e8b9) 4c40-9825-
MICROSOFT_SEARCH 01117710dcb1)
(94065c59-bc8e- Microsoft Intune
4e8b-89e5- (c1ec4a95-1f05-
5138d471eaff) 45b3-a911-
Deskless (8c7d2df8- aa3fa01094f5)
86f0-4902-b2ed- Microsoft Kaizala
a0458298f3b3) (0898bdbb-73b0-
STREAM_O365_E5 471a-81e5-
(6c6042f5-6f01- 20f1fe4dd66e)
4d67-b8c1- Microsoft MyAnalytics
eb99d36eed3e) (Full) (34c0d7a0-a70f-
TEAMS1 (57ff2da0- 4668-9238-
773e-42df-b2af- 47f9fc208882)
ffb7a2317929) Microsoft Planner
INTUNE_O365 (b737dad2-2f6c-
(882e1d05-acd1- 4c65-90e3-
4ccb-8708- ca563267e8b9)
6ee03664b117) Microsoft Search
EQUIVIO_ANALYTICS (94065c59-bc8e-
(4de31727-a228- 4e8b-89e5-
4ec3-a5bf- 5138d471eaff)
8e45b5ca48cc) Microsoft StaffHub
ADALLOM_S_O365 (8c7d2df8-86f0-
(8c098270-9dd4- 4902-b2ed-
4350-9b30- a0458298f3b3)
ba4703f3b36b) Microsoft Stream for
ATP_ENTERPRISE O365 E5 SKU
(f20fedf3-f3c3-43c3- (6c6042f5-6f01-
8267-2bfdd51c0939) 4d67-b8c1-
THREAT_INTELLIGENC eb99d36eed3e)
E (8e0c0a52-6a6c- Microsoft Teams
4d40-8370- (57ff2da0-773e-42df-
dd62790dcd70) b2af-ffb7a2317929)
PAM_ENTERPRISE Mobile Device
(b1188c4c-1b36- Management for
4018-b48b- Office 365
ee07604f6feb) (882e1d05-acd1-
OFFICESUBSCRIPTIO 4ccb-8708-
N (43de0ff5-c92c- 6ee03664b117)
492b-9116- Office 365 Advanced
175376d08c38) eDiscovery
SHAREPOINTWAC (4de31727-a228-
(e95bec33-7c88- 4ec3-a5bf-
SERVIC E P L A N S
4a70-8e19-
SERVIC E P L A N S 8e45b5ca48cc)
IN C L UDED Office
N 365 Advanced
A M ES)
MCOEV (4828c8ec- Security Management
dc2e-4779-b502- (8c098270-9dd4-
87ac9ce28ab7) 4350-9b30-
BI_AZURE_P2 ba4703f3b36b)
(70d33638-9c74- Office 365 Advanced
4d01-bfd3- Threat Protection
562de28bd4ba) (Plan 1) (f20fedf3-
POWERAPPS_O365_P f3c3-43c3-8267-
3 (9c0dab89-a30c- 2bfdd51c0939)
4117-86e7- Office 365 Advanced
97bda240acd2) Threat Protection
PREMIUM_ENCRYPTI (Plan 2) (8e0c0a52-
ON (617b097b-4b93- 6a6c-4d40-8370-
4ede-83de- dd62790dcd70)
5f075bb5fb2f) Office 365 Privileged
SHAREPOINTENTERPR Access Management
ISE (5dbe027f-2339- (b1188c4c-1b36-
4123-9542- 4018-b48b-
606e4d348a72) ee07604f6feb)
MCOSTANDARD Office 365 ProPlus
(0feaeb32-d00e- (43de0ff5-c92c-492b-
4d66-bd5a- 9116-175376d08c38)
43b5b83db82c) Office Online
SWAY (a23b959c- (e95bec33-7c88-
7ce8-4e57-9140- 4a70-8e19-
b90eb88a9e97) b10bd9d0c014)
BPOS_S_TODO_3 Phone System
(3fb82609-8c27- (4828c8ec-dc2e-
4f7b-bd51- 4779-b502-
30634711ee67) 87ac9ce28ab7)
WHITEBOARD_PLAN3 Power BI Pro
(4a51bca5-1eff-43f5- (70d33638-9c74-
878c-177680f191af) 4d01-bfd3-
WIN10_PRO_ENT_SUB 562de28bd4ba)
(21b439ba-a0ca- PowerApps for Office
424f-a6cc- 365 Plan 3
52f954a5b111) (9c0dab89-a30c-
YAMMER_ENTERPRISE 4117-86e7-
(7547a3fe-08ee- 97bda240acd2)
4ccb-b430- Premium Encryption
5077c5041653) in Office 365
(617b097b-4b93-
4ede-83de-
5f075bb5fb2f)
SharePoint Online
(Plan 2) (5dbe027f-
2339-4123-9542-
606e4d348a72)
Skype for Business
Online (Plan 2)
(0feaeb32-d00e-
4d66-bd5a-
43b5b83db82c)
Sway (a23b959c-
7ce8-4e57-9140-
b90eb88a9e97)
To-Do (Plan 3)
(3fb82609-8c27-
4f7b-bd51-
30634711ee67)
Whiteboard (Plan 3)
878c-177680f191af)
SERVIC E P L A N S
SERVIC E P L A N S Windows
IN C L UDED10
( F RIEN DLY
P RO DUC T N A M E ST RIN G ID GUID IN C L UDED Enterprise
N A M ES) (Original)
(21b439ba-a0ca-
424f-a6cc-
52f954a5b111)
Yammer Enterprise
(7547a3fe-08ee-
4ccb-b430-
5077c5041653)
Microsoft 365 SPE_E3_USGOV_DOD d61d61cc-f992-433f- AAD_PREMIUM Azure Active Directory
E3_USGOV_DOD a577-5bd016037eeb (41781fb2-bc02- Premium P1
4b7c-bd55- (41781fb2-bc02-
b576c07bb09d) 4b7c-bd55-
RMS_S_PREMIUM b576c07bb09d)
(6c57d4b6-3b23- Azure Information
47a5-9bc9- Protection Premium
69f17b4947b3) P1 (6c57d4b6-3b23-
EXCHANGE_S_ENTERP 47a5-9bc9-
RISE (efb87545-963c- 69f17b4947b3)
4e0d-99df- Exchange Online (Plan
69c6916d9eb0) 2) (efb87545-963c-
RMS_S_ENTERPRISE 4e0d-99df-
(bea4c11e-220a- 69c6916d9eb0)
4e6d-8eb8- Microsoft Azure
8ea15d019f90) Active Directory
MFA_PREMIUM Rights (bea4c11e-
(8a256a2b-b617- 220a-4e6d-8eb8-
496d-b51b- 8ea15d019f90)
e76466e88db0) Microsoft Azure
INTUNE_A (c1ec4a95- Multi-Factor
1f05-45b3-a911- Authentication
aa3fa01094f5) (8a256a2b-b617-
STREAM_O365_E3 496d-b51b-
(9e700747-8b1d- e76466e88db0)
45e5-ab8d- Microsoft Intune
ef187ceec156) (c1ec4a95-1f05-
TEAMS_AR_DOD 45b3-a911-
(fd500458-c24c- aa3fa01094f5)
478e-856c- Microsoft Stream for
a6067a8376cd) O365 E3 SKU
OFFICESUBSCRIPTIO (9e700747-8b1d-
N (43de0ff5-c92c- 45e5-ab8d-
492b-9116- ef187ceec156)
175376d08c38) Microsoft Teams for
SHAREPOINTWAC DOD (AR) (fd500458-
(e95bec33-7c88- c24c-478e-856c-
4a70-8e19- a6067a8376cd)
b10bd9d0c014) Office 365 ProPlus
ISE (5dbe027f-2339- 9116-175376d08c38)
4123-9542- Office Online
606e4d348a72) (e95bec33-7c88-
MCOSTANDARD 4a70-8e19-
(0feaeb32-d00e- b10bd9d0c014)
4d66-bd5a- SharePoint Online
43b5b83db82c) (Plan 2) (5dbe027f-
2339-4123-9542-
606e4d348a72)
Skype for Business
Online (Plan 2)
(0feaeb32-d00e-
4d66-bd5a-
43b5b83db82c)
SERVIC E P L A N S
Microsoft 365 SPE_E3_USGOV_GCC ca9d1dd9-dfe9-4fef- AAD_PREMIUM Azure Active Directory

E3_USGOV_GCCHIGH HIGH b97c-9bc1ea3c3658 (41781fb2-bc02- Premium P1
4b7c-bd55- (41781fb2-bc02-
b576c07bb09d) 4b7c-bd55-
69f17b4947b3) P1(6c57d4b6-3b23-
ADALLOM_S_DISCOV 47a5-9bc9-
ERY (932ad362-64a8- 69f17b4947b3)
4783-9106- Cloud App Security
97849a1a30b9) Discovery (932ad362-
EXCHANGE_S_ENTERP 64a8-4783-9106-
RISE (efb87545-963c- 97849a1a30b9)
69c6916d9eb0) 2) (efb87545-963c-
RMS_S_ENTERPRISE 4e0d-99df-
(bea4c11e-220a- 69c6916d9eb0)
4e6d-8eb8- Microsoft Azure
8ea15d019f90) Active Directory
MFA_PREMIUM Rights (bea4c11e-
(8a256a2b-b617- 220a-4e6d-8eb8-
496d-b51b- 8ea15d019f90)
aa3fa01094f5) (8a256a2b-b617-
PROJECTWORKMANA 496d-b51b-
GEMENT (b737dad2- e76466e88db0)
2f6c-4c65-90e3- Microsoft Intune
ca563267e8b9) (c1ec4a95-1f05-
STREAM_O365_E3 45b3-a911-
(9e700747-8b1d- aa3fa01094f5)
45e5-ab8d- Microsoft Planner
ef187ceec156) (b737dad2-2f6c-
TEAMS_AR_GCCHIGH 4c65-90e3-
(9953b155-8aef- ca563267e8b9)
4c56-92f3- Microsoft Stream for
72b0487fce41) O365 E3 SKU
OFFICESUBSCRIPTIO (9e700747-8b1d-
N (43de0ff5-c92c- 45e5-ab8d-
492b-9116- ef187ceec156)
175376d08c38) Microsoft Teams for
SHAREPOINTWAC GCCHigh (AR)
(e95bec33-7c88- (9953b155-8aef-
4a70-8e19- 4c56-92f3-
b10bd9d0c014) 72b0487fce41)
SHAREPOINTENTERPR Office 365 ProPlus
ISE (5dbe027f-2339- (43de0ff5-c92c-492b-
4123-9542- 9116-175376d08c38)
606e4d348a72) Office Online
MCOSTANDARD (e95bec33-7c88-
(0feaeb32-d00e- 4a70-8e19-
4d66-bd5a- b10bd9d0c014)
43b5b83db82c) SharePoint Online
(Plan 2) (5dbe027f-
2339-4123-9542-
606e4d348a72)
Skype for Business
Online (Plan 2)
(0feaeb32-d00e-
SERVIC E P L A N S
SERVIC E P L A N S 4d66-bd5a-
P RO DUC T N A M E ST RIN G ID GUID IN C L UDED 43b5b83db82c)
N A M ES)
Microsoft 365 E5 INFORMATION_PROT 184efa21-98c3- RMS_S_PREMIUM2 Azure Information
Compliance ECTION_COMPLIANC 4e5d-95ab- (5689bec4-755d- Protection Premium
E d07053a96e67 4753-8b61- P2 (5689bec4-755d-
40975025187c) 4753-8b61-
LOCKBOX_ENTERPRIS 40975025187c)
E (9f431833-0334- Customer Lockbox
42de-a7dc- (9f431833-0334-
70aa40db46db) 42de-a7dc-
INFORMATION_BARRI 70aa40db46db)
ERS (c4801e8a-cb58- Information Barriers
4c35-aca6- (c4801e8a-cb58-
f2dcc106f287) 4c35-aca6-
MIP_S_CLP2 f2dcc106f287)
(efb0351d-3b08- Information
4503-993d- Protection for Office
383af8de41e3) 365 - Premium
M365_ADVANCED_A (efb0351d-3b08-
UDITING (2f442157- 4503-993d-
a11c-46b9-ae5b- 383af8de41e3)
6e39ff4e5849) Microsoft 365
EQUIVIO_ANALYTICS Advanced Auditing
(4de31727-a228- (2f442157-a11c-
4ec3-a5bf- 46b9-ae5b-
8e45b5ca48cc) 6e39ff4e5849)
PAM_ENTERPRISE Office 365 Advanced
(b1188c4c-1b36- eDiscovery
4018-b48b- (4de31727-a228-
ee07604f6feb) 4ec3-a5bf-
PREMIUM_ENCRYPTI 8e45b5ca48cc)
ON (617b097b-4b93- Office 365 Privileged
4ede-83de- Access Management
5f075bb5fb2f) (b1188c4c-1b36-
4018-b48b-
ee07604f6feb)
Premium Encryption
in Office 365
(617b097b-4b93-
4ede-83de-
5f075bb5fb2f)
SERVIC E P L A N S
Microsoft 365 E5 IDENTITY_THREAT_PR 26124093-3d78- AAD_PREMIUM_P2 Azure Active Directory

Security OTECTION 432b-b5dc- (eec0eb4f-6444-4f95- Premium P2
48bf992543d5 aba0-50c24d67f998) (eec0eb4f-6444-4f95-
ATA (14ab5db5-e6c4- aba0-50c24d67f998)
4b20-b4bc- Azure Advanced
13e36fd2227f) Threat Protection
ADALLOM_S_STANDA (14ab5db5-e6c4-
LONE (2e2ddb96- 4b20-b4bc-
6af9-4b1d-a3f0- 13e36fd2227f)
d6ecfd22edb2) Microsoft Cloud App
WINDEFATP Security (2e2ddb96-
(871d91ec-ec1a- 6af9-4b1d-a3f0-
452b-a83f- d6ecfd22edb2)
bd76c7d770ef) Microsoft Defender
ATP_ENTERPRISE Advanced Threat
(f20fedf3-f3c3-43c3- Protection
8267-2bfdd51c0939) (871d91ec-ec1a-
THREAT_INTELLIGENC 452b-a83f-
E (8e0c0a52-6a6c- bd76c7d770ef)
4d40-8370- Office 365 Advanced
dd62790dcd70) Threat Protection
SAFEDOCS (bf6f5520- (Plan 1) (f20fedf3-
59e3-4f82-974b- f3c3-43c3-8267-
7dbbc4fd27c7) 2bfdd51c0939)
Office 365 Advanced
Threat Protection
(Plan 2) (8e0c0a52-
6a6c-4d40-8370-
dd62790dcd70)
Office 365 SafeDocs
(bf6f5520-59e3-4f82-
974b-7dbbc4fd27c7)
Microsoft 365 E5 IDENTITY_THREAT_PR 44ac31e7-2999- WINDEFATP Microsoft Defender

Security for EMS E5 OTECTION_FOR_EMS_ 4304-ad94- (871d91ec-ec1a- Advanced Threat
E5 c948886741d4 452b-a83f- Protection
bd76c7d770ef) (871d91ec-ec1a-
ATP_ENTERPRISE 452b-a83f-
(f20fedf3-f3c3-43c3- bd76c7d770ef)
8267-2bfdd51c0939) Office 365 Advanced
THREAT_INTELLIGENC Threat Protection
E (8e0c0a52-6a6c- (Plan 1) (f20fedf3-
4d40-8370- f3c3-43c3-8267-
dd62790dcd70) 2bfdd51c0939)
59e3-4f82-974b- Threat Protection
7dbbc4fd27c7) (Plan 2) (8e0c0a52-
6a6c-4d40-8370-
dd62790dcd70)
Office 365 SafeDocs
(bf6f5520-59e3-4f82-
974b-7dbbc4fd27c7)
SERVIC E P L A N S
Microsoft 365 F1 M365_F1 44575883-256e- AAD_PREMIUM Azure Active Directory

4a79-9da4- (41781fb2-bc02- Premium P1
ebe9acabe2b2 4b7c-bd55- (41781fb2-bc02-
b576c07bb09d) 4b7c-bd55-
69f17b4947b3) P1 (6c57d4b6-3b23-
RMS_S_ENTERPRISE_G 47a5-9bc9-
OV (6a76346d-5d6e- 69f17b4947b3)
4051-9fe3- Azure Rights
ed3f312b5597) Management
ADALLOM_S_DISCOV (6a76346d-5d6e-
ERY (932ad362-64a8- 4051-9fe3-
4783-9106- ed3f312b5597)
97849a1a30b9) Cloud App Security
EXCHANGE_S_FOUND Discovery (932ad362-
ATION (113feb6c- 64a8-4783-9106-
3fe4-4440-bddc- 97849a1a30b9)
54d774bf0318) Exchange Foundation
MFA_PREMIUM (113feb6c-3fe4-
(8a256a2b-b617- 4440-bddc-
496d-b51b- 54d774bf0318)
aa3fa01094f5) (8a256a2b-b617-
PROJECTWORKMANA 496d-b51b-
GEMENT (b737dad2- e76466e88db0)
2f6c-4c65-90e3- Microsoft Intune
ca563267e8b9) (c1ec4a95-1f05-
STREAM_O365_K 45b3-a911-
(3ffba0d2-38e5- aa3fa01094f5)
4d5e-8ec0- Microsoft Planner
98f2b05c09d9) (b737dad2-2f6c-
TEAMS1 (57ff2da0- 4c65-90e3-
773e-42df-b2af- ca563267e8b9)
ffb7a2317929) Microsoft Stream for
INTUNE_O365 O365 K SKU
(882e1d05-acd1- (3ffba0d2-38e5-
4ccb-8708- 4d5e-8ec0-
6ee03664b117) 98f2b05c09d9)
SHAREPOINTDESKLES Microsoft Teams
S (902b47e5-dcb2- (57ff2da0-773e-42df-
4fdc-858b- b2af-ffb7a2317929)
c63a90a2bdb9) Mobile Device
MCOIMP (afc06cb0- Management for
b4f4-4473-8286- Office 365
d644f70d8faf) (882e1d05-acd1-
YAMMER_ENTERPRISE 4ccb-8708-
(7547a3fe-08ee- 6ee03664b117)
4ccb-b430- SharePoint Online
5077c5041653) Kiosk (902b47e5-
dcb2-4fdc-858b-
c63a90a2bdb9)
Skype for Business
Online (Plan 1)
(afc06cb0-b4f4-4473-
8286-d644f70d8faf)
Yammer Enterprise
(7547a3fe-08ee-
SERVIC E P L A N S
SERVIC E P L A N S 4ccb-b430-
P RO DUC T N A M E ST RIN G ID GUID IN C L UDED 5077c5041653)
N A M ES)
Microsoft 365 F3 SPE_F1 66b55226-6b4f- AAD_PREMIUM Azure Active Directory
492c-910c- (41781fb2-bc02- Premium P1
a3b7a3c9d993 4b7c-bd55- (41781fb2-bc02-
b576c07bb09d) 4b7c-bd55-
69f17b4947b3) P1 (6c57d4b6-3b23-
(bea4c11e-220a- 69f17b4947b3)
4e6d-8eb8- Azure Rights
8ea15d019f90) Management
ADALLOM_S_DISCOV (bea4c11e-220a-
ERY (932ad362-64a8- 4e6d-8eb8-
4783-9106- 8ea15d019f90)
97849a1a30b9) Cloud App Security
EXCHANGE_S_DESKLE Discovery (932ad362-
SS (4a82b400-a79f- 64a8-4783-9106-
41a4-b4e2- 97849a1a30b9)
e94f5787b113) Exchange Online Kiosk
FLOW_O365_S1 (4a82b400-a79f-
(bd91b1a4-9f94-4ecf- 41a4-b4e2-
b45b-3a65e5c8128a) e94f5787b113)
MFA_PREMIUM Flow for Office 365 K1
(8a256a2b-b617- (bd91b1a4-9f94-4ecf-
496d-b51b- b45b-3a65e5c8128a)
FORMS_PLAN_K Multi-Factor
(f07046bd-2a3c- Authentication
4b96-b0be- (8a256a2b-b617-
dea79d7cbfb8) 496d-b51b-
1f05-45b3-a911- Microsoft Forms (Plan
aa3fa01094f5) F1) (f07046bd-2a3c-
KAIZALA_O365_P1 4b96-b0be-
(73b2a583-6a59- dea79d7cbfb8)
42e3-8e83- Microsoft Intune
54db46bc3278) (c1ec4a95-1f05-
PROJECTWORKMANA 45b3-a911-
GEMENT (b737dad2- aa3fa01094f5)
2f6c-4c65-90e3- Microsoft Kaizala Pro
ca563267e8b9) Plan 1 (73b2a583-
MICROSOFT_SEARCH 6a59-42e3-8e83-
(94065c59-bc8e- 54db46bc3278)
4e8b-89e5- Microsoft Planner
5138d471eaff) (b737dad2-2f6c-
Deskless (8c7d2df8- 4c65-90e3-
86f0-4902-b2ed- ca563267e8b9)
a0458298f3b3) Microsoft Search
STREAM_O365_K (94065c59-bc8e-
(3ffba0d2-38e5- 4e8b-89e5-
4d5e-8ec0- 5138d471eaff)
98f2b05c09d9) Microsoft StaffHub
TEAMS1 (57ff2da0- (8c7d2df8-86f0-
773e-42df-b2af- 4902-b2ed-
ffb7a2317929) a0458298f3b3)
(882e1d05-acd1- O365 K SKU
4ccb-8708- (3ffba0d2-38e5-
6ee03664b117) 4d5e-8ec0-
SHAREPOINTWAC 98f2b05c09d9)
(e95bec33-7c88- Microsoft Teams
SERVIC E P L A N S
4a70-8e19-
SERVIC E P L A N S (57ff2da0-773e-42df-
IN C L UDED b2af-ffb7a2317929)
N A M ES)
OFFICEMOBILE_SUBS Mobile Device
CRIPTION (c63d4d19- Management for
e8cb-460e-b37c- Office 365
4d6c34603745) (882e1d05-acd1-
POWERAPPS_O365_S 4ccb-8708-
1 (e0287f9f-e222- 6ee03664b117)
4f98-9a83- Office for the web
f379e249159a) (e95bec33-7c88-
SHAREPOINTDESKLES 4a70-8e19-
S (902b47e5-dcb2- b10bd9d0c014)
4fdc-858b- Office Mobile Apps for
c63a90a2bdb9) Office 365
MCOIMP (afc06cb0- (c63d4d19-e8cb-
b4f4-4473-8286- 460e-b37c-
d644f70d8faf) 4d6c34603745)
SWAY (a23b959c- PowerApps for Office
7ce8-4e57-9140- 365 K1 (e0287f9f-
b90eb88a9e97) e222-4f98-9a83-
BPOS_S_TODO_FIRSTL f379e249159a)
INE (80873e7a-cd2a- SharePoint Online
4e67-b061- Kiosk (902b47e5-
1b5381a676a5) dcb2-4fdc-858b-
WHITEBOARD_FIRSTLI c63a90a2bdb9)
NE1 (36b29273- Skype for Business
c6d0-477a-aca6- Online (Plan 1)
6fbe24f538e3) (afc06cb0-b4f4-4473-
WIN10_ENT_LOC_F1 8286-d644f70d8faf)
(e041597c-9c7f- Sway (a23b959c-
4ed9-99b0- 7ce8-4e57-9140-
2663301576f7) b90eb88a9e97)
YAMMER_ENTERPRISE To-Do (Firstline)
(7547a3fe-08ee- (80873e7a-cd2a-
4ccb-b430- 4e67-b061-
5077c5041653) 1b5381a676a5)
Whiteboard (Firstline)
(36b29273-c6d0-
477a-aca6-
6fbe24f538e3)
Windows 10
Enterprise E3 (local
only) (e041597c-9c7f-
4ed9-99b0-
2663301576f7)
Yammer Enterprise
(7547a3fe-08ee-
4ccb-b430-
5077c5041653)
Microsoft Defender WIN_DEF_ATP 111046dd-295b- EXCHANGE_S_FOUND Exchange Foundation
Advanced Threat 4d6d-9724- ATION (113feb6c- (113feb6c-3fe4-
Protection d52ac90bd1f2 3fe4-4440-bddc- 4440-bddc-
54d774bf0318) 54d774bf0318)
WINDEFATP Microsoft Defender
(871d91ec-ec1a- Advanced Threat
452b-a83f- Protection
452b-a83f-
bd76c7d770ef)
SERVIC E P L A N S
MICROSOFT CRMPLAN2 906af65a-2970- CRMPLAN2 MICROSOFT

DYNAMICS CRM 46d5-9b58- (bf36ca64-95c6- DYNAMICS CRM
ONLINE BASIC 4e9aa50f0657 4918-9275- ONLINE
eb9f4ce2c04f) BASIC(bf36ca64-
FLOW_DYN_APPS 95c6-4918-9275-
(7e6d7d78-73de- eb9f4ce2c04f)
46ba-83b1- FLOW FOR
POWERAPPS_DYN_AP (7e6d7d78-73de-
PS (874fc546-6efe- 46ba-83b1-
4d22-90b8- 6d25117334ba)
5c4e7aa59f4b) POWERAPPS FOR
DYNAMICS 365
(874fc546-6efe-
4d22-90b8-
5c4e7aa59f4b)
MICROSOFT CRMSTANDARD d17b27af-3f49-4822- CRMSTANDARD MICROSOFT

DYNAMICS CRM 99f9-56a661538792 (f9646fb2-e3b2- DYNAMICS CRM
ONLINE 4309-95de- ONLINE
dc4833737456) PROFESSIONAL(f9646
FLOW_DYN_APPS fb2-e3b2-4309-
(7e6d7d78-73de- 95de-dc4833737456)
46ba-83b1- FLOW FOR
MDM_SALES_COLLAB (7e6d7d78-73de-
ORATION (3413916e- 46ba-83b1-
ee66-4071-be30- 6d25117334ba)
6f94d4adfeda) MICROSOFT
NBPROFESSIONALFO DYNAMICS
RCRM (3e58e97c- MARKETING SALES
9abe-ebab-cd5f- COLLABORATION -
d543d1529634) ELIGIBILITY CRITERIA
POWERAPPS_DYN_AP APPLY (3413916e-
PS (874fc546-6efe- ee66-4071-be30-
4d22-90b8- 6f94d4adfeda)
5c4e7aa59f4b) MICROSOFT SOCIAL
ENGAGEMENT
PROFESSIONAL -
ELIGIBILITY CRITERIA
APPLY (3e58e97c-
9abe-ebab-cd5f-
d543d1529634)
POWERAPPS FOR
DYNAMICS 365
(874fc546-6efe-
4d22-90b8-
5c4e7aa59f4b)
MS IMAGINE IT_ACADEMY_AD ba9a34de-4489- IT_ACADEMY_AD MS IMAGINE

ACADEMY 469d-879c- (d736def0-1fde-43f0- ACADEMY
0f0f145321cd a5be-e3f8b2de6e41) (d736def0-1fde-43f0-
a5be-e3f8b2de6e41)
Office 365 A5 for ENTERPRISEPREMIUM a4585165-0533- AAD_BASIC_EDU Azure Active Directory

faculty _FACULTY 458a-97e3- (1d0f309f-fdf9-4b2a- Basic for EDU
c400570268c4 9ae7-9c48b91f1426) (1d0f309f-fdf9-4b2a-
RMS_S_ENTERPRISE 9ae7-9c48b91f1426)
(bea4c11e-220a- Azure Rights
4e6d-8eb8- Management
SERVIC E P L A N S
8ea15d019f90)
SERVIC E P L A N S (bea4c11e-220a-
P RO DUC T N A M E ST RIN G ID GUID LOCKBOX_ENTERPRIS
IN C L UDED 4e6d-8eb8-
N A M ES)
E (9f431833-0334- 8ea15d019f90)
42de-a7dc- Customer Lockbox
70aa40db46db) (9f431833-0334-
EducationAnalyticsP1 42de-a7dc-
(a9b86446-fa4e- 70aa40db46db)
498f-a92a- Education Analytics
41b447e03337) (a9b86446-fa4e-
EXCHANGE_S_ENTERP 498f-a92a-
RISE (efb87545-963c- 41b447e03337)
69c6916d9eb0) 2) (efb87545-963c-
FLOW_O365_P3 4e0d-99df-
(07699545-9485- 69c6916d9eb0)
468e-95b6- Flow for Office 365
2fca3738be01) (07699545-9485-
INFORMATION_BARRI 468e-95b6-
ERS (c4801e8a-cb58- 2fca3738be01)
4c35-aca6- Information Barriers
f2dcc106f287) (c4801e8a-cb58-
(efb0351d-3b08- f2dcc106f287)
4503-993d- Information
383af8de41e3) Protection for Office
MIP_S_CLP1 365 - Premium
(5136a095-5cf0-4aff- (efb0351d-3b08-
bec3-e84448b38ea5) 4503-993d-
M365_ADVANCED_A 383af8de41e3)
UDITING (2f442157- Information
a11c-46b9-ae5b- Protection for Office
6e39ff4e5849) 365 - Standard
MCOMEETADV (5136a095-5cf0-4aff-
(3e26ee1f-8a5f-4d52- bec3-e84448b38ea5)
aee2-b81ce45c8f40) Microsoft 365
MCOEV (4828c8ec- Advanced Auditing
dc2e-4779-b502- (2f442157-a11c-
87ac9ce28ab7) 46b9-ae5b-
MICROSOFTBOOKIN 6e39ff4e5849)
GS (199a5c09-e0ca- Microsoft 365 Audio
4e37-8f7c- Conferencing
b05d533e1ea2) (3e26ee1f-8a5f-4d52-
COMMUNICATIONS_ aee2-b81ce45c8f40)
COMPLIANCE Microsoft 365 Phone
(41fcdd7d-4733- System (4828c8ec-
4863-9cf4- dc2e-4779-b502-
c65b83ce2df4) 87ac9ce28ab7)
COMMUNICATIONS_ Microsoft Bookings
DLP (6dc145d6- (199a5c09-e0ca-
95dd-4191-b9c3- 4e37-8f7c-
185575ee6f6b) b05d533e1ea2)
CUSTOMER_KEY Microsoft
(6db1f1db-2b46- Communications
403f-be40- Compliance
e39395f08dbb) (41fcdd7d-4733-
DATA_INVESTIGATION 4863-9cf4-
S (46129a58-a698- c65b83ce2df4)
46f0-aa5b- Microsoft
17f6586297d9) Communications DLP
OFFICE_FORMS_PLAN (6dc145d6-95dd-
_3 (96c1e14a-ef43- 4191-b9c3-
418d-b115- 185575ee6f6b)
9636cdaa8eed) Microsoft Customer
INFO_GOVERNANCE Key (6db1f1db-2b46-
(e26c2fcc-ab91-4a61- 403f-be40-
SERVIC E P L A N S
b35c-03cdc8dddf66)
SERVIC E P L A N S e39395f08dbb)
P RO DUC T N A M E ST RIN G ID GUID KAIZALA_STANDALO
IN C L UDED Microsoft
N A M ES) Data
NE (0898bdbb-73b0- Investigations
471a-81e5- (46129a58-a698-
20f1fe4dd66e) 46f0-aa5b-
EXCHANGE_ANALYTI 17f6586297d9)
CS (34c0d7a0-a70f- Microsoft Forms (Plan
4668-9238- 3) (96c1e14a-ef43-
47f9fc208882) 418d-b115-
PROJECTWORKMANA 9636cdaa8eed)
GEMENT (b737dad2- Microsoft Information
2f6c-4c65-90e3- Governance
ca563267e8b9) (e26c2fcc-ab91-4a61-
RECORDS_MANAGEM b35c-03cdc8dddf66)
ENT (65cc641f-cccd- Microsoft Kaizala
4643-97e0- (0898bdbb-73b0-
a17e3045e541) 471a-81e5-
MICROSOFT_SEARCH 20f1fe4dd66e)
(94065c59-bc8e- Microsoft MyAnalytics
4e8b-89e5- (Full) (34c0d7a0-a70f-
5138d471eaff) 4668-9238-
Deskless (8c7d2df8- 47f9fc208882)
86f0-4902-b2ed- Microsoft Planner
a0458298f3b3) (b737dad2-2f6c-
STREAM_O365_E5 4c65-90e3-
(6c6042f5-6f01- ca563267e8b9)
4d67-b8c1- Microsoft Records
eb99d36eed3e) Management
TEAMS1 (57ff2da0- (65cc641f-cccd-4643-
773e-42df-b2af- 97e0-a17e3045e541)
ffb7a2317929) Microsoft Search
INTUNE_O365 (94065c59-bc8e-
(882e1d05-acd1- 4e8b-89e5-
4ccb-8708- 5138d471eaff)
6ee03664b117) Microsoft StaffHub
EQUIVIO_ANALYTICS (8c7d2df8-86f0-
(4de31727-a228- 4902-b2ed-
4ec3-a5bf- a0458298f3b3)
8e45b5ca48cc) Microsoft Stream for
ADALLOM_S_O365 O365 E5 SKU
(8c098270-9dd4- (6c6042f5-6f01-
4350-9b30- 4d67-b8c1-
ba4703f3b36b) eb99d36eed3e)
ATP_ENTERPRISE Microsoft Teams
(f20fedf3-f3c3-43c3- (57ff2da0-773e-42df-
8267-2bfdd51c0939) b2af-ffb7a2317929)
THREAT_INTELLIGENC Mobile Device
E (8e0c0a52-6a6c- Management for
4d40-8370- Office 365
dd62790dcd70) (882e1d05-acd1-
PAM_ENTERPRISE 4ccb-8708-
(b1188c4c-1b36- 6ee03664b117)
4018-b48b- Office 365 Advanced
ee07604f6feb) eDiscovery
OFFICESUBSCRIPTIO (4de31727-a228-
N (43de0ff5-c92c- 4ec3-a5bf-
492b-9116- 8e45b5ca48cc)
175376d08c38) Office 365 Advanced
SHAREPOINTWAC_ED Security Management
U (e03c7e47-402c- (8c098270-9dd4-
463c-ab25- 4350-9b30-
949079bedb21) ba4703f3b36b)
BI_AZURE_P2 Office 365 Advanced
(70d33638-9c74- Threat Protection
4d01-bfd3- (Plan 1) (f20fedf3-
SERVIC E P L A N S
562de28bd4ba)
SERVIC E P L A N S f3c3-43c3-8267-
P RO DUC T N A M E ST RIN G ID GUID POWERAPPS_O365_P
IN C L UDED 2bfdd51c0939)
N A M ES)
3 (9c0dab89-a30c- Office 365 Advanced
4117-86e7- Threat Protection
97bda240acd2) (Plan 2) (8e0c0a52-
PREMIUM_ENCRYPTI 6a6c-4d40-8370-
ON (617b097b-4b93- dd62790dcd70)
4ede-83de- Office 365 Privileged
5f075bb5fb2f) Access Management
SCHOOL_DATA_SYNC (b1188c4c-1b36-
_P2 (500b6a2a-7a50- 4018-b48b-
4f40-b5f9- ee07604f6feb)
ISE_EDU (63038b2c- 9116-175376d08c38)
(0feaeb32-d00e- 463c-ab25-
4d66-bd5a- 949079bedb21)
43b5b83db82c) Power BI Pro
SWAY (a23b959c- (70d33638-9c74-
7ce8-4e57-9140- 4d01-bfd3-
b90eb88a9e97) 562de28bd4ba)
BPOS_S_TODO_3 PowerApps for Office
(3fb82609-8c27- 365 Plan 3
4f7b-bd51- (9c0dab89-a30c-
30634711ee67) 4117-86e7-
WHITEBOARD_PLAN3 97bda240acd2)
(4a51bca5-1eff-43f5- Premium Encryption
878c-177680f191af) in Office 365
(2078e8df-cff6-4290- 4ede-83de-
98cb-5408261a760a) 5f075bb5fb2f)
School Data Sync
(Plan 2) (500b6a2a-
7a50-4f40-b5f9-
160e5b8c2f48)
EDU (63038b2c-
28d0-45f6-bc36-
33062963b498)
Skype for Business
Online (Plan 2)
(0feaeb32-d00e-
4d66-bd5a-
43b5b83db82c)
Sway (a23b959c-
7ce8-4e57-9140-
b90eb88a9e97)
To-Do (Plan 3)
(3fb82609-8c27-
4f7b-bd51-
30634711ee67)
Whiteboard (Plan 3)
878c-177680f191af)
Yammer for Academic
(2078e8df-cff6-4290-
98cb-5408261a760a)
Office 365 A5 for ENTERPRISEPREMIUM ee656612-49fa- AAD_BASIC_EDU Azure Active Directory
students _STUDENT 43e5-b67e- (1d0f309f-fdf9-4b2a- Basic for EDU
cb1fdf7699df 9ae7-9c48b91f1426) (1d0f309f-fdf9-4b2a-
RMS_S_ENTERPRISE 9ae7-9c48b91f1426)
(bea4c11e-220a- Azure Rights
SERVIC E P L A N S
4e6d-8eb8-
SERVIC E P L A N S Management
P RO DUC T N A M E ST RIN G ID GUID 8ea15d019f90)
IN C L UDED (bea4c11e-220a-
N A M ES)
LOCKBOX_ENTERPRIS 4e6d-8eb8-
E (9f431833-0334- 8ea15d019f90)
42de-a7dc- Customer Lockbox
70aa40db46db) (9f431833-0334-
EducationAnalyticsP1 42de-a7dc-
(a9b86446-fa4e- 70aa40db46db)
498f-a92a- Education Analytics
41b447e03337) (a9b86446-fa4e-
EXCHANGE_S_ENTERP 498f-a92a-
RISE (efb87545-963c- 41b447e03337)
69c6916d9eb0) 2) (efb87545-963c-
FLOW_O365_P3 4e0d-99df-
(07699545-9485- 69c6916d9eb0)
468e-95b6- Flow for Office 365
2fca3738be01) (07699545-9485-
INFORMATION_BARRI 468e-95b6-
ERS (c4801e8a-cb58- 2fca3738be01)
4c35-aca6- Information Barriers
f2dcc106f287) (c4801e8a-cb58-
(efb0351d-3b08- f2dcc106f287)
4503-993d- Information
383af8de41e3) Protection for Office
MIP_S_CLP1 365 - Premium
(5136a095-5cf0-4aff- (efb0351d-3b08-
bec3-e84448b38ea5) 4503-993d-
M365_ADVANCED_A 383af8de41e3)
UDITING (2f442157- Information
a11c-46b9-ae5b- Protection for Office
6e39ff4e5849) 365 - Standard
MCOMEETADV (5136a095-5cf0-4aff-
(3e26ee1f-8a5f-4d52- bec3-e84448b38ea5)
aee2-b81ce45c8f40) Microsoft 365
MCOEV (4828c8ec- Advanced Auditing
dc2e-4779-b502- (2f442157-a11c-
87ac9ce28ab7) 46b9-ae5b-
MICROSOFTBOOKIN 6e39ff4e5849)
GS (199a5c09-e0ca- Microsoft 365 Audio
4e37-8f7c- Conferencing
b05d533e1ea2) (3e26ee1f-8a5f-4d52-
COMMUNICATIONS_ aee2-b81ce45c8f40)
COMPLIANCE Microsoft 365 Phone
(41fcdd7d-4733- System (4828c8ec-
4863-9cf4- dc2e-4779-b502-
c65b83ce2df4) 87ac9ce28ab7)
COMMUNICATIONS_ Microsoft Bookings
DLP (6dc145d6- (199a5c09-e0ca-
95dd-4191-b9c3- 4e37-8f7c-
185575ee6f6b) b05d533e1ea2)
CUSTOMER_KEY Microsoft
(6db1f1db-2b46- Communications
403f-be40- Compliance
e39395f08dbb) (41fcdd7d-4733-
DATA_INVESTIGATION 4863-9cf4-
S (46129a58-a698- c65b83ce2df4)
46f0-aa5b- Microsoft
17f6586297d9) Communications DLP
OFFICE_FORMS_PLAN (6dc145d6-95dd-
_3 (96c1e14a-ef43- 4191-b9c3-
418d-b115- 185575ee6f6b)
9636cdaa8eed) Microsoft Customer
INFO_GOVERNANCE Key (6db1f1db-2b46-
SERVIC E P L A N S
(e26c2fcc-ab91-4a61-
SERVIC E P L A N S 403f-be40-
P RO DUC T N A M E ST RIN G ID GUID b35c-03cdc8dddf66)
IN C L UDED e39395f08dbb)
N A M ES)
KAIZALA_STANDALO Microsoft Data
NE (0898bdbb-73b0- Investigations
471a-81e5- (46129a58-a698-
20f1fe4dd66e) 46f0-aa5b-
EXCHANGE_ANALYTI 17f6586297d9)
CS (34c0d7a0-a70f- Microsoft Forms (Plan
4668-9238- 3) (96c1e14a-ef43-
47f9fc208882) 418d-b115-
PROJECTWORKMANA 9636cdaa8eed)
GEMENT (b737dad2- Microsoft Information
2f6c-4c65-90e3- Governance
ca563267e8b9) (e26c2fcc-ab91-4a61-
RECORDS_MANAGEM b35c-03cdc8dddf66)
ENT (65cc641f-cccd- Microsoft Kaizala
4643-97e0- (0898bdbb-73b0-
a17e3045e541) 471a-81e5-
MICROSOFT_SEARCH 20f1fe4dd66e)
(94065c59-bc8e- Microsoft MyAnalytics
4e8b-89e5- (Full) (34c0d7a0-a70f-
5138d471eaff) 4668-9238-
Deskless (8c7d2df8- 47f9fc208882)
86f0-4902-b2ed- Microsoft Planner
a0458298f3b3) (b737dad2-2f6c-
STREAM_O365_E5 4c65-90e3-
(6c6042f5-6f01- ca563267e8b9)
4d67-b8c1- Microsoft Records
eb99d36eed3e) Management
TEAMS1 (57ff2da0- (65cc641f-cccd-4643-
773e-42df-b2af- 97e0-a17e3045e541)
ffb7a2317929) Microsoft Search
INTUNE_O365 (94065c59-bc8e-
(882e1d05-acd1- 4e8b-89e5-
4ccb-8708- 5138d471eaff)
6ee03664b117) Microsoft StaffHub
EQUIVIO_ANALYTICS (8c7d2df8-86f0-
(4de31727-a228- 4902-b2ed-
4ec3-a5bf- a0458298f3b3)
8e45b5ca48cc) Microsoft Stream for
ADALLOM_S_O365 O365 E5 SKU
(8c098270-9dd4- (6c6042f5-6f01-
4350-9b30- 4d67-b8c1-
ba4703f3b36b) eb99d36eed3e)
ATP_ENTERPRISE Microsoft Teams
(f20fedf3-f3c3-43c3- (57ff2da0-773e-42df-
8267-2bfdd51c0939) b2af-ffb7a2317929)
THREAT_INTELLIGENC Mobile Device
E (8e0c0a52-6a6c- Management for
4d40-8370- Office 365
dd62790dcd70) (882e1d05-acd1-
PAM_ENTERPRISE 4ccb-8708-
(b1188c4c-1b36- 6ee03664b117)
4018-b48b- Office 365 Advanced
ee07604f6feb) eDiscovery
OFFICESUBSCRIPTIO (4de31727-a228-
N (43de0ff5-c92c- 4ec3-a5bf-
492b-9116- 8e45b5ca48cc)
175376d08c38) Office 365 Advanced
SHAREPOINTWAC_ED Security Management
U (e03c7e47-402c- (8c098270-9dd4-
463c-ab25- 4350-9b30-
949079bedb21) ba4703f3b36b)
BI_AZURE_P2 Office 365 Advanced
(70d33638-9c74- Threat Protection
SERVIC E P L A N S
4d01-bfd3-
SERVIC E P L A N S (Plan 1) (f20fedf3-
P RO DUC T N A M E ST RIN G ID GUID 562de28bd4ba)
IN C L UDED f3c3-43c3-8267-
N A M ES)
POWERAPPS_O365_P 2bfdd51c0939)
3 (9c0dab89-a30c- Office 365 Advanced
4117-86e7- Threat Protection
97bda240acd2) (Plan 2) (8e0c0a52-
PREMIUM_ENCRYPTI 6a6c-4d40-8370-
ON (617b097b-4b93- dd62790dcd70)
4ede-83de- Office 365 Privileged
5f075bb5fb2f) Access Management
SCHOOL_DATA_SYNC (b1188c4c-1b36-
_P2 (500b6a2a-7a50- 4018-b48b-
4f40-b5f9- ee07604f6feb)
ISE_EDU (63038b2c- 9116-175376d08c38)
(0feaeb32-d00e- 463c-ab25-
4d66-bd5a- 949079bedb21)
43b5b83db82c) Power BI Pro
SWAY (a23b959c- (70d33638-9c74-
7ce8-4e57-9140- 4d01-bfd3-
b90eb88a9e97) 562de28bd4ba)
BPOS_S_TODO_3 PowerApps for Office
(3fb82609-8c27- 365 Plan 3
4f7b-bd51- (9c0dab89-a30c-
30634711ee67) 4117-86e7-
WHITEBOARD_PLAN3 97bda240acd2)
(4a51bca5-1eff-43f5- Premium Encryption
878c-177680f191af) in Office 365
(2078e8df-cff6-4290- 4ede-83de-
98cb-5408261a760a) 5f075bb5fb2f)
School Data Sync
(Plan 2) (500b6a2a-
7a50-4f40-b5f9-
160e5b8c2f48)
EDU (63038b2c-
28d0-45f6-bc36-
33062963b498)
Skype for Business
Online (Plan 2)
(0feaeb32-d00e-
4d66-bd5a-
43b5b83db82c)
Sway (a23b959c-
7ce8-4e57-9140-
b90eb88a9e97)
To-Do (Plan 3)
(3fb82609-8c27-
4f7b-bd51-
30634711ee67)
Whiteboard (Plan 3)
878c-177680f191af)
Yammer for Academic
(2078e8df-cff6-4290-
98cb-5408261a760a)
SERVIC E P L A N S
Office 365 Advanced EQUIVIO_ANALYTICS 1b1b1f7a-8355- LOCKBOX_ENTERPRIS Customer Lockbox

Compliance 43b6-829f- E (9f431833-0334- (9f431833-0334-
336cfccb744c 42de-a7dc- 42de-a7dc-
70aa40db46db) 70aa40db46db)
INFORMATION_BARRI Information Barriers
ERS (c4801e8a-cb58- (c4801e8a-cb58-
4c35-aca6- 4c35-aca6-
f2dcc106f287) f2dcc106f287)
MIP_S_CLP2 Information
(efb0351d-3b08- Protection for Office
4503-993d- 365 - Premium
383af8de41e3) (efb0351d-3b08-
EQUIVIO_ANALYTICS 4503-993d-
(4de31727-a228- 383af8de41e3)
4ec3-a5bf- Office 365 Advanced
8e45b5ca48cc) eDiscovery
PAM_ENTERPRISE (4de31727-a228-
(b1188c4c-1b36- 4ec3-a5bf-
4018-b48b- 8e45b5ca48cc)
ee07604f6feb) Office 365 Privileged
PREMIUM_ENCRYPTI Access Management
ON (617b097b-4b93- (b1188c4c-1b36-
4ede-83de- 4018-b48b-
5f075bb5fb2f) ee07604f6feb)
Premium Encryption
in Office 365
(617b097b-4b93-
4ede-83de-
5f075bb5fb2f)
Office 365 Advanced ATP_ENTERPRISE 4ef96642-f096-40de- ATP_ENTERPRISE Office 365 Advanced

Threat Protection a3e9-d83fb2f90211 (f20fedf3-f3c3-43c3- Threat Protection
(Plan 1) 8267-2bfdd51c0939) (Plan 1) (f20fedf3-
f3c3-43c3-8267-
2bfdd51c0939)
SERVIC E P L A N S
OFFICE 365 E1 STANDARDPACK 18181a46-0d4e- BPOS_S_TODO_1 BPOS_S_TODO_1

45cd-891e- (5e62787c-c316- (5e62787c-c316-
60aabd171b4e 451f-b873- 451f-b873-
a0458298f3b3) 86f0-4902-b2ed-
EXCHANGE_S_STAND a0458298f3b3)
ARD (9aaf7827-d63c- EXCHANGE ONLINE
4b61-89c3- (PLAN 1) (9aaf7827-
182f06f82e5c) d63c-4b61-89c3-
FLOW_O365_P1 182f06f82e5c)
9129-43f4996f83f4) 365 (0f9b09cb-62d1-
(159f4cd6-e380- 43f4996f83f4)
af1a9ef76344) (PLAN E1) (159f4cd6-
OFFICEMOBILE_SUBS (0feaeb32-d00e-
CRIPTION (c63d4d19- 4d66-bd5a-
e8cb-460e-b37c- 43b5b83db82c)
4d6c34603745) OFFICEMOBILE_SUBS
POWERAPPS_O365_P CRIPTION (c63d4d19-
1 (92f7a6f3-b89b- e8cb-460e-b37c-
4bbd-8c30- 4d6c34603745)
2f6c-4c65-90e3- 4bbd-8c30-
ca563267e8b9) 809e6da5ad1c)
44de-8edf- 2f6c-4c65-90e3-
1736da088ca1) ca563267e8b9)
(e95bec33-7c88- RD (c7699d2e-19aa-
4a70-8e19- 44de-8edf-
b10bd9d0c014) 1736da088ca1)
STREAM_O365_E1 OFFICE ONLINE
(743dd19e-1ce3- (e95bec33-7c88-
4c62-a3ad- 4a70-8e19-
49ba8f63a2f6) b10bd9d0c014)
SWAY (a23b959c- MICROSOFT STREAM
7ce8-4e57-9140- FOR O365 E1 SKU
b90eb88a9e97) (743dd19e-1ce3-
TEAMS1 (57ff2da0- 4c62-a3ad-
773e-42df-b2af- 49ba8f63a2f6)
ffb7a2317929) SWAY (a23b959c-
YAMMER_ENTERPRISE 7ce8-4e57-9140-
(7547a3fe-08ee- b90eb88a9e97)
4ccb-b430- TEAMS1 (57ff2da0-
5077c5041653)) 773e-42df-b2af-
ffb7a2317929)
YAMMER_ENTERPRISE
(7547a3fe-08ee-
4ccb-b430-
5077c5041653))
5077c5041653))
SERVIC E P L A N S
OFFICE 365 E2 STANDARDWOFFPAC 6634e0ce-1a9f-428c- SERVIC E PLANS
BPOS_S_TODO_1(5e6 IN C L UDED ( F RIEN DLY
BPOS_S_TODO_1
K a498-f84ec7b8aa2e 2787c-c316-451f- (5e62787c-c316-
b873-1d05acd4d12c) 451f-b873-
Deskless (8c7d2df8- 1d05acd4d12c)
86f0-4902-b2ed- MICROSOFT
a0458298f3b3) STAFFHUB (8c7d2df8-
EXCHANGE_S_STAND 86f0-4902-b2ed-
ARD (9aaf7827-d63c- a0458298f3b3)
4b61-89c3- EXCHANGE ONLINE
182f06f82e5c) (PLAN 1) (9aaf7827-
FLOW_O365_P1 d63c-4b61-89c3-
(0f9b09cb-62d1-4ff4- 182f06f82e5c)
9129-43f4996f83f4) FLOW FOR OFFICE
FORMS_PLAN_E1 365 (0f9b09cb-62d1-
(159f4cd6-e380- 4ff4-9129-
449f-a816- 43f4996f83f4)
af1a9ef76344) MICROSOFT FORMS
MCOSTANDARD (PLAN E1) (159f4cd6-
(0feaeb32-d00e- e380-449f-a816-
4d66-bd5a- af1a9ef76344)
43b5b83db82c) SKYPE FOR BUSINESS
POWERAPPS_O365_P ONLINE (PLAN 2)
1 (92f7a6f3-b89b- (0feaeb32-d00e-
4bbd-8c30- 4d66-bd5a-
809e6da5ad1c) 43b5b83db82c)
PROJECTWORKMANA POWERAPPS FOR
GEMENT (b737dad2- OFFICE 365
2f6c-4c65-90e3- (92f7a6f3-b89b-
ca563267e8b9) 4bbd-8c30-
SHAREPOINTSTANDA 809e6da5ad1c)
RD (c7699d2e-19aa- MICROSOFT
44de-8edf- PLANNER(b737dad2-
1736da088ca1) 2f6c-4c65-90e3-
SHAREPOINTWAC ca563267e8b9)
(e95bec33-7c88- SHAREPOINTSTANDA
4a70-8e19- RD (c7699d2e-19aa-
b10bd9d0c014) 44de-8edf-
STREAM_O365_E1 1736da088ca1)
(743dd19e-1ce3- OFFICE ONLINE
4c62-a3ad- (e95bec33-7c88-
49ba8f63a2f6) 4a70-8e19-
SWAY (a23b959c- b10bd9d0c014)
7ce8-4e57-9140- MICROSOFT STREAM
b90eb88a9e97) FOR O365 E1 SKU
TEAMS1 (57ff2da0- (743dd19e-1ce3-
773e-42df-b2af- 4c62-a3ad-
ffb7a2317929) 49ba8f63a2f6)
YAMMER_ENTERPRISE SWAY (a23b959c-
(7547a3fe-08ee- 7ce8-4e57-9140-
4ccb-b430- b90eb88a9e97)
5077c5041653) TEAMS1 (57ff2da0-
773e-42df-b2af-
ffb7a2317929)
YAMMER_ENTERPRISE
(7547a3fe-08ee-
4ccb-b430-
5077c5041653)
OFFICE 365 E3 ENTERPRISEPACK 6fd2c87f-b296-42f0- BPOS_S_TODO_2 BPOS_S_TODO_2

b197-1e91e994b900 (c87f142c-d1e9- (c87f142c-d1e9-
4363-8630- 4363-8630-
aaea9c4d9ae5) aaea9c4d9ae5)
SERVIC E P L A N S
a0458298f3b3)
SERVIC E P L A N S 86f0-4902-b2ed-
P RO DUC T N A M E ST RIN G ID GUID EXCHANGE_S_ENTERP
IN C L UDED a0458298f3b3)
N A M ES)
RISE (efb87545-963c- EXCHANGE ONLINE
4e0d-99df- (PLAN 2)(efb87545-
69c6916d9eb0) 963c-4e0d-99df-
FLOW_O365_P2 69c6916d9eb0)
(76846ad7-7776- FLOW FOR OFFICE
4c40-a281- 365 (76846ad7-
a386362dd1b9) 7776-4c40-a281-
FORMS_PLAN_E3 a386362dd1b9)
(2789c901-c14e- MICROSOFT FORMS
48ab-a76a- (PLAN E3)
be334d9d793a) (2789c901-c14e-
(0feaeb32-d00e- be334d9d793a)
N (43de0ff5-c92c- 4d66-bd5a-
492b-9116- 43b5b83db82c)
175376d08c38) OFFICESUBSCRIPTIO
POWERAPPS_O365_P N (43de0ff5-c92c-
2 (c68f8d98-5534- 492b-9116-
41c8-bf36- 175376d08c38)
22fa496fa792) POWERAPPS FOR
PROJECTWORKMANA OFFICE
GEMENT (b737dad2- 365(c68f8d98-5534-
2f6c-4c65-90e3- 41c8-bf36-
ca563267e8b9) 22fa496fa792)
RMS_S_ENTERPRISE MICROSOFT
(bea4c11e-220a- PLANNER(b737dad2-
4e6d-8eb8- 2f6c-4c65-90e3-
8ea15d019f90) ca563267e8b9)
SHAREPOINTENTERPR MICROSOFT AZURE
ISE (5dbe027f-2339- ACTIVE DIRECTORY
4123-9542- RIGHTS (bea4c11e-
606e4d348a72) 220a-4e6d-8eb8-
SHAREPOINTWAC 8ea15d019f90)
(e95bec33-7c88- SHAREPOINT ONLINE
4a70-8e19- (PLAN 2) (5dbe027f-
b10bd9d0c014) 2339-4123-9542-
STREAM_O365_E3 606e4d348a72)
(9e700747-8b1d- OFFICE ONLINE
45e5-ab8d- (e95bec33-7c88-
ef187ceec156) 4a70-8e19-
7ce8-4e57-9140- MICROSOFT STREAM
b90eb88a9e97) FOR O365 E3 SKU
TEAMS1 (57ff2da0- (9e700747-8b1d-
773e-42df-b2af- 45e5-ab8d-
ffb7a2317929) ef187ceec156)
(7547a3fe-08ee- 7ce8-4e57-9140-
4ccb-b430- b90eb88a9e97)
5077c5041653) TEAMS1 (57ff2da0-
773e-42df-b2af-
ffb7a2317929)
YAMMER_ENTERPRISE
(7547a3fe-08ee-
4ccb-b430-
5077c5041653)
SERVIC E P L A N S
OFFICE 365 E3 DEVELOPERPACK 189a915c-fe4f-4ffa- BPOS_S_TODO_3 BPOS_S_TODO_3

DEVELOPER bde4-85b9628d07a0 (3fb82609-8c27- (3fb82609-8c27-
4f7b-bd51- 4f7b-bd51-
30634711ee67) 30634711ee67)
EXCHANGE_S_ENTERP EXCHANGE ONLINE
RISE (efb87545-963c- (PLAN 2)(efb87545-
4e0d-99df- 963c-4e0d-99df-
69c6916d9eb0) 69c6916d9eb0)
(76846ad7-7776- 365 (76846ad7-
4c40-a281- 7776-4c40-a281-
a386362dd1b9) a386362dd1b9)
FORMS_PLAN_E5 MICROSOFT FORMS
(e212cbc7-0961- (PLAN E5)(e212cbc7-
4c40-9825- 0961-4c40-9825-
01117710dcb1) 01117710dcb1)
MCOSTANDARD SKYPE FOR BUSINESS
(0feaeb32-d00e- ONLINE (PLAN 2)
4d66-bd5a- (0feaeb32-d00e-
43b5b83db82c) 4d66-bd5a-
OFFICESUBSCRIPTIO 43b5b83db82c)
N (43de0ff5-c92c- OFFICESUBSCRIPTIO
492b-9116- N (43de0ff5-c92c-
175376d08c38) 492b-9116-
POWERAPPS_O365_P 175376d08c38)
2 (c68f8d98-5534- POWERAPPS FOR
41c8-bf36- OFFICE
22fa496fa792) 365(c68f8d98-5534-
PROJECTWORKMANA 41c8-bf36-
GEMENT (b737dad2- 22fa496fa792)
2f6c-4c65-90e3- MICROSOFT
ca563267e8b9) PLANNER(b737dad2-
SHAREPOINT_S_DEVE 2f6c-4c65-90e3-
LOPER (a361d6e2- ca563267e8b9)
509e-4e25-a8ad- SHAREPOINT_S_DEVE
950060064ef4) LOPER (a361d6e2-
SHAREPOINTWAC_DE 509e-4e25-a8ad-
VELOPER (527f7cdd- 950060064ef4)
0e86-4c47-b879- OFFICE ONLINE FOR
f5fd357a3ac6) DEVELOPER
STREAM_O365_E5 (527f7cdd-0e86-
(6c6042f5-6f01- 4c47-b879-
4d67-b8c1- f5fd357a3ac6)
eb99d36eed3e) MICROSOFT STREAM
SWAY (a23b959c- FOR O365 E5 SKU
7ce8-4e57-9140- (6c6042f5-6f01-
b90eb88a9e97) 4d67-b8c1-
TEAMS1 (57ff2da0- eb99d36eed3e)
ffb7a2317929) 7ce8-4e57-9140-
b90eb88a9e97)
TEAMS1 (57ff2da0-
773e-42df-b2af-
ffb7a2317929)
SERVIC E P L A N S
Office 365 ENTERPRISEPACK_US b107e5a3-3e60- EXCHANGE_S_ENTERP Exchange Online (Plan

E3_USGOV_DOD GOV_DOD 4c0d-a184- RISE (efb87545-963c- 2) (efb87545-963c-
a7e4395eb44c 4e0d-99df- 4e0d-99df-
69c6916d9eb0) 69c6916d9eb0)
RMS_S_ENTERPRISE Microsoft Azure
(bea4c11e-220a- Active Directory
4e6d-8eb8- Rights (bea4c11e-
8ea15d019f90) 220a-4e6d-8eb8-
STREAM_O365_E3 8ea15d019f90)
(9e700747-8b1d- Microsoft Stream for
45e5-ab8d- O365 E3 SKU
ef187ceec156) (9e700747-8b1d-
TEAMS_AR_DOD 45e5-ab8d-
(fd500458-c24c- ef187ceec156)
478e-856c- Microsoft Teams for
a6067a8376cd) DOD (AR) (fd500458-
OFFICESUBSCRIPTIO c24c-478e-856c-
N (43de0ff5-c92c- a6067a8376cd)
492b-9116- Office 365 ProPlus
175376d08c38) (43de0ff5-c92c-492b-
SHAREPOINTWAC 9116-175376d08c38)
(e95bec33-7c88- Office Online
4a70-8e19- (e95bec33-7c88-
b10bd9d0c014) 4a70-8e19-
SHAREPOINTENTERPR b10bd9d0c014)
ISE (5dbe027f-2339- SharePoint Online
4123-9542- (Plan 2) (5dbe027f-
606e4d348a72) 2339-4123-9542-
MCOSTANDARD 606e4d348a72)
(0feaeb32-d00e- Skype for Business
4d66-bd5a- Online (Plan 2)
4d66-bd5a-
43b5b83db82c)
SERVIC E P L A N S
Office 365 ENTERPRISEPACK_US aea38a85-9bd5- EXCHANGE_S_ENTERP Exchange Online (Plan

E3_USGOV_GCCHIGH GOV_GCCHIGH 4981-aa00- RISE (efb87545-963c- 2) (efb87545-963c-
616b411205bf 4e0d-99df- 4e0d-99df-
69c6916d9eb0) 69c6916d9eb0)
RMS_S_ENTERPRISE Microsoft Azure
(bea4c11e-220a- Active Directory
4e6d-8eb8- Rights (bea4c11e-
8ea15d019f90) 220a-4e6d-8eb8-
PROJECTWORKMANA 8ea15d019f90)
GEMENT (b737dad2- Microsoft Planner
2f6c-4c65-90e3- (b737dad2-2f6c-
ca563267e8b9) 4c65-90e3-
STREAM_O365_E3 ca563267e8b9)
(9e700747-8b1d- Microsoft Stream for
45e5-ab8d- O365 E3 SKU
ef187ceec156) (9e700747-8b1d-
TEAMS_AR_GCCHIGH 45e5-ab8d-
(9953b155-8aef- ef187ceec156)
4c56-92f3- Microsoft Teams for
72b0487fce41) GCCHigh (AR)
OFFICESUBSCRIPTIO (9953b155-8aef-
N (43de0ff5-c92c- 4c56-92f3-
492b-9116- 72b0487fce41)
175376d08c38) Office 365 ProPlus
SHAREPOINTWAC (43de0ff5-c92c-492b-
(e95bec33-7c88- 9116-175376d08c38)
4a70-8e19- Office Online
b10bd9d0c014) (e95bec33-7c88-
SHAREPOINTENTERPR 4a70-8e19-
ISE (5dbe027f-2339- b10bd9d0c014)
4123-9542- SharePoint Online
606e4d348a72) (Plan 2) (5dbe027f-
MCOSTANDARD 2339-4123-9542-
(0feaeb32-d00e- 606e4d348a72)
4d66-bd5a- Skype for Business
43b5b83db82c) Online (Plan 2)
(0feaeb32-d00e-
4d66-bd5a-
43b5b83db82c)
OFFICE 365 E4 ENTERPRISEWITHSCA 1392051d-0cb9- BPOS_S_TODO_2 BPOS_S_TODO_2

L 4b7a-88d5- (c87f142c-d1e9- (c87f142c-d1e9-
621fee5e8711 4363-8630- 4363-8630-
aaea9c4d9ae5) aaea9c4d9ae5)
a0458298f3b3) 86f0-4902-b2ed-
EXCHANGE_S_ENTERP a0458298f3b3)
RISE (efb87545-963c- EXCHANGE ONLINE
4e0d-99df- (PLAN 2)(efb87545-
69c6916d9eb0) 963c-4e0d-99df-
FLOW_O365_P2 69c6916d9eb0)
(76846ad7-7776- FLOW FOR OFFICE
4c40-a281- 365 (76846ad7-
a386362dd1b9) 7776-4c40-a281-
FORMS_PLAN_E3 a386362dd1b9)
(2789c901-c14e- MICROSOFT FORMS
48ab-a76a- (PLAN E3)
be334d9d793a) (2789c901-c14e-
(0feaeb32-d00e- be334d9d793a)
SERVIC E P L A N S
4d66-bd5a-
SERVIC E P L A N S SKYPE FOR( BUSINESS
IN C L UDED F RIEN DLY
P RO DUC T N A M E ST RIN G ID GUID 43b5b83db82c)
IN C L UDED ONLINE
N A M ES) (PLAN 2)
MCOVOICECONF (0feaeb32-d00e-
(27216c54-caf8- 4d66-bd5a-
4d0d-97e2- 43b5b83db82c)
517afb5c08f6) SKYPE FOR BUSINESS
OFFICESUBSCRIPTIO ONLINE (PLAN 3)
N (43de0ff5-c92c- (27216c54-caf8-
492b-9116- 4d0d-97e2-
175376d08c38) 517afb5c08f6)
POWERAPPS_O365_P OFFICESUBSCRIPTIO
2 (c68f8d98-5534- N (43de0ff5-c92c-
41c8-bf36- 492b-9116-
22fa496fa792) 175376d08c38)
PROJECTWORKMANA POWERAPPS FOR
GEMENT (b737dad2- OFFICE
2f6c-4c65-90e3- 365(c68f8d98-5534-
ca563267e8b9) 41c8-bf36-
RMS_S_ENTERPRISE 22fa496fa792)
(bea4c11e-220a- MICROSOFT
4e6d-8eb8- PLANNER(b737dad2-
8ea15d019f90) 2f6c-4c65-90e3-
SHAREPOINTENTERPR ca563267e8b9)
ISE (5dbe027f-2339- MICROSOFT AZURE
4123-9542- ACTIVE DIRECTORY
606e4d348a72) RIGHTS (bea4c11e-
SHAREPOINTWAC 220a-4e6d-8eb8-
(e95bec33-7c88- 8ea15d019f90)
b10bd9d0c014) (PLAN 2) (5dbe027f-
STREAM_O365_E3 2339-4123-9542-
(9e700747-8b1d- 606e4d348a72)
45e5-ab8d- OFFICE ONLINE
ef187ceec156) (e95bec33-7c88-
SWAY (a23b959c- 4a70-8e19-
7ce8-4e57-9140- b10bd9d0c014)
b90eb88a9e97) MICROSOFT STREAM
TEAMS1 (57ff2da0- FOR O365 E3 SKU
773e-42df-b2af- (9e700747-8b1d-
ffb7a2317929) 45e5-ab8d-
YAMMER_ENTERPRISE ef187ceec156)
(7547a3fe-08ee- SWAY (a23b959c-
4ccb-b430- 7ce8-4e57-9140-
5077c5041653) b90eb88a9e97)
TEAMS1 (57ff2da0-
773e-42df-b2af-
ffb7a2317929)
YAMMER_ENTERPRISE
(7547a3fe-08ee-
4ccb-b430-
5077c5041653)
OFFICE 365 E5 ENTERPRISEPREMIUM c7df2760-2c81-4ef7- ADALLOM_S_O365 OFFICE 365 CLOUD

b578-5b5392b571df (8c098270-9dd4- APP SECURITY
4350-9b30- (8c098270-9dd4-
ba4703f3b36b) 4350-9b30-
(70d33638-9c74- POWER BI PRO
4d01-bfd3- (70d33638-9c74-
562de28bd4ba) 4d01-bfd3-
BPOS_S_TODO_3 562de28bd4ba)
(3fb82609-8c27- BPOS_S_TODO_3
4f7b-bd51- (3fb82609-8c27-
30634711ee67) 4f7b-bd51-
Deskless (8c7d2df8- 30634711ee67)
SERVIC E P L A N S
86f0-4902-b2ed-
SERVIC E P L A N S MICROSOFT
P RO DUC T N A M E ST RIN G ID GUID a0458298f3b3)
IN C L UDED STAFFHUB
N A M ES) (8c7d2df8-
EQUIVIO_ANALYTICS 86f0-4902-b2ed-
(4de31727-a228- a0458298f3b3)
4ec3-a5bf- OFFICE 365
8e45b5ca48cc) ADVANCED
EXCHANGE_ANALYTI EDISCOVERY
CS (34c0d7a0-a70f- (4de31727-a228-
4668-9238- 4ec3-a5bf-
47f9fc208882) 8e45b5ca48cc)
EXCHANGE_S_ENTERP EXCHANGE_ANALYTI
RISE (efb87545-963c- CS (34c0d7a0-a70f-
4e0d-99df- 4668-9238-
69c6916d9eb0) 47f9fc208882)
(07699545-9485- (PLAN 2)(efb87545-
468e-95b6- 963c-4e0d-99df-
2fca3738be01) 69c6916d9eb0)
(e212cbc7-0961- 365 (07699545-
4c40-9825- 9485-468e-95b6-
01117710dcb1) 2fca3738be01)
LOCKBOX_ENTERPRIS MICROSOFT FORMS
E (9f431833-0334- (PLAN E5)(e212cbc7-
42de-a7dc- 0961-4c40-9825-
70aa40db46db) 01117710dcb1)
MCOEV (4828c8ec- LOCKBOX_ENTERPRIS
dc2e-4779-b502- E (9f431833-0334-
87ac9ce28ab7) 42de-a7dc-
MCOMEETADV 70aa40db46db)
(3e26ee1f-8a5f-4d52- PHONE SYSTEM
aee2-b81ce45c8f40) (4828c8ec-dc2e-
MCOSTANDARD 4779-b502-
(0feaeb32-d00e- 87ac9ce28ab7)
4d66-bd5a- AUDIO
43b5b83db82c) CONFERENCING
MICROSOFTBOOKIN (3e26ee1f-8a5f-4d52-
GS (199a5c09-e0ca- aee2-b81ce45c8f40)
4e37-8f7c- SKYPE FOR BUSINESS
b05d533e1ea2) ONLINE (PLAN 2)
N (43de0ff5-c92c- 4d66-bd5a-
492b-9116- 43b5b83db82c)
175376d08c38) MICROSOFTBOOKIN
POWERAPPS_O365_P GS (199a5c09-e0ca-
3 (9c0dab89-a30c- 4e37-8f7c-
4117-86e7- b05d533e1ea2)
97bda240acd2) OFFICESUBSCRIPTIO
PROJECTWORKMANA N (43de0ff5-c92c-
GEMENT (b737dad2- 492b-9116-
2f6c-4c65-90e3- 175376d08c38)
ca563267e8b9) POWERAPPS FOR
RMS_S_ENTERPRISE OFFICE 365
(bea4c11e-220a- (9c0dab89-a30c-
4e6d-8eb8- 4117-86e7-
8ea15d019f90) 97bda240acd2)
SHAREPOINTENTERPR MICROSOFT
ISE (5dbe027f-2339- PLANNER(b737dad2-
4123-9542- 2f6c-4c65-90e3-
606e4d348a72) ca563267e8b9)
SHAREPOINTWAC MICROSOFT AZURE
(e95bec33-7c88- ACTIVE DIRECTORY
4a70-8e19- RIGHTS (bea4c11e-
b10bd9d0c014) 220a-4e6d-8eb8-
STREAM_O365_E5 8ea15d019f90)
SERVIC E P L A N S
(6c6042f5-6f01-
SERVIC E P L A N S SHAREPOINT ONLINE
P RO DUC T N A M E ST RIN G ID GUID 4d67-b8c1-
IN C L UDED (PLAN
N A M ES)2) (5dbe027f-
eb99d36eed3e) 2339-4123-9542-
SWAY (a23b959c- 606e4d348a72)
7ce8-4e57-9140- OFFICE ONLINE
b90eb88a9e97) (e95bec33-7c88-
TEAMS1 (57ff2da0- 4a70-8e19-
773e-42df-b2af- b10bd9d0c014)
ffb7a2317929) MICROSOFT STREAM
THREAT_INTELLIGENC FOR O365 E5 SKU
E (8e0c0a52-6a6c- (6c6042f5-6f01-
4d40-8370- 4d67-b8c1-
dd62790dcd70) eb99d36eed3e)
(7547a3fe-08ee- 7ce8-4e57-9140-
4ccb-b430- b90eb88a9e97)
5077c5041653) TEAMS1 (57ff2da0-
773e-42df-b2af-
ffb7a2317929)
OFFICE 365
ADVANCED THREAT
PROTECTION (PLAN
2) (8e0c0a52-6a6c-
4d40-8370-
dd62790dcd70)
YAMMER_ENTERPRISE
(7547a3fe-08ee-
4ccb-b430-
5077c5041653)
OFFICE 365 E5 ENTERPRISEPREMIUM 26d45bd9-adf1- ADALLOM_S_O365 OFFICE 365 CLOUD
WITHOUT AUDIO _NOPSTNCONF 46cd-a9e1- (8c098270-9dd4- APP SECURITY
CONFERENCING 51e9a5524128 4350-9b30- (8c098270-9dd4-
ba4703f3b36b) 4350-9b30-
(70d33638-9c74- POWER BI PRO
4d01-bfd3- (70d33638-9c74-
562de28bd4ba) 4d01-bfd3-
BPOS_S_TODO_3 562de28bd4ba)
(3fb82609-8c27- BPOS_S_TODO_3
4f7b-bd51- (3fb82609-8c27-
30634711ee67) 4f7b-bd51-
Deskless (8c7d2df8- 30634711ee67)
86f0-4902-b2ed- MICROSOFT
a0458298f3b3) STAFFHUB (8c7d2df8-
EQUIVIO_ANALYTICS 86f0-4902-b2ed-
(4de31727-a228- a0458298f3b3)
4ec3-a5bf- OFFICE 365
8e45b5ca48cc) ADVANCED
EXCHANGE_ANALYTI EDISCOVERY
CS (34c0d7a0-a70f- (4de31727-a228-
4668-9238- 4ec3-a5bf-
47f9fc208882) 8e45b5ca48cc)
EXCHANGE_S_ENTERP EXCHANGE_ANALYTI
RISE (efb87545-963c- CS (34c0d7a0-a70f-
4e0d-99df- 4668-9238-
69c6916d9eb0) 47f9fc208882)
(07699545-9485- (PLAN 2)(efb87545-
468e-95b6- 963c-4e0d-99df-
2fca3738be01) 69c6916d9eb0)
(e212cbc7-0961- 365 (07699545-
4c40-9825- 9485-468e-95b6-
01117710dcb1) 2fca3738be01)
SERVIC E P L A N S
LOCKBOX_ENTERPRIS
SERVIC E P L A N S MICROSOFT FORMS
P RO DUC T N A M E ST RIN G ID GUID E (9f431833-0334-
IN C L UDED (PLAN
N A M ES)E5)(e212cbc7-
42de-a7dc- 0961-4c40-9825-
70aa40db46db) 01117710dcb1)
MCOEV (4828c8ec- LOCKBOX_ENTERPRIS
dc2e-4779-b502- E (9f431833-0334-
87ac9ce28ab7) 42de-a7dc-
MCOSTANDARD 70aa40db46db)
(0feaeb32-d00e- PHONE SYSTEM
4d66-bd5a- (4828c8ec-dc2e-
43b5b83db82c) 4779-b502-
OFFICESUBSCRIPTIO 87ac9ce28ab7)
N (43de0ff5-c92c- SKYPE FOR BUSINESS
492b-9116- ONLINE (PLAN 2)
175376d08c38) (0feaeb32-d00e-
POWERAPPS_O365_P 4d66-bd5a-
3 (9c0dab89-a30c- 43b5b83db82c)
4117-86e7- OFFICESUBSCRIPTIO
97bda240acd2) N (43de0ff5-c92c-
PROJECTWORKMANA 492b-9116-
GEMENT (b737dad2- 175376d08c38)
2f6c-4c65-90e3- POWERAPPS FOR
ca563267e8b9) OFFICE 365
RMS_S_ENTERPRISE (9c0dab89-a30c-
(bea4c11e-220a- 4117-86e7-
4e6d-8eb8- 97bda240acd2)
8ea15d019f90) MICROSOFT
SHAREPOINTENTERPR PLANNER(b737dad2-
ISE (5dbe027f-2339- 2f6c-4c65-90e3-
4123-9542- ca563267e8b9)
606e4d348a72) MICROSOFT AZURE
SHAREPOINTWAC ACTIVE DIRECTORY
(e95bec33-7c88- RIGHTS (bea4c11e-
4a70-8e19- 220a-4e6d-8eb8-
b10bd9d0c014) 8ea15d019f90)
STREAM_O365_E5 SHAREPOINT ONLINE
(6c6042f5-6f01- (PLAN 2) (5dbe027f-
4d67-b8c1- 2339-4123-9542-
eb99d36eed3e) 606e4d348a72)
7ce8-4e57-9140- (e95bec33-7c88-
b90eb88a9e97) 4a70-8e19-
773e-42df-b2af- MICROSOFT STREAM
ffb7a2317929) FOR O365 E5 SKU
THREAT_INTELLIGENC (6c6042f5-6f01-
E (8e0c0a52-6a6c- 4d67-b8c1-
4d40-8370- eb99d36eed3e)
dd62790dcd70) SWAY (a23b959c-
(7547a3fe-08ee- b90eb88a9e97)
5077c5041653) 773e-42df-b2af-
ffb7a2317929)
OFFICE 365
ADVANCED THREAT
PROTECTION (PLAN
2) (8e0c0a52-6a6c-
4d40-8370-
dd62790dcd70)
YAMMER_ENTERPRISE
(7547a3fe-08ee-
4ccb-b430-
5077c5041653)
SERVIC E P L A N S
OFFICE 365 F1 DESKLESSPACK 4b585984-651b- BPOS_S_TODO_FIRSTL BPOS_S_TODO_FIRSTL

448a-9e53- INE (80873e7a-cd2a- INE (80873e7a-cd2a-
3b10f069cf7f 4e67-b061- 4e67-b061-
1b5381a676a5) 1b5381a676a5)
a0458298f3b3) 86f0-4902-b2ed-
EXCHANGE_S_DESKLE a0458298f3b3)
SS (4a82b400-a79f- EXCHANGE ONLINE
41a4-b4e2- KIOSK (4a82b400-
e94f5787b113) a79f-41a4-b4e2-
FLOW_O365_S1 e94f5787b113)
(bd91b1a4-9f94-4ecf- FLOW FOR OFFICE
b45b-3a65e5c8128a) 365 K1 (bd91b1a4-
FORMS_PLAN_K 9f94-4ecf-b45b-
(f07046bd-2a3c- 3a65e5c8128a)
4b96-b0be- MICROSOFT FORMS
dea79d7cbfb8) (PLAN K) (f07046bd-
MCOIMP (afc06cb0- 2a3c-4b96-b0be-
b4f4-4473-8286- dea79d7cbfb8)
d644f70d8faf) SKYPE FOR BUSINESS
OFFICEMOBILE_SUBS ONLINE (PLAN 1)
CRIPTION (c63d4d19- (afc06cb0-b4f4-4473-
e8cb-460e-b37c- 8286-d644f70d8faf)
4d6c34603745) OFFICE MOBILE APPS
POWERAPPS_O365_S FOR OFFICE 365
1 (e0287f9f-e222- (c63d4d19-e8cb-
4f98-9a83- 460e-b37c-
f379e249159a) 4d6c34603745)
SHAREPOINTDESKLES POWERAPPS FOR
S (902b47e5-dcb2- OFFICE 365 K1
4fdc-858b- (e0287f9f-e222-4f98-
c63a90a2bdb9) 9a83-f379e249159a)
SHAREPOINTWAC SHAREPOINT ONLINE
(e95bec33-7c88- KIOSK (902b47e5-
4a70-8e19- dcb2-4fdc-858b-
b10bd9d0c014) c63a90a2bdb9)
STREAM_O365_K OFFICE ONLINE
(3ffba0d2-38e5- (e95bec33-7c88-
4d5e-8ec0- 4a70-8e19-
98f2b05c09d9) b10bd9d0c014)
SWAY (a23b959c- MICROSOFT STREAM
7ce8-4e57-9140- FOR O365 K SKU
b90eb88a9e97) (3ffba0d2-38e5-
TEAMS1 (57ff2da0- 4d5e-8ec0-
773e-42df-b2af- 98f2b05c09d9)
ffb7a2317929) SWAY (a23b959c-
(7547a3fe-08ee- b90eb88a9e97)
5077c5041653) 773e-42df-b2af-
ffb7a2317929)
YAMMER_ENTERPRISE
(7547a3fe-08ee-
4ccb-b430-
5077c5041653)
SERVIC E P L A N S
OFFICE 365 MIDSIZE MIDSIZEPACK 04a7fb0d-32e0- EXCHANGE_S_STAND EXCHANGE ONLINE

BUSINESS 4241-b4f5- ARD_MIDMARKET PLAN 1(fc52cc4b-
3f7618cd1162 (fc52cc4b-ed7d- ed7d-472d-bbe7-
472d-bbe7- b081c23ecc56)
b081c23ecc56) SKYPE FOR BUSINESS
MCOSTANDARD_MID ONLINE (PLAN 2)
MARKET (b2669e95- FOR
76ef-4e7e-a367- MIDSIZE(b2669e95-
002f60a39f3e) 76ef-4e7e-a367-
OFFICESUBSCRIPTIO 002f60a39f3e)
N (43de0ff5-c92c- OFFICESUBSCRIPTIO
492b-9116- N (43de0ff5-c92c-
175376d08c38) 492b-9116-
SHAREPOINTENTERPR 175376d08c38)
ISE_MIDMARKET SHAREPOINTENTERPR
(6b5b6a67-fc72-4a1f- ISE_MIDMARKET
a2b5-beecf05de761) (6b5b6a67-fc72-4a1f-
SHAREPOINTWAC a2b5-beecf05de761)
(e95bec33-7c88- OFFICE ONLINE
4a70-8e19- (e95bec33-7c88-
b10bd9d0c014) 4a70-8e19-
7ce8-4e57-9140- SWAY (a23b959c-
b90eb88a9e97) 7ce8-4e57-9140-
YAMMER_MIDSIZE b90eb88a9e97)
(41bf139a-4e60- YAMMER_MIDSIZE
409f-9346- (41bf139a-4e60-
a1361efc6dfb) 409f-9346-
a1361efc6dfb)
OFFICE 365 SMALL LITEPACK bd09678e-b83c- EXCHANGE_L_STAND EXCHANGE ONLINE

BUSINESS 4d3f-aaba- ARD (d42bdbd6- (P1)(d42bdbd6-c335-
3dad4abd128b c335-4231-ab3d- 4231-ab3d-
c8f348d5aff5) c8f348d5aff5)
MCOLITE (70710b6b- SKYPE FOR BUSINESS
3ab4-4a38-9f6d- ONLINE (PLAN P1)
9f169461650a) (70710b6b-3ab4-
SHAREPOINTLITE 4a38-9f6d-
(a1f3d0a8-84c0- 9f169461650a)
4ae0-bae4- SHAREPOINTLITE
685917b8ab48) (a1f3d0a8-84c0-
SWAY (a23b959c- 4ae0-bae4-
7ce8-4e57-9140- 685917b8ab48)
b90eb88a9e97) SWAY (a23b959c-
7ce8-4e57-9140-
b90eb88a9e97)
SERVIC E P L A N S
OFFICE 365 SMALL LITEPACK_P2 fc14ec4a-4169-49a4- EXCHANGE_L_STAND EXCHANGE ONLINE

BUSINESS PREMIUM a51e-2c852931814b ARD (d42bdbd6- (P1)(d42bdbd6-c335-
c335-4231-ab3d- 4231-ab3d-
c8f348d5aff5) c8f348d5aff5)
MCOLITE (70710b6b- SKYPE FOR BUSINESS
3ab4-4a38-9f6d- ONLINE (PLAN P1)
9f169461650a) (70710b6b-3ab4-
OFFICE_PRO_PLUS_S 4a38-9f6d-
UBSCRIPTION_SMBIZ 9f169461650a)
(8ca59559-e2ca- OFFICE_PRO_PLUS_S
470b-b7dd- UBSCRIPTION_SMBIZ
afd8c0dee963) (8ca59559-e2ca-
SHAREPOINTLITE 470b-b7dd-
(a1f3d0a8-84c0- afd8c0dee963)
4ae0-bae4- SHAREPOINTLITE
685917b8ab48) (a1f3d0a8-84c0-
SWAY (a23b959c- 4ae0-bae4-
7ce8-4e57-9140- 685917b8ab48)
b90eb88a9e97) SWAY (a23b959c-
7ce8-4e57-9140-
b90eb88a9e97)
ONEDRIVE FOR WACONEDRIVESTAN e6778190-713e- FORMS_PLAN_E1 MICROSOFT FORMS

BUSINESS (PLAN 1) DARD 4e4f-9119- (159f4cd6-e380- (PLAN E1) (159f4cd6-
8b8238de25df 449f-a816- e380-449f-a816-
af1a9ef76344) af1a9ef76344)
(13696edf-5a08- (13696edf-5a08-
49f6-8134- 49f6-8134-
03083ed8ba30) 03083ed8ba30)
(e95bec33-7c88- (e95bec33-7c88-
4a70-8e19- 4a70-8e19-
b10bd9d0c014) b10bd9d0c014)
7ce8-4e57-9140- 7ce8-4e57-9140-
b90eb88a9e97) b90eb88a9e97)
ONEDRIVE FOR WACONEDRIVEENTER ed01faf2-1d88-4947- ONEDRIVEENTERPRIS ONEDRIVEENTERPRIS

BUSINESS (PLAN 2) PRISE ae91-45ca18703a96 E (afcafa6a-d966- E (afcafa6a-d966-
4462-918c- 4462-918c-
ec0b4e0fe642) ec0b4e0fe642)
(e95bec33-7c88- (e95bec33-7c88-
4a70-8e19- 4a70-8e19-
b10bd9d0c014) b10bd9d0c014)
POWER APPS PER POWERAPPS_PER_US b30411f5-fea1-4a59-

USER PLAN ER 9ad9-3db7c7ead579
SERVIC E P L A N S
POWER BI FOR POWER_BI_ADDON 45bc2c81-6072- BI_AZURE_P1 MICROSOFT POWER

OFFICE 365 ADD-ON 436a-9b0b- (2125cfd7-2110- BI REPORTING AND
3b12eefbc402 4567-83c4- ANALYTICS PLAN 1
c1cd5275163d) (2125cfd7-2110-
SQL_IS_SSIM 4567-83c4-
(fc0a60aa-feee-4746- c1cd5275163d)
a0e3-aecfe81a38dd) MICROSOFT POWER
BI INFORMATION
SERVICES PLAN
1(fc0a60aa-feee-
4746-a0e3-
aecfe81a38dd)
POWER BI PRO POWER_BI_PRO f8a1db68-be16- BI_AZURE_P2 POWER BI PRO

40ed-86d5- (70d33638-9c74- (70d33638-9c74-
cb42ce701560 4d01-bfd3- 4d01-bfd3-
562de28bd4ba) 562de28bd4ba)
PROJECT FOR OFFICE PROJECTCLIENT a10d5e58-74da- PROJECT_CLIENT_SUB PROJECT_CLIENT_SUB

365 4312-95c8- SCRIPTION (fafd7243- SCRIPTION (fafd7243-
76be4e5b75a0 e5c1-4a3a-9e40- e5c1-4a3a-9e40-
495efcb1d3c3) 495efcb1d3c3)
PROJECT ONLINE PROJECTESSENTIALS 776df282-9fc0-4862- FORMS_PLAN_E1 MICROSOFT FORMS

ESSENTIALS 99e2-70e561b9909e (159f4cd6-e380- (PLAN E1) (159f4cd6-
449f-a816- e380-449f-a816-
af1a9ef76344) af1a9ef76344)
PROJECT_ESSENTIALS PROJECT ONLINE
(1259157c-8581- ESSENTIALS
4875-bca7- (1259157c-8581-
2ffb18c51bda) 4875-bca7-
SHAREPOINTENTERPR 2ffb18c51bda)
ISE (5dbe027f-2339- SHAREPOINT ONLINE
4123-9542- (PLAN 2) (5dbe027f-
606e4d348a72) 2339-4123-9542-
SHAREPOINTWAC 606e4d348a72)
(e95bec33-7c88- OFFICE ONLINE
4a70-8e19- (e95bec33-7c88-
b10bd9d0c014) 4a70-8e19-
7ce8-4e57-9140- SWAY (a23b959c-
b90eb88a9e97) 7ce8-4e57-9140-
b90eb88a9e97)
SERVIC E P L A N S
PROJECT ONLINE PROJECTPREMIUM 09015f9f-377f-4538- PROJECT_CLIENT_SUB PROJECT_CLIENT_SUB

PREMIUM bbb5-f75ceb09358a SCRIPTION (fafd7243- SCRIPTION (fafd7243-
e5c1-4a3a-9e40- e5c1-4a3a-9e40-
SHAREPOINT_PROJEC SHAREPOINT_PROJEC
T (fe71d6c3-a2ea- T (fe71d6c3-a2ea-
4499-9778- 4499-9778-
da042bf08063) da042bf08063)
SHAREPOINTENTERPR SHAREPOINT ONLINE
ISE (5dbe027f-2339- (PLAN 2) (5dbe027f-
4123-9542- 2339-4123-9542-
606e4d348a72) 606e4d348a72)
(e95bec33-7c88- (e95bec33-7c88-
4a70-8e19- 4a70-8e19-
b10bd9d0c014) b10bd9d0c014)
PROJECT ONLINE PROJECTONLINE_PLA 2db84718-652c- FORMS_PLAN_E1 MICROSOFT FORMS

PREMIUM WITHOUT N_1 47a7-860c- (159f4cd6-e380- (PLAN E1) (159f4cd6-
PROJECT CLIENT f10d8abbdae3 449f-a816- e380-449f-a816-
af1a9ef76344) af1a9ef76344)
4499-9778- 4499-9778-
da042bf08063) da042bf08063)
4123-9542- 2339-4123-9542-
606e4d348a72) 606e4d348a72)
(e95bec33-7c88- (e95bec33-7c88-
4a70-8e19- 4a70-8e19-
b10bd9d0c014) b10bd9d0c014)
7ce8-4e57-9140- 7ce8-4e57-9140-
b90eb88a9e97) b90eb88a9e97)
PROJECT ONLINE PROJECTPROFESSION 53818b1b-4a27- PROJECT_CLIENT_SUB PROJECT_CLIENT_SUB

PROFESSIONAL AL 454b-8896- SCRIPTION (fafd7243- SCRIPTION (fafd7243-
0dba576410e6 e5c1-4a3a-9e40- e5c1-4a3a-9e40-
4499-9778- 4499-9778-
da042bf08063) da042bf08063)
4123-9542- 2339-4123-9542-
606e4d348a72) 606e4d348a72)
(e95bec33-7c88- (e95bec33-7c88-
4a70-8e19- 4a70-8e19-
b10bd9d0c014) b10bd9d0c014)
SERVIC E P L A N S
PROJECT ONLINE PROJECTONLINE_PLA f82a60b8-1ee3-4cfb- FORMS_PLAN_E1 MICROSOFT FORMS

WITH PROJECT FOR N_2 a4fe-1c6a53c2656c (159f4cd6-e380- (PLAN E1) (159f4cd6-
OFFICE 365 449f-a816- e380-449f-a816-
af1a9ef76344) af1a9ef76344)
PROJECT_CLIENT_SUB PROJECT_CLIENT_SUB
SCRIPTION (fafd7243- SCRIPTION (fafd7243-
e5c1-4a3a-9e40- e5c1-4a3a-9e40-
4499-9778- 4499-9778-
da042bf08063) da042bf08063)
4123-9542- 2339-4123-9542-
606e4d348a72) 606e4d348a72)
(e95bec33-7c88- (e95bec33-7c88-
4a70-8e19- 4a70-8e19-
b10bd9d0c014) b10bd9d0c014)
7ce8-4e57-9140- 7ce8-4e57-9140-
b90eb88a9e97) b90eb88a9e97)
SHAREPOINT ONLINE SHAREPOINTSTANDA 1fc08a02-8b3d- SHAREPOINTSTANDA SHAREPOINTSTANDA

(PLAN 1) RD 43b9-831e- RD (c7699d2e-19aa- RD (c7699d2e-19aa-
f76859e04e1a 44de-8edf- 44de-8edf-
1736da088ca1) 1736da088ca1)
SHAREPOINT ONLINE SHAREPOINTENTERPR a9732ec9-17d9- SHAREPOINTENTERPR SHAREPOINT ONLINE

(PLAN 2) ISE 494c-a51c- ISE (5dbe027f-2339- (PLAN 2) (5dbe027f-
d6b45b384dcb 4123-9542- 2339-4123-9542-
606e4d348a72) 606e4d348a72)
MICROSOFT 365 MCOEV e43b5b99-8dfb-405f- MCOEV (4828c8ec- PHONE SYSTEM

PHONE SYSTEM 9987-dc307f34bcbd dc2e-4779-b502- (4828c8ec-dc2e-
87ac9ce28ab7) 4779-b502-
87ac9ce28ab7)
SKYPE FOR BUSINESS MCOIMP b8b749f8-a4ef-4887- MCOIMP (afc06cb0- SKYPE FOR BUSINESS
ONLINE (PLAN 1) 9539-c95b1eaa5db7 b4f4-4473-8286- ONLINE (PLAN 1)
d644f70d8faf) (afc06cb0-b4f4-4473-
8286-d644f70d8faf)
SKYPE FOR BUSINESS MCOSTANDARD d42c793f-6c78-4f43- MCOSTANDARD SKYPE FOR BUSINESS

ONLINE (PLAN 2) 92ca-e8f6a02b035f (0feaeb32-d00e- ONLINE (PLAN 2)
4d66-bd5a- (0feaeb32-d00e-
43b5b83db82c) 4d66-bd5a-
43b5b83db82c)
SKYPE FOR BUSINESS MCOPSTN2 d3b4fe1f-9992-4930- MCOPSTN2 DOMESTIC AND

PSTN DOMESTIC 8acb-ca6ec609365e (5a10155d-f5c1- INTERNATIONAL
AND INTERNATIONAL 411a-a8ec- CALLING PLAN
CALLING e99aae125390) (5a10155d-f5c1-
411a-a8ec-
e99aae125390)
SERVIC E P L A N S
SKYPE FOR BUSINESS MCOPSTN1 0dab259f-bf13-4952- MCOPSTN1 DOMESTIC CALLING

PSTN DOMESTIC b7f8-7db8f131b28d (4ed3ff63-69d7-4fb7- PLAN (4ed3ff63-
CALLING b984-5aec7f605ca8) 69d7-4fb7-b984-
5aec7f605ca8)
SKYPE FOR BUSINESS MCOPSTN5 54a152dc-90de- MCOPSTN5 DOMESTIC CALLING

PSTN DOMESTIC 4996-93d2- (54a152dc-90de- PLAN (54a152dc-
CALLING (120 bc47e670fc06 4996-93d2- 90de-4996-93d2-
Minutes) bc47e670fc06) bc47e670fc06)
VISIO ONLINE PLAN VISIOONLINE_PLAN1 4b244418-9658- ONEDRIVE_BASIC ONEDRIVE_BASIC

1 4451-a2b8- (da792a53-cbc0- (da792a53-cbc0-
b5e2b364e9bd 4184-a10d- 4184-a10d-
e544dd34b3c1) e544dd34b3c1)
VISIOONLINE VISIOONLINE
(2bdbaf8f-738f-4ac7- (2bdbaf8f-738f-4ac7-
9234-3c3ee2ce7d0f) 9234-3c3ee2ce7d0f)
VISIO Online Plan 2 VISIOCLIENT c5928f49-12ba-48f7- ONEDRIVE_BASIC ONEDRIVE_BASIC

ada3-0d743a3601d5 (da792a53-cbc0- (da792a53-cbc0-
4184-a10d- 4184-a10d-
e544dd34b3c1) e544dd34b3c1)
VISIO_CLIENT_SUBSC VISIO_CLIENT_SUBSC
RIPTION (663a804f- RIPTION (663a804f-
1c30-4ff0-9915- 1c30-4ff0-9915-
9db84f0d1cea) 9db84f0d1cea)
VISIOONLINE VISIOONLINE
(2bdbaf8f-738f-4ac7- (2bdbaf8f-738f-4ac7-
9234-3c3ee2ce7d0f) 9234-3c3ee2ce7d0f)
WINDOWS 10 WIN10_PRO_ENT_SU cb10e6cd-9da4- WIN10_PRO_ENT_SUB WINDOWS 10

ENTERPRISE E3 B 4992-867b- (21b439ba-a0ca- ENTERPRISE
67546b1db821 424f-a6cc- (21b439ba-a0ca-
52f954a5b111) 424f-a6cc-
52f954a5b111)
Windows 10 WIN10_VDA_E5 488ba24a-39a9- EXCHANGE_S_FOUND Exchange Foundation

Enterprise E5 4473-8ee5- ATION (113feb6c- (113feb6c-3fe4-
19291e71b002 3fe4-4440-bddc- 4440-bddc-
54d774bf0318) 54d774bf0318)
WINDEFATP Microsoft Defender
(871d91ec-ec1a- Advanced Threat
452b-a83f- Protection
Virtualization Rights 452b-a83f-
for Windows 10 bd76c7d770ef)
(E3/E5+VDA) Windows 10
(e7c91390-7625- Enterprise (New)
45be-94e0- (e7c91390-7625-
e16907e03118) 45be-94e0-
e16907e03118)
Service plans that cannot be assigned at the same time

Some products contain service plans that cannot be assigned to the same user at the same time. For example, if
you have Office 365 E1 and Office 365 E3 in your tenant, and you try to assign both licenses to the same user, the
operation fails. This is because the E3 product contains the following service plans that conflict with their E1
counterparts:
When using group-based licensing, you experience this error condition. When using PowerShell, you see the
MutuallyExclusiveViolation error.
This section lists the most common service plans that are mutually exclusive, grouped by service type. You can use
this information to plan your license deployment and avoid assignment errors. These tables are for reference
purposes and are accurate only as of the date when this article was last updated. Microsoft does not plan to update
them for newly added services periodically.
Service: Azure Active Directory
NOTE
All service plans related to Azure Active Directory can now be assigned together, to the same user. This simplifies certain
license management scenarios, such as moving users from Azure AD Basic to Azure AD Premium P1.
Service: Dynamics CRM

The following service plans cannot be assigned together:
SERVIC E P L A N N A M E GUID
CRMPLAN1 119cf168-b6cf-41fb-b82e-7fee7bae5814
CRMPLAN2 bf36ca64-95c6-4918-9275-eb9f4ce2c04f
CRMSTANDARD f9646fb2-e3b2-4309-95de-dc4833737456
DYN365_ENTERPRISE_CUSTOMER_SERVICE 99340b49-fb81-4b1e-976b-8f2ae8e9394f
DYN365_ENTERPRISE_P1 d56f3deb-50d8-465a-bedb-f079817ccac1
DYN365_ENTERPRISE_P1_IW 056a5f80-b4e0-4983-a8be-7ad254a113c9
DYN365_ENTERPRISE_SALES 2da8e897-7791-486b-b08f-cc63c8129df7
DYN365_ENTERPRISE_TEAM_MEMBERS 6a54b05e-4fab-40e7-9828-428db3b336fa
EMPLOYEE_SELF_SERVICE ba5f0cfa-d54a-4ea0-8cf4-a7e1dc4423d8
Service: Exchange Online

EXCHANGE_B_STANDARD 90927877-dcff-4af6-b346-2332c0b15bb7
EXCHANGE_L_STANDARD d42bdbd6-c335-4231-ab3d-c8f348d5aff5
EXCHANGE_S_ARCHIVE da040e0a-b393-4bea-bb76-928b3fa1cf5a
EXCHANGE_S_DESKLESS 4a82b400-a79f-41a4-b4e2-e94f5787b113
EXCHANGE_S_ENTERPRISE efb87545-963c-4e0d-99df-69c6916d9eb0
EXCHANGE_S_ESSENTIALS 1126bef5-da20-4f07-b45e-ad25d2581aa8
EXCHANGE_S_STANDARD 9aaf7827-d63c-4b61-89c3-182f06f82e5c
EXCHANGE_S_STANDARD_MIDMARKET fc52cc4b-ed7d-472d-bbe7-b081c23ecc56
Service: Intune
INTUNE_A c1ec4a95-1f05-45b3-a911-aa3fa01094f5
INTUNE_A_VL 3e170737-c728-4eae-bbb9-3f3360f7184c
INTUNE_B 2dc63b8a-df3d-448f-b683-8655877c9360
Service: SharePoint Online

ONEDRIVEENTERPRISE afcafa6a-d966-4462-918c-ec0b4e0fe642
SHAREPOINT_S_DEVELOPER a361d6e2-509e-4e25-a8ad-950060064ef4
SHAREPOINTDESKLESS 902b47e5-dcb2-4fdc-858b-c63a90a2bdb9
SHAREPOINTENTERPRISE 5dbe027f-2339-4123-9542-606e4d348a72
SHAREPOINTENTERPRISE_EDU 63038b2c-28d0-45f6-bc36-33062963b498
SHAREPOINTENTERPRISE_MIDMARKET 6b5b6a67-fc72-4a1f-a2b5-beecf05de761
SHAREPOINTLITE a1f3d0a8-84c0-4ae0-bae4-685917b8ab48
SHAREPOINTSTANDARD c7699d2e-19aa-44de-8edf-1736da088ca1
SHAREPOINTSTANDARD_EDU 0a4983bb-d3e5-4a09-95d8-b2d0127b3df5
SHAREPOINTSTANDARD_YAMMERSHADOW 4c9efd0c-8de7-4c71-8295-9f5fdb0dd048
Service: Skype for Business

MCOIMP afc06cb0-b4f4-4473-8286-d644f70d8faf
MCOSTANDARD_MIDMARKET b2669e95-76ef-4e7e-a367-002f60a39f3e
MCOSTANDARD 0feaeb32-d00e-4d66-bd5a-43b5b83db82c
MCOLITE 70710b6b-3ab4-4a38-9f6d-9f169461650a
MCOPSTN1 4ed3ff63-69d7-4fb7-b984-5aec7f605ca8
MCOPSTN2 5a10155d-f5c1-411a-a8ec-e99aae125390
MCOPSTN5 54a152dc-90de-4996-93d2-bc47e670fc06
Service: Yammer
YAMMER_ENTERPRISE 7547a3fe-08ee-4ccb-b430-5077c5041653
YAMMER_EDU 2078e8df-cff6-4290-98cb-5408261a760a
YAMMER_MIDSIZE 41bf139a-4e60-409f-9346-a1361efc6dfb
Next steps
To learn more about the feature set for license management through groups, see the following:
PowerShell examples for group-based licensing in Azure AD
Administrator role permissions in Azure Active
Directory
Using Azure Active Directory (Azure AD), you can designate limited administrators to manage identity tasks in
less-privileged roles. Administrators can be assigned for such purposes as adding or changing users, assigning
administrative roles, resetting user passwords, managing user licenses, and managing domain names. The
default user permissions can be changed only in user settings in Azure AD.
Limit use of Global administrator

Users who are assigned to the Global administrator role can read and modify every administrative setting in
your Azure AD organization. By default, when a user signs up for a Microsoft cloud service, an Azure AD tenant
is created and the user is made a member of the Global Administrators role. When you add a subscription to
an existing tenant, you aren't assigned to the Global Administrator role. Only Global administrators and
Privileged Role administrators can delegate administrator roles. To reduce the risk to your business, we
recommend that you assign this role to the fewest possible people in your organization.
As a best practice, we recommend that you assign this role to fewer than five people in your organization. If
you have more than five admins assigned to the Global Administrator role in your organization, here are some
ways to reduce its use.
Find the role you need
If it's frustrating for you to find the role you need out of a list of many roles, Azure AD can show you subsets of
the roles based on role categories. Check out our new Type filter for Azure AD Roles and administrators to
show you only the roles in the selected type.
A role exists now that didn't exist when you assigned the Global administrator role
It's possible that a role or roles were added to Azure AD that provide more granular permissions that were not
an option when you elevated some users to Global administrator. Over time, we are rolling out additional roles
that accomplish tasks that only the Global administrator role could do before. You can see these reflected in the
following Available roles.
Assign or remove administrator roles

To learn how to assign administrative roles to a user in Azure Active Directory, see View and assign
administrator roles in Azure Active Directory.
NOTE
If you have an Azure AD premium P2 license and you're already a Privileged Identity Management (PIM) user, all role
management tasks are performed in Privilege Identity Management and not in Azure AD.
Available roles
The following administrator roles are available:
Application Administrator
Users in this role can create and manage all aspects of enterprise applications, application registrations, and
application proxy settings. Note that users assigned to this role are not added as owners when creating new
application registrations or enterprise applications.
This role also grants the ability to consent to delegated permissions and application permissions, with the
exception of permissions on the Microsoft Graph API.
IMPORTANT
This exception means that you can still consent to permissions for other apps (for example, non-Microsoft apps or apps
that you have registered), but not to permissions on Azure AD itself. You can still request these permissions as part of
the app registration, but granting (that is, consenting to) these permissions requires an Azure AD admin. This means
that a malicious user cannot easily elevate their permissions, for example by creating and consenting to an app that can
write to the entire directory and through that app's permissions elevate themselves to become a global admin.
This role grants the ability to manage application credentials. Users assigned this role can add credentials to an
application, and use those credentials to impersonate the application’s identity. If the application’s identity has been
granted access to a resource, such as the ability to create or update User or other objects, then a user assigned to this
role could perform those actions while impersonating the application. This ability to impersonate the application’s
identity may be an elevation of privilege over what the user can do via their role assignments. It is important to
understand that assigning a user to the Application Administrator role gives them the ability to impersonate an
application’s identity.
Application Developer
Users in this role can create application registrations when the "Users can register applications" setting is set to
No. This role also grants permission to consent on one's own behalf when the "Users can consent to apps
accessing company data on their behalf" setting is set to No. Users assigned to this role are added as owners
when creating new application registrations or enterprise applications.
Authentication Administrator
Users with this role can set or reset non-password credentials for some users and can update passwords for all
users. Authentication administrators can require users who are non-administrators or assigned to some roles
to re-register against existing non-password credentials (for example, MFA or FIDO), and can also revoke
remember MFA on the device , which prompts for MFA on the next sign-in. These actions apply only to
users who are non-administrators or who are assigned one or more of the following roles:
Directory Readers
Guest Inviter
Message Center Reader
Reports Reader
The Privileged authentication administrator role has permission can force re-registration and multi-factor
authentication for all users.
IMPORTANT
Users with this role can change credentials for people who may have access to sensitive or private information or critical
configuration inside and outside of Azure Active Directory. Changing the credentials of a user may mean the ability to
assume that user's identity and permissions. For example:
Application Registration and Enterprise Application owners, who can manage credentials of apps they own. Those
apps may have privileged permissions in Azure AD and elsewhere not granted to Authentication Administrators.
Through this path an Authentication Administrator may be able to assume the identity of an application owner and
then further assume the identity of a privileged application by updating the credentials for the application.
Azure subscription owners, who may have access to sensitive or private information or critical configuration in Azure.
Security Group and Microsoft 365 group owners, who can manage group membership. Those groups may grant
access to sensitive or private information or critical configuration in Azure AD and elsewhere.
Administrators in other services outside of Azure AD like Exchange Online, Office Security and Compliance Center,
and human resources systems.
Non-administrators like executives, legal counsel, and human resources employees who may have access to sensitive
or private information.
Azure DevOps Administrator

Users with this role can manage the Azure DevOps policy to restrict new Azure DevOps organization creation
to a set of configurable users or groups. Users in this role can manage this policy through any Azure DevOps
organization that is backed the company's Azure AD organization.
All enterprise Azure DevOps policies can be managed by users in this role.
Azure Information Protection Administrator
Users with this role have all permissions in the Azure Information Protection service. This role allows
configuring labels for the Azure Information Protection policy, managing protection templates, and activating
protection. This role does not grant any permissions in Identity Protection Center, Privileged Identity
Management, Monitor Office 365 Service Health, or Office 365 Security & Compliance Center.
B2C IEF Keyset Administrator
User can create and manage policy keys and secrets for token encryption, token signatures, and claim
encryption/decryption. By adding new keys to existing key containers, this limited administrator can rollover
secrets as needed without impacting existing applications. This user can see the full content of these secrets
and their expiration dates even after their creation.
IMPORTANT
This is a sensitive role. The keyset administrator role should be carefully audited and assigned with care during pre-
production and production.
B2C IEF Policy Administrator
Users in this role have the ability to create, read, update, and delete all custom policies in Azure AD B2C and
therefore have full control over the Identity Experience Framework in the relevant Azure AD B2C organization.
By editing policies, this user can establish direct federation with external identity providers, change the
directory schema, change all user-facing content (HTML, CSS, JavaScript), change the requirements to
complete an authentication, create new users, send user data to external systems including full migrations, and
edit all user information including sensitive fields like passwords and phone numbers. Conversely, this role
cannot change the encryption keys or edit the secrets used for federation in the organization.
IMPORTANT
The B2 IEF Policy Administrator is a highly sensitive role which should be assigned on a very limited basis for
organizations in production. Activities by these users should be closely audited, especially for organizations in
production.
Billing Administrator
Makes purchases, manages subscriptions, manages support tickets, and monitors service health.
Cloud Application Administrator
Users in this role have the same permissions as the Application Administrator role, excluding the ability to
manage application proxy. This role grants the ability to create and manage all aspects of enterprise
applications and application registrations. This role also grants the ability to consent to delegated permissions,
and application permissions excluding Microsoft Graph and Azure AD Graph. Users assigned to this role are
not added as owners when creating new application registrations or enterprise applications.
IMPORTANT
This role grants the ability to manage application credentials. Users assigned this role can add credentials to an
application, and use those credentials to impersonate the application’s identity. If the application’s identity has been
granted access to a resource, such as the ability to create or update User or other objects, then a user assigned to this
role could perform those actions while impersonating the application. This ability to impersonate the application’s
identity may be an elevation of privilege over what the user can do via their role assignments. It is important to
understand that assigning a user to the Cloud Application Administrator role gives them the ability to impersonate an
application’s identity.
Cloud Device Administrator

Users in this role can enable, disable, and delete devices in Azure AD and read Windows 10 BitLocker keys (if
present) in the Azure portal. The role does not grant permissions to manage any other properties on the
device.
Compliance Administrator
Users with this role have permissions to manage compliance-related features in the Microsoft 365 compliance
center, Microsoft 365 admin center, Azure, and Office 365 Security & Compliance Center. Assignees can also
manage all features within the Exchange admin center and Teams & Skype for Business admin centers and
create support tickets for Azure and Microsoft 365. More information is available at About Office 365 admin
roles.
IN C A N DO
Microsoft 365 compliance center Protect and manage your organization's data across
Microsoft 365 services
Manage compliance alerts
IN C A N DO
Compliance Manager Track, assign, and verify your organization's regulatory

compliance activities
Office 365 Security & Compliance Center Manage data governance

Perform legal and data investigation
Manage Data Subject Request
This role has the same permissions as the Compliance

Administrator RoleGroup in Office 365 Security &
Compliance Center role-based access control.
Intune View all Intune audit data
Cloud App Security Has read-only permissions and can manage alerts
Can create and modify file policies and allow file governance
actions
Can view all the built-in reports under Data Management
Compliance Data Administrator

Users with this role have permissions to track data in the Microsoft 365 compliance center, Microsoft 365
admin center, and Azure. Users can also track compliance data within the Exchange admin center, Compliance
Manager, and Teams & Skype for Business admin center and create support tickets for Azure and Microsoft
365.
IN C A N DO
Microsoft 365 compliance center Monitor compliance-related policies across Microsoft 365
services
Manage compliance alerts
Compliance Manager Track, assign, and verify your organization's regulatory

compliance activities
Office 365 Security & Compliance Center Manage data governance

Perform legal and data investigation
Manage Data Subject Request
This role has the same permissions as the Compliance Data

Administrator RoleGroup in Office 365 Security &
Compliance Center role-based access control.
Intune View all Intune audit data
Can create and modify file policies and allow file governance
actions
Can view all the built-in reports under Data Management
Conditional Access Administrator

Users with this role have the ability to manage Azure Active Directory Conditional Access settings.
NOTE
To deploy Exchange ActiveSync Conditional Access policy in Azure, the user must also be a Global Administrator.
Customer Lockbox access approver
Manages Customer Lockbox requests in your organization. They receive email notifications for Customer
Lockbox requests and can approve and deny requests from the Microsoft 365 admin center. They can also turn
the Customer Lockbox feature on or off. Only global admins can reset the passwords of people assigned to this
role.
Desktop Analytics Administrator
Users in this role can manage the Desktop Analytics and Office Customization & Policy services. For Desktop
Analytics, this includes the ability to view asset inventory, create deployment plans, view deployment and
health status. For Office Customization & Policy service, this role enables users to manage Office policies.
Device Administrators
This role is available for assignment only as an additional local administrator in Device settings. Users with this
role become local machine administrators on all Windows 10 devices that are joined to Azure Active Directory.
They do not have the ability to manage devices objects in Azure Active Directory.
Directory Readers
Users in this role can read basic directory information. This role should be used for:
Granting a specific set of guest users read access instead of granting it to all guest users.
Granting a specific set of non-admin users access to Azure portal when "Restrict access to Azure AD portal
to admins only" is set to "Yes".
Granting service principals access to directory where Directory.Read.All is not an option.
Directory Synchronization Accounts
Do not use. This role is automatically assigned to the Azure AD Connect service, and is not intended or
supported for any other use.
Directory Writers
Users in this role can read and update basic information of users, groups, and service principals. Assign this
role only to applications that don’t support the Consent Framework. It should not be assigned to any users.
Dynamics 365 administrator / CRM Administrator
Users with this role have global permissions within Microsoft Dynamics 365 Online, when the service is
present, as well as the ability to manage support tickets and monitor service health. More information at Use
the service admin role to manage your Azure AD organization.
NOTE
In the Microsoft Graph API and Azure AD PowerShell, this role is identified as "Dynamics 365 Service Administrator." It is
"Dynamics 365 Administrator" in the Azure portal.
Exchange Administrator
Users with this role have global permissions within Microsoft Exchange Online, when the service is present.
Also has the ability to create and manage all Microsoft 365 groups, manage support tickets, and monitor
service health. More information at About Office 365 admin roles.
NOTE
In the Microsoft Graph API and Azure AD PowerShell, this role is identified as "Exchange Service Administrator." It is
"Exchange Administrator" in the Azure portal. It is "Exchange Online administrator" in the Exchange admin center.
External Id User Flow Administrator

Users with this role can create and manage user flows (also called "built-in" policies) in the Azure portal. These
users can customize HTML/CSS/JavaScript content, change MFA requirements, select claims in the token,
manage API connectors, and configure session settings for all user flows in the Azure AD organization. On the
other hand, this role does not include the ability to review user data or make changes to the attributes that are
included in the organization schema. Changes to Identity Experience Framework policies (also known as
custom policies) are also outside the scope of this role.
External Id User Flow Attribute Administrator
Users with this role add or delete custom attributes available to all user flows in the Azure AD organization. As
such, users with this role can change or add new elements to the end-user schema and impact the behavior of
all user flows and indirectly result in changes to what data may be asked of end users and ultimately sent as
claims to applications. This role cannot edit user flows.
External Identity Provider Administrator
This administrator manages federation between Azure AD organizations and external identity providers. With
this role, users can add new identity providers and configure all available settings (e.g. authentication path,
service ID, assigned key containers). This user can enable the Azure AD organization to trust authentications
from external identity providers. The resulting impact on end-user experiences depends on the type of
organization:
Azure AD organizations for employees and partners: The addition of a federation (e.g. with Gmail) will
immediately impact all guest invitations not yet redeemed. See Adding Google as an identity provider for
B2B guest users.
Azure Active Directory B2C organizations: The addition of a federation (for example, with Facebook, or with
another Azure AD organization) does not immediately impact end-user flows until the identity provider is
added as an option in a user flow (also called a built-in policy). See Configuring a Microsoft account as an
identity provider for an example. To change user flows, the limited role of "B2C User Flow Administrator" is
required.
Global Administrator / Company Administrator
Users with this role have access to all administrative features in Azure Active Directory, as well as services that
use Azure Active Directory identities like Microsoft 365 security center, Microsoft 365 compliance center,
Exchange Online, SharePoint Online, and Skype for Business Online. Furthermore, Global Admins can elevate
their access to manage all Azure subscriptions and management groups. This allows Global Admins to get full
access to all Azure resources using the respective Azure AD Tenant. The person who signs up for the Azure AD
organization becomes a global administrator. There can be more than one global administrator at your
company. Global admins can reset the password for any user and all other administrators.
NOTE
In the Microsoft Graph API and Azure AD PowerShell, this role is identified as "Company Administrator". It is "Global
Administrator" in the Azure portal.
Global Reader
Users in this role can read settings and administrative information across Microsoft 365 services but can't take
management actions. Global reader is the read-only counterpart to Global administrator. Assign Global reader
instead of Global administrator for planning, audits, or investigations. Use Global reader in combination with
other limited admin roles like Exchange Administrator to make it easier to get work done without the assigning
the Global Administrator role. Global reader works with Microsoft 365 admin center, Exchange admin center,
SharePoint admin center, Teams admin center, Security center, Compliance center, Azure AD admin center, and
Device Management admin center.
NOTE
Global reader role has a few limitations right now -
OneDrive admin center - OneDrive admin center does not support the Global reader role
M365 admin center - Global reader can't read customer lockbox requests. You won't find the Customer lockbox
requests tab under Suppor t in the left pane of M365 Admin Center.
Office Security & Compliance Center - Global reader can't read SCC audit logs, do content search, or see Secure
Score.
Teams admin center - Global reader cannot read Teams lifecycle , Analytics & repor ts , IP phone device
management and App catalog .
Privileged Access Management (PAM) doesn't support the Global reader role.
Azure Information Protection - Global reader is supported for central reporting only, and when your Azure AD
organization isn't on the unified labeling platform.
These features are currently in development.
Groups Administrator
Users in this role can create/manage groups and its settings like naming and expiration policies. It is important
to understand that assigning a user to this role gives them the ability to manage all groups in the organization
across various workloads like Teams, SharePoint, Yammer in addition to Outlook. Also the user will be able to
manage the various groups settings across various admin portals like Microsoft Admin Center, Azure portal, as
well as workload specific ones like Teams and SharePoint Admin Centers.
Guest Inviter
Users in this role can manage Azure Active Directory B2B guest user invitations when the Members can
invite user setting is set to No. More information about B2B collaboration at About Azure AD B2B
collaboration. It does not include any other permissions.
Helpdesk Administrator
Users with this role can change passwords, invalidate refresh tokens, manage service requests, and monitor
service health. Invalidating a refresh token forces the user to sign in again. Helpdesk administrators can reset
passwords and invalidate refresh tokens of other users who are non-administrators or assigned the following
roles only:
Directory Readers
Guest Inviter
Helpdesk Administrator
Password Administrator
Reports Reader
IMPORTANT
Users with this role can change passwords for people who may have access to sensitive or private information or critical
configuration inside and outside of Azure Active Directory. Changing the password of a user may mean the ability to
apps may have privileged permissions in Azure AD and elsewhere not granted to Helpdesk Administrators. Through
this path a Helpdesk Administrator may be able to assume the identity of an application owner and then further
assume the identity of a privileged application by updating the credentials for the application.
Azure subscription owners, who might have access to sensitive or private information or critical configuration in
Azure.
Delegating administrative permissions over subsets of users and applying policies to a subset of users is
possible with Administrative Units (now in public preview).
This role was previously called "Password Administrator" in the Azure portal. The "Helpdesk Administrator"
name in Azure AD now matches its name in Azure AD PowerShell and the Microsoft Graph API.
Hybrid Identity Administrator
Users in this role can enable, configure and manage services and settings related to enabling hybrid identity in
Azure AD. This role grants the ability to configure Azure AD to one of the three supported authentication
methods, Password hash synchronization (PHS), Pass-through authentication (PTA) or Federation (AD FS or 3rd
party federation provider), and to deploy related on-premises infrastructure to enable them. On-prem
infrastructure includes Provisioning and PTA agents. This role grants the ability to enable Seamless Single
Sign-On (S-SSO) to enable seamless authentication on non-Windows 10 devices or non-Windows Server
2016 computers. In addition, this role grants the ability to see sign-in logs and access to health and analytics
for monitoring and troubleshooting purposes.
Insights Administrator
Users in this role can access the full set of administrative capabilities in the M365 Insights application. This role
has the ability to read directory information, monitor service health, file support tickets, and access the Insights
admin settings aspects.
Insights Business Leader
Users in this role can access a set of dashboards and insights via the M365 Insights application. This includes
full access to all dashboards and presented insights and data exploration functionality. Users in this role do not
have access to product configuration settings, which is the responsibility of the Insights Admin role.
Intune Administrator
Users with this role have global permissions within Microsoft Intune Online, when the service is present.
Additionally, this role contains the ability to manage users and devices in order to associate policy, as well as
create and manage groups. More information at Role-based administration control (RBAC) with Microsoft
Intune.
This role can create and manage all security groups. However, Intune Admin does not have admin rights over
Office groups. That means the admin cannot update owners or memberships of all Office groups in the
organization. However, he/she can manage the Office group that he creates which comes as a part of his/her
end-user privileges. So, any Office group (not security group) that he/she creates should be counted against
his/her quota of 250.
NOTE
In the Microsoft Graph API and Azure AD PowerShell, this role is identified as "Intune Service Administrator." It is "Intune
Administrator" in the Azure portal.
Kaizala Administrator
Users with this role have global permissions to manage settings within Microsoft Kaizala, when the service is
present, as well as the ability to manage support tickets and monitor service health. Additionally, the user can
access reports related to adoption & usage of Kaizala by Organization members and business reports
generated using the Kaizala actions.
License Administrator
Users in this role can add, remove, and update license assignments on users, groups (using group-based
licensing), and manage the usage location on users. The role does not grant the ability to purchase or manage
subscriptions, create or manage groups, or create or manage users beyond the usage location. This role has no
access to view, create, or manage support tickets.
Message Center Privacy Reader
Users in this role can monitor all notifications in the Message Center, including data privacy messages.
Message Center Privacy Readers get email notifications including those related to data privacy and they can
unsubscribe using Message Center Preferences. Only the Global Administrator and the Message Center
Privacy Reader can read data privacy messages. Additionally, this role contains the ability to view groups,
domains, and subscriptions. This role has no permission to view, create, or manage service requests.
Users in this role can monitor notifications and advisory health updates in Office 365 Message center for their
organization on configured services such as Exchange, Intune, and Microsoft Teams. Message Center Readers
receive weekly email digests of posts, updates, and can share message center posts in Office 365. In Azure AD,
users assigned to this role will only have read-only access on Azure AD services such as users and groups. This
role has no access to view, create, or manage support tickets.
Modern Commerce User
Do not use. This role is automatically assigned from Commerce, and is not intended or supported for any other
use. See details below.
The Modern Commerce User role gives certain users permission to access Microsoft 365 admin center and see
the left navigation entries for Home , Billing , and Suppor t . The content available in these areas is controlled
by commerce-specific roles assigned to users to manage products that they bought for themselves or your
organization. This might include tasks like paying bills, or for access to billing accounts and billing profiles.
Users with the Modern Commerce User role typically have administrative permissions in other Microsoft
purchasing systems, but do not have Global administrator or Billing administrator roles used to access the
admin center.
When is the Modern Commerce User role assigned?
Self-ser vice purchase in Microsoft 365 admin center – Self-service purchase gives users a chance to
try out new products by buying or signing up for them on their own. These products are managed in the
admin center. Users who make a self-service purchase are assigned a role in the commerce system, and the
Modern Commerce User role so they can manage their purchases in admin center. Admins can block self-
service purchases (for Power BI, Power Apps, Power automate) through PowerShell. For more information,
see Self-service purchase FAQ.
Purchases from Microsoft commercial marketplace – Similar to self-service purchase, when a user
buys a product or service from Microsoft AppSource or Azure Marketplace, the Modern Commerce User
role is assigned if they don’t have the Global admin or Billing admin role. In some cases, users might be
blocked from making these purchases. For more information, see Microsoft commercial marketplace.
Proposals from Microsoft – A proposal is a formal offer from Microsoft for your organization to buy
Microsoft products and services. When the person who is accepting the proposal doesn’t have a Global
admin or Billing admin role in Azure AD, they are assigned both a commerce-specific role to complete the
proposal and the Modern Commerce User role to access admin center. When they access the admin center
they can only use features that are authorized by their commerce-specific role.
Commerce-specific roles – Some users are assigned commerce-specific roles. If a user isn't a Global or
Billing admin, they get the Modern Commerce User role so they can access the admin center.
If the Modern Commerce User role is unassigned from a user, they lose access to Microsoft 365 admin center.
If they were managing any products, either for themselves or for your organization, they won’t be able to
manage them. This might include assigning licenses, changing payment methods, paying bills, or other tasks
for managing subscriptions.
Network Administrator
Users in this role can review network perimeter architecture recommendations from Microsoft that are based
on network telemetry from their user locations. Network performance for Office 365 relies on careful
enterprise customer network perimeter architecture which is generally user location specific. This role allows
for editing of discovered user locations and configuration of network parameters for those locations to
facilitate improved telemetry measurements and design recommendations
Office Apps Administrator
Users in this role can manage Office 365 apps' cloud settings. This includes managing cloud policies, self-
service download management and the ability to view Office apps related report. This role additionally grants
the ability to manage support tickets, and monitor service health within the main admin center. Users assigned
to this role can also manage communication of new features in Office apps.
Do not use. This role has been deprecated and will be removed from Azure AD in the future. This role is
intended for use by a small number of Microsoft resale partners, and is not intended for general use.
Do not use. This role has been deprecated and will be removed from Azure AD in the future. This role is
intended for use by a small number of Microsoft resale partners, and is not intended for general use.
Users with this role have limited ability to manage passwords. This role does not grant the ability to manage
service requests or monitor service health. Password administrators can reset passwords of other users who
are non-administrators or members of the following roles only:
Directory Readers
Guest Inviter
Power BI Administrator
Users with this role have global permissions within Microsoft Power BI, when the service is present, as well as
the ability to manage support tickets and monitor service health. More information at Understanding the
Power BI admin role.
NOTE
In the Microsoft Graph API and Azure AD PowerShell, this role is identified as "Power BI Service Administrator ". It is
"Power BI Administrator" in the Azure portal.
Power Platform Administrator

Users in this role can create and manage all aspects of environments, PowerApps, Flows, Data Loss Prevention
policies. Additionally, users with this role have the ability to manage support tickets and monitor service
health.
Printer Administrator
Users in this role can register printers and manage all aspects of all printer configurations in the Microsoft
Universal Print solution, including the Universal Print Connector settings. They can consent to all delegated
print permission requests. Printer Administrators also have access to print reports.
Printer Technician
Users with this role can register printers and manage printer status in the Microsoft Universal Print solution.
They can also read all connector information. Key task a Printer Technician cannot do is set user permissions on
printers and sharing printers.
Privileged Authentication Administrator
Users with this role can set or reset non-password credentials for all users, including global administrators,
and can update passwords for all users. Privileged Authentication Administrators can force users to re-register
against existing non-password credential (such as MFA or FIDO) and revoke 'remember MFA on the device',
prompting for MFA on the next sign-in of all users. The Authentication administrator role can force re-
registration and MFA for only non-admins and users assigned to the following Azure AD roles:
Directory Readers
Guest Inviter
Reports Reader
Privileged Role Administrator
Users with this role can manage role assignments in Azure Active Directory, as well as within Azure AD
Privileged Identity Management. They can create and manage groups that can be assigned to Azure AD roles.
In addition, this role allows management of all aspects of Privileged Identity Management and administrative
units.
IMPORTANT
This role grants the ability to manage assignments for all Azure AD roles including the Global Administrator role. This
role does not include any other privileged abilities in Azure AD like creating or updating users. However, users assigned
to this role can grant themselves or others additional privilege by assigning additional roles.
Reports Reader
Users with this role can view usage reporting data and the reports dashboard in Microsoft 365 admin center
and the adoption context pack in Power BI. Additionally, the role provides access to sign-in reports and activity
in Azure AD and data returned by the Microsoft Graph reporting API. A user assigned to the Reports Reader
role can access only relevant usage and adoption metrics. They don't have any admin permissions to configure
settings or access the product-specific admin centers like Exchange. This role has no access to view, create, or
manage support tickets.
Search Administrator
Users in this role have full access to all Microsoft Search management features in the Microsoft 365 admin
center. Additionally, these users can view the message center, monitor service health, and create service
requests.
Search Editor
Users in this role can create, manage, and delete content for Microsoft Search in the Microsoft 365 admin
center, including bookmarks, Q&As, and locations.
Security Administrator
Users with this role have permissions to manage security-related features in the Microsoft 365 security center,
Azure Active Directory Identity Protection, Azure Active Directory Authentication, Azure Information Protection,
and Office 365 Security & Compliance Center. More information about Office 365 permissions is available at
Permissions in the Office 365 Security & Compliance Center.
IN C A N DO
Microsoft 365 security center Monitor security-related policies across Microsoft 365
services
Manage security threats and alerts
View reports
Identity Protection Center All permissions of the Security Reader role

Additionally, the ability to perform all Identity Protection
Center operations except for resetting passwords
Privileged Identity Management All permissions of the Security Reader role

Cannot manage Azure AD role assignments or settings
Office 365 Security & Compliance Center Manage security policies

View, investigate, and respond to security threats
View reports
Azure Advanced Threat Protection Monitor and respond to suspicious security activity
Windows Defender ATP and EDR Assign roles

Manage machine groups
Configure endpoint threat detection and automated
remediation
View, investigate, and respond to alerts
Intune Views user, device, enrollment, configuration, and

application information
Cannot make changes to Intune
Cloud App Security Add admins, add policies and settings, upload logs and
perform governance actions
Azure Security Center Can view security policies, view security states, edit security
policies, view alerts and recommendations, dismiss alerts
and recommendations
Office 365 service health View the health of Office 365 services
Smart lockout Define the threshold and duration for lockouts when failed
sign-in events happen.
IN C A N DO
Password Protection Configure custom banned password list or on-premises

password protection.
Security operator
Users with this role can manage alerts and have global read-only access on security-related features, including
all information in Microsoft 365 security center, Azure Active Directory, Identity Protection, Privileged Identity
Management and Office 365 Security & Compliance Center. More information about Office 365 permissions is
available at Permissions in the Office 365 Security & Compliance Center.
IN C A N DO
Microsoft 365 security center All permissions of the Security Reader role
View, investigate, and respond to security threats alerts
Identity Protection Center All permissions of the Security Reader role

Additionally, the ability to perform all Identity Protection
Center operations except for resetting passwords
Privileged Identity Management All permissions of the Security Reader role
Office 365 Security & Compliance Center All permissions of the Security Reader role
View, investigate, and respond to security alerts
Windows Defender ATP and EDR All permissions of the Security Reader role
View, investigate, and respond to security alerts
Intune All permissions of the Security Reader role
Cloud App Security All permissions of the Security Reader role
Security Reader
Users with this role have global read-only access on security-related feature, including all information in
Microsoft 365 security center, Azure Active Directory, Identity Protection, Privileged Identity Management, as
well as the ability to read Azure Active Directory sign-in reports and audit logs, and in Office 365 Security &
Compliance Center. More information about Office 365 permissions is available at Permissions in the Office
365 Security & Compliance Center.
IN C A N DO
Microsoft 365 security center View security-related policies across Microsoft 365 services
View security threats and alerts
View reports
IN C A N DO
Identity Protection Center Read all security reports and settings information for
security features
Anti-spam
Encryption
Data loss prevention
Anti-malware
Advanced threat protection
Anti-phishing
Mailflow rules
Privileged Identity Management Has read-only access to all information surfaced in Azure
AD Privileged Identity Management: Policies and reports for
Azure AD role assignments and security reviews.
Cannot sign up for Azure AD Privileged Identity
Management or make any changes to it. In the Privileged
Identity Management portal or via PowerShell, someone in
this role can activate additional roles (for example, Global
Admin or Privileged Role Administrator), if the user is
eligible for them.
Office 365 Security & Compliance Center View security policies

View and investigate security threats
View reports
Windows Defender ATP and EDR View and investigate alerts. When you turn on role-based
access control in Windows Defender ATP, users with read-
only permissions such as the Azure AD Security reader role
lose access until they are assigned to a Windows Defender
ATP role.
Intune Views user, device, enrollment, configuration, and

application information. Cannot make changes to Intune.
Azure Security Center Can view recommendations and alerts, view security
policies, view security states, but cannot make changes
Service Support Administrator

Users with this role can open support requests with Microsoft for Azure and Office 365 services, and views the
service dashboard and message center in the Azure portal and Microsoft 365 admin center. More information
at About admin roles.
NOTE
Previously, this role was called "Service Administrator" in Azure portal and Microsoft 365 admin center. We have
renamed it to "Service Support Administrator" to align with the exsiting name in Microsoft Graph API, Azure AD Graph
API, and Azure AD PowerShell.
SharePoint Administrator
Users with this role have global permissions within Microsoft SharePoint Online, when the service is present,
as well as the ability to create and manage all Microsoft 365 groups, manage support tickets, and monitor
service health. More information at About admin roles.
NOTE
In the Microsoft Graph API and Azure AD PowerShell, this role is identified as "SharePoint Service Administrator." It is
"SharePoint Administrator" in the Azure portal.
NOTE
This role also grants scoped permissions to the Microsoft Graph API for Microsoft Intune, allowing the management and
configuration of policies related to SharePoint and OneDrive resources.
Skype for Business / Lync Administrator

Users with this role have global permissions within Microsoft Skype for Business, when the service is present,
as well as manage Skype-specific user attributes in Azure Active Directory. Additionally, this role grants the
ability to manage support tickets and monitor service health, and to access the Teams and Skype for Business
Admin Center. The account must also be licensed for Teams or it can't run Teams PowerShell cmdlets. More
information at About the Skype for Business admin role and Teams licensing information at Skype for Business
and Microsoft Teams add-on licensing
NOTE
In the Microsoft Graph API and Azure AD PowerShell, this role is identified as "Lync Service Administrator." It is "Skype
for Business Administrator" in the Azure portal.
Teams Communications Administrator

Users in this role can manage aspects of the Microsoft Teams workload related to voice & telephony. This
includes the management tools for telephone number assignment, voice and meeting policies, and full access
to the call analytics toolset.
Teams Communications Support Engineer
Users in this role can troubleshoot communication issues within Microsoft Teams & Skype for Business using
the user call troubleshooting tools in the Microsoft Teams & Skype for Business admin center. Users in this role
can view full call record information for all participants involved. This role has no access to view, create, or
manage support tickets.
Teams Communications Support Specialist
Users in this role can troubleshoot communication issues within Microsoft Teams & Skype for Business using
the user call troubleshooting tools in the Microsoft Teams & Skype for Business admin center. Users in this role
can only view user details in the call for the specific user they have looked up. This role has no access to view,
create, or manage support tickets.
Teams Devices Administrator
Users with this role can manage Teams-certified devices from the Teams Admin Center. This role allows
viewing all devices at single glance, with ability to search and filter devices. The user can check details of each
device including logged-in account, make and model of the device. The user can change the settings on the
device and update the software versions. This role does not grant permissions to check Teams activity and call
quality of the device.
Teams Service Administrator
Users in this role can manage all aspects of the Microsoft Teams workload via the Microsoft Teams & Skype for
Business admin center and the respective PowerShell modules. This includes, among other areas, all
management tools related to telephony, messaging, meetings, and the teams themselves. This role additionally
grants the ability to create and manage all Microsoft 365 groups, manage support tickets, and monitor service
health.
User Administrator
Users with this role can create users, and manage all aspects of users with some restrictions (see the table),
and can update password expiration policies. Additionally, users with this role can create and manage all
groups. This role also includes the ability to create and manage user views, manage support tickets, and
monitor service health. User administrators don't have permission to manage some user properties for users
in most administrator roles. User with this role do not have permissions to manage MFA. The roles that are
exceptions to this restriction are listed in the following table.
P ERM ISSIO N C A N DO
General permissions Create users and groups

Create and manage user views
Manage Office support tickets
Update password expiration policies
On all users, including all admins Manage licenses

Manage all user properties except User Principal Name
Only on users who are non-admins or in any of the Delete and restore
following limited admin roles:
Directory Readers Disable and enable
Groups Administrator Invalidate refresh Tokens
Guest Inviter
Helpdesk Administrator Manage all user properties including User Principal
Name
Password Administrator Reset password
Reports Reader
Update (FIDO) device keys
User Administrator
IMPORTANT
Users with this role can change passwords for people who may have access to sensitive or private information or critical
configuration inside and outside of Azure Active Directory. Changing the password of a user may mean the ability to
apps may have privileged permissions in Azure AD and elsewhere not granted to User Administrators. Through this
path a User Administrator may be able to assume the identity of an application owner and then further assume the
identity of a privileged application by updating the credentials for the application.
Azure subscription owners, who may have access to sensitive or private information or critical configuration in Azure.
Role Permissions
The following tables describe the specific permissions in Azure Active Directory given to each role. Some roles
may have additional permissions in Microsoft services outside of Azure Active Directory.
Application Administrator permissions
Can create and manage all aspects of app registrations and enterprise apps.
microsoft.directory/Application/appProxyAuthentication/up Update App Proxy authentication properties on service

date principals in Azure Active Directory.
microsoft.directory/Application/appProxyUrlSettings/update Update application proxy internal and external URLS in

microsoft.directory/applications/applicationProxy/read Read all of App Proxy properties.
microsoft.directory/applications/applicationProxy/update Update all of App Proxy properties.

Directory.

Directory.

Directory.
microsoft.directory/applications/create Create applications in Azure Active Directory.

Directory.

Directory.

Directory.

Directory.
microsoft.directory/appRoleAssignments/create Create appRoleAssignments in Azure Active Directory.
microsoft.directory/appRoleAssignments/read Read appRoleAssignments in Azure Active Directory.
microsoft.directory/appRoleAssignments/update Update appRoleAssignments in Azure Active Directory.
microsoft.directory/appRoleAssignments/delete Delete appRoleAssignments in Azure Active Directory.

microsoft.directory/connectorGroups/allProperties/read Read application proxy connector group properties in Azure

Active Directory.
microsoft.directory/connectorGroups/allProperties/update Update all application proxy connector group properties in

microsoft.directory/connectorGroups/create Create application proxy connector groups in Azure Active

Directory.
microsoft.directory/connectorGroups/delete Delete application proxy connector groups in Azure Active

Directory.
microsoft.directory/connectors/allProperties/read Read all application proxy connector properties in Azure

Active Directory.
microsoft.directory/connectors/create Create application proxy connectors in Azure Active

Directory.
microsoft.directory/policies/applicationConfiguration/basic/r Read policies.applicationConfiguration property in Azure

ead Active Directory.
microsoft.directory/policies/applicationConfiguration/basic/u Update policies.applicationConfiguration property in Azure

pdate Active Directory.
microsoft.directory/policies/applicationConfiguration/create Create policies in Azure Active Directory.
microsoft.directory/policies/applicationConfiguration/delete Delete policies in Azure Active Directory.
microsoft.directory/policies/applicationConfiguration/owners Read policies.applicationConfiguration property in Azure

/read Active Directory.
microsoft.directory/policies/applicationConfiguration/owners Update policies.applicationConfiguration property in Azure

/update Active Directory.
microsoft.directory/policies/applicationConfiguration/policyA Read policies.applicationConfiguration property in Azure

ppliedTo/read Active Directory.

microsoft.directory/servicePrincipals/appRoleAssignments/u Update servicePrincipals.appRoleAssignments property in

pdate Azure Active Directory.

Directory.

Active Directory.

Directory.
microsoft.directory/servicePrincipals/create Create servicePrincipals in Azure Active Directory.


Active Directory.

Directory.

Active Directory.

Directory.

microsoft.azure.serviceHealth/allEntities/allTasks Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks Create and manage Azure support tickets.
microsoft.office365.serviceHealth/allEntities/allTasks Read and configure Office 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks Create and manage Office 365 support tickets.
Application Developer permissions

Can create application registrations independent of the 'Users can register applications' setting.
microsoft.directory/applications/createAsOwner Create applications in Azure Active Directory. Creator is

added as the first owner, and the created object counts
against the creator's 250 created objects quota.
microsoft.directory/appRoleAssignments/createAsOwner Create appRoleAssignments in Azure Active Directory.

Creator is added as the first owner, and the created object
counts against the creator's 250 created objects quota.
microsoft.directory/oAuth2PermissionGrants/createAsOwne Create oAuth2PermissionGrants in Azure Active Directory.

r Creator is added as the first owner, and the created object
counts against the creator's 250 created objects quota.
microsoft.directory/servicePrincipals/createAsOwner Create servicePrincipals in Azure Active Directory. Creator is

added as the first owner, and the created object counts
against the creator's 250 created objects quota.
Authentication Administrator permissions

Allowed to view, set and reset authentication method information for any non-admin user.
microsoft.directory/users/invalidateAllRefreshTokens Invalidate all user refresh tokens in Azure Active Directory.

microsoft.directory/users/strongAuthentication/update Update strong authentication properties like MFA credential

information.
microsoft.office365.webPortal/allEntities/basic/read Read basic properties on all resources in

microsoft.office365.webPortal.
microsoft.directory/users/password/update Update passwords for all users in the Office 365

organization. See online documentation for more detail.
Azure DevOps Administrator permissions

Can manage Azure DevOps organization policy and settings.
NOTE
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
microsoft.azure.devOps/allEntities/allTasks Read and configure Azure DevOps.
Azure Information Protection Administrator permissions

Can manage all aspects of the Azure Information Protection service.
NOTE
microsoft.azure.informationProtection/allEntities/allTasks Manage all aspects of Azure Information Protection.
B2C IEF Keyset Administrator permissions

Manage secrets for federation and encryption in the Identity Experience Framework.
microsoft.aad.b2c/trustFramework/keySets/allTasks Read and configure key sets in Azure Active Directory B2C.
B2C IEF Policy Administrator permissions

Create and manage trust framework policies in the Identity Experience Framework.
microsoft.aad.b2c/trustFramework/policies/allTasks Read and configure custom policies in Azure Active

Directory B2C.
Billing Administrator permissions

Can perform common billing related tasks like updating payment information.
NOTE
microsoft.directory/organization/basic/update Update basic properties on organization in Azure Active

Directory.
microsoft.commerce.billing/allEntities/allTasks Manage all aspects of billing.

Cloud Application Administrator permissions

Can create and manage all aspects of app registrations and enterprise apps except App Proxy.

Directory.

Directory.

Directory.


Directory.

Directory.

Directory.

Directory.

microsoft.directory/policies/applicationConfiguration/create Create policies in Azure Active Directory.
microsoft.directory/policies/applicationConfiguration/basic/r Read policies.applicationConfiguration property in Azure

ead Active Directory.
microsoft.directory/policies/applicationConfiguration/basic/u Update policies.applicationConfiguration property in Azure

pdate Active Directory.
microsoft.directory/policies/applicationConfiguration/delete Delete policies in Azure Active Directory.
microsoft.directory/policies/applicationConfiguration/owners Read policies.applicationConfiguration property in Azure

/read Active Directory.
microsoft.directory/policies/applicationConfiguration/owners Update policies.applicationConfiguration property in Azure

/update Active Directory.
microsoft.directory/policies/applicationConfiguration/policyA Read policies.applicationConfiguration property in Azure

ppliedTo/read Active Directory.



Directory.

Active Directory.

Directory.

Active Directory.

Directory.

Active Directory.

Directory.

Cloud Device Administrator permissions

Full access to manage devices in Azure AD.


Active Directory.
microsoft.directory/devices/delete Delete devices in Azure Active Directory.
microsoft.directory/devices/disable Disable devices in Azure Active Directory.
microsoft.directory/devices/enable Enable devices in Azure Active Directory.


Company Administrator permissions

Can manage all aspects of Azure AD and Microsoft services that use Azure AD identities. This role is also
known as the Global Administrator role.
NOTE
microsoft.aad.cloudAppSecurity/allEntities/allTasks Create and delete all resources, and read and update
standard properties in microsoft.aad.cloudAppSecurity.
microsoft.directory/administrativeUnits/allProperties/allTask Create and delete administrativeUnits, and read and update

s all properties in Azure Active Directory.
microsoft.directory/applications/allProperties/allTasks Create and delete applications, and read and update all
properties in Azure Active Directory.
microsoft.directory/appRoleAssignments/allProperties/allTas Create and delete appRoleAssignments, and read and

ks update all properties in Azure Active Directory.

microsoft.directory/contacts/allProperties/allTasks Create and delete contacts, and read and update all
microsoft.directory/contracts/allProperties/allTasks Create and delete contracts, and read and update all
microsoft.directory/devices/allProperties/allTasks Create and delete devices, and read and update all
microsoft.directory/directoryRoles/allProperties/allTasks Create and delete directoryRoles, and read and update all
microsoft.directory/directoryRoleTemplates/allProperties/allT Create and delete directoryRoleTemplates, and read and

asks update all properties in Azure Active Directory.
microsoft.directory/domains/allProperties/allTasks Create and delete domains, and read and update all
microsoft.directory/groups/allProperties/allTasks Create and delete groups, and read and update all
microsoft.directory/groupsAssignableToRoles/allProperties/u Update groups with isAssignableToRole property set to true

pdate in Azure Active Directory.
microsoft.directory/groupsAssignableToRoles/create Create groups with isAssignableToRole property set to true

in Azure Active Directory.
microsoft.directory/groupsAssignableToRoles/delete Delete groups with isAssignableToRole property set to true

microsoft.directory/groupSettings/allProperties/allTasks Create and delete groupSettings, and read and update all
microsoft.directory/groupSettingTemplates/allProperties/allT Create and delete groupSettingTemplates, and read and

asks update all properties in Azure Active Directory.
microsoft.directory/loginTenantBranding/allProperties/allTas Create and delete loginTenantBranding, and read and

ks update all properties in Azure Active Directory.
microsoft.directory/oAuth2PermissionGrants/allProperties/al Create and delete oAuth2PermissionGrants, and read and

lTasks update all properties in Azure Active Directory.
microsoft.directory/organization/allProperties/allTasks Create and delete organization, and read and update all
microsoft.directory/policies/allProperties/allTasks Create and delete policies, and read and update all
microsoft.directory/roleAssignments/allProperties/allTasks Create and delete roleAssignments, and read and update all
microsoft.directory/roleDefinitions/allProperties/allTasks Create and delete roleDefinitions, and read and update all
microsoft.directory/scopedRoleMemberships/allProperties/al Create and delete scopedRoleMemberships, and read and

lTasks update all properties in Azure Active Directory.
microsoft.directory/serviceAction/activateService Can perform the Activateservice service action in Azure

Active Directory
microsoft.directory/serviceAction/disableDirectoryFeature Can perform the Disabledirectoryfeature service action in

microsoft.directory/serviceAction/enableDirectoryFeature Can perform the Enabledirectoryfeature service action in

microsoft.directory/serviceAction/getAvailableExtentionProp Can perform the Getavailableextentionproperties service

erties action in Azure Active Directory
microsoft.directory/servicePrincipals/allProperties/allTasks Create and delete servicePrincipals, and read and update all

microsoft.directory/subscribedSkus/allProperties/allTasks Create and delete subscribedSkus, and read and update all
microsoft.directory/users/allProperties/allTasks Create and delete users, and read and update all properties
microsoft.directorySync/allEntities/allTasks Perform all actions in Azure AD Connect.
microsoft.aad.identityProtection/allEntities/allTasks Create and delete all resources, and read and update
standard properties in microsoft.aad.identityProtection.
microsoft.aad.privilegedIdentityManagement/allEntities/read Read all resources in

microsoft.aad.privilegedIdentityManagement.
microsoft.azure.advancedThreatProtection/allEntities/read Read all resources in

microsoft.azure.advancedThreatProtection.
microsoft.commerce.billing/allEntities/allTasks Manage all aspects of billing.
microsoft.intune/allEntities/allTasks Manage all aspects of Intune.
microsoft.office365.complianceManager/allEntities/allTasks Manage all aspects of Office 365 Compliance Manager
microsoft.office365.desktopAnalytics/allEntities/allTasks Manage all aspects of Desktop Analytics.
microsoft.office365.exchange/allEntities/allTasks Manage all aspects of Exchange Online.
microsoft.office365.lockbox/allEntities/allTasks Manage all aspects of Office 365 Customer Lockbox
microsoft.office365.messageCenter/messages/read Read messages in microsoft.office365.messageCenter.
microsoft.office365.messageCenter/securityMessages/read Read securityMessages in

microsoft.office365.messageCenter.
microsoft.office365.protectionCenter/allEntities/allTasks Manage all aspects of Office 365 Protection Center.
microsoft.office365.securityComplianceCenter/allEntities/allT Create and delete all resources, and read and update
asks standard properties in
microsoft.office365.securityComplianceCenter.
microsoft.office365.sharepoint/allEntities/allTasks Create and delete all resources, and read and update
standard properties in microsoft.office365.sharepoint.
microsoft.office365.skypeForBusiness/allEntities/allTasks Manage all aspects of Skype for Business Online.

microsoft.office365.usageReports/allEntities/read Read Office 365 usage reports.

microsoft.powerApps.dynamics365/allEntities/allTasks Manage all aspects of Dynamics 365.
microsoft.powerApps.powerBI/allEntities/allTasks Manage all aspects of Power BI.
microsoft.windows.defenderAdvancedThreatProtection/allEn Read all resources in

tities/read microsoft.windows.defenderAdvancedThreatProtection.
Compliance Administrator permissions

Can read and manage compliance configuration and reports in Azure AD and Office 365.
NOTE

Compliance Data Administrator permissions

Creates and manages compliance content.
NOTE
microsoft.directory.cloudAppSecurity/allEntities/allTasks Read and configure Microsoft Cloud App Security.


Conditional Access Administrator permissions

Can manage Conditional Access capabilities.
microsoft.directory/policies/conditionalAccess/basic/read Read policies.conditionalAccess property in Azure Active

Directory.
microsoft.directory/policies/conditionalAccess/basic/update Update policies.conditionalAccess property in Azure Active

Directory.
microsoft.directory/policies/conditionalAccess/create Create policies in Azure Active Directory.
microsoft.directory/policies/conditionalAccess/delete Delete policies in Azure Active Directory.
microsoft.directory/policies/conditionalAccess/owners/read Read policies.conditionalAccess property in Azure Active

Directory.
microsoft.directory/policies/conditionalAccess/owners/updat Update policies.conditionalAccess property in Azure Active

e Directory.
microsoft.directory/policies/conditionalAccess/policiesApplie Read policies.conditionalAccess property in Azure Active

dTo/read Directory.
microsoft.directory/policies/conditionalAccess/tenantDefault Update policies.conditionalAccess property in Azure Active

/update Directory.
CRM Service Administrator permissions

Can manage all aspects of the Dynamics 365 product.
NOTE

microsoft.powerApps.dynamics365/allEntities/allTasks Manage all aspects of Dynamics 365.

Customer LockBox Access Approver permissions

Can approve Microsoft support requests to access customer organizational data.
NOTE

microsoft.office365.lockbox/allEntities/allTasks Manage all aspects of Office 365 Customer Lockbox
Desktop Analytics Administrator permissions

Can manage the Desktop Analytics and Office Customization & Policy services. For Desktop Analytics, this
includes the ability to view asset inventory, create deployment plans, view deployment and health status. For
Office Customization & Policy service, this role enables users to manage Office policies.
NOTE

microsoft.office365.desktopAnalytics/allEntities/allTasks Manage all aspects of Desktop Analytics.
Device Administrators permissions

Users assigned to this role are added to the local administrators group on Azure AD-joined devices.
microsoft.directory/groupSettings/basic/read Read basic properties on groupSettings in Azure Active

Directory.
microsoft.directory/groupSettingTemplates/basic/read Read basic properties on groupSettingTemplates in Azure

Active Directory.
Directory Readers permissions

Can read basic directory information. For granting access to applications, not intended for users.
microsoft.directory/administrativeUnits/basic/read Read basic properties on administrativeUnits in Azure Active

Directory.
microsoft.directory/administrativeUnits/members/read Read administrativeUnits.members property in Azure Active

Directory.
microsoft.directory/applications/basic/read Read basic properties on applications in Azure Active

Directory.
microsoft.directory/applications/owners/read Read applications.owners property in Azure Active

Directory.
microsoft.directory/applications/policies/read Read applications.policies property in Azure Active

Directory.
microsoft.directory/contacts/basic/read Read basic properties on contacts in Azure Active Directory.
microsoft.directory/contacts/memberOf/read Read contacts.memberOf property in Azure Active

Directory.
microsoft.directory/contracts/basic/read Read basic properties on contracts in Azure Active

Directory.
microsoft.directory/devices/basic/read Read basic properties on devices in Azure Active Directory.
microsoft.directory/devices/memberOf/read Read devices.memberOf property in Azure Active Directory.
microsoft.directory/devices/registeredOwners/read Read devices.registeredOwners property in Azure Active

Directory.
microsoft.directory/devices/registeredUsers/read Read devices.registeredUsers property in Azure Active

Directory.
microsoft.directory/directoryRoles/basic/read Read basic properties on directoryRoles in Azure Active

Directory.
microsoft.directory/directoryRoles/eligibleMembers/read Read directoryRoles.eligibleMembers property in Azure

Active Directory.
microsoft.directory/directoryRoles/members/read Read directoryRoles.members property in Azure Active

Directory.
microsoft.directory/domains/basic/read Read basic properties on domains in Azure Active Directory.
microsoft.directory/groups/appRoleAssignments/read Read groups.appRoleAssignments property in Azure Active

Directory.
microsoft.directory/groups/basic/read Read basic properties on groups in Azure Active Directory.
microsoft.directory/groups/memberOf/read Read groups.memberOf property in Azure Active Directory.
microsoft.directory/groups/members/read Read groups.members property in Azure Active Directory.
microsoft.directory/groups/owners/read Read groups.owners property in Azure Active Directory.
microsoft.directory/groups/settings/read Read groups.settings property in Azure Active Directory.

Directory.

Active Directory.
microsoft.directory/oAuth2PermissionGrants/basic/read Read basic properties on oAuth2PermissionGrants in Azure

Active Directory.
microsoft.directory/organization/basic/read Read basic properties on organization in Azure Active

Directory.
microsoft.directory/organization/trustedCAsForPasswordles Read organization.trustedCAsForPasswordlessAuth property

sAuth/read in Azure Active Directory.
microsoft.directory/roleAssignments/basic/read Read basic properties on roleAssignments in Azure Active

Directory.
microsoft.directory/roleDefinitions/basic/read Read basic properties on roleDefinitions in Azure Active

Directory.
microsoft.directory/servicePrincipals/appRoleAssignedTo/rea Read servicePrincipals.appRoleAssignedTo property in Azure

d Active Directory.
microsoft.directory/servicePrincipals/appRoleAssignments/re Read servicePrincipals.appRoleAssignments property in

ad Azure Active Directory.
microsoft.directory/servicePrincipals/basic/read Read basic properties on servicePrincipals in Azure Active

Directory.
microsoft.directory/servicePrincipals/memberOf/read Read servicePrincipals.memberOf property in Azure Active

Directory.
microsoft.directory/servicePrincipals/oAuth2PermissionGran Read servicePrincipals.oAuth2PermissionGrants property in

ts/basic/read Azure Active Directory.
microsoft.directory/servicePrincipals/ownedObjects/read Read servicePrincipals.ownedObjects property in Azure

Active Directory.
microsoft.directory/servicePrincipals/owners/read Read servicePrincipals.owners property in Azure Active

Directory.
microsoft.directory/servicePrincipals/policies/read Read servicePrincipals.policies property in Azure Active

Directory.
microsoft.directory/subscribedSkus/basic/read Read basic properties on subscribedSkus in Azure Active

Directory.
microsoft.directory/users/appRoleAssignments/read Read users.appRoleAssignments property in Azure Active

Directory.
microsoft.directory/users/basic/read Read basic properties on users in Azure Active Directory.
microsoft.directory/users/directReports/read Read users.directReports property in Azure Active Directory.
microsoft.directory/users/manager/read Read users.manager property in Azure Active Directory.
microsoft.directory/users/memberOf/read Read users.memberOf property in Azure Active Directory.
microsoft.directory/users/oAuth2PermissionGrants/basic/re Read users.oAuth2PermissionGrants property in Azure

ad Active Directory.
microsoft.directory/users/ownedDevices/read Read users.ownedDevices property in Azure Active

Directory.
microsoft.directory/users/ownedObjects/read Read users.ownedObjects property in Azure Active

Directory.
microsoft.directory/users/registeredDevices/read Read users.registeredDevices property in Azure Active

Directory.
Directory Synchronization Accounts permissions

Only used by Azure AD Connect service.
microsoft.directory/organization/dirSync/update Update organization.dirSync property in Azure Active

Directory.
microsoft.directory/policies/create Create policies in Azure Active Directory.
microsoft.directory/policies/basic/read Read basic properties on policies in Azure Active Directory.

Directory.
microsoft.directory/policies/owners/read Read policies.owners property in Azure Active Directory.

microsoft.directory/policies/policiesAppliedTo/read Read policies.policiesAppliedTo property in Azure Active

Directory.
microsoft.directory/policies/tenantDefault/update Update policies.tenantDefault property in Azure Active

Directory.

d Active Directory.




Directory.

Active Directory.

Directory.

Directory.

Active Directory.

Directory.


Directory.

Directory.

Active Directory.

Active Directory.

Directory.

Directory.
microsoft.directorySync/allEntities/allTasks Perform all actions in Azure AD Connect.
Directory Writers permissions

Can read & write basic directory information. For granting access to applications, not intended for users.

Active Directory.
microsoft.directory/groups/assignLicense Manage licenses on groups in Azure Active Directory.

Directory.
microsoft.directory/groups/classification/update Update classification property of the group in Azure Active

Directory.
microsoft.directory/groups/create Create groups in Azure Active Directory.
microsoft.directory/groups/groupType/update Update the groupType property of a group in Azure Active

Directory.

Directory.
microsoft.directory/groups/reprocessLicenseAssignment Reprocess license assignments for a group in Azure Active

Directory.
microsoft.directory/groups/securityEnabled/update Update the secutiryEnabled property of a group in Azure

Active Directory.
microsoft.directory/groups/visibility/update Update visibility property of the group
microsoft.directory/groupSettings/basic/update Update basic properties on groupSettings in Azure Active

Directory.
microsoft.directory/groupSettings/create Create groupSettings in Azure Active Directory..
microsoft.directory/groupSettings/delete Delete groupSettings in Azure Active Directory.

microsoft.directory/oAuth2PermissionGrants/basic/update Update basic properties of oAuth2PermissionGrants in

microsoft.directory/oAuth2PermissionGrants/create Create oAuth2PermissionGrants in Azure Active Directory.
microsoft.directory/servicePrincipals/synchronizationCredent Manage application provisioning secrets and credentials.

ials/manage
microsoft.directory/servicePrincipals/synchronizationJobs/m Start, restart, and pause application provisioning

anage synchronization jobs.
microsoft.directory/servicePrincipals/synchronizationSchema Create and manage application provisioning syncronization

/manage jobs and schema.
microsoft.directory/users/appRoleAssignments/update Update users.appRoleAssignments property in Azure Active

Directory.
microsoft.directory/users/assignLicense Manage licenses on users in Azure Active Directory.
microsoft.directory/users/basic/update Update basic properties on users in Azure Active Directory.
microsoft.directory/users/disable Disable a user account in Azure Active Directory.
microsoft.directory/users/enable Enable a user account in Azure Active Directory
microsoft.directory/users/invalidateAllRefreshTokens Invalidate all user refresh tokens in Azure Active Directory,

requiring users to re-authenticate on their next sign-in
microsoft.directory/users/manager/update Update users.manager property in Azure Active Directory.
microsoft.directory/users/reprocessLicenseAssignment Reprocess license assignments for a user in Azure Active

Directory.
microsoft.directory/users/userPrincipalName /update Update the users.userPrincipalName property in Azure

Active Directory.
Exchange Service Administrator permissions

Can manage all aspects of the Exchange product.
NOTE
microsoft.directory/groups/unified/appRoleAssignments/up Update groups.unified property in Azure Active Directory.

date
microsoft.directory/groups/unified/basic/update Update basic properties of Microsoft 365 groups.
microsoft.directory/groups/unified/create Create Microsoft 365 groups.
microsoft.directory/groups/unified/delete Delete Microsoft 365 groups.
microsoft.directory/groups/unified/members/update Update membership of Microsoft 365 groups.
microsoft.directory/groups/unified/owners/update Update ownership of Microsoft 365 groups.
microsoft.office365.exchange/allEntities/allTasks Manage all aspects of Exchange Online.
microsoft.office365.network/performance/allProperties/read Read network performance pages in M365 Admin Center.

External Id User Flow Administrator permissions

Create and manage all aspects of user flows.
microsoft.aad.b2c/userFlows/allTasks Read and configure user flows in Azure Active Directory

B2C.
External Id User Flow Attribute Administrator permissions

Create and manage the attribute schema available to all user flows.
microsoft.aad.b2c/userAttributes/allTasks Read and configure user attributes in Azure Active

Directory B2C.
External Identity Provider Administrator permissions

Configure identity providers for use in direct federation.
microsoft.aad.b2c/identityProviders/allTasks Read and configure identity providers in Azure Active

Directory B2C.
Global Reader permissions

Can read everything that a Global Administrator can, but not edit anything.
NOTE
microsoft.commerce.billing/allEntities/read Read all aspects of billing.
microsoft.directory/administrativeUnits/basic/read Read basic properties on administrativeUnits in Azure Active

Directory.
microsoft.directory/administrativeUnits/members/read Read administrativeUnits.members property in Azure Active

Directory.
microsoft.directory/applications/basic/read Read basic properties on applications in Azure Active

Directory.
microsoft.directory/applications/owners/read Read applications.owners property in Azure Active

Directory.
microsoft.directory/applications/policies/read Read applications.policies property in Azure Active

Directory.
microsoft.directory/contacts/basic/read Read basic properties on contacts in Azure Active Directory.
microsoft.directory/contacts/memberOf/read Read contacts.memberOf property in Azure Active

Directory.
microsoft.directory/contracts/basic/read Read basic properties on contracts in Azure Active

Directory.
microsoft.directory/devices/basic/read Read basic properties on devices in Azure Active Directory.
microsoft.directory/devices/memberOf/read Read devices.memberOf property in Azure Active Directory.
microsoft.directory/devices/registeredOwners/read Read devices.registeredOwners property in Azure Active

Directory.
microsoft.directory/devices/registeredUsers/read Read devices.registeredUsers property in Azure Active

Directory.
microsoft.directory/directoryRoles/basic/read Read basic properties on directoryRoles in Azure Active

Directory.
microsoft.directory/directoryRoles/eligibleMembers/read Read directoryRoles.eligibleMembers property in Azure

Active Directory.
microsoft.directory/directoryRoles/members/read Read directoryRoles.members property in Azure Active

Directory.
microsoft.directory/domains/basic/read Read basic properties on domains in Azure Active Directory.
microsoft.directory/groups/appRoleAssignments/read Read groups.appRoleAssignments property in Azure Active

Directory.
microsoft.directory/groups/basic/read Read basic properties on groups in Azure Active Directory.
microsoft.directory/groups/hiddenMembers/read Read groups.hiddenMembers property in Azure Active

Directory.
microsoft.directory/groups/memberOf/read Read groups.memberOf property in Azure Active Directory.
microsoft.directory/groups/members/read Read groups.members property in Azure Active Directory.
microsoft.directory/groups/owners/read Read groups.owners property in Azure Active Directory.
microsoft.directory/groups/settings/read Read groups.settings property in Azure Active Directory.

Directory.

Active Directory.
microsoft.directory/oAuth2PermissionGrants/basic/read Read basic properties on oAuth2PermissionGrants in Azure

Active Directory.
microsoft.directory/organization/basic/read Read basic properties on organization in Azure Active

Directory.
microsoft.directory/organization/trustedCAsForPasswordles Read organization.trustedCAsForPasswordlessAuth property

sAuth/read in Azure Active Directory.
microsoft.directory/policies/standard/read Read standard policies in Azure Active Directory.
microsoft.directory/roleAssignments/basic/read Read basic properties on roleAssignments in Azure Active

Directory.
microsoft.directory/roleDefinitions/basic/read Read basic properties on roleDefinitions in Azure Active

Directory.

d Active Directory.


Directory.

Directory.


Active Directory.

Directory.

Directory.

microsoft.directory/subscribedSkus/basic/read Read basic properties on subscribedSkus in Azure Active

Directory.

Directory.


Directory.

Directory.

Directory.
microsoft.directory/users/strongAuthentication/read Read strong authentication properties like MFA credential

information.
microsoft.office365.exchange/allEntities/read Read all aspects of Exchange Online.

microsoft.office365.protectionCenter/allEntities/read Read all aspects of Office 365 Protection Center.
microsoft.office365.securityComplianceCenter/allEntities/rea Read all standard properties in

d microsoft.office365.securityComplianceCenter.
microsoft.office365.webPortal/allEntities/standard/read Read standard properties on all resources in

Groups Administrator permissions

Can manage all aspects of groups and group settings like naming and expiration policies.
microsoft.directory/groups/basic/read Read standard properties on Groups in Azure Active

Directory.

Directory.
microsoft.directory/groups/createAsOwner Create groups in Azure Active Directory. Creator is added as

the first owner, and the created object counts against the
creator's 250 created objects quota.

Directory.

Directory.
Guest Inviter permissions

Can invite guest users independent of the 'members can invite guests' setting.

Directory.
microsoft.directory/users/inviteGuest Invite guest users in Azure Active Directory.


Directory.

Directory.

Directory.
Helpdesk Administrator permissions

Can reset passwords for non-administrators and Helpdesk Administrators.

Active Directory.
microsoft.directory/users/password/update Update passwords for all users in Azure Active Directory.

See online documentation for more detail.

Hybrid Identity Administrator permissions

Enable, deploy, configure, manage, monitor and troubleshoot cloud provisioning and authentication services.

Directory.

Directory.

Directory.

Directory.

Directory.

Directory.

Directory.
microsoft.directory/applicationTemplates/instantiate Instantiate gallery applications from application templates.

microsoft.directory/cloudProvisioning/allProperties/allTasks Read and configure all properties of Azure AD Cloud

Provisioning service.
microsoft.directory/federatedAuthentication/allProperties/all Manage all aspects of Active Directory Federated Services

Tasks (ADFS) or 3rd party federation provider in Azure AD.
microsoft.directory/organization/dirSync/update Update organization.dirSync property in Azure Active

Directory.
microsoft.directory/passwordHashSync/allProperties/allTasks Manage all aspects of Password Hash Sync (PHS) in Azure

AD.
microsoft.directory/passThroughAuthentication/allPropertie Manage all aspects of Pass-through Authentication (PTA) in

s/allTasks Azure AD.
microsoft.directory/seamlessSSO/allProperties/allTasks Manage all aspects of seamless single sign-on (SSO) in

Azure AD.

Directory.

Active Directory.

Directory.

Active Directory.

Directory.

Active Directory.

Directory.
microsoft.directory/servicePrincipals/synchronizationJobs/m Manage all aspects of synchronization jobs in Azure AD.

anage
microsoft.directory/servicePrincipals/synchronizationSchema Manage all aspects of synchronization schema in Azure AD.

/manage
microsoft.directory/servicePrincipals/synchronizationCredent Manage all aspects of synchronization credentials in Azure

ials/manage AD.
microsoft.directory/servicePrincipals/tag/update Update servicePrincipals.tag property in Azure Active

Directory.

Insights Administrator permissions

Has sdministrative access in the M365 Insights app.

microsoft.insights/allEntities/allTasks Manage all aspects of Insights.

Insights Business Leader permissions

Can view and share dashboards and insights via the M365 Insights app.
microsoft.insights/reports/read View reports and dashboard in Insights app.
microsoft.insights/programs/update Deploy and manage programs in Insights app.
Intune Service Administrator permissions

Can manage all aspects of the Intune product.
NOTE
microsoft.directory/contacts/basic/update Update basic properties on contacts in Azure Active

Directory.
microsoft.directory/contacts/create Create contacts in Azure Active Directory.
microsoft.directory/contacts/delete Delete contacts in Azure Active Directory.
microsoft.directory/devices/basic/update Update basic properties on devices in Azure Active

Directory.

Active Directory.
microsoft.directory/devices/create Create devices in Azure Active Directory.
microsoft.directory/devices/delete Delete devices in Azure Active Directory.
microsoft.directory/devices/registeredOwners/update Update devices.registeredOwners property in Azure Active

Directory.
microsoft.directory/devices/registeredUsers/update Update devices.registeredUsers property in Azure Active

Directory.

Active Directory.

Directory.


Directory.

Directory.

Directory.

Kaizala Administrator permissions

Can manage settings for Microsoft Kaizala.
NOTE
microsoft.office365.webPortal/allEntities/basic/read Read Office 365 admin center.
License Administrator permissions

Can manage product licenses on users and groups.
microsoft.directory/users/usageLocation/update Update users.usageLocation property in Azure Active

Directory.

Lync Service Administrator permissions

Can manage all aspects of the Skype for Business product.
NOTE
microsoft.office365.skypeForBusiness/allEntities/allTasks Manage all aspects of Skype for Business Online.

Message Center Privacy Reader permissions

Can read Message Center posts, data privacy messages, groups, domains and subscriptions.
NOTE


Message Center Reader permissions

Can read messages and updates for their organization in Office 365 Message Center only.
NOTE

Modern Commerce User permissions

Can manage commercial purchases for a company, department or team.
NOTE
microsoft.commerce.billing/partners/read Read partner property of O365 Billing.
microsoft.commerce.volumeLicenseServiceCenter/allEntities/ Manage all aspects of Volume Licensing Service Center.

allTasks
microsoft.office365.supportTickets/allEntities/allTasks Create and view own Office 365 support tickets.

Network Administrator permissions

Can manage network locations and review enterprise network design insights for Microsoft 365 Software as a
Service applications.
NOTE
microsoft.office365.network/locations/allProperties/allTasks Read and configure network locations properties for each

location.
Office Apps Administrator permissions

Can manage Office apps' cloud services, including policy and settings management, and manage the ability to
select, unselect and publish "what's new" feature content to end-user's devices.
NOTE
microsoft.office365.userCommunication/allEntities/allTasks Read and update What's New messages visibility.

Partner Tier1 Support permissions

Do not use - not intended for general use.
NOTE

Directory.



Directory.

Directory.
microsoft.directory/users/delete Delete users in Azure Active Directory.

microsoft.directory/users/restore Restore deleted users in Azure Active Directory.
microsoft.directory/users/userPrincipalName/update Update users.userPrincipalName property in Azure Active

Directory.

Partner Tier2 Support permissions

Do not use - not intended for general use.
NOTE

Directory.
microsoft.directory/domains/allTasks Create and delete domains, and read and update standard

Directory.
microsoft.directory/organization/basic/update Update basic properties on organization in Azure Active

Directory.

Directory.


Directory.


Password Administrator permissions

Can reset passwords for non-administrators and Password administrators.


Power BI Service Administrator permissions

Can manage all aspects of the Power BI product.
NOTE
microsoft.powerApps.powerBI/allEntities/allTasks Manage all aspects of Power BI.

Power Platform Administrator permissions

Can create and manage all aspects of Microsoft Dynamics 365, PowerApps and Microsoft Flow.
NOTE
microsoft.dynamics365/allEntities/allTasks Manage all aspects of Dynamics 365.

microsoft.flow/allEntities/allTasks Manage all aspects of Microsoft Flow.
microsoft.powerApps/allEntities/allTasks Manage all aspects of PowerApps.

Printer Administrator permissions

Can manage all aspects of printers and printer connectors.
NOTE
microsoft.azure.print/allEntities/allProperties/allTasks Create and delete printers and connectors, and read and
update all properties in Microsoft Print.
Printer Technician permissions

Can register and unregister printers and update printer status.
NOTE
microsoft.azure.print/connectors/allProperties/read Read all properties of connectors in Microsoft Print.
microsoft.azure.print/printers/allProperties/read Read all properties of printers in Microsoft Print.
microsoft.azure.print/printers/basic/update Update basic properties of printers in Microsoft Print.
microsoft.azure.print/printers/register Register printers in Microsoft Print.
microsoft.azure.print/printers/unregister Unregister printers in Microsoft Print.
Privileged Authentication Administrator permissions

Allowed to view, set and reset authentication method information for any user (admin or non-admin).

microsoft.directory/users/strongAuthentication/update Update strong authentication properties like MFA credential

information.

microsoft.directory/users/password/update Update passwords for all users in the Office 365

organization. See online documentation for more detail.
Privileged Role Administrator permissions

Can manage role assignments in Azure AD,and all aspects of Privileged Identity Management.
NOTE
microsoft.directory/groupsAssignableToRoles/allProperties/u Update groups with isAssignableToRole property set to true

pdate in Azure Active Directory.
microsoft.directory/groupsAssignableToRoles/create Create groups with isAssignableToRole property set to true

microsoft.directory/groupsAssignableToRoles/delete Delete groups with isAssignableToRole property set to true

microsoft.directory/privilegedIdentityManagement/allEntitie Create and delete all resources, and read and update
s/allTasks standard properties in
microsoft.directory/servicePrincipals/appRoleAssignedTo/allT Read and configure servicePrincipals.appRoleAssignedTo

asks property in Azure Active Directory.
microsoft.directory/servicePrincipals/oAuth2PermissionGran Read and configure

ts/allTasks servicePrincipals.oAuth2PermissionGrants property in Azure
Active Directory.
microsoft.directory/administrativeUnits/allProperties/allTask Create and manage administrative units (including

s members)
microsoft.directory/roleAssignments/allProperties/allTasks Create and manage role assignments.

microsoft.directory/roleDefinitions/allProperties/allTasks Create and manage role definitions.
Reports Reader permissions

Can read sign-in and audit reports.
NOTE


Search Administrator permissions

Can create and manage all aspects of Microsoft Search settings.
NOTE
microsoft.office365.search/allEntities/allProperties/allTasks Create and delete all resources, and read and update all
properties in microsoft.office365.search.

Search Editor permissions

Can create and manage the editorial content such as bookmarks, Q and As, locations, floorplan.
NOTE
microsoft.office365.search/content/allProperties/allTasks Create and delete content, and read and update all
properties in microsoft.office365.search.
Security Administrator permissions

Can read security information and reports,and manage configuration in Azure AD and Office 365.
NOTE

Directory.


Active Directory.
microsoft.directory/identityProtection/allProperties/read Read all resources in microsoft.aad.identityProtection.
microsoft.directory/identityProtection/allProperties/update Update all resources in microsoft.aad.identityProtection.

Directory.
microsoft.directory/policies/create Create policies in Azure Active Directory.
microsoft.directory/policies/tenantDefault/update Update policies.tenantDefault property in Azure Active

Directory.
microsoft.directory/privilegedIdentityManagement/allProper Read all resources in

ties/read microsoft.aad.privilegedIdentityManagement.

Directory.

microsoft.office365.protectionCenter/allEntities/update Update all resources in microsoft.office365.protectionCenter.

Security Operator permissions

Creates and manages security events.
NOTE
microsoft.azure.advancedThreatProtection/allEntities/read Read and configure Azure AD Advanced Threat Protection.
microsoft.directory/cloudAppSecurity/allProperties/allTasks Read and configure Microsoft Cloud App Security.
microsoft.directory/identityProtection/allProperties/read Read all resources in microsoft.aad.identityProtection.
microsoft.directory/privilegedIdentityManagement/allProper Read all resources in

ties/read microsoft.aad.privilegedIdentityManagement.
microsoft.office365.securityComplianceCenter/allEntities/allT Read and configure Security & Compliance Center.

asks
microsoft.windows.defenderAdvancedThreatProtection/allEn Read and configure Windows Defender Advanced Threat

tities/read Protection.
Security Reader permissions

Can read security information and reports in Azure AD and Office 365.
NOTE


Active Directory.
microsoft.directory/policies/conditionalAccess/basic/read Read policies.conditionalAccess property in Azure Active

Directory.

microsoft.aad.identityProtection/allEntities/read Read all resources in microsoft.aad.identityProtection.
microsoft.aad.privilegedIdentityManagement/allEntities/read Read all resources in


Service Support Administrator permissions

Can read service health information and manage support tickets.
NOTE

SharePoint Service Administrator permissions

Can manage all aspects of the SharePoint service.
NOTE

date
microsoft.office365.sharepoint/allEntities/allTasks Create and delete all resources, and read and update
standard properties in microsoft.office365.sharepoint.

Teams Communications Administrator permissions

Can manage calling and meetings features within the Microsoft Teams service.
NOTE


microsoft.teams/meetings/allProperties/allTasks Manage meetings, including meeting policies,

configurations, and conference bridges.
microsoft.teams/voice/allProperties/allTasks Manage voice, including calling policies and phone number

inventory and assignment.
microsoft.teams/callQuality/allProperties/read Read all data in Call Quality Dashboard (CQD).
Teams Communications Support Engineer permissions

Can troubleshoot communications issues within Teams using advanced tools.
NOTE

microsoft.teams/callQuality/allProperties/read Read all data in Call Quality Dashboard (CQD).
Teams Communications Support Specialist permissions

Can troubleshoot communications issues within Teams using basic tools.
NOTE

microsoft.teams/callQuality/basic/read Read basic data in Call Quality Dashboard (CQD).
Teams Devices Administrator permissions

Can perform management related tasks on Teams certified devices.
NOTE

microsoft.teams/devices/basic/read Manage all aspects of Teams-certified devices including

configuration policies.
Teams Service Administrator permissions

Can manage the Microsoft Teams service.
NOTE

Directory.

date


microsoft.teams/allEntities/allProperties/allTasks Manage all resources in Teams.
User Administrator permissions

Can manage all aspects of users and groups, including resetting passwords for limited admins.

Directory.

Active Directory.

Directory.


Directory.

Directory.


Directory.
microsoft.directory/users/create Create users in Azure Active Directory.


Directory.

Role template IDs

Role template IDs are used mainly by the Microsoft Graph API or PowerShell users.
GRA P H DISP L AY N A M E A Z URE P O RTA L DISP L AY N A M E DIREC TO RY RO L ET EM P L AT EID
Application Administrator Application administrator 9B895D92-2CD3-44C7-9D02-

A6AC2D5EA5C3
Application Developer Application developer CF1C38E5-3621-4004-A7CB-

879624DCED7C
Authentication Administrator Authentication administrator c4e39bd9-1100-46d3-8c65-

fb160da0071f
Azure DevOps Administrator Azure DevOps administrator e3973bdf-4987-49ae-837a-

ba8e231c7286
Azure Information Protection Azure Information Protection 7495fdc4-34c4-4d15-a289-

Administrator administrator 98788ce399fd
B2C IEF Keyset Administrator B2C IEF Keyset Administrator aaf43236-0c0d-4d5f-883a-

6955382ac081
B2C IEF Policy Administrator B2C IEF Policy Administrator 3edaf663-341e-4475-9f94-

5c398ef6c070
Billing Administrator Billing administrator b0f54661-2d74-4c50-afa3-

1ec803f12efe
Cloud Application Administrator Cloud application administrator 158c047a-c907-4556-b7ef-

446551a6b5f7
Cloud Device Administrator Cloud device administrator 7698a772-787b-4ac8-901f-

60d6b08affd2
Company Administrator Global administrator 62e90394-69f5-4237-9190-

012177145e10
Compliance Administrator Compliance administrator 17315797-102d-40b4-93e0-

432062caca18
Compliance Data Administrator Compliance data administrator e6d1a23a-da11-4be4-9570-

befc86d067a7
Conditional Access Administrator Conditional Access administrator b1be1c3e-b65d-4f19-8427-

f6fa0d97feb9
CRM Service Administrator Dynamics 365 administrator 44367163-eba1-44c3-98af-

f5787879f96a
Customer LockBox Access Approver Customer Lockbox access approver 5c4f9dcd-47dc-4cf7-8c9a-

9e4207cbfc91
Desktop Analytics Administrator Desktop Analytics Administrator 38a96431-2bdf-4b4c-8b6e-

5d3d8abac1a4
Device Administrators Device administrators 9f06204d-73c1-4d4c-880a-

6edb90606fd8
Device Join Deprecated 9c094953-4995-41c8-84c8-

3ebb9b32c93f
Device Managers Deprecated 2b499bcd-da44-4968-8aec-

78e1674fa64d
Device Users Deprecated d405c6df-0af8-4e3b-95e4-

4d06e542189e
Directory Readers Directory readers 88d8e3e3-8f55-4a1e-953a-

9b9898b8876b
Directory Synchronization Accounts Not shown because it shouldn't be d29b2b05-8046-44ba-8758-

used 1e26182fcf32
Directory Writers Directory Writers 9360feb5-f418-4baa-8175-

e2a00bac4301
Exchange Service Administrator Exchange administrator 29232cdf-9323-42fd-ade2-

1d097af3e4de
External Id User flow Administrator External Id User flow Administrator 6e591065-9bad-43ed-90f3-

e9424366d2f0
External Id User Flow Attribute External Id User Flow Attribute 0f971eea-41eb-4569-a71e-

Administrator Administrator 57bb8a3eff1e
External Identity Provider External Identity Provider be2f45a1-457d-42af-a067-

Administrator Administrator 6ec1fa63bc45
Global Reader Global reader f2ef992c-3afb-46b9-b7cf-

a126ee74c451
Groups Administrator Groups administrator fdd7a751-b60b-444a-984c-

02652fe8fa1c
Guest Inviter Guest inviter 95e79109-95c0-4d8e-aee3-

d01accf2d47b
Helpdesk Administrator Helpdesk administrator 729827e3-9c14-49f7-bb1b-

9608f156bbb8
Hybrid Identity Administrator Hybrid identity administrator 8ac3fc64-6eca-42ea-9e69-

59f4c7b60eb2
Insights Administrator Insights administrator eb1f4a8d-243a-41f0-9fbd-

c7cdf6c5ef7c
Insights Business Leader Insights business leader 31e939ad-9672-4796-9c2e-

873181342d2d
Intune Service Administrator Intune administrator 3a2c62db-5318-420d-8d74-

23affee5d9d5
Kaizala Administrator Kaizala administrator 74ef975b-6605-40af-a5d2-

b9539d836353
License Administrator License administrator 4d6ac14f-3453-41d0-bef9-

a3e0c569773a
Lync Service Administrator Skype for Business administrator 75941009-915a-4869-abe7-

691bff18279e
Message Center Privacy Reader Message center privacy reader ac16e43d-7b2d-40e0-ac05-

243ff356ab5b
Message Center Reader Message center reader 790c1fb9-7f7d-4f88-86a1-

ef1f95c05c1b
Modern Commerce User Modern Commerce User d24aef57-1500-4070-84db-

2666f29cf966
Network Administrator Network administrator d37c8bed-0711-4417-ba38-

b4abe66ce4c2
Office Apps Administrator Office apps administrator 2b745bdf-0803-4d80-aa65-

822c4493daac
Partner Tier1 Support Not shown because it shouldn't be 4ba39ca4-527c-499a-b93d-

used d9b492c50246
Partner Tier2 Support Not shown because it shouldn't be e00e864a-17c5-4a4b-9c06-

used f5b95a8d5bd8
Password Administrator Password administrator 966707d0-3269-4727-9be2-

8c3a10f19b9d
Power BI Service Administrator Power BI administrator a9ea8996-122f-4c74-9520-

8edcd192826c
Power Platform Administrator Power platform administrator 11648597-926c-4cf3-9c36-

bcebb0ba8dcc
Printer Administrator Printer administrator 644ef478-e28f-4e28-b9dc-

3fdde9aa0b1f
Printer Technician Printer technician e8cef6f1-e4bd-4ea8-bc07-

4b8d950f4477
Privileged Authentication Privileged authentication 7be44c8a-adaf-4e2a-84d6-

Administrator administrator ab2649e08a13
Privileged Role Administrator Privileged role administrator e8611ab8-c189-46e8-94e1-

60213ab1f814
Reports Reader Reports reader 4a5d8f65-41da-4de4-8968-

e035b65339cf
Search Administrator Search administrator 0964bb5e-9bdb-4d7b-ac29-

58e794862a40
Search Editor Search editor 8835291a-918c-4fd7-a9ce-

faa49f0cf7d9
Security Administrator Security administrator 194ae4cb-b126-40b2-bd5b-

6091b380977d
Security Operator Security operator 5f2222b1-57c3-48ba-8ad5-

d4759f1fde6f
Security Reader Security reader 5d6b6bb7-de71-4623-b4af-

96380a352509
Service Support Administrator Service support administrator f023fd81-a637-4b56-95fd-

791ac0226033
SharePoint Service Administrator SharePoint administrator f28a1f50-f6e7-4571-818b-

6a12f2af6b6c
Teams Communications Administrator Teams Communications Administrator baf37b3a-610e-45da-9e62-

d9d1e5e8914b
Teams Communications Support Teams Communications Support f70938a0-fc10-4177-9e90-

Engineer Engineer 2178f8765737
Teams Communications Support Teams Communications Support fcf91098-03e3-41a9-b5ba-

Specialist Specialist 6f0ec8188a12
Teams Devices Administrator Teams Devices Administrator 3d762c5a-1b6c-493f-843e-

55a3b42923d4
Teams Service Administrator Teams Service Administrator 69091246-20e8-4a56-aa4d-

066075b2a7a8
User Not shown because it can't be used a0b1b346-4d3e-4e8b-98f8-

753987be4970
User Account Administrator User administrator fe930be7-5e62-47db-91af-

98c3a49a38b1
Workplace Device Join Deprecated c34f683f-4d5a-4403-affd-

6615e00e3a7f
Deprecated roles
The following roles should not be used. They have been deprecated and will be removed from Azure AD in the
future.
AdHoc License Administrator
Device Join
Device Managers
Device Users
Email Verified User Creator
Mailbox Administrator
Workplace Device Join
Roles not shown in the portal
Not every role returned by PowerShell or MS Graph API is visible in Azure portal. The following table
organizes those differences.
API NAME A Z URE P O RTA L N A M E N OT ES
Company Administrator Global Administrator Name changed for better clarity
CRM Service Administrator Dynamics 365 administrator Reflects current product branding
Device Join Deprecated Deprecated roles documentation
Device Managers Deprecated Deprecated roles documentation
Device Users Deprecated Deprecated roles documentation
Directory Synchronization Accounts Not shown because it shouldn't be Directory Synchronization Accounts
used documentation
Directory Writers Not shown because it shouldn't be Directory Writers documentation

used
Guest User Not shown because it can't be used NA
Lync Service Administrator Skype for Business administrator Reflects current product branding
Partner Tier 1 Support Not shown because it shouldn't be Partner Tier1 Support documentation
used
Partner Tier 2 Support Not shown because it shouldn't be Partner Tier2 Support documentation
used
Restricted Guest User Not shown because it can't be used NA
User Not shown because it can't be used NA
Workplace Device Join Deprecated Deprecated roles documentation
Next steps
To learn more about how to assign a user as an administrator of an Azure subscription, see Add or remove
Azure role assignments (Azure RBAC)
To learn more about how resource access is controlled in Microsoft Azure, see Understand the different
roles
For details on the relationship between subscriptions and an Azure AD tenant, or for instructions to
associate or add a subscription, see Associate or add an Azure subscription to your Azure Active Directory
tenant
View and assign administrator roles in Azure Active
Directory
You can now see and manage all the members of the administrator roles in the Azure Active Directory portal. If
you frequently manage role assignments, you will probably prefer this experience. And if you ever wondered
“What the heck do these roles really do?”, you can see a detailed list of permissions for each of the Azure AD
View all roles

1. Sign in to the Azure portal and select Azure Active Director y .
2. Select Roles and administrators to see the list of all available roles.
3. Select the ellipsis on the right of each row to see the permissions for the role. Select a role to view the users
assigned to the role. If you see something different from the following picture, read the Note in View
assignments for privileged roles to verify whether you're in Privileged Identity Management (PIM).
View my roles
It's easy to view your own permissions as well. Select Your Role on the Roles and administrators page to see
the roles that are currently assigned to you.
View assignments for privileged roles

You can select Manage in PIM for additional management capabilities. Privileged Role Administrators can
change “Permanent” (always active in the role) assignments to “Eligible” (in the role only when elevated). If you
don't have Privileged Identity Management, you can still select Manage in PIM to sign up for a trial. Privileged
Identity Management requires an Azure AD Premium P2 license plan.
If you are a Global Administrator or a Privileged Role Administrator, you can easily add or remove members, filter
the list, or select a member to see their active assigned roles.
NOTE
If you have an Azure AD premium P2 license and you already use Privileged Identity Management, all role management
tasks are performed in Privilege Identity Management and not in Azure AD.
View a user's role permissions

When you're viewing a role's members, select Description to see the complete list of permissions granted by the
role assignment. The page includes links to relevant documentation to help guide you through managing
directory roles.
Download role assignments
To download all assignments for a specific role, on the Roles and administrators page, select a role, and then
select Download role assignments . A CSV file that lists assignments at all scopes for that role is downloaded.
Assign a role
1. Sign in to the Azure portal with Global Administrator or Privileged Role Administrator permissions and
select Azure Active Director y .
2. Select Roles and administrators to see the list of all available roles.
3. Select a role to see its assignments.
4. Select Add assignments and select the roles you want to assign. You can select Manage in PIM for
additional management capabilities. If you see something different from the following picture, read the
Note in View assignments for privileged roles to verify whether you're in PIM.
Next steps
For more about roles and Administrator role assignment, see Assign administrator roles.
For default user permissions, see a comparison of default guest and member user permissions.
Custom administrator roles in Azure Active Directory
(preview)
This article describes how to understand Azure AD custom roles in Azure Active Directory (Azure AD) with roles-
based access control and resource scopes. Custom Azure AD roles surface the underlying permissions of the built-
in roles, so that you can create and organize your own custom roles. This approach allows you to grant access in a
more granular way than built-in roles, whenever they're needed. This first release of Azure AD custom roles
includes the ability to create a role to assign permissions for managing app registrations. Over time, additional
permissions for organization resources like enterprise applications, users, and devices will be added.
Additionally, Azure AD custom roles support assignments on a per-resource basis, in addition to the more
traditional organization-wide assignments. This approach gives you the ability to grant access to manage some
resources (for example, one app registration) without giving access to all resources (all app registrations).
Azure AD role-based access control is a public preview feature of Azure AD and is available with any paid Azure AD
license plan. For more information about previews, see Supplemental Terms of Use for Microsoft Azure Previews.
Understand Azure AD role-based access control

Granting permission using custom Azure AD roles is a two-step process that involves creating a custom role
definition and then assigning it using a role assignment. A custom role definition is a collection of permissions that
you add from a preset list. These permissions are the same permissions used in the built-in roles.
Once you’ve created your role definition, you can assign it to a user by creating a role assignment. A role
assignment grants the user the permissions in a role definition at a specified scope. This two-step process allows
you to create a single role definition and assign it many times at different scopes. A scope defines the set of Azure
AD resources the role member has access to. The most common scope is organization-wide (org-wide) scope. A
custom role can be assigned at org-wide scope, meaning the role member has the role permissions over all
resources in the organization. A custom role can also be assigned at an object scope. An example of an object
scope would be a single application. The same role can be assigned to one user over all applications in the
organization and then to another user with a scope of only the Contoso Expense Reports app.
Azure AD built-in and custom roles operate on concepts similar to Azure role-based access control (Azure RBAC).
The difference between these two role-based access control systems is that Azure RBAC controls access to Azure
resources such as virtual machines or storage using Azure Resource Management, and Azure AD custom roles
control access to Azure AD resources using Graph API. Both systems leverage the concept of role definitions and
role assignments.
How Azure AD determines if a user has access to a resource
The following are the high-level steps that Azure AD uses to determine if you have access to a management
resource. Use this information to troubleshoot access issues.
1. A user (or service principal) acquires a token to the Microsoft Graph or Azure AD Graph endpoint.
2. The user makes an API call to Azure Active Directory (Azure AD) via Microsoft Graph or Azure AD Graph
using the issued token.
3. Depending on the circumstance, Azure AD takes one of the following actions:
Evaluates the user’s role memberships based on the wids claim in the user’s access token.
Retrieves all the role assignments that apply for the user, either directly or via group membership, to the
resource on which the action is being taken.
4. Azure AD determines if the action in the API call is included in the roles the user has for this resource.
5. If the user doesn't have a role with the action at the requested scope, access is not granted. Otherwise access
is granted.
Role assignments
A role assignment is the object that attaches a role definition to a user at a particular scope to grant Azure AD
resource access. Access is granted by creating a role assignment, and access is revoked by removing a role
assignment. At its core, a role assignment consists of three elements:
User (an individual who has a user profile in Azure Active Directory)
Role definition
Resource scope
You can create role assignments using the Azure portal, Azure AD PowerShell, or Graph API. You can also view the
assignments for a custom role.
The following diagram shows an example of a role assignment. In this example, Chris Green has been assigned the
App registration administrator custom role at the scope of the Contoso Widget Builder app registration. The
assignment grants Chris the permissions of the App registration administrator role for only this specific app
registration.
Security principal
A security principal represents the user that is to be assigned access to Azure AD resources. A user is an individual
who has a user profile in Azure Active Directory.
Role
A role definition, or role, is a collection of permissions. A role definition lists the operations that can be performed
on Azure AD resources, such as create, read, update, and delete. There are two types of roles in Azure AD:
Built-in roles created by Microsoft that can't be changed.
Custom roles created and managed by your organization.
Scope
A scope is the restriction of permitted actions to a particular Azure AD resource as part of a role assignment. When
you assign a role, you can specify a scope that limits the administrator's access to a specific resource. For example,
if you want to grant a developer a custom role, but only to manage a specific application registration, you can
include the specific application registration as a scope in the role assignment.
NOTE
Custom roles can be assigned at directory scope and resource scoped. They cannot yet be assigned at Administrative Unit
scope. Built-in roles can can be assigned at directory scope, and in some cases, Administrative Unit scope. They cannot yet be
assigned at Azure AD resource scope.
Required license plan

Using this feature requires an Azure AD Premium P1 license. To find the right license for your requirements,
see Comparing generally available features of the Free, Basic, and Premium editions.
Next steps
Create custom role assignments using the Azure portal, Azure AD PowerShell, and Graph API
View the assignments for a custom role
Create and assign a custom role in Azure Active
Directory
This article describes how to create new custom roles in Azure Active Directory (Azure AD). For the basics of
custom roles, see the custom roles overview. The role can be assigned either at the directory-level scope or an app
registration resource scope only.
Custom roles can be created in the Roles and administrators tab on the Azure AD overview page.
Create a role in the Azure portal

Create a new custom role to grant access to manage app registrations
1. Sign in to the Azure AD admin center with Privileged role administrator or Global administrator
permissions in the Azure AD organization.
2. Select Azure Active Director y > Roles and administrators > New custom role .
3. On the Basics tab, provide a name and description for the role and then click Next .
4. On the Permissions tab, select the permissions necessary to manage basic properties and credential
properties of app registrations. For a detailed description of each permission, see Application registration
subtypes and permissions in Azure Active Directory.
a. First, enter "credentials" in the search bar and select the
microsoft.directory/applications/credentials/update permission.
b. Next, enter "basic" in the search bar, select the microsoft.directory/applications/basic/update
permission, and then click Next .
5. On the Review + create tab, review the permissions and select Create .
Your custom role will show up in the list of available roles to assign.
Create a role using PowerShell

Prepare PowerShell
First, you must download the Azure AD Preview PowerShell module.
install-module azureadpreview
---------- --------- ---- ----------------
Create the custom role

Create a new role using the following PowerShell script:
# Basic role information
$displayName = "Application Support Administrator"
$description = "Can manage basic aspects of application registrations."
# Set of permissions to grant

@(
"microsoft.directory/applications/basic/update",
"microsoft.directory/applications/credentials/update"
)

$customAdmin = New-AzureADMSRoleDefinition -RolePermissions $rolePermissions -DisplayName $displayName -
Assign the custom role using Azure AD PowerShell

Assign the role using the below PowerShell script:

$user = Get-AzureADUser -Filter "userPrincipalName eq 'cburl@f128.info'"
$roleDefinition = Get-AzureADMSRoleDefinition -Filter "displayName eq 'Application Support Administrator'"
# Get app registration and construct resource scope for assignment.

$appRegistration = Get-AzureADApplication -Filter "displayName eq 'f/128 Filter Photos'"
$resourceScope = '/' + $appRegistration.objectId

Create a role with Graph API

1. Create the role definition.
HTTP request to create a custom role definition.
POST
https://graph.microsoft.com/beta/roleManagement/directory/roleDefinitions
Body
{
"description": "Can manage basic aspects of application registrations.",
"displayName": "Application Support Administrator",
"isEnabled": true,
"templateId": "<GUID>",
"rolePermissions": [
{
"allowedResourceActions": [
"microsoft.directory/applications/basic/update",
]
}
]
}
NOTE
The "templateId": "GUID" is an optional parameter being sent in the body depending on requirement. If you have a
requirement for creating multiple different custom role with common parameters , it is best to create a template and define
a templateId . You can generate a templateId beforehand using the powershell cmdlet (New-Guid).Guid .
1. Create the role assignment.

HTTP request to create a custom role definition.
POST
https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments
Body
{
"principalId":"<GUID OF USER>",
"roleDefinitionId":"<GUID OF ROLE DEFINITION>",
"resourceScope":"/<GUID OF APPLICATION REGISTRATION>"
}
Assign a custom role scoped to a resource

Like built-in roles, custom roles are assigned by default at the default organization-wide scope to grant access
permissions over all app registrations in your organization. But unlike built-in roles, custom roles can also be
assigned at the scope of a single Azure AD resource. This allows you to give the user the permission to update
credentials and basic properties of a single app without having to create a second custom role.
1. Sign in to the Azure AD admin center with Application developer permissions in the Azure AD organization.
2. Select App registrations .
3. Select the app registration to which you are granting access to manage. You might have to select All
applications to see the complete list of app registrations in your Azure AD organization.
4. In the app registration, select Roles and administrators . If you haven't already created one, instructions
are in the preceding procedure.
5. Select the role to open the Assignments page.
6. Select Add assignment to add a user. The user will be granted any permissions over only the selected app
registration.
Next steps
View custom role assignments in Azure Active
Directory
This article describes how to view custom roles you have assigned in Azure Active Directory (Azure AD). In Azure
Active Directory (Azure AD), roles can be assigned at an organization-wide scope or with a single-application scope.
Role assignments at the organization-wide scope are added to and can be seen in the list of single application
role assignments.
Role assignments at the single application scope aren't added to and can't be seen in the list of organization-
wide scoped assignments.
View role assignments in the Azure portal

This procedure describes viewing assignments of a role with organization-wide scope.
1. Sign in to the Azure AD admin center with Privileged role administrator or Global administrator permissions
2. Select Azure Active Director y , select Roles and administrators , and then select a role to open it and
view its properties.
3. Select Assignments to view the assignments for the role.
View role assignments using Azure AD PowerShell

This section describes viewing assignments of a role with organization-wide scope. This article uses the Azure
Active Directory PowerShell Version 2 module. To view single-application scope assignments using PowerShell, you
can use the cmdlets in Assign custom roles with PowerShell.
Prepare PowerShell
First, you must download the Azure AD preview PowerShell module.
get-module azuread
---------- --------- ---- ----------------
View the assignments of a role

Example of viewing the assignments of a role.
# Fetch list of all directory roles with object ID

Get-AzureADDirectoryRole
# Fetch a specific directory role by ID

$role = Get-AzureADDirectoryRole -ObjectId "5b3fe201-fa8b-4144-b6f1-875829ff7543"
# Fetch role membership for a role

Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | Get-AzureADUser
View role assignments using Microsoft Graph API

This section describes viewing assignments of a role with organization-wide scope. To view single-application
scope assignments using Graph API, you can use the operations in Assign custom roles with Graph API.
HTTP request to get a role assignment for a given role definition.
GET
https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments&$filter=roleDefinitionId eq ‘<object-
id-or-template-id-of-role-definition>’
Response
HTTP/1.1 200 OK
{
"id":"CtRxNqwabEKgwaOCHr2CGJIiSDKQoTVJrLE9etXyrY0-1"
"principalId":"ab2e1023-bddc-4038-9ac1-ad4843e7e539",
"roleDefinitionId":"3671d40a-1aac-426c-a0c1-a3821ebd8218",
"resourceScopes":["/"]
}
View assignments of single-application scope

This section describes viewing assignments of a role with single-application scope. This feature is currently in
public preview.
2. Select App registrations , and then select the app registration to view its properties. You might have to
select All applications to see the complete list of app registrations in your Azure AD organization.
3. In the app registration, select Roles and administrators , and then select a role to view its properties.
4. Select Assignments to view the assignments for the role. Opening the assignments view from within the
app registration shows you the assignments that are scoped to this Azure AD resource.
Next steps
Assign administrator and non-administrator roles to
users with Azure Active Directory
In Azure Active Directory (Azure AD), if one of your users needs permission to manage Azure AD resources, you
must assign them to a role that provides the permissions they need. For info on which roles manage Azure
resources and which roles manage Azure AD resources, see Classic subscription administrator roles, Azure roles,
and Azure AD roles.
For more information about the available Azure AD roles, see Assigning administrator roles in Azure Active
Directory. To add users, see Add new users to Azure Active Directory.
Assign roles
A common way to assign Azure AD roles to a user is on the Assigned roles page for a user. You can also
configure the user eligibility to be elevated just-in-time into a role using Privileged Identity Management (PIM).
For more information about how to use PIM, see Privileged Identity Management.
NOTE
If you have an Azure AD Premium P2 license plan and already use PIM, all role management tasks are performed in the
Privileged Identity Management experience. This feature is currently limited to assigning only one role at a time. You can't
currently select multiple roles and assign them to a user all at once.
Assign a role to a user

1. Go to the Azure portal and sign in using a Global administrator account for the directory.
3. Select Users .
4. Search for and select the user getting the role assignment. For example, Alain Charon.
5. On the Alain Charon - Profile page, select Assigned roles .

The Alain Charon - Administrative roles page appears.
6. Select Add assignments , select the role to assign to Alain (for example, Application administrator), and
then choose Select .
The Application administrator role is assigned to Alain Charon and it appears on the Alain Charon -
Remove a role assignment

If you need to remove the role assignment from a user, you can also do that from the Alain Charon -
To remove a role assignment from a user
1. Select Azure Active Director y , select Users , and then search for and select the user getting the role
assignment removed. For example, Alain Charon.
2. Select Assigned roles , select Application administrator , and then select Remove assignment .
The Application administrator role is removed from Alain Charon and it no longer appears on the Alain
Charon - Administrative roles page.
Next steps
Add or delete users
Add guest users from another directory
Other user management tasks you can check out are available in Azure Active Directory user management
documentation.
Assign custom roles with resource scope using
PowerShell in Azure Active Directory
This article describes how to create a role assignment at organization-wide scope in Azure Active Directory (Azure
AD). Assigning a role at organization-wide scope grants access across the Azure AD organization. To create a role
assignment with a scope of a single Azure AD resource, see How to create a custom role and assign it at resource
scope.This article uses the Azure Active Directory PowerShell Version 2 module.
For more information about Azure AD admin roles, see Assigning administrator roles in Azure Active Directory.
Connect to your Azure AD organization using a global administrator account to assign or remove roles.
Prepare PowerShell
Install the Azure AD PowerShell module from the PowerShell Gallery. Then import the Azure AD PowerShell
preview module, using the following command:
To verify that the module is ready to use, match the version returned by the following command to the one listed
here:
---------- --------- ---- ----------------
Binary 2.0.0.115 azureadpreview {Add-AzureADMSAdministrati...}
Now you can start using the cmdlets in the module. For a full description of the cmdlets in the Azure AD module,
see the online reference documentation for Azure AD preview module.
Assign a role to a user or service principal with resource scope

1. Open the Azure AD preview PowerShell module.
2. Sign in by executing the command Connect-AzureAD .
3. Create a new role using the following PowerShell script.
## Assign a role to a user or service principal with resource scope


To assign the role to a service principal instead of a user, use the Get-AzureADMSServicePrincipal cmdlet.
Operations on RoleDefinition
Role definition objects contain the definition of the built-in or custom role, along with the permissions that are
granted by that role assignment. This resource displays both custom role definitions and built-in directoryRoles
(which are displayed in roleDefinition equivalent form). Today, an Azure AD organization can have a maximum of
30 unique custom RoleDefinitions defined.
Create Operations on RoleDefinition
# Basic information
$description = "Can manage credentials of application registrations"
$displayName = "Application Registration Credential Administrator"
# Set of actions to grant

@(
"microsoft.directory/applications/standard/read",
)

$customAdmin = New-AzureADMSRoleDefinition -RolePermissions $rolePermissions -DisplayName $displayName -
Read Operations on RoleDefinition
# Get all role definitions

Get-AzureADMSRoleDefinitions
# Get single role definition by objectId

Get-AzureADMSRoleDefinition -Id 86593cfc-114b-4a15-9954-97c3494ef49b
# Get single role definition by templateId

Get-AzureADMSRoleDefinition -Filter "templateId eq 'c4e39bd9-1100-46d3-8c65-fb160da0071f'"
Update Operations on RoleDefinition
# Update role definition

# This works for any writable property on role definition. You can replace display name with other
# valid properties.
Set-AzureADMSRoleDefinition -Id c4e39bd9-1100-46d3-8c65-fb160da0071f -DisplayName "Updated DisplayName"
Delete operations on RoleDefinition

# Delete role definition
Remove-AzureADMSRoleDefinitions -Id c4e39bd9-1100-46d3-8c65-fb160da0071f
Operations on RoleAssignment
Role assignments contain information linking a given security principal (a user or application service principal) to a
role definition. If required, you can add a scope of a single Azure AD resource for the assigned permissions.
Restricting the scope of permissions is supported for built-in and custom roles.
Create Operations on RoleAssignment



Read Operations on RoleAssignment
# Get role assignments for a given principal

Get-AzureADMSRoleAssignment -Filter "principalId eq '27c8ca78-ab1c-40ae-bd1b-eaeebd6f68ac'"
# Get role assignments for a given role definition

Get-AzureADMSRoleAssignment -Filter "roleDefinitionId eq '355aed8a-864b-4e2b-b225-ea95482e7570'"
Delete Operations on RoleAssignment
# Delete role assignment

Remove-AzureADMSRoleAssignment -Id 'qiho4WOb9UKKgng_LbPV7tvKaKRCD61PkJeKMh7Y458-1'
Next steps
Share with us on the Azure AD administrative roles forum.
For more about roles and azure AD administrator role assignments, see Assign administrator roles.
Application registration subtypes and permissions in
This article contains the currently available app registration permissions for custom role definitions in Azure Active
Directory (Azure AD).
Permissions for managing single-directory applications

When choosing the permissions for your custom role, you have the option to grant access to manage only single-
directory applications. Single-directory applications are available only to users in the Azure AD organization where
the application is registered. Single-directory applications are defined as having Suppor ted account types set to
"Accounts in this organizational directory only." In the Graph API, single-directory applications have the
signInAudience property set to "AzureADMyOrg."
To grant access to manage only single-directory applications, use the permissions below with the subtype
applications.myOrganization . For example, microsoft.directory/applications.myOrganization/basic/update.
See the custom roles overview for an explanation of what the general terms subtype, permission, and property set
mean. The following information is specific to application registrations.
Create and delete
There are two permissions available for granting the ability to create application registrations, each with different
behavior:
microsoft.directory/applications/createAsOwner
Assigning this permission results in the creator being added as the first owner of the created app registration, and
the created app registration will count against the creator's 250 created objects quota.
microsoft.directory/applications/create
Assigning this permission results in the creator not being added as the first owner of the created app registration,
and the created app registration will not count against the creator's 250 created objects quota. Use this permission
carefully, because there is nothing preventing the assignee from creating app registrations until the directory-level
quota is hit. If both permissions are assigned, this permission takes precedence.
If both permissions are assigned, the /create permission will take precedence. Though the /createAsOwner
permission does not automatically add the creator as the first owner, owners can be specified during the creation
of the app registration when using Graph APIs or PowerShell cmdlets.
Create permissions grant access to the New registration command.
These permissions grant access to the New Registration portal command
There are two permissions available for granting the ability to delete app registrations:
microsoft.directory/applications/delete
Grants the ability to delete app registrations regardless of subtype; that is, both single-tenant and multi-tenant
applications.
microsoft.directory/applications.myOrganization/delete
Grants the ability to delete app registrations restricted to those that are accessible only to accounts in your
organization or single-tenant applications (myOrganization subtype).
NOTE
When assigning a role that contains create permissions, the role assignment must be made at the directory scope. A create
permission assigned at a resource scope does not grant the ability to create app registrations.
Read
All member users in the organization can read app registration information by default. However, guest users and
application service principals can't. If you plan to assign a role to a guest user or application, you must include the
appropriate read permissions.
microsoft.directory/applications/allProperties/read
Ability to read all properties of single-tenant and multi-tenant applications outside of properties that cannot be
read in any situation like credentials.
microsoft.directory/applications.myOrganization/allProperties/read
Grants the same permissions as microsoft.directory/applications/allProperties/read, but only for single-tenant
applications.
microsoft.directory/applications/owners/read
Grants the ability to read owners property on single-tenant and multi-tenant applications. Grants access to all
fields on the application registration owners page:
microsoft.directory/applications/standard/read
Grants access to read standard application registration properties. This includes properties across application
registration pages.
microsoft.directory/applications.myOrganization/standard/read
Grants the same permissions as microsoft.directory/applications/standard/read, but for only single-tenant
applications.
Update
microsoft.directory/applications/allProperties/update
Ability to update all properties on single-directory and multi-directory applications.
microsoft.directory/applications.myOrganization/allProperties/update
Grants the same permissions as microsoft.directory/applications/allProperties/update, but only for single-tenant
applications.
microsoft.directory/applications/audience/update
Ability to update the supported account type (signInAudience) property on single-directory and multi-directory
applications.
microsoft.directory/applications.myOrganization/audience/update
Grants the same permissions as microsoft.directory/applications/audience/update, but only for single-tenant
applications.
microsoft.directory/applications/authentication/update
Ability to update the reply URL, sign-out URL, implicit flow, and publisher domain properties on single-tenant and
multi-tenant applications. Grants access to all fields on the application registration authentication page except
supported account types:
microsoft.directory/applications.myOrganization/authentication/update
Grants the same permissions as microsoft.directory/applications/authentication/update, but only for single-tenant
applications.
microsoft.directory/applications/basic/update
Ability to update the name, logo, homepage URL, terms of service URL, and privacy statement URL properties on
single-tenant and multi-tenant applications. Grants access to all fields on the application registration branding
page:
microsoft.directory/applications.myOrganization/basic/update
Grants the same permissions as microsoft.directory/applications/basic/update, but only for single-tenant
applications.
microsoft.directory/applications/credentials/update
Ability to update the certificates and client secrets properties on single-tenant and multi-tenant applications.
Grants access to all fields on the application registration certificates & secrets page:
microsoft.directory/applications.myOrganization/credentials/update
Grants the same permissions as microsoft.directory/applications/credentials/update, but only for single-directory
applications.
microsoft.directory/applications/owners/update
Ability to update the owner property on single-tenant and multi-tenant. Grants access to all fields on the
application registration owners page:
microsoft.directory/applications.myOrganization/owners/update
Grants the same permissions as microsoft.directory/applications/owners/update, but only for single-tenant
applications.
microsoft.directory/applications/permissions/update
Ability to update the delegated permissions, application permissions, authorized client applications, required
permissions, and grant consent properties on single-tenant and multi-tenant applications. Does not grant the
ability to perform consent. Grants access to all fields on the application registration API permissions and Expose an
API pages:
microsoft.directory/applications.myOrganization/permissions/update
Grants the same permissions as microsoft.directory/applications/permissions/update, but only for single-tenant
applications.

Using this feature requires an Azure AD Premium P1 license. To find the right license for your requirements,
see Comparing generally available features of the Free, Basic, and Premium editions.
Next steps
Create custom roles using the Azure portal, Azure AD PowerShell, and Graph API
View the assignments for a custom role
Delegate app registration permissions in Azure Active
Directory
This article describes how to use permissions granted by custom roles in Azure Active Directory (Azure AD) to
address your application management needs. In Azure AD, you can delegate Application creation and management
permissions in the following ways:
Restricting who can create applications and manage the applications they create. By default in Azure AD, all
users can register application registrations and manage all aspects of applications they create. This can be
restricted to only allow selected people that permission.
Assigning one or more owners to an application. This is a simple way to grant someone the ability to manage all
aspects of Azure AD configuration for a specific application.
Assigning a built-in administrative role that grants access to manage configuration in Azure AD for all
applications. This is the recommended way to grant IT experts access to manage broad application configuration
permissions without granting access to manage other parts of Azure AD not related to application configuration.
Creating a custom role defining very specific permissions and assigning it to someone either to the scope of a
single application as a limited owner, or at the directory scope (all applications) as a limited administrator.
It's important to consider granting access using one of the above methods for two reasons. First, delegating the
ability to perform administrative tasks reduces global administrator overhead. Second, using limited permissions
improves your security posture and reduces the potential for unauthorized access. Delegation issues and general
guidelines are discussed in Delegate administration in Azure Active Directory.
Restrict who can create applications

By default in Azure AD, all users can register application registrations and manage all aspects of applications they
create. Everyone also has the ability to consent to apps accessing company data on their behalf. You can choose to
selectively grant those permissions by setting the global switches to 'No' and adding the selected users to the
Application Developer role.
To disable the default ability to create application registrations or consent to applications
1. Sign in to your Azure AD organization with an account that eligible for the Global administrator role in your
2. Set one or both of the following:
On the User settings page for your organization, set the Users can register applications setting to No.
This will disable the default ability for users to create application registrations.
On the user settings for enterprise applications, set the Users can consent to applications accessing
company data on their behalf setting to No. This will disable the default ability for users to consent to
applications accessing company data on their behalf.
Grant individual permissions to create and consent to applications when the default ability is disabled
Assign the Application developer role to grant the ability to create application registrations when the Users can
register applications setting is set to No. This role also grants permission to consent on one's own behalf when
the Users can consent to apps accessing company data on their behalf setting is set to No. As a system
behavior, when a user creates a new application registration, they are automatically added as the first owner.
Ownership permissions give the user the ability to manage all aspects of an application registration or enterprise
application that they own.
Assign application owners

Assigning owners is a simple way to grant the ability to manage all aspects of Azure AD configuration for a specific
application registration or enterprise application. As a system behavior, when a user creates a new application
registration they are automatically added as the first owner. Ownership permissions give the user the ability to
manage all aspects of an application registration or enterprise application that they own. The original owner can be
removed and additional owners can be added.
Enterprise application owners
As an owner, a user can manage the organization-specific configuration of the enterprise application, such as the
single sign-on configuration, provisioning, and user assignments. An owner can also add or remove other owners.
Unlike Global administrators, owners can manage only the enterprise applications they own.
In some cases, enterprise applications created from the application gallery include both an enterprise application
and an application registration. When this is true, adding an owner to the enterprise application automatically adds
the owner to the corresponding application registration as an owner.
To assign an owner to an enterprise application
1. Sign in to your Azure AD organization with an account that eligible for the Application administrator or Cloud
application administrator for the organization.
2. On the App registrations page for the organization, select an app to open the Overview page for the app.
3. Select Owners to see the list of the owners for the app.
4. Select Add to select one or more owners to add to the app.
IMPORTANT
Users and service principals can be owners of application registrations. Only users can be owners of enterprise applications.
Groups cannot be assigned as owners of either.
Owners can add credentials to an application and use those credentials to impersonate the application’s identity. The
application may have more permissions than the owner, and thus would be an elevation of privilege over what the owner has
access to as a user or service principal. An application owner could potentially create or update users or other objects while
impersonating the application, depending on the application's permissions.
Assign built-in application admin roles

Azure AD has a set of built-in admin roles for granting access to manage configuration in Azure AD for all
applications. These roles are the recommended way to grant IT experts access to manage broad application
configuration permissions without granting access to manage other parts of Azure AD not related to application
configuration.
Application Administrator: Users in this role can create and manage all aspects of enterprise applications,
application registrations, and application proxy settings. This role also grants the ability to consent to delegated
permissions, and application permissions excluding Microsoft Graph. Users assigned to this role are not added
as owners when creating new application registrations or enterprise applications.
Cloud Application Administrator: Users in this role have the same permissions as the Application Administrator
role, excluding the ability to manage application proxy. Users assigned to this role are not added as owners
when creating new application registrations or enterprise applications.
For more information and to view the description for these roles, see Available roles.
Follow the instructions in the Assign roles to users with Azure Active Directory how-to guide to assign the
Application Administrator or Cloud Application Administrator roles.
IMPORTANT
Application Administrators and Cloud Application Administrators can add credentials to an application and use those
credentials to impersonate the application’s identity. The application may have permissions that are an elevation of privilege
over the admin role's permissions. An admin in this role could potentially create or update users or other objects while
impersonating the application, depending on the application's permissions. Neither role grants the ability to manage
Conditional Access settings.
Create and assign a custom role (preview)

Creating custom roles and assigning custom roles are separate steps:
Create a custom role definition and add permissions to it from a preset list. These are the same permissions
used in the built-in roles.
Create a role assignment to assign the custom role.
This separation allows you to create a single role definition and then assign it many times at different scopes. A
custom role can be assigned at organization-wide scope, or it can be assigned at the scope if a single Azure AD
object. An example of an object scope is a single app registration. Using different scopes, the same role definition
can be assigned to Sally over all app registrations in the organization and then to Naveen over only the Contoso
Expense Reports app registration.
Tips when creating and using custom roles for delegating application management:
Custom roles only grant access in the most current app registration blades of the Azure AD portal. They do not
grant access in the legacy app registrations blades.
Custom roles do not grant access to the Azure AD portal when the “Restrict access to Azure AD administration
portal” user setting is set to Yes.
App registrations the user has access to using role assignments only show up in the ‘All applications’ tab on the
App registration page. They do not show up in the ‘Owned applications’ tab.
For more information on the basics of custom roles, see the custom roles overview, as well as how to create a
custom role and how to assign a role.
Next steps
Application registration subtypes and permissions
Azure AD administrator role reference
Use cloud groups to manage role assignments in
Azure Active Directory (preview)
Azure Active Directory (Azure AD) is introducing a public preview in which you can assign a cloud group to Azure
AD built-in roles. With this feature, you can use groups to grant admin access in Azure AD with minimal effort
from your Global and Privileged role admins.
Consider this example: Contoso has hired people across geographies to manage and reset passwords for
employees in its Azure AD organization. Instead of asking a Privileged role admin or Global admin to assign the
Helpdesk admin role to each person individually, they can create a Contoso_Helpdesk_Administrators group and
assign it to the role. When people join the group, they are assigned the role indirectly. Your existing governance
workflow can then take care of the approval process and auditing of the group’s membership to ensure that only
legitimate users are members of the group and are thus assigned to the Helpdesk admin role.
How this feature works

Create a new Office 365 or security group with the ‘isAssignableToRole’ property set to ‘true’. You could also
enable this property when creating a group in the Azure portal by turning on Azure AD roles can be assigned
to the group . Either way, you can then assign the group to one or more Azure AD roles in the same way as you
assign roles to users. A maximum of 200 role-assignable groups can be created in a single Azure AD organization
(tenant).
If you do not want members of the group to have standing access to the role, you can use Azure AD Privileged
Identity Management. Assign a group as an eligible member of an Azure AD role. Each member of the group is
then eligible to have their assignment activated for the role that the group is assigned to. They can then activate
their role assignment for a fixed time duration.
NOTE
You must be on updated version of Privileged Identity Management to be able to assign a group to Azure AD role via PIM.
You could be on older version of PIM because your Azure AD organization leverages the Privileged Identity Management
API. Please reach out to the alias pim_preview@microsoft.com to move your organization and update your API. Learn more
at Azure AD roles and features in PIM.
Why we enforce creation of a special group for assigning it to a role

If a group is assigned a role, any IT admin who can manage group membership could also indirectly manage the
membership of that role. For example, assume that a group Contoso_User_Administrators is assigned to User
account admin role. An Exchange admin who can modify group membership could add themselves to the
Contoso_User_Administrators group and in that way become a User account admin. As you can see, an admin
could elevate their privilege in a way you did not intend.
Azure AD allows you to protect a group assigned to a role by using a new property called isAssignableToRole for
groups. Only cloud groups that had the isAssignableToRole property set to ‘true’ at creation time can be assigned
to a role. This property is immutable; once a group is created with this property set to ‘true’, it can’t be changed.
You can't set the property on an existing group. We designed how groups are assigned to roles to prevent that sort
of potential breach from happening:
Only Global admins and Privileged role admins can create a role-assignable group (with the
"isAssignableToRole" property enabled).
It can't be an Azure AD dynamic group; that is, it must have a membership type of "Assigned." Automated
population of dynamic groups could lead to an unwanted account being added to the group and thus assigned
to the role.
By default, only Global admins and Privileged role admins can manage the membership of a role-assignable
group, but you can delegate the management of role-assignable groups by adding group owners.
To prevent elevation of privilege, the credentials of members and owners of a role-assignable group can be
changed only by a Privileged Authentication administrator or a Global administrator.
No nesting. A group can't be added as a member of a role-assignable group.
Limitations
The following scenarios are not supported right now:
Assign cloud groups to Azure AD custom roles
Assign cloud groups to Azure AD roles (built-in or custom) over an administrative unit or application scope.
Assign on-premises groups to Azure AD roles (built-in or custom)
Known issues
You can't create or modify a dynamic group when the role is assigned via a group.
The Enable staged rollout for managed user sign-in feature doesn't support assignment via group.
Azure AD P2 licensed customers only: Don't assign a group as Active to a role through both Azure AD and
Privileged Identity Management (PIM). Specifically, don't assign a role to a role-assignable group when it's
being created and assign a role to the group using PIM later. This will lead to issues where users can’t see their
active role assignments in the PIM as well as the inability to remove that PIM assignment. Eligible assignments
are not affected in this scenario. If you do attempt to make this assignment, you might see unexpected behavior
such as:
End time for the role assignment might display incorrectly.
In the PIM portal, My Roles can show only one role assignment regardless of how many methods by
which the assignment is granted (through one or more groups and directly).
Azure AD P2 licensed customers only Even after deleting the group, it is still shown an eligible member of the
role in PIM UI. Functionally there's no problem; it's just a cache issue in the Azure portal.
Exchange Admin Center doesn't recognize role membership via group yet, but PowerShell cmdlet will work.
Azure Information Protection Portal (the classic portal) doesn't recognize role membership via group yet. You
can migrate to the unified sensitivity labeling platform and then use the Office 365 Security & Compliance
center to use group assignments to manage roles.
We are fixing these issues.

Using this feature requires you to have an available Azure AD Premium P1 license in your Azure AD organization.
To use also Privileged Identity Management for just-in-time role activation requires you to have an available Azure
AD Premium P2 license. To find the right license for your requirements, see Comparing generally available features
of the Free and Premium plans.
Next steps
Assign a role to a role-assignable group
Create a role-assignable group in Azure Active
Directory
You can only assign a role to a group that was created with the ‘isAssignableToRole’ property set to True, or was
created in the Azure AD portal with Azure AD roles can be assigned to the group turned on. This group
attribute makes the group one that can be assigned to a role in Azure Active Directory (Azure AD). This article
describes how to create this special kind of group. Note: A group with isAssignableToRole property set to true
cannot be of dynamic membership type. For more information, see Using a group to manage Azure AD role
assignments.
Using Azure AD admin center

2. Select Groups > All groups > New group .
3. On the New Group tab, provide group type, name and description.
4. Turn on Azure AD roles can be assigned to the group . This switch is visible to only Privileged Role
Administrators and Global Administrators because these are only two roles that can set the switch.
5. Select the members and owners for the group. You also have the option to assign roles to the group, but
assigning a role isn't required here.
6. After the members and owners are specified, select Create .

The group is created with any roles you might have assigned to it.
Using PowerShell
Install the Azure AD preview module
To verify that the module is ready to use, issue the following command:
Create a group that can be assigned to role
$group = New-AzureADMSGroup -DisplayName "Contoso_Helpdesk_Administrators" -Description "This group is

assigned to Helpdesk Administrator built-in role in Azure AD." -MailEnabled $true -SecurityEnabled $true -
MailNickName "contosohelpdeskadministrators" -IsAssignableToRole $true
For this type of group, isPublic will always be false and isSecurityEnabled will always be true.
Copy one group's users and service principals into a role -assignable group
#Basic set up
#Connect to Azure AD. Sign in as Privileged Role Administrator or Global Administrator. Only these two roles
can create a role-assignable group.
Connect-AzureAD
#Input variabled: Existing group

$idOfExistingGroup = "14044411-d170-4cb0-99db-263ca3740a0c"
#Input variables: New role-assignable group

$groupName = "Contoso_Bellevue_Admins"
$groupDescription = "This group is assigned to Helpdesk Administrator built-in role in Azure AD."
$mailNickname = "contosobellevueadmins"
#Create new security group which is a role assignable group. For creating O365 group, set GroupTypes="Unified"
and MailEnabled=$true
$roleAssignablegroup = New-AzureADMSGroup -DisplayName $groupName -Description $groupDescription -MailEnabled
$false -MailNickname $mailNickname -SecurityEnabled $true -IsAssignableToRole $true
#Get details of existing group

$existingGroup = Get-AzureADMSGroup -Id $idOfExistingGroup
$membersOfExistingGroup = Get-AzureADGroupMember -ObjectId $existingGroup.Id
#Copy users and service principals from existing group to new group
foreach($member in $membersOfExistingGroup){
if($member.ObjectType -eq 'User' -or $member.ObjectType -eq 'ServicePrincipal'){
Add-AzureADGroupMember -ObjectId $roleAssignablegroup.Id -RefObjectId $member.ObjectId
}
}
Using Microsoft Graph API

Create a role -assignable group in Azure AD
POST https://graph.microsoft.com/beta/groups
{
"description": "This group is assigned to Helpdesk Administrator built-in role of Azure AD.",
"displayName": "Contoso_Helpdesk_Administrators",
"groupTypes": [
"Unified"
],
"mailEnabled": true,
"securityEnabled": true
"mailNickname": "contosohelpdeskadministrators",
"isAssignableToRole": true,
}
For this type of group, isPublic will always be false and isSecurityEnabled will always be true.
Next steps
Assign a role to a cloud group
Use cloud groups to manage role assignments
Troubleshooting roles assigned to cloud groups
Assign a role to a cloud group in Azure Active
Directory
This section describes how an IT admin can assign Azure Active Directory (Azure AD) role to an Azure AD group.

Assigning a group to an Azure AD role is similar to assigning users and service principals except that only groups
that are role-assignable can be used. In the Azure portal, only groups that are role-assignable are displayed.
2. Select Azure Active Director y > Roles and administrators , and select the role you want to assign.
3. On the role name page, select > Add assignment .
4. Select the group. Only the groups that can be assigned to Azure AD roles are displayed.
5. Select Add .
For more information on assigning role permissions, see Assign administrator and non-administrator roles to
users.
Using PowerShell
$group = New-AzureADMSGroup -DisplayName "Contoso_Helpdesk_Administrators" -Description "This group is

assigned to Helpdesk Administrator built-in role in Azure AD." -MailEnabled $true -SecurityEnabled $true -
MailNickName "contosohelpdeskadministrators" -IsAssignableToRole $true
Get the role definition for the role you want to assign
$roleDefinition = Get-AzureADMSRoleDefinition -Filter "displayName eq 'Helpdesk Administrator'"
Create a role assignment
$roleAssignment = New-AzureADMSRoleAssignment -ResourceScope '/' -RoleDefinitionId $roleDefinition.Id -

PrincipalId $group.Id

Create a group that can be assigned Azure AD role
{
"description": "This group is assigned to Helpdesk Administrator built-in role of Azure AD.",
"groupTypes": [
"Unified"
],
}
Get the role definition
GET https://graph.microsoft.com/beta/roleManagement/directory/roleDefinitions?$filter = displayName eq

‘Helpdesk Administrator’
Create the role assignment
POST https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments
{
"principalId":"<Object Id of Group>",
"roleDefinitionId":"<ID of role definition>",
"directoryScopeId":"/"
}
Next steps
Remove role assignments from a group in Azure
Active Directory
This article describes how an IT admin can remove Azure AD roles assigned to groups. In the Azure portal, you can
now remove both direct and indirect role assignments to a user. If a user is assigned a role by a group membership,
remove the user from the group to remove the role assignment.
Using Azure admin center

2. Select Roles and administrators > role name .
3. Select the group from which you want to remove the role assignment and select Remove assignment .
4. When asked to confirm your action, select Yes .
Using PowerShell
$group = New-AzureADMSGroup -DisplayName "Contoso_Helpdesk_Administrators" -Description "This group is assigned

to Helpdesk Administrator built-in role in Azure AD." -MailEnabled $true -SecurityEnabled $true -MailNickName
"contosohelpdeskadministrators" -IsAssignableToRole $true
Get the role definition you want to assign the group to
$roleDefinition = Get-AzureADMSRoleDefinition -Filter "displayName eq 'Helpdesk Administrator'"
Create a role assignment

$roleAssignment = New-AzureADMSRoleAssignment -ResourceScope '/' -RoleDefinitionId $roleDefinition.Id -
PrincipalId $group.objectId
Remove the role assignment
Remove-AzureAdMSRoleAssignment -Id $roleAssignment.Id

Create a group that can be assigned an Azure AD role
{
"description": "This group is assigned to Helpdesk Administrator built-in role of Azure AD",
"groupTypes": [
"Unified"
],
}
Get the role definition
GET https://graph.microsoft.com/beta/roleManagement/directory/roleDefinitions?$filter = displayName eq

‘Helpdesk Administrator’
Create the role assignment
POST https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments
{
"principalId":"<Object Id of Group>",
"roleDefinitionId":"<Id of role definition>",
"directoryScopeId":"/"
}
Delete role assignment
DELETE https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments/<Id of role assignment>
Next steps
View roles assigned to a group in Azure Active
Directory
This section describes how the roles assigned to a group can be viewed using Azure AD admin center. Viewing
groups and assigned roles are default user permissions.
1. Sign in to the Azure AD admin center with any non-admin or admin credentials.
2. Select the group that you are interested in.
3. Select Assigned roles . You can now see all the Azure AD roles assigned to this group.
Using PowerShell
Get object ID of the group
Get-AzureADMSGroup -SearchString “Contoso_Helpdesk_Administrators”
View role assignment to a group
Get-AzureADMSRoleAssignment -Filter "principalId eq '<object id of group>"

Get object ID of the group
GET https://graph.microsoft.com/beta/groups?$filter displayName eq ‘Contoso_Helpdesk_Administrator’
Get role assignments to a group

GET https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments?$filter=principalId eq
Next steps
Assign a role to a group using Privileged Identity
Management
This article describes how you can assign an Azure Active Directory (Azure AD) role to a group using Azure AD
Privileged Identity Management (PIM).
NOTE
You must be using the updated version of Privileged Identity Management to be able to assign a group to an Azure AD role
using PIM. You might be on older version of PIM if your Azure AD organization leverages the Privileged Identity
Management API. If so, please reach out to the alias pim_preview@microsoft.com to move your organization and update
your API. Learn more at Azure AD roles and features in PIM.

1. Sign in to Azure AD Privileged Identity Management as a Privileged role administrator or Global
administrator in your organization.
2. Select Privileged Identity Management > Azure AD roles > Roles > Add assignments
3. Select a role, and then select a group. Only groups that are eligible for role assignment (role-assignable
groups) are displayed, not all groups.
4. Select the desired membership setting. For roles requiring activation, choose eligible . By default, the user
would be permanently eligible, but you could also set a start and end time for the user's eligibility. Once you
are complete, hit Save and Add to complete the role assignment.
Using PowerShell
Download the Azure AD Preview PowerShell module
To install the Azure AD #PowerShell module, use the following cmdlets:
To verify that the module is ready to use, use the following cmdlet:
Assign a group as an eligible member of a role
$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule

$schedule.Type = "Once"
$schedule.StartDateTime = "2019-04-26T20:49:11.770Z"
$schedule.endDateTime = "2019-07-25T20:49:11.770Z"
Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId aadRoles -Schedule $schedule -ResourceId "[YOUR
TENANT ID]" -RoleDefinitionId "9f8c1837-f885-4dfd-9a75-990f9222b21d" -SubjectId "[YOUR GROUP ID]" -
AssignmentState "Eligible" -Type "AdminAdd"

POST
https://graph.microsoft.com/beta/privilegedAccess/aadroles/roleAssignmentRequests
"roleDefinitionId": {roleDefinitionId},
"resourceId": {tenantId},
"subjectId": {GroupId},
"assignmentState": "Eligible",
"type": "AdminAdd",
"reason": "reason string",
"schedule": {
"startDateTime": {DateTime},
"endDateTime": {DateTime},
"type": "Once"
Next steps
Configure Azure AD admin role settings in Privileged Identity Management
Assign Azure resource roles in Privileged Identity Management
Here are some common questions and troubleshooting tips for assigning roles to groups in Azure Active
Directory (Azure AD).
Q: I'm a Groups Administrator but I can't see the Azure AD roles can be assigned to the group switch.
A: Only Privileged Role administrators or Global administrators can create a group that's eligible for role
assignment. Only users in those roles see this control.
Q: Who can modify the membership of groups that are assigned to Azure AD roles?
A: By default, only Privileged Role Administrator and Global Administrator manage the membership of a role-
assignable group, but you can delegate the management of role-assignable groups by adding group owners.
Q : I am a Helpdesk Administrator in my organization but I can't update password of a user who is a Directory
Reader. Why does that happen?
A : The user might have gotten Directory Reader by way of a role-assignable group. All members and owners of a
role-assignable groups are protected. Only users in the Privileged Authentication Administrator or Global
Administrator roles can reset credentials for a protected user.
Q: I can't update password of a user. They don't have any higher privileged role assigned. Why is it happening?
A: The user could be an owner of a role-assignable group. We protect owners of role-assignable groups to avoid
elevation of privilege. An example might be if a group Contoso_Security_Admins is assigned to Security
administrator role, where Bob is the group owner and Alice is Password administrator in the organization. If this
protection weren't present, Alice could reset Bob's credentials and take over his identity. After that, Alice could add
herself or anyone to the group Contoso_Security_Admins group to become a Security administrator in the
organization. To find out if a user is a group owner, get the list of owned objects of that user and see if any of the
groups have isAssignableToRole set to true. If yes, then that user is protected and the behavior is by design. Refer
to these documentations for getting owned objects:
Get-AzureADUserOwnedObject
List ownedObjects
Q: Can I create an access review on groups that can be assigned to Azure AD roles (specifically, groups with
isAssignableToRole property set to true)?
A: Yes, you can. If you are on newest version of Access Review, then your reviewers are directed to My Access by
default, and only Global administrators can create access reviews on role-assignable groups. However, if you are
on the older version of Access Review, then your reviewers are directed to the Access Panel by default, and both
Global administrators and User administrator can create access reviews on role-assignable groups. The new
experience will be rolled out to all customers on July 28, 2020 but if you’d like to upgrade sooner, make a request
to Azure AD Access Reviews - Updated reviewer experience in My Access Signup.
Q: Can I create an access package and put groups that can be assigned to Azure AD roles in it?
A: Yes, you can. Global Administrator and User Administrator have the power to put any group in an access
package. Nothing changes for Global Administrator, but there's a slight change in User administrator role
permissions. To put a role-assignable group into an access package, you must be a User Administrator and also
owner of the role-assignable group. Here's the full table showing who can create access package in Enterprise
License Management:
EN T IT L EM EN T C A N A DD C A N A DD C A N A DD
A Z URE A D M A N A GEM EN T SEC URIT Y M IC RO SO F T 365 SH A REP O IN T
DIREC TO RY RO L E RO L E GRO UP * GRO UP * C A N A DD A P P O N L IN E SIT E
Global n/a ️
✔ ️
✔ ️
✔ ️
✔
administrator
User n/a ️
✔ ️
✔ ️
✔
administrator
Intune Catalog owner ️

✔ ️
✔
administrator
Exchange Catalog owner ️

✔
administrator
Teams service Catalog owner ️

✔
administrator
SharePoint Catalog owner ️

✔ ️
✔
administrator
Application Catalog owner ️

✔
administrator
Cloud application Catalog owner ️

✔
administrator
User Catalog owner Only if group Only if group Only if app

owner owner owner
*Group isn't role-assignable; that is, isAssignableToRole = false. If a group is role-assignable, then the person
creating the access package must also be owner of the role-assignable group.
Q: I can't find "Remove assignment" option in "Assigned Roles". How do I delete role assignment to a user?
A: This answer is applicable only to Azure AD Premium P1 organizations.
1. Sign in to the Azure portal and open Azure Active Director y .
2. Select users and open a user profile.
3. Select Assigned roles .
4. Select the gear icon. A pane opens that can give this information. There's a "Remove" button beside direct
assignments. To remove indirect role assignment, remove the user from the group that has been assigned the
role.
Q: How do I see all groups that are role-assignable?
A: Follow these steps:
2. Select Groups > All groups .
3. Select Add filters .
4. Filter to Role assignable .
Q: How do I know which role are assigned to a principal directly and indirectly?
A: Follow these steps:
2. Select users and open a user profile.
3. Select Assigned roles , and then:
In Azure AD Premium P1 licensed organizations: Select the gear icon. A pane opens that can give this
information.
In Azure AD Premium P2 licensed organizations: You'll find direct and inherited license information in
the Membership column.
Q: Why do we enforce creating a new cloud group for assigning it to role?
A: If you assign an existing group to a role, the existing group owner could add other members to this group
without the new members realizing that they'll have the role. Because role-assignable groups are powerful, we're
putting lots of restrictions to protect them. You don't want changes to the group that would be surprising to the
person managing the group.
Next steps
Administrator roles by admin task in Azure Active
Directory
In this article, you can find the information needed to restrict a user's administrator permissions by assigning least
privileged roles in Azure Active Directory (Azure AD). You will find administrator tasks organized by feature area
and the least privileged role required to perform each task, along with additional non-Global Administrator roles
that can perform the task.
Application proxy
TA SK L EA ST P RIVIL EGED RO L E A DDIT IO N A L RO L ES
Configure application proxy app Application administrator
Configure connector group properties Application administrator
Create application registration when Application developer Cloud Application administrator,

ability is disabled for all users Application Administrator
Create connector group Application administrator
Delete connector group Application administrator
Disable application proxy Application administrator
Download connector service Application administrator
Read all configuration Application administrator
External Identities/B2C
Create Azure AD B2C directories All non-guest users (see

documentation)
Create B2C applications Global Administrator
Create enterprise applications Cloud Application Administrator Application Administrator
Create, read, update, and delete B2C B2C IEF Policy Administrator
policies
Create, read, update, and delete identity External Identity Provider Administrator
providers
Create, read, update, and delete External ID User Flow Administrator

password reset user flows
Create, read, update, and delete profile External ID User Flow Administrator
editing user flows
Create, read, update, and delete sign-in External ID User Flow Administrator
user flows
Create, read, update, and delete sign-up External ID User Flow Administrator
user flow
Create, read, update, and delete user External ID User Flow Attribute
attributes Administrator
Create, read, update, and delete users User Administrator
Read all configuration Global reader
Read B2C audit logs Global reader (see documentation)
NOTE
Azure AD B2C Global readers do not have the same permissions as Azure AD global administrators. If you have Azure AD
B2C global administrator privileges, make sure that you are in an Azure AD B2C directory and not an Azure AD directory.
Company branding
Configure company branding Global Administrator
Read all configuration Directory readers Default user role (see documentation)
Company properties
Configure company properties Global Administrator
Connect
Passthrough authentication Global Administrator
Read all configuration Global reader Global Administrator
Seamless single sign-on Global Administrator

Cloud Provisioning
Passthrough authentication Hybrid Identity Administrator
Read all configuration Global reader Hybrid Identity Administrator
Seamless single sign-on Hybrid Identity Administrator
Connect Health
Add or delete services Owner (see documentation)
Apply fixes to sync error Contributor (see documentation) Owner
Configure notifications Contributor (see documentation) Owner
Configure settings Owner (see documentation)
Configure sync notifications Contributor (see documentation) Owner
Read ADFS security reports Security Reader Contributor, Owner
Read all configuration Reader (see documentation) Contributor, Owner
Read sync errors Reader (see documentation) Contributor, Owner
Read sync services Reader (see documentation) Contributor, Owner
View metrics and alerts Reader (see documentation) Contributor, Owner
View metrics and alerts Reader (see documentation) Contributor, Owner
View sync service metrics and alerts Reader (see documentation) Contributor, Owner
Custom domain names

Manage domains Global Administrator
Domain Services
Create Azure AD Domain Services Global Administrator

instance
Perform all Azure AD Domain Services Azure AD DC Administrators group (see

tasks documentation)
Read all configuration Reader on Azure subscription containing

AD DS service
Devices
Disable device Cloud device administrator
Enable device Cloud device administrator
Read basic configuration Default user role (see documentation)
Read BitLocker keys Security Reader Password administrator, Security

administrator
Enterprise applications
Consent to any delegated permissions Cloud application administrator Application administrator
Consent to application permissions not Cloud application administrator Application administrator

including Microsoft Graph
Consent to application permissions to Privileged Role Administrator

Microsoft Graph
Consent to applications accessing own Default user role (see documentation)

data
Create enterprise application Cloud application administrator Application administrator
Manage Application Proxy Application administrator
Manage user settings Global Administrator
Read access review of a group or of an Security Reader Security Administrator, User

app Administrator
Read all configuration Default user role (see documentation)
Update enterprise application Enterprise application owner (see Cloud application administrator,
assignments documentation) Application administrator
Update enterprise application owners Enterprise application owner (see Cloud application administrator,
documentation) Application administrator
properties documentation) Application administrator
provisioning documentation) Application administrator
Update enterprise application self- Enterprise application owner (see Cloud application administrator,
service documentation) Application administrator
Update single sign-on properties Enterprise application owner (see Cloud application administrator,
documentation) Application administrator
Entitlement management
Add resources to a catalog User administrator With entitlement management, you can
delegate this task to the catalog owner
(see documentation)
Add SharePoint Online sites to catalog Global administrator
Groups
Assign license User administrator
Create group Groups administrator User administrator
Create, update, or delete access review User administrator

of a group or of an app
Manage group expiration User administrator
Manage group settings Groups Administrator User Administrator
Read all configuration (except hidden Directory readers Default user role (see documentation)
membership)
Read hidden membership Group member Group owner, Password administrator,

Exchange administrator, SharePoint
administrator, Teams administrator, User
administrator
Read membership of groups with Helpdesk Administrator User administrator, Teams administrator
hidden membership
Revoke license License administrator User administrator
Update group membership Group owner (see documentation) User administrator
Update group owners Group owner (see documentation) User administrator
Update group properties Group owner (see documentation) User administrator
Delete group Groups administrator User administrator
Identity Protection
Configure alert notifications Security Administrator
Configure and enable or disable MFA Security Administrator

policy
Configure and enable or disable sign-in Security Administrator

risk policy
Configure and enable or disable user Security Administrator

risk policy
Configure weekly digests Security Administrator
Dismiss all risk detections Security Administrator
Fix or dismiss vulnerability Security Administrator
Read all configuration Security Reader
Read all risk detections Security Reader
Read vulnerabilities Security Reader
Licenses
Assign license License administrator User administrator
Try or buy subscription Billing administrator

Monitoring - Audit logs
Read audit logs Reports reader Security Reader, Security administrator
Monitoring - Sign-ins
Read sign-in logs Reports reader Security Reader, Security administrator
Multi-factor authentication
Delete all existing app passwords Global Administrator

generated by the selected users
Disable MFA Global Administrator
Enable MFA Global Administrator
Manage MFA service settings Global Administrator
Require selected users to provide Authentication Administrator

contact methods again
Restore multi-factor authentication on Authentication Administrator

all remembered devices
MFA Server
Block/unblock users Global Administrator
Configure account lockout Global Administrator
Configure caching rules Global Administrator
Configure fraud alert Global Administrator
Configure notifications Global Administrator
Configure one-time bypass Global Administrator
Configure phone call settings Global Administrator
Configure providers Global Administrator

Configure server settings Global Administrator
Read activity report Global reader
Read server status Global reader
Organizational relationships
Manage identity providers External Identity Provider Administrator
Manage settings Global Administrator
Manage terms of use Global Administrator
Password reset
Configure authentication methods Global Administrator
Configure customization Global Administrator
Configure notification Global Administrator
Configure on-premises integration Global Administrator
Configure password reset properties User Administrator Global Administrator
Configure registration Global Administrator
Read all configuration Security Administrator User Administrator
Privileged identity management

Assign users to roles Privileged role administrator
Configure role settings Privileged role administrator
View audit activity Security reader

View role memberships Security reader
Roles and administrators

Manage role assignments Privileged role administrator
Read access review of an Azure AD role Security Reader Security administrator, Privileged role
administrator
Read all configuration Default user role (see documentation)
Security - Authentication methods

Configure authentication methods Global Administrator
Configure password protection Security administrator
Configure smart lockout Security administrator
Security - Conditional Access

Configure MFA trusted IP addresses Conditional Access administrator
Create custom controls Conditional Access administrator Security administrator
Create named locations Conditional Access administrator Security administrator
Create policies Conditional Access administrator Security administrator
Create terms of use Conditional Access administrator Security administrator
Create VPN connectivity certificate Conditional Access administrator Security administrator
Delete classic policy Conditional Access administrator Security administrator
Delete terms of use Conditional Access administrator Security administrator
Delete VPN connectivity certificate Conditional Access administrator Security administrator
Disable classic policy Conditional Access administrator Security administrator

Manage custom controls Conditional Access administrator Security administrator
Manage named locations Conditional Access administrator Security administrator
Manage terms of use Conditional Access administrator Security administrator
Read all configuration Security reader Security administrator
Read named locations Security reader Conditional Access administrator,

security administrator
Security - Identity security score

Read all configuration Security reader Security administrator
Read security score Security reader Security administrator
Update event status Security administrator
Security - Risky sign-ins

Read risky sign-ins Security Reader
Security - Users flagged for risk

Dismiss all events Security Administrator
Read users flagged for risk Security Reader
Users
Add user to directory role Privileged role administrator
Add user to group User administrator
Assign license License administrator User administrator

Create guest user Guest inviter User administrator
Create user User administrator
Delete users User administrator
Invalidate refresh tokens of limited User administrator

admins (see documentation)
Invalidate refresh tokens of non-admins Password administrator User administrator

(see documentation)
Invalidate refresh tokens of privileged Privileged Authentication Administrator

Read basic configuration Default User role (see documentation
Reset password for limited admins (see User administrator

documentation)
Reset password of non-admins (see Password administrator User administrator

documentation)
Reset password of privileged admins Privileged Authentication Administrator
Update all properties except User User administrator

Principal Name
Update User Principal Name for limited User administrator

Update User Principal Name property Global Administrator

on privileged admins (see
documentation)
Update user settings Global Administrator
Support
Submit support ticket Service Administrator Application Administrator, Azure

Information Protection Administrator,
Billing Administrator, Cloud Application
Administrator, Compliance
Administrator, Dynamics 365
Administrator, Desktop Analytics
Administrator, Exchange Administrator,
Password Administrator, Intune
Administrator, Skype for Business
Administrator, Power BI Administrator,
Privileged Authentication Administrator,
SharePoint Administrator, Teams
Communications Administrator, Teams
Administrator, User Administrator,
Workplace Analytics Administrator
Next steps
How to assign or remove azure AD administrator roles
Azure AD administrator roles reference
Administrator roles for Microsoft 365 services
All products in Microsoft 365 can be managed with administrative roles in Azure AD. Some products also provide
additional roles that are specific to that product. For information on the roles supported by each product, see the
table below. General discussions of delegation issues can be found in Role delegation planning in Azure Active
Directory.
Where to find content

M IC RO SO F T 365 SERVIC E RO L E C O N T EN T A P I C O N T EN T
Admin roles in Office 365 and Microsoft Office 365 admin roles Not available
365 business plans
Azure Active Directory (Azure AD) and Azure AD admin roles Graph API
Azure AD Identity Protection Fetch role assignments
Exchange Online Exchange role-based access control PowerShell for Exchange

Fetch role assignments
SharePoint Online Azure AD admin roles Graph API

Also About the SharePoint admin role in Fetch role assignments
Office 365
Teams/Skype for Business Azure AD admin roles Graph API

Security & Compliance Center (Office Office 365 admin roles Exchange PowerShell
365 Advanced Threat Protection, Fetch role assignments
Exchange Online Protection,
Information Protection)
Secure Score Azure AD admin roles Graph API

Compliance Manager Compliance Manager roles Not available
Azure Information Protection Azure AD admin roles Graph API

Microsoft Cloud App Security Role-based access control API reference
Azure Advanced Threat Protection Azure ATP role groups Not available
Windows Defender Advanced Threat Windows Defender ATP role-based Not available
Protection access control
Privileged Identity Management Azure AD admin roles Graph API

M IC RO SO F T 365 SERVIC E RO L E C O N T EN T A P I C O N T EN T
Intune Intune role-based access control Graph API

Managed Desktop Azure AD admin roles Graph API

Next steps
How to assign or remove Azure AD administrator roles
Azure AD administrator roles reference
Securing privileged access for hybrid and cloud
deployments in Azure AD
The security of business assets depends on the integrity of the privileged accounts that administer your IT systems.
Cyber-attackers use credential theft attacks to target admin accounts and other privileged access to try to gain
access to sensitive data.
For cloud services, prevention and response are the joint responsibilities of the cloud service provider and the
customer. For more information about the latest threats to endpoints and the cloud, see the Microsoft Security
Intelligence Report. This article can help you develop a roadmap toward closing the gaps between your current
plans and the guidance described here.
NOTE
Microsoft is committed to the highest levels of trust, transparency, standards conformance, and regulatory compliance.
Learn more about how the Microsoft global incident response team mitigates the effects of attacks against cloud services,
and how security is built into Microsoft business products and cloud services at Microsoft Trust Center - Security and
Microsoft compliance targets at Microsoft Trust Center - Compliance.
Traditionally, organizational security was focused on the entry and exit points of a network as the security
perimeter. However, SaaS apps and personal devices on the Internet have made this approach less effective. In
Azure AD, we replace the network security perimeter with authentication in your organization's identity layer, with
users assigned to privileged administrative roles in control. Their access must be protected, whether the
environment is on-premises, cloud, or a hybrid.
Securing privileged access requires changes to:
Processes, administrative practices, and knowledge management
Technical components such as host defenses, account protections, and identity management
Secure your privileged access in a way that is managed and reported in the Microsoft services you care about. If
you have on-premises admin accounts, see the guidance for on-premises and hybrid privileged access in Active
Directory at Securing Privileged Access.
NOTE
The guidance in this article refers primarily to features of Azure Active Directory that are included in Azure Active Directory
Premium plans P1 and P2. Azure Active Directory Premium P2 is included in the EMS E5 suite and Microsoft 365 E5 suite.
This guidance assumes your organization already has Azure AD Premium P2 licenses purchased for your users. If you do not
have these licenses, some of the guidance might not apply to your organization. Also, throughout this article, the term
global administrator (or global admin) means the same thing as "company administrator" or "tenant administrator."
Develop a roadmap
Microsoft recommends that you develop and follow a roadmap to secure privileged access against cyber attackers.
You can always adjust your roadmap to accommodate your existing capabilities and specific requirements within
your organization. Each stage of the roadmap should raise the cost and difficulty for adversaries to attack
privileged access for your on-premises, cloud, and hybrid assets. Microsoft recommends the following four
roadmap stages. Schedule the most effective and the quickest implementations first. This article can be your guide,
based on Microsoft's experiences with cyber-attack incident and response implementation. The timelines for this
roadmap are approximations.
Stage 1 (24-48 hours): Critical items that we recommend you do right away
Stage 2 (2-4 weeks): Mitigate the most frequently used attack techniques
Stage 3 (1-3 months): Build visibility and build full control of admin activity
Stage 4 (six months and beyond): Continue building defenses to further harden your security platform
This roadmap framework is designed to maximize the use of Microsoft technologies that you may have already
deployed. Consider tying in to any security tools from other vendors that you have already deployed or are
considering deploying.
Stage 1: Critical items to do right now
Stage 1 of the roadmap is focused on critical tasks that are fast and easy to implement. We recommend that you
do these few items right away within the first 24-48 hours to ensure a basic level of secure privileged access. This
stage of the Secured Privileged Access roadmap includes the following actions:
General preparation
Turn on Azure AD Privileged Identity Management
We recommend that you turn on Azure AD Privileged Identity Management (PIM) in your Azure AD production
environment. After you turn on PIM, you'll receive notification email messages for privileged access role changes.
Notifications provide early warning when additional users are added to highly privileged roles.
Azure AD Privileged Identity Management is included in Azure AD Premium P2 or EMS E5. To help you protect
access to applications and resources on-premises and in the cloud, sign up for the Enterprise Mobility + Security
free 90-day trial. Azure AD Privileged Identity Management and Azure AD Identity Protection monitor security
activity using Azure AD reporting, auditing, and alerts.
After you turn on Azure AD Privileged Identity Management:
1. Sign in to the Azure portal with an account that is a global admin of your Azure AD production organization.
2. To select the Azure AD organization where you want to use Privileged Identity Management, select your
user name in the upper right-hand corner of the Azure portal.
3. On the Azure portal menu, select All ser vices and filter the list for Azure AD Privileged Identity
Management .
4. Open Privileged Identity Management from the All ser vices list and pin it to your dashboard.
Make sure the first person to use PIM in your organization is assigned to the Security administrator and
Privileged role administrator roles. Only privileged role administrators can manage the Azure AD directory
role assignments of users. The PIM security wizard walks you through the initial discovery and assignment
experience. You can exit the wizard without making any additional changes at this time.
Identify and categorize accounts that are in highly privileged roles
After turning on Azure AD Privileged Identity Management, view the users who are in the following Azure AD
roles:
Privileged role administrator
Exchange administrator
SharePoint administrator
If you don't have Azure AD Privileged Identity Management in your organization, you can use the PowerShell API.
Start with the global admin role because a global admin has the same permissions across all cloud services for
which your organization has subscribed. These permissions are granted no matter where they were assigned: in
the Microsoft 365 admin center, the Azure portal, or by the Azure AD module for Microsoft PowerShell.
Remove any accounts that are no longer needed in those roles. Then, categorize the remaining accounts that are
assigned to admin roles:
Assigned to administrative users, but also used for non-administrative purposes (for example, personal email)
Assigned to administrative users and used for administrative purposes only
Shared across multiple users
For break-glass emergency access scenarios
For automated scripts
For external users
Define at least two emergency access accounts
It's possible for a user to be accidentally locked out of their role. For example, if a federated on-premises identity
provider isn't available, users can't sign in or activate an existing administrator account. You can prepare for
accidental lack of access by storing two or more emergency access accounts.
Emergency access accounts help restrict privileged access within an Azure AD organization. These accounts are
highly privileged and aren't assigned to specific individuals. Emergency access accounts are limited to emergency
for "break glass" scenarios where normal administrative accounts can't be used. Ensure that you control and
reduce the emergency account's usage to only that time for which it's necessary.
Evaluate the accounts that are assigned or eligible for the global admin role. If you don't see any cloud-only
accounts using the *.onmicrosoft.com domain (for "break glass" emergency access), create them. For more
information, see Managing emergency access administrative accounts in Azure AD.
Turn on multi-factor authentication and register all other highly privileged single-user non-federated admin accounts
Require Azure Multi-Factor Authentication (MFA) at sign-in for all individual users who are permanently assigned
to one or more of the Azure AD admin roles: Global administrator, Privileged Role administrator, Exchange
administrator, and SharePoint administrator. Use the guide to enable Multi-factor Authentication (MFA) for your
admin accounts and ensure that all those users have registered at https://aka.ms/mfasetup. More information can
be found under step 2 and step 3 of the guide Protect access to data and services in Office 365.
Stage 2: Mitigate frequently used attacks
Stage 2 of the roadmap focuses on mitigating the most frequently used attack techniques of credential theft and
abuse and can be implemented in approximately 2-4 weeks. This stage of the Secured Privileged Access roadmap
includes the following actions.
General preparation
Conduct an inventory of services, owners, and admins
The increase in "bring your own device" and work from home policies and the growth of wireless connectivity
make it critical to monitor who is connecting to your network. A security audit can reveal devices, applications, and
programs on your network that your organization doesn't support and that represent high risk. For more
information, see Azure security management and monitoring overview. Ensure that you include all of the following
tasks in your inventory process.
Identify the users who have administrative roles and the services where they can manage.
Use Azure AD PIM to find out which users in your organization have admin access to Azure AD.
Beyond the roles defined in Azure AD, Office 365 comes with a set of admin roles that you can assign to
users in your organization. Each admin role maps to common business functions, and gives people in your
organization permissions to do specific tasks in the Microsoft 365 admin center. Use the Microsoft 365
admin center to find out which users in your organization have admin access to Office 365, including via
roles not managed in Azure AD. For more information, see About Office 365 admin roles and Security
practices for Office 365.
Do the inventory in services your organization relies on, such as Azure, Intune, or Dynamics 365.
Ensure that your accounts that are used for administration purposes:
Have working email addresses attached to them
Have registered for Azure Multi-Factor Authentication or use MFA on-premises
Ask users for their business justification for administrative access.
Remove admin access for those individuals and services that don't need it.
Identify Microsoft accounts in administrative roles that need to be switched to work or school accounts
If your initial global administrators reuse their existing Microsoft account credentials when they began using Azure
AD, replace the Microsoft accounts with individual cloud-based or synchronized accounts.
Ensure separate user accounts and mail forwarding for global administrator accounts
Personal email accounts are regularly phished by cyber attackers, a risk that makes personal email addresses
unacceptable for global administrator accounts. To help separate internet risks from administrative privileges,
create dedicated accounts for each user with administrative privileges.
Be sure to create separate accounts for users to do global admin tasks
Make sure that your global admins don't accidentally open emails or run programs with their admin accounts
Be sure those accounts have their email forwarded to a working mailbox
Ensure the passwords of administrative accounts have recently changed
Ensure all users have signed into their administrative accounts and changed their passwords at least once in the
last 90 days. Also, verify that any shared accounts have had their passwords changed recently.
Turn on password hash synchronization
Azure AD Connect synchronizes a hash of the hash of a user's password from on-premises Active Directory to a
cloud-based Azure AD organization. You can use password hash synchronization as a backup if you use federation
with Active Directory Federation Services (AD FS). This backup can be useful if your on-premises Active Directory
or AD FS servers are temporarily unavailable.
Password hash sync enables users to sign in to a service by using the same password they use to sign in to their
on-premises Active Directory instance. Password hash sync allows Identity Protection to detect compromised
credentials by comparing password hashes with passwords known to be compromised. For more information, see
Implement password hash synchronization with Azure AD Connect sync.
Require multi-factor authentication for users in privileged roles and exposed users
Azure AD recommends that you require multi-factor authentication (MFA) for all of your users. Be sure to consider
users who would have a significant impact if their account were compromised (for example, financial officers). MFA
reduces the risk of an attack because of a compromised password.
Turn on:
MFA using Conditional Access policies for all users in your organization.
If you use Windows Hello for Business, the MFA requirement can be met using the Windows Hello sign-in
experience. For more information, see Windows Hello.
Configure Identity Protection
Azure AD Identity Protection is an algorithm-based monitoring and reporting tool that detects potential
vulnerabilities affecting your organization's identities. You can configure automated responses to those detected
suspicious activities, and take appropriate action to resolve them. For more information, see Azure Active Directory
Identity Protection.
Obtain your Office 365 Secure Score (if using Office 365)
Secure Score looks at your settings and activities for the Office 365 services you're using and compares them to a
baseline established by Microsoft. You'll get a score based on how aligned you are with security practices. Anyone
who has the admin permissions for an Office 365 Business Premium or Enterprise subscription can access the
Secure Score at https://securescore.office.com.
Review the Office 365 security and compliance guidance (if using Office 365)
The plan for security and compliance outlines the approach for an Office 365 customer to configure Office 365 and
enable other EMS capabilities. Then, review steps 3-6 of how to Protect access to data and services in Office 365
and the guide for how to monitor security and compliance in Office 365.
Configure Office 365 Activity Monitoring (if using Office 365)
Monitor your organization for users who are using Office 365 to identify staff who have an admin account but
might not need Office 365 access because they don't sign in to those portals. For more information, see Activity
reports in the Microsoft 365 admin center.
Establish incident/emergency response plan owners
Establishing a successful incident response capability requires considerable planning and resources. You must
continually monitor for cyber-attacks and establish priorities for incident handling. Collect, analyze, and report
incident data to build relationships and establish communication with other internal groups and plan owners. For
more information, see Microsoft Security Response Center.
Secure on-premises privileged administrative accounts, if not already done
If your Azure Active Directory organization is synchronized with on-premises Active Directory, then follow the
guidance in Security Privileged Access Roadmap: This stage includes:
Creating separate admin accounts for users who need to conduct on-premises administrative tasks
Deploying Privileged Access Workstations for Active Directory administrators
Creating unique local admin passwords for workstations and servers
Additional steps for organizations managing access to Azure
Complete an inventory of subscriptions
Use the Enterprise portal and the Azure portal to identify the subscriptions in your organization that host
production applications.
Remove Microsoft accounts from admin roles
Microsoft accounts from other programs, such as Xbox, Live, and Outlook, shouldn't be used as administrator
accounts for your organization's subscriptions. Remove admin status from all Microsoft accounts, and replace with
Azure AD (for example, chris@contoso.com) work or school accounts. For admin purposes, depend on accounts
that are authenticated in Azure AD and not in other services.
Monitor Azure activity
The Azure Activity Log provides a history of subscription-level events in Azure. It offers information about who
created, updated, and deleted what resources, and when these events occurred. For more information, see Audit
and receive notifications about important actions in your Azure subscription.
Additional steps for organizations managing access to other cloud apps via Azure AD
Configure Conditional Access policies
Prepare Conditional Access policies for on-premises and cloud-hosted applications. If you have users workplace
joined devices, get more information from Setting up on-premises Conditional Access by using Azure Active
Directory device registration.
Stage 3: Take control of admin activity
Stage 3 builds on the mitigations from Stage 2 and should be implemented in approximately 1-3 months. This
stage of the Secured Privileged Access roadmap includes the following components.
General preparation
Complete an access review of users in administrator roles
More corporate users are gaining privileged access through cloud services, which can lead to unmanaged access.
Users today can become global admins for Office 365, Azure subscription administrators, or have admin access to
VMs or via SaaS apps.
Your organization should have all employees handle ordinary business transactions as unprivileged users, and
then grant admin rights only as needed. Complete access reviews to identify and confirm the users who are
eligible to activate admin privileges.
We recommend that you:
1. Determine which users are Azure AD admins, enable on-demand, just-in-time admin access, and role-based
security controls.
2. Convert users who have no clear justification for admin privileged access to a different role (if no eligible role,
remove them).
Continue rollout of stronger authentication for all users
Require highly exposed users to have modern, strong authentication such as Azure MFA or Windows Hello.
Examples of highly exposed users include:
C-suite executives
High-level managers
Critical IT and security personnel
Use dedicated workstations for administration for Azure AD
Attackers might try to target privileged accounts so that they can disrupt the integrity and authenticity of data.
They often use malicious code that alters the program logic or snoops the admin entering a credential. Privileged
Access Workstations (PAWs) provide a dedicated operating system for sensitive tasks that is protected from
Internet attacks and threat vectors. Separating these sensitive tasks and accounts from the daily use workstations
and devices provides strong protection from:
Phishing attacks
Application and operating system vulnerabilities
Impersonation attacks
Credential theft attacks such as keystroke logging, Pass-the-Hash, and Pass-The-Ticket
By deploying privileged access workstations, you can reduce the risk that admins enter their credentials in a
desktop environment that hasn't been hardened. For more information, see Privileged Access Workstations.
Review National Institute of Standards and Technology recommendations for handling incidents
The National Institute of Standards and Technology's (NIST) provides guidelines for incident handling, particularly
for analyzing incident-related data and determining the appropriate response to each incident. For more
information, see The (NIST) Computer Security Incident Handling Guide (SP 800-61, Revision 2).
Implement Privileged Identity Management (PIM) for JIT to additional administrative roles
For Azure Active Directory, use Azure AD Privileged Identity Management capability. Time-limited activation of
privileged roles works by enabling you to:
Activate admin privileges to do a specific task
Enforce MFA during the activation process
Use alerts to inform admins about out-of-band changes
Enable users to keep their privileged access for a pre-configured amount of time
Allow security admins to:
Discover all privileged identities
View audit reports
Create access reviews to identify every user who is eligible to activate admin privileges
If you're already using Azure AD Privileged Identity Management, adjust timeframes for time-bound privileges as
necessary (for example, maintenance windows).
Determine exposure to password-based sign-in protocols (if using Exchange Online)
We recommend you identify every potential user who could be catastrophic to the organization if their credentials
were compromised. For those users, put in place strong authentication requirements and use Azure AD
Conditional Access to keep them from signing in to their email using username and password. You can block
legacy authentication using Conditional Access, and you can block basic authentication through Exchange online.
Complete a roles review assessment for Office 365 roles (if using Office 365)
Assess whether all admins users are in the correct roles (delete and reassign according to this assessment).
Review the security incident management approach used in Office 365 and compare with your own organization
You can download this report from Security Incident Management in Microsoft Office 365.
Continue to secure on-premises privileged administrative accounts
If your Azure Active Directory is connected to on-premises Active Directory, then follow the guidance in the
Security Privileged Access Roadmap: Stage 2. In this stage, you:
Deploy Privileged Access Workstations for all administrators
Require MFA
Use Just Enough Admin for domain controller maintenance, lowering the attack surface of domains
Deploy Advanced Threat Assessment for attack detection
Establish integrated monitoring
The Azure Security Center:
Provides integrated security monitoring and policy management across your Azure subscriptions
Helps detect threats that may otherwise go unnoticed
Works with a broad array of security solutions
Inventory your privileged accounts within hosted Virtual Machines
You don't usually need to give users unrestricted permissions to all your Azure subscriptions or resources. Use
Azure AD admin roles to grant only the access that your users who need to do their jobs. You can use Azure AD
administrator roles to let one admin manage only VMs in a subscription, while another can manage SQL databases
within the same subscription. For more information, see What is Azure role-based access control.
Implement PIM for Azure AD administrator roles
Use Privileged identity Management with Azure AD administrator roles to manage, control, and monitor access to
Azure resources. Using PIM protects by lowering the exposure time of privileges and increasing your visibility into
their use through reports and alerts. For more information, see What is Azure AD Privileged Identity Management.
Use Azure log integrations to send relevant Azure logs to your SIEM systems
Azure log integration enables you to integrate raw logs from your Azure resources to your organization's existing
Security Information and Event Management (SIEM) systems. Azure log integration collects Windows events from
Windows Event Viewer logs and Azure resources from:
Azure activity Logs
Azure Security Center alerts
Azure resource logs
Additional steps for organizations managing access to other cloud apps via Azure AD
Implement user provisioning for connected apps
Azure AD allows you to automate creating and maintaining user identities in cloud apps like Dropbox, Salesforce,
and ServiceNow. For more information, see Automate user provisioning and deprovisioning to SaaS applications
with Azure AD.
Integrate information protection
Microsoft Cloud App Security allows you to investigate files and set policies based on Azure Information Protection
classification labels, enabling greater visibility and control of your cloud data. Scan and classify files in the cloud
and apply Azure information protection labels. For more information, see Azure Information Protection integration.
Configure Conditional Access
Configure Conditional Access based on a group, location, and application sensitivity for SaaS apps and Azure AD
connected apps.
Monitor activity in connected cloud apps
We recommend using Microsoft Cloud App Security to ensure that user access is also protected in connected
applications. This feature secures the enterprise access to cloud apps and secures your admin accounts, allowing
you to:
Extend visibility and control to cloud apps
Create policies for access, activities, and data sharing
Automatically identify risky activities, abnormal behaviors, and threats
Prevent data leakage
Minimize risk and automated threat prevention and policy enforcement
The Cloud App Security SIEM agent integrates Cloud App Security with your SIEM server to enable centralized
monitoring of Office 365 alerts and activities. It runs on your server and pulls alerts and activities from Cloud App
Security and streams them into the SIEM server. For more information, see SIEM integration.
Stage 4: Continue building defenses
Stage 4 of the roadmap should be implemented at six months and beyond. Complete your roadmap to strengthen
your privileged access protections from potential attacks that are known today. For the security threats of
tomorrow, we recommend viewing security as an ongoing process to raise the costs and reduce the success rate of
adversaries targeting your environment.
Securing privileged access is important to establish security assurances for your business assets. However, it
should be part of a complete security program that provides ongoing security assurances. This program should
include elements such as:
Policy
Operations
Information security
Servers
Applications
PCs
Devices
Cloud fabric
We recommend the following practices when you're managing privileged access accounts:
Ensure that admins are doing their day-to-day business as unprivileged users
Grant privileged access only when needed, and remove it afterward ( just-in-time)
Keep audit activity logs relating to privileged accounts
For more information on building a complete security roadmap, see Microsoft cloud IT architecture resources. To
engage with Microsoft services to help you implement any part of your roadmap, contact your Microsoft
representative or see Build critical cyber defenses to protect your enterprise.
This final ongoing stage of the Secured Privileged Access roadmap includes the following components.
General preparation
Review admin roles in Azure AD
Determine if current built-in Azure AD admin roles are still up to date and ensure that users are in only the roles
they need. With Azure AD, you can assign separate administrators to serve different functions. For more
information, see Assigning administrator roles in Azure Active Directory.
Review users who have administration of Azure AD joined devices
For more information, see How to configure hybrid Azure Active Directory joined devices.
Review members of built-in Office 365 admin roles
Skip this step if you're not using Office 365.
Validate incident response plan
To improve upon your plan, Microsoft recommends you regularly validate that your plan operates as expected:
Go through your existing road map to see what was missed
Based on the postmortem analysis, revise existing or define new practices
Ensure that your updated incident response plan and practices are distributed throughout your organization
Determine if you need to transfer ownership of an Azure subscription to another account.
"Break glass": what to do in an emergency
1. Notify key managers and security officers with information about the incident.
2. Review your attack playbook.
3. Access your "break glass" account username and password combination to sign in to Azure AD.
4. Get help from Microsoft by opening an Azure support request.
5. Look at the Azure AD sign-in reports. There might be some time between an event occurring and when it's
included in the report.
6. For hybrid environments, if your on-premises infrastructure federated and your AD FS server aren't
available, you can temporarily switch from federated authentication to use password hash sync. This switch
reverts the domain federation back to managed authentication until the AD FS server becomes available.
7. Monitor email for privileged accounts.
8. Make sure you save backups of relevant logs for potential forensic and legal investigation.
For more information about how Microsoft Office 365 handles security incidents, see Security Incident
Management in Microsoft Office 365.
FAQ: Answers for securing privileged access

Q: What do I do if I haven't implemented any secure access components yet?
Answer : Define at least two break-glass account, assign MFA to your privileged admin accounts, and separate user
accounts from Global admin accounts.
Q: After a breach, what is the top issue that needs to be addressed first?
Answer : Be sure you're requiring the strongest authentication for highly exposed individuals.
Q: What happens if our privileged admins have been deactivated?
Answer : Create a Global admin account that is always kept up to date.
Q: What happens if there's only one global administrator left and they can't be reached?
Answer : Use one of your break-glass accounts to gain immediate privileged access.
Q: How can I protect admins within my organization?
Answer : Have admins always do their day-to-day business as standard "unprivileged" users.
Q: What are the best practices for creating admin accounts within Azure AD?
Answer : Reserve privileged access for specific admin tasks.
Q: What tools exist for reducing persistent admin access?
Answer : Privileged Identity Management (PIM) and Azure AD admin roles.
Q: What is the Microsoft position on synchronizing admin accounts to Azure AD?
Answer : Tier 0 admin accounts are used only for on-premises AD accounts. Such accounts aren't typically
synchronized with Azure AD in the cloud. Tier 0 admin accounts include accounts, groups, and other assets that
have direct or indirect administrative control of the on-premises Active Directory forest, domains, domain
controllers, and assets.
Q: How do we keep admins from assigning random admin access in the portal?
Answer : Use non-privileged accounts for all users and most admins. Start by developing a footprint of the
organization to determine which few admin accounts should be privileged. And monitor for newly created
administrative users.
Next steps
Microsoft Trust Center for Product Security – Security features of Microsoft cloud products and services
Microsoft Trust Center - Compliance – Microsoft's comprehensive set of compliance offerings for cloud
services
Guidance on how to do a risk assessment - Manage security and compliance requirements for Microsoft
cloud services
Other Microsoft Online Services
Microsoft Intune Security – Intune provides mobile device management, mobile application management,
and PC management capabilities from the cloud.
Microsoft Dynamics 365 security – Dynamics 365 is the Microsoft cloud-based solution that unifies
customer relationship management (CRM) and enterprise resource planning (ERP) capabilities.
Manage emergency access accounts in Azure AD
It is important that you prevent being accidentally locked out of your Azure Active Directory (Azure AD)
organization because you can't sign in or activate another user's account as an administrator. You can mitigate the
impact of accidental lack of administrative access by creating two or more emergency access accounts in your
organization.
Emergency access accounts are highly privileged, and they are not assigned to specific individuals. Emergency
access accounts are limited to emergency or "break glass"' scenarios where normal administrative accounts can't
be used. We recommend that you maintain a goal of restricting emergency account use to only the times when it is
absolutely necessary.
This article provides guidelines for managing emergency access accounts in Azure AD.
Why use an emergency access account

An organization might need to use an emergency access account in the following situations:
The user accounts are federated, and federation is currently unavailable because of a cell-network break or an
identity-provider outage. For example, if the identity provider host in your environment has gone down, users
might be unable to sign in when Azure AD redirects to their identity provider.
The administrators are registered through Azure Multi-Factor Authentication, and all their individual devices are
unavailable or the service is unavailable. Users might be unable to complete Multi-Factor Authentication to
activate a role. For example, a cell network outage is preventing them from answering phone calls or receiving
text messages, the only two authentication mechanisms that they registered for their device.
The person with the most recent Global Administrator access has left the organization. Azure AD prevents the
last Global Administrator account from being deleted, but it does not prevent the account from being deleted or
disabled on-premises. Either situation might make the organization unable to recover the account.
Unforeseen circumstances such as a natural disaster emergency, during which a mobile phone or other
networks might be unavailable.
Create emergency access accounts

Create two or more emergency access accounts. These accounts should be cloud-only accounts that use the
*.onmicrosoft.com domain and that are not federated or synchronized from an on-premises environment.
When configuring these accounts, the following requirements must be met:
The emergency access accounts should not be associated with any individual user in the organization. Make
sure that your accounts are not connected with any employee-supplied mobile phones, hardware tokens that
travel with individual employees, or other employee-specific credentials. This precaution covers instances
where an individual employee is unreachable when the credential is needed. It is important to ensure that any
registered devices are kept in a known, secure location that has multiple means of communicating with Azure
AD.
The authentication mechanism used for an emergency access account should be distinct from that used by your
other administrative accounts, including other emergency access accounts. For example, if your normal
administrator sign-in is via on-premises MFA, then Azure MFA would be a different mechanism. However if
Azure MFA is your primary part of authentication for your administrative accounts, then consider a different
approach for these, such as using Conditional Access with a third-party MFA provider via Custom controls.
The device or credential must not expire or be in scope of automated cleanup due to lack of use.
You should make the Global Administrator role assignment permanent for your emergency access accounts.
Exclude at least one account from phone -based multi-factor authentication
To reduce the risk of an attack resulting from a compromised password, Azure AD recommends that you require
multi-factor authentication for all individual users. This group includes administrators and all others (for example,
financial officers) whose compromised account would have a significant impact.
However, at least one of your emergency access accounts should not have the same multi-factor authentication
mechanism as your other non-emergency accounts. This includes third-party multi-factor authentication solutions.
If you have a Conditional Access policy to require multi-factor authentication for every administrator for Azure AD
and other connected software as a service (SaaS) apps, you should exclude emergency access accounts from this
requirement, and configure a different mechanism instead. Additionally, you should make sure the accounts do not
have a per-user multi-factor authentication policy.
Exclude at least one account from Conditional Access policies
During an emergency, you do not want a policy to potentially block your access to fix an issue. At least one
emergency access account should be excluded from all Conditional Access policies.
Federation guidance
An additional option for organizations that use AD Domain Services and ADFS or similar identity provider to
federate to Azure AD, is to configure an emergency access account whose MFA claim could be supplied by that
identity provider. For example, the emergency access account could be backed by a certificate and key pair such as
one stored on a smartcard. When that user is authenticated to AD, ADFS can supply a claim to Azure AD indicating
that the user has met MFA requirements. Even with this approach, organizations must still have cloud-based
emergency access accounts in case federation cannot be established.
Store account credentials safely

Organizations need to ensure that the credentials for emergency access accounts are kept secure and known only
to individuals who are authorized to use them. Some customers use a smartcard and others use passwords. A
password for an emergency access account is usually separated into two or three parts, written on separate pieces
of paper, and stored in secure, fireproof safes that are in secure, separate locations.
If using passwords, make sure the accounts have strong passwords that do not expire the password. Ideally, the
passwords should be at least 16 characters long and randomly generated.
Monitor sign-in and audit logs

Organizations should monitor sign-in and audit log activity from the emergency accounts and trigger notifications
to other administrators. When you monitor the activity on break glass accounts, you can verify these accounts are
only used for testing or actual emergencies. You can use Azure Log Analytics to monitor the sign-in logs and
trigger email and SMS alerts to your admins whenever break glass accounts sign in.
Prerequisites
1. Send Azure AD sign-in logs to Azure Monitor.
Obtain Object IDs of the break glass accounts
1. Sign in to the Azure portal with an account assigned to the User administrator role.
2. Select Azure Active Director y > Users .
3. Search for the break-glass account and select the user’s name.
4. Copy and save the Object ID attribute so that you can use it later.
5. Repeat previous steps for second break-glass account.
Create an alert rule
1. Sign in to the Azure portal with an account assigned to the Monitoring Contributor role in Azure Monitor.
2. Select All ser vices ", enter "log analytics" in Search and then select Log Analytics workspaces .
3. Select a workspace.
4. In your workspace, select Aler ts > New aler t rule .
a. Under Resource , verify that the subscription is the one with which you want to associate the alert
rule.
b. Under Condition , select Add .
c. Select Custom log search under Signal name .
d. Under Search quer y , enter the following query, inserting the object IDs of the two break glass
accounts.
NOTE
For each additional break glass account you want to include, add another "or UserId == "ObjectGuid"" to the
query.
e. Under Aler t logic , enter the following:

Based on: Number of results
Operator: Greater than
Threshold value: 0
f. Under Evaluated based on , select the Period (in minutes) for how long you want the query to
run, and the Frequency (in minutes) for how often you want the query to run. The frequency
should be less than or equal to the period.
g. Select Done . You may now view the estimated monthly cost of this alert.
5. Select an action group of users to be notified by the alert. If you want to create one, see Create an action group.
6. To customize the email notification sent to the members of the action group, select actions under Customize
Actions .
7. Under Aler t Details , specify the alert rule name and add an optional description.
8. Set the Severity level of the event. We recommend that you set it to Critical(Sev 0) .
9. Under Enable rule upon creation , leave it set as yes .
10. To turn off alerts for a while, select the Suppress Aler ts check box and enter the wait duration before alerting
again, and then select Save .
11. Click Create aler t rule .
Create an action group
1. Select Create an action group .
2. Enter the action group name and a short name.

3. Verify the subscription and resource group.
4. Under action type, select Email/SMS/Push/Voice .
5. Enter an action name such as Notify global admin .
6. Select the Action Type as Email/SMS/Push/Voice .
7. Select Edit details to select the notification methods you want to configure and enter the required contact
information, and then select Ok to save the details.
8. Add any additional actions you want to trigger.
9. Select OK .
Validate accounts regularly

When you train staff members to use emergency access accounts and validate the emergency access accounts, at
minimum do the following steps at regular intervals:
Ensure that security-monitoring staff are aware that the account-check activity is ongoing.
Ensure that the emergency break glass process to use these accounts is documented and current.
Ensure that administrators and security officers who might need to perform these steps during an emergency
are trained on the process.
Update the account credentials, in particular any passwords, for your emergency access accounts, and then
validate that the emergency access accounts can sign-in and perform administrative tasks.
Ensure that users have not registered Multi-Factor Authentication or self-service password reset (SSPR) to any
individual user’s device or personal details.
If the accounts are registered for Multi-Factor Authentication to a device, for use during sign-in or role
activation, ensure that the device is accessible to all administrators who might need to use it during an
emergency. Also verify that the device can communicate through at least two network paths that do not share a
common failure mode. For example, the device can communicate to the internet through both a facility's
wireless network and a cell provider network.
These steps should be performed at regular intervals and for key changes:
At least every 90 days
When there has been a recent change in IT staff, such as a job change, a departure, or a new hire
When the Azure AD subscriptions in the organization have changed
Next steps
Securing privileged access for hybrid and cloud deployments in Azure AD
Add users using Azure AD and assign the new user to the Global Administrator role
Sign up for Azure AD Premium, if you haven’t signed up already
How to require two-step verification for a user
Configure additional protections for Global Administrators in Microsoft 365, if you are using Microsoft 365
Start an access review of Global Administrators and transition existing Global Administrators to more specific
administrator roles
Administrative units management in Azure Active
Directory (preview)
This article describes administrative units in Azure Active Directory (Azure AD). An administrative unit is an Azure
AD resource that can be a container for other Azure AD resources. In this preview release, an administrative unit
can contain only users and groups.
Administrative units allow you to grant admin permissions that are restricted to a department, region, or other
segment of your organization that you define. You can use administrative units to delegate permissions to
regional administrators or to set policy at a granular level. For example, a User account admin could update
profile information, reset passwords, and assign licenses for users only in their administrative unit.
For example, delegating to regional support specialists the Helpdesk Administrator role restricted to managing
just the users in the region they support.
Deployment scenario
Restricting administrative scope using administrative units can be useful in organizations that are made up of
independent divisions of any kind. Consider the example of a large university that is made up of many
autonomous schools (School of Business, School of Engineering, and so on) that each has a team of IT admins
who control access, manage users, and set policies for their school. A central administrator could:
Create a role with administrative permissions over only Azure AD users in the business school administrative
unit
Create an administrative unit for the School of Business
Populate the admin unit with only the business school students and staff
Add the Business school IT team to the role with their scope
License requirements
Using administrative units requires an Azure Active Directory Premium license for each administrative unit admin,
and Azure Active Directory Free licenses for administrative unit members. For more information, see Getting
started with Azure AD Premium.
Manage administrative units

In this preview release, you can manage administrative units using the Azure portal, PowerShell cmdlets and
scripts, or the Microsoft Graph. You can refer to our documentation for details:
Create, remove, populate, and add roles to administrative units: Complete how-to procedures
Working with Admin Units: How to work with administrative units using PowerShell
Administrative Unit Graph support: Detailed documentation on Microsoft Graph for administrative units.
Planning your administrative units
Administrative units can be used to logically group Azure AD resources. For example, for an organization whose IT
department is scattered globally, it might make sense to create administrative units that define those geographical
boundaries. In another scenario where a multi-national organization has different "sub-organizations", that are
semi-autonomous in operations, each sub-organization may be represented by an administrative unit.
The criteria on which administrative units are created will be guided by the unique requirements of an
organization. Administrative Units are a common way to define structure across Microsoft 365 services. We
recommend that you prepare your administrative units with their use across Microsoft 365 services in mind. You
can get maximum value out of administrative units when you can associate common resources across Microsoft
365 under an administrative unit.
You can expect the creation of administrative units in the organization to go through the following stages:
1. Initial Adoption: Your organization will start creating administrative units based on initial criteria and the
number of administrative units will increase as the criteria is refined.
2. Pruning: Once the criteria is well defined, administrative units that are no longer required will be deleted.
3. Stabilization: Your organizational structure is well defined and the number of administrative units is not going
to change significantly over short durations.
Currently supported scenarios

Global administrators or Privileged role administrators can use the Azure AD portal to create administrative units,
add users as members of administrative units, and then assign IT staff to administrative unit-scoped administrator
roles. The administrative unit-scoped admins can then use the Microsoft 365 admin center for basic management
of users in their administrative units.
Additionally, groups can be added as members of administrative unit, and an admin unit-scoped group
administrator can manage them using PowerShell, the Microsoft Graph, and the Azure AD portal.
The below table describes current support for administrative unit scenarios.
Administrative unit management
M IC RO SO F T 365 A DM IN
P ERM ISSIO N S M S GRA P H / P O W ERSH EL L A Z URE A D P O RTA L C EN T ER
Creating and deleting Supported Supported Not supported

administrative units
Adding and removing Supported Supported Not supported

administrative unit members
individually
Bulk adding and removing Not supported Supported No plan to support

administrative unit members
using .csv file
Assigning administrative Supported Supported Not supported

unit-scoped administrators
Adding and removing AU Not supported Not supported Not supported

members dynamically based
on attributes
User management
administrative unit-scoped Supported Supported Supported

management of user
properties, passwords,
licenses
administrative unit-scoped Supported Supported Supported

blocking and unblocking of
user sign-ins
administrative unit-scoped Supported Supported Not supported

management of user MFA
credentials
Group management

management of group
properties and members

management of group
licensing
NOTE
Administrators with an administrative unit scope can't manage dynamic group membership rules.
Administrative units apply scope only to management permissions. They don't prevent members or
administrators from using their default user permissions to browse other users, groups, or resources outside of
the administrative unit. In the Microsoft 365 admin center, users outside of a scoped admin's administrative units
are filtered out, but you can browse other users in the Azure AD portal, PowerShell, and other Microsoft services.
Next steps
Managing AUs
Manage users in AUs
Manage groups in AUs
Assign scoped roles to an AU
Manage administrative units in Azure Active
Directory
For more granular administrative control in Azure Active Directory (Azure AD), you can assign users to an Azure
AD role with a scope that's limited to one or more administrative units (AUs).
Get started
1. To run queries from the following instructions via Graph Explorer, do the following:
a. In the Azure portal, go to Azure AD. In the applications list, select Graph Explorer , and then select Grant
admin consent to Graph Explorer .
b. In Graph Explorer, select the beta version.
2. Use the preview version of Azure AD PowerShell.
Add an administrative unit

Use the Azure portal
1. In the Azure portal, go to Azure AD, and then, in the left pane, select Administrative units .
2. Select Add and then enter the name of the administrative unit. Optionally, add a description of the
administrative unit.
3. Select Add to finalize the administrative unit.

Use PowerShell
Install Azure AD PowerShell (preview) before you try to run the following commands:
Connect-AzureAD
New-AzureADAdministrativeUnit -Description "West Coast region" -DisplayName "West Coast"
You can modify the values that are enclosed in quotation marks, as required.
Use Microsoft Graph
Http Request
POST /administrativeUnits
Request body
{
"displayName": "North America Operations",
"description": "North America Operations administration"
}
Remove an administrative unit

In Azure AD, you can remove an administrative unit that you no longer need as a unit of scope for administrative
roles.
Use the Azure portal
1. In the Azure portal, go to Azure AD > Administrative units .
2. Select the administrative unit to be deleted, and then select Delete .
3. To confirm that you want to delete the administrative unit, select Yes . The administrative unit is deleted.
Use PowerShell
$delau = Get-AzureADAdministrativeUnit -Filter "displayname eq 'DeleteMe Admin Unit'"
Remove-AzureADAdministrativeUnit -ObjectId $delau.ObjectId
You can modify the values that are enclosed in quotation marks, as required for the specific environment.
Use the Graph API
HTTP request
DELETE /administrativeUnits/{Admin id}
Request body
{}
Next steps
Manage users in an administrative unit
Manage groups in an administrative unit
Add and manage users in an administrative unit in
In Azure Active Directory (Azure AD), you can add users to an administrative unit (AU) for more granular
administrative scope of control.
For steps to prepare to use PowerShell and Microsoft Graph for administrative unit management, see Get started.
Add users to an AU
Azure portal
You can assign users to administrative units in two ways.
1. Individual assignment
a. You can go to the Azure AD in the portal and select Users and select the user to be assigned to an
administrative unit. You can then select Administrative units in the left panel. The user can be
assigned to one or more administrative units by clicking on Assign to administrative unit and
selecting the administrative units where the user is to be assigned.
b. You can go to Azure AD in the portal and select Administrative units in the left pane and then select
the administrative unit where the users is to be assigned. Select All users on the left pane and then
select Add member. You can then go ahead and select one or more users to be assigned to the
administrative unit from the right pane.
2. Bulk assignment
Go to Azure AD in the portal and select Administrative units. Select the administrative unit where users are
to be added. Proceed by clicking on All users -> Add members from .csv file. You can then download the
CSV template and edit the file. The format is simple and needs a single UPN to be added in each line. Once
the file is ready, save it at an appropriate location and then upload it in step 3 as highlighted in the
snapshot.
PowerShell
$administrativeunitObj = Get-AzureADAdministrativeUnit -Filter "displayname eq 'Test administrative unit 2'"
$UserObj = Get-AzureADUser -Filter "UserPrincipalName eq 'billjohn@fabidentity.onmicrosoft.com'"
Add-AzureADAdministrativeUnitMember -ObjectId $administrativeunitObj.ObjectId -RefObjectId $UserObj.ObjectId
In the above example, the cmdlet Add-AzureADAdministrativeUnitMember is used to add the user to the
administrative unit. The object ID of the administrative unit where user is to be added and the object ID of the user
who is to be added are taken as argument. The highlighted section may be changed as required for the specific
environment.
Microsoft Graph
Http request
POST /administrativeUnits/{Admin Unit id}/members/$ref
Request body
{
"@odata.id":"https://graph.microsoft.com/beta/users/{id}"
}
Example:
{
"@odata.id":"https://graph.microsoft.com/beta/users/johndoe@fabidentity.com"
}
List administrative units for a user

Azure portal
In the Azure portal you can open a user's profile by going to Azure AD > Users. Click on the user to open the user's
profile.
Select Administrative units on the left panel to see the list of administrative units where the user has been
assigned.
PowerShell
Get-AzureADAdministrativeUnit | where { Get-AzureADAdministrativeUnitMember -ObjectId $_.ObjectId | where

{$_.ObjectId -eq $userObjId} }
Microsoft Graph
https://graph.microsoft.com/beta/users//memberOf/$/Microsoft.Graph.AdministrativeUnit
Remove a single user from an AU

Azure portal
There are two ways you can remove a user from an administrative unit. In the Azure portal you can open a user's
profile by going to Azure AD > Users . Select the user to open the user's profile. Select the administrative unit you
want the user to be removed from and select Remove from administrative unit .
You can also remove a user in Azure AD > Administrative units by selecting the administrative unit you want
to remove users from. Select the user and select Remove member .
PowerShell
Remove-AzureADAdministrativeUnitMember -ObjectId $auId -MemberId $memberUserObjId
Microsoft Graph
https://graph.microsoft.com/beta/administrativeUnits//members//$ref
Bulk remove more than one user

You can go to Azure AD > Administrative units and select the administrative unit you want to remove users from.
Click on Bulk remove member. Download the CSV template for providing the list of users to be removed.
Edit the downloaded CSV template with the relevant user entries. Do not remove the first two rows of the
template. Add one user UPN in each row.
Once you have saved the entries in the file, upload the file, select Submit .
Next steps
Assign a role to an administrative unit
Add groups to an administrative unit
Add and manage groups in administrative units in
In Azure Active Directory (Azure AD), you can add groups to an administrative unit (AU) for more granular
administrative scope of control.
Add groups to an AU
Azure portal
In the preview, you can assign groups only individually to an administrative unit. There is no option of bulk
assignment of groups to an administrative unit. You can assign a group to an administrative unit in one of the two
ways in portal:
1. From the Azure AD > Groups page
Open the Groups overview page in Azure AD and select the group that needs to be assigned to the
administrative unit. On the left side, select Administrative units to list out the administrative units the
group is assigned to. On the top you will find the option Assign to administrative unit and clicking on it will
give a panel on right side to choose the administrative unit.
2. From the Azure AD > Administrative units > All Groups page
Open the All Groups blade in Azure AD > Administrative Units. If there are groups already assigned to the
administrative unit, they will be displayed on the right side. Select Add on the top and a right panel will
slide in listing the groups available in your Azure AD organization. Select one or more groups to be
assigned to the administrative units.
PowerShell
$administrative unitObj = Get-AzureADAdministrativeUnit -Filter "displayname eq 'Test administrative unit 2'"

$GroupObj = Get-AzureADGroup -Filter "displayname eq 'TestGroup'"
Add-AzureADAdministrativeUnitMember -ObjectId $administrative unitObj.ObjectId -RefObjectId $GroupObj.ObjectId
In this example, the cmdlet Add-AzureADAdministrativeUnitMember is used to add the group to the administrative
unit. The object ID of the administrative unit and the object ID of the group to be added are taken as argument. The
highlighted section may be changed as required for the specific environment.
Microsoft Graph
Http request
POST /administrativeUnits/{Admin Unit id}/members/$ref
Request body
{
"@odata.id":"https://graph.microsoft.com/beta/groups/{id}"
}
Example:
{
"@odata.id":"https://graph.microsoft.com/beta/groups/ 871d21ab-6b4e-4d56-b257-ba27827628f3"
}
List groups in an AU
Azure portal
Go to Azure AD > Administrative units in the portal. Select the administrative unit for which you want to list
the users. By default, All users is selected already on the left panel. Select All groups and on the right you will
find the list of groups that are members of the selected administrative unit.
PowerShell
$administrative unitObj = Get-AzureADAdministrativeUnit -Filter "displayname eq 'Test administrative unit 2'"

Get-AzureADAdministrativeUnitMember -ObjectId $administrative unitObj.ObjectId
This will help you get all the members of the administrative unit. If you want to display all the groups that are
members of the administrative unit, you can use the below code snippet:
foreach ($member in (Get-AzureADAdministrativeUnitMember -ObjectId $administrative unitObj.ObjectId))

{
if($member.ObjectType -eq "Group")
{
Get-AzureADGroup -ObjectId $member.ObjectId
}
}
Microsoft Graph
HTTP request
GET /administrativeUnits/{Admin id}/members/$/microsoft.graph.group
Request body
{}
List AUs for a group

Azure portal
In the Azure AD portal, you can open a group's details by opening Groups . Select a group to open the group's
profile. Select Administrative units to list all the administrative units where the group is a member.
PowerShell
Get-AzureADAdministrativeUnit | where { Get-AzureADAdministrativeUnitMember -ObjectId $_.ObjectId | where

{$_.ObjectId -eq $groupObjId} }
Microsoft Graph
https://graph.microsoft.com/beta/groups/<group-id>/memberOf/$/Microsoft.Graph.AdministrativeUnit
Remove a group from an AU

Azure portal
There are two ways you can remove a group from an administrative unit in the Azure portal.
Open Azure AD > Groups and open the profile for group you want to remove from administrative unit. Select
Administrative units in the left panel to list all the administrative units where the group is a member. Select the
administrative unit that you want to remove the group from, and then select Remove from administrative unit .
Alternatively, you can go to Azure AD > Administrative units and select the administrative unit where the
group is a member. Select Groups in the left panel to list the member groups. Select the group to be removed
from the administrative unit and then select Remove groups .
PowerShell
Remove-AzureADAdministrativeUnitMember -ObjectId $auId -MemberId $memberGroupObjId
Microsoft Graph
https://graph.microsoft.com/beta/administrativeUnits/<adminunit-id>/members/<group-id>/$ref
Next steps
Assign a role to an administrative unit
Manage users in an administrative unit
Assign scoped roles to an administrative unit
In Azure Active Directory (Azure AD), you can assign users to an Azure AD role with a scope limited to one or more
administrative units (AUs) for more granular administrative control.
Roles available
RO L E DESC RIP T IO N
Authentication Administrator Has access to view, set, and reset authentication method
information for any non-admin user in the assigned
administrative unit only.
Groups Administrator Can manage all aspects of groups and groups settings like
naming and expiration policies in the assigned administrative
unit only.
Helpdesk Administrator Can reset passwords for non-administrators and Helpdesk

administrators in the assigned administrative unit only.
License Administrator Can assign, remove, and update license assignments within
the administrative unit only.
Password Administrator Can reset passwords for non-administrators and Password

Administrators within the assigned administrative unit only.
User Administrator Can manage all aspects of users and groups, including
resetting passwords for limited admins within the assigned
administrative unit only.
Assign a scoped role

Azure portal
Go to Azure AD > Administrative units in the portal. Select the administrative unit over which you want to
assign the role to a user. On the left pane, select Roles and administrators to list all the available roles.
Select the role to be assigned and then select Add assignments . A panel opens on the right where you can select
one or more users to be assigned to the role.
PowerShell
$AdminUser = Get-AzureADUser -ObjectId "Use the user's UPN, who would be an admin on this unit"
$Role = Get-AzureADDirectoryRole | Where-Object -Property DisplayName -EQ -Value "User Account Administrator"
$administrativeUnit = Get-AzureADAdministrativeUnit -Filter "displayname eq 'The display name of the unit'"
$RoleMember = New-Object -TypeName Microsoft.Open.AzureAD.Model.RoleMemberInfo
$RoleMember.ObjectId = $AdminUser.ObjectId
Add-AzureADScopedRoleMembership -ObjectId $administrativeUnit.ObjectId -RoleObjectId $Role.ObjectId -
RoleMemberInfo $RoleMember
The highlighted section may be changed as required for the specific environment.
Microsoft Graph
Http request
POST /administrativeUnits/{id}/scopedRoleMembers
Request body
{
"roleId": "roleId-value",
"roleMemberInfo": {
"id": "id-value"
}
}
List the scoped admins on an AU

Azure portal
All the role assignments done with an administrative unit scope can be viewed in the Administrative units section
of Azure AD. Go to Azure AD > Administrative units in the portal. Select the admin unit for the role
assignments you want to list. Select Roles and administrators and open a role to view the assignments in the
admin unit.
PowerShell
$administrativeUnit = Get-AzureADAdministrativeUnit -Filter "displayname eq 'The display name of the unit'"

Get-AzureADScopedRoleMembership -ObjectId $administrativeUnit.ObjectId | fl *
The highlighted section may be changed as required for the specific environment.
Microsoft Graph
Http request
GET /administrativeUnits/{id}/scopedRoleMembers
Request body
{}
Next steps
Azure AD administrative units: Troubleshooting and
FAQ
For more granular administrative control in Azure Active Directory (Azure AD), you can assign users to an Azure AD
role with a scope that's limited to one or more administrative units (AUs). For sample PowerShell scripts for
common tasks, see Work with administrative units.
Frequently asked questions

Q: Why am I unable to create an administrative unit?
A: Only a Global Administrator or Privileged Role Administrator can create an administrative unit in Azure AD.
Check to ensure that the user who's trying to create the administrative unit is assigned either the Global
Administrator or Privileged Role Administrator role.
Q: I added a group to the administrative unit. Why are the group members still not showing up
there?
A: When you add a group to the administrative unit, that does not result in all the group's members being added to
it. Users must be directly assigned to the administrative unit.
Q: I just added (or removed) a member of the administrative unit. Why is the member not showing
up (or still showing up) in the user interface?
A: Sometimes, processing of the addition or removal of one or more members of the administrative unit might
take a few minutes to be reflected on the Administrative units page. Alternatively, you can go directly to the
associated resource's properties and see whether the action has been completed. For more information about users
and groups in AUs, see List administrative units for a user and List administrative units for a group.
Q: I am a delegated password administrator on an administrative unit. Why am I unable to reset a
specific user's password?
A: As an administrator of an administrative unit, you can reset passwords only for users who are assigned to your
administrative unit. Make sure that the user whose password reset is failing belongs to the administrative unit to
which you've been assigned. If the user belongs to the same administrative unit but you still can't reset their
password, check the roles that are assigned to the user.
To prevent an elevation of privilege, an administrative unit-scoped administrator can't reset the password of a user
who's assigned to a role with an organization-wide scope.
Q: Why are administrative units necessar y? Couldn't we have used security groups as the way to
define a scope?
A: Security groups have an existing purpose and authorization model. A User Administrator, for example, can
manage membership of all security groups in the Azure AD organization. The role might use groups to manage
access to applications such as Salesforce. A User Administrator should not be able to manage the delegation model
itself, which would be the result if security groups were extended to support "resource grouping" scenarios.
Administrative units, such as organizational units in Windows Server Active Directory, are intended to provide a
way to scope administration of a wide range of directory objects. Security groups themselves can be members of
resource scopes. Using security groups to define the set of security groups that an administrator can manage could
become confusing.
Q: What does it mean to add a group to an administrative unit?
A: Adding a group to an administrative unit brings the group itself into the management scope of any User
Administrator who is also scoped to that administrative unit. User administrators for the administrative unit can
manage the name and membership of the group itself. It does not grant the User Administrator for the
administrative unit permissions to manage the users of the group (for example, to reset their passwords). To grant
the User Administrator the ability to manage users, the users have to be direct members of the administrative unit.
Q: Can a resource (user or group) be a member of more than one administrative unit?
A: Yes, a resource can be a member of more than one administrative unit. The resource can be managed by all
organization-wide and administrative unit-scoped administrators who have permissions over the resource.
Q: Are administrative units available in B2C organizations?
A: No, administrative units are not available for B2C organizations.
Q: Are nested administrative units suppor ted?
A: No, nested administrative units are not supported.
Q: Are administrative units suppor ted in PowerShell and the Graph API?
A: Yes. You'll find support for administrative units in PowerShell cmdlet documentation and sample scripts.
Find support for the administrativeUnit resource type in Microsoft Graph.
Next steps
Restrict scope for roles by using administrative units
Manage administrative units
Add branding to your organization's Azure Active
Directory sign-in page
Use your organization's logo and custom color schemes to provide a consistent look-and-feel on your Azure Active
Directory (Azure AD) sign-in pages. Your sign-in pages appear when users sign in to your organization's web-based
apps, such as Office 365, which uses Azure AD as your identity provider.
NOTE
Adding custom branding requires you to use Azure Active Directory Premium 1, Premium 2, or Basic editions, or to have an
Office 365 license. For more information about licensing and editions, see Sign up for Azure AD Premium.
Azure AD Premium and Basic editions are available for customers in China using the worldwide instance of Azure Active
Directory. Azure AD Premium and Basic editions aren't currently supported in the Azure service operated by 21Vianet in
China. For more information, talk to us using the Azure Active Directory Forum.
Customize your Azure AD sign-in page

You can customize your Azure AD sign-in pages, which appear when users sign in to your organization's tenant-
specific apps, such as https://outlook.com/contoso.com , or when passing a domain variable, such as
https://passwordreset.microsoftonline.com/?whr=contoso.com .
Your custom branding won't immediately appear when your users go to sites such as, www.office.com. Instead, the
user has to sign-in before your customized branding appears. After the user has signed in, the branding may take
15 minutes or longer to appear.
NOTE
All branding elements are optional. For example, if you specify a banner logo with no background image, the sign-in page will
show your logo with a default background image from the destination site (for example, Office 365).
Additionally, sign-in page branding doesn't carry over to personal Microsoft accounts. If your users or business guests sign in
using a personal Microsoft account, the sign-in page won't reflect the branding of your organization.
To customize your branding

2. Select Azure Active Director y , and then select Company branding , and then select Configure .
3. On the Configure company branding page, provide any or all of the following information.
IMPORTANT
All the custom images you add on this page have image size (pixels), and potentially file size (KB), restrictions. Because
of these restrictions, you'll most-likely need to use a photo editor to create the right-sized images.
General settings
Language. The language is automatically set as your default and can't be changed.
Sign-in page background image. Select a .png or .jpg image file to appear as the
background for your sign-in pages. The image will be anchored to the center of the browser,
and will scale to the size of the viewable space. You can't select an image larger than
1920x1080 pixels in size or that has a file size more than 300 KB.
It's recommended to use images without a strong subject focus, e.g., an opaque white box
appears in the center of the screen, and could cover any part of the image depending on the
dimensions of the viewable space.
Banner logo. Select a .png or .jpg version of your logo to appear on the sign-in page after the
user enters a username and on the My Apps portal page.
The image can't be taller than 60 pixels or wider than 280 pixels. We recommend using a
transparent image since the background might not match your logo background. We also
recommend not adding padding around the image or it might make your logo look small.
Username hint. Type the hint text that appears to users if they forget their username. This text
must be Unicode, without links or code, and can't exceed 64 characters. If guests sign in to your
app, we suggest not adding this hint.
Sign-in page text and formatting. Type the text that appears on the bottom of the sign-in
page. You can use this text to communicate additional information, such as the phone number
to your help desk or a legal statement. This text must be Unicode and not exceed 1024
characters.
You can customize the sign-in page text you entered. To begin a new paragraph, use the enter
key twice. You can also change text formatting to include bold, italics, an underline or clickable
link. Use the following syntax to add formatting to text:
Hyperlink: [text](link)
Bold: **text** or __text__
Italics: *text* or _text_
Underline: ++text++
Advanced settings
Sign-in page background color. Specify the hexadecimal color (for example, white is
#FFFFFF) that will appear in place of your background image in low-bandwidth connection
situations. We recommend using the primary color of your banner logo or your organization
color.
Square logo image. Select a .png (preferred) or .jpg image of your organization's logo to
appear to users during the setup process for new Windows 10 Enterprise devices. This image is
only used for Windows authentication and appears only on tenants that are using Windows
Autopilot for deployment or for password entry pages in other Windows 10 experiences. In
some cases it may also appear in the consent dialog.
The image can't be larger than 240x240 pixels in size and must have a file size of less than 10
KB. We recommend using a transparent image since the background might not match your
logo background. We also recommend not adding padding around the image or it might make
your logo look small.
Square logo image, dark theme. Same as the square logo image above. This logo image
takes the place of the square logo image when used with a dark background, such as with
Windows 10 Azure AD joined screens during the out-of-box experience (OOBE). If your logo
looks good on white, dark blue, and black backgrounds, you don't need to add this image.
Show option to remain signed in. You can choose to let your users remain signed in to
Azure AD until explicitly signing out. If you choose No , this option is hidden, and users must
sign in each time the browser is closed and reopened.
This capability is only available on the default branding object and not on any language-
specific object. To learn more about configuring and troubleshooting the option to remain
signed in, see Configure the 'Stay signed in?' prompt for Azure AD accounts
NOTE
Some features of SharePoint Online and Office 2010 depend on users being able to choose to remain
signed in. If you set this option to No , your users may see additional and unexpected prompts to
sign-in.
4. After you've finished adding your branding, select Save .

If this process creates your first custom branding configuration, it becomes the default for your tenant. If you
have additional configurations, you'll be able to choose your default configuration.
IMPORTANT
To add more corporate branding configurations to your tenant, you must choose New language on the Contoso -
Company branding page. This opens the Configure company branding page, where you can follow the same
steps as above.
Update your custom branding

After you've created your custom branding, you can go back and change anything you want.
To edit your custom branding
2. Select Azure Active Director y , and then select Company branding , and then select Configure .
3. On the Configure company branding page, add, remove, or change any of the information, based on the
descriptions in the Customize your Azure AD sign-in page section of this article.
4. Select Save .
It can take up to an hour for any changes you made to the sign-in page branding to appear.
Add language-specific company branding to your directory

You can't change your original configuration's language from your default language. However, if you need a
configuration in a different language, you can create a new configuration.
To add a language -specific branding configuration
2. Select Azure Active Director y , and then select Company branding , and then select New language .
3. On the Configure company branding page, select your language (for example, French) and then add your
translated information, based on the descriptions in the Customize your Azure AD sign-in page section of
this article.
4. Select Save .
The Contoso – Company branding page updates to show your new French configuration.
Add your custom branding to pages

Add your custom branding to pages by modifying the end of the URL with the text, ?whr=yourdomainname . This
modification works on several pages, including the Multi-Factor Authentication (MFA) setup page, the Self-service
Password Reset (SSPR) setup page, and the sign in page.
Examples:
Original URL: https://aka.ms/MFASetup
Custom URL: https://account.activedirectory.windowsazure.com/proofup.aspx?whr=contoso.com
Original URL: https://aka.ms/SSPR
Custom URL: https://passwordreset.microsoftonline.com/?whr=contoso.com
Sign-in options for Microsoft accounts in Azure
Active Directory
The Microsoft 365 sign-in page for Azure Active Directory (Azure AD) supports work or school accounts and
Microsoft accounts, but depending on the user's situation, it could be one or the other or both. For example, the
Azure AD sign-in page supports:
Apps that accept sign-ins from both types of account
Organizations that accept guests
Identification
You can tell if the sign-in page your organization uses supports Microsoft accounts by looking at the hint text in the
username field. If the hint text says "Email, phone, or Skype", the sign-in page supports Microsoft accounts.
Additional sign-in options work only for personal Microsoft accounts but can't be used for signing in to work or
school account resources.
Next steps
Customize your sign-in branding
Home realm discovery for Azure Active Directory
sign-in pages
We are changing our Azure Active Directory (Azure AD) sign-in behavior to make room for new authentication
methods and improve usability. During sign-in, Azure AD determines where a user needs to authenticate. Azure AD
makes intelligent decisions by reading organization and user settings for the username entered on the sign-in
page. This is a step towards a password-free future that enables additional credentials like FIDO 2.0.
Home realm discovery behavior

Historically, home realm discovery was governed by the domain that is provided at sign-in or by a Home Realm
Discovery policy for some legacy applications. For example, in our discovery behavior an Azure Active Directory
user could mistype their username but would still arrive at their organization's credential collection screen. This
occurs when the user correctly provides the organization's domain name “contoso.com”. This behavior does not
allow the granularity to customize experiences for an individual user.
To support a wider range of credentials and increase usability, Azure Active Directory’s username lookup behavior
during the sign-in process is now updated. The new behavior makes intelligent decisions by reading organization-
level and user-level settings based on the username entered on the sign-in page. To make this possible, Azure
Active Directory will check to see if the username that is entered on the sign-in page exists in their specified domain
or redirects the user to provide their credentials.
An additional benefit of this work is improved error messaging. Here are some examples of the improved error
messaging when signing in to an application that supports Azure Active Directory users only.
The username is mistyped or the username has not yet been synced to Azure AD:
The domain name is mistyped:

User tries to sign in with a known consumer domain:
The password is mistyped but the username is accurate:
IMPORTANT
This feature might have an impact on federated domains relying on the old domain-level Home Realm Discovery to force
federation. For updates on when federated domain support will be added, see Home realm discovery during sign-in for
Microsoft 365 services. In the meantime, some organizations have trained their employees to sign in with a username that
doesn’t exist in Azure Active Directory but contains the proper domain name, because the domain names routes users
currently to their organization's domain endpoint. The new sign-in behavior doesn't allow this. The user is notified to correct
the user name, and they aren't allowed to sign in with a username that does not exist in Azure Active Directory.
If you or your organization have practices that depend on the old behavior, it is important for organization administrators to
update employee sign-in and authentication documentation and to train employees to use their Azure Active Directory
username to sign in.
If you have concerns with the new behavior, leave your remarks in the Feedback section of this article.
Next steps
Customize your sign-in branding
Integrate LinkedIn account connections in Azure
Active Directory
You can allow users in your organization to access their LinkedIn connections within some Microsoft apps. No data
is shared until users consent to connect their accounts. You can integrate your organization in the Azure Active
Directory (Azure AD) admin center.
IMPORTANT
The LinkedIn account connections setting is currently being rolled out to Azure AD organizations. When it is rolled out to
your organization, it is enabled by default.
Exceptions:
The setting is not available for customers using Microsoft Cloud for US Government, Microsoft Cloud Germany, or Azure
and Office 365 operated by 21Vianet in China.
The setting is off by default for Azure AD organizations provisioned in Germany. Note that the setting is not available for
customers using Microsoft Cloud Germany.
The setting is off by default for organizations provisioned in France.
Once LinkedIn account connections are enabled for your organization, the account connections work after users consent to
apps accessing company data on their behalf. For information about the user consent setting, see How to remove a user's
access to an application.
Enable LinkedIn account connections in the Azure portal

You can enable LinkedIn account connections for only the users you want to have access, from your entire
organization to only selected users in your organization.
1. Sign in to the Azure AD admin center with an account that's a global admin for the Azure AD organization.
2. Select Users .
3. On the Users page, select User settings .
4. Under LinkedIn account connections , allow users to connect their accounts to access their LinkedIn
connections within some Microsoft apps. No data is shared until users consent to connect their accounts.
Select Yes to enable the service for all users in your organization
Select Selected group to enable the service for only a group of selected users in your organization
Select No to withdraw consent from all users in your organization
5. When you're done, select Save to save your settings.
IMPORTANT
LinkedIn integration is not fully enabled for your users until they consent to connect their accounts. No data is shared when
you enable account connections for your users.
Assign selected users with a group

We have replaced the 'Selected' option that specifies a list of users with the option to select a group of users so that
you can enable the ability to connect LinkedIn and Microsoft accounts for a single group instead of many individual
users. If you don't have LinkedIn account connections enabled for selected individual users, you don't need to do
anything. If you have previously enabled LinkedIn account connections for selected individual users, you should:
1. Get the current list of individual users
2. Move the currently enabled individual users to a group
3. Use the group from the previous as the selected group in the LinkedIn account connections setting in the Azure
AD admin center.
NOTE
Even if you don't move your currently selected individual users to a group, they can still see LinkedIn information in Microsoft
apps.
Move currently selected users to a group

1. Create a CSV file of the users who are selected for LinkedIn account connections.
2. Sign into Microsoft 365 with your administrator account.
3. Launch PowerShell.
4. Install the Azure AD module by running Install-Module AzureAD
5. Run the following script:
$groupId = "GUID of the target group"
$users = Get-Content
Path to the CSV file
$i = 1
foreach($user in $users} { Add-AzureADGroupMember -ObjectId $groupId -RefObjectId $user ; Write-Host $i Added
$user ; $i++ ; Start-Sleep -Milliseconds 10 }
To use the group from step two as the selected group in the LinkedIn account connections setting in the Azure AD
admin center, see Enable LinkedIn account connections in the Azure portal.
Use Group Policy to enable LinkedIn account connections

1. Download the Office 2016 Administrative Template files (ADMX/ADML)
2. Extract the ADMX files and copy them to your central store.
3. Open Group Policy Management.
4. Create a Group Policy Object with the following setting: User Configuration > Administrative
Templates > Microsoft Office 2016 > Miscellaneous > Show LinkedIn features in Office
applications .
5. Select Enabled or Disabled .
STAT E EF F EC T
Enabled The Show LinkedIn features in Office applications

setting in Office 2016 Options is enabled. Users in your
organization can use LinkedIn features in their Office 2016
applications.
Disabled The Show LinkedIn features in Office applications

setting in Office 2016 Options is disabled and end users
can't change this setting. Users in your organization can't
use LinkedIn features in their Office 2016 applications.
This group policy affects only Office 2016 apps for a local computer. If users disable LinkedIn in their Office 2016
apps, they can still see LinkedIn features in Office 365.
Next steps
User consent and data sharing for LinkedIn
LinkedIn information and features in your Microsoft apps
LinkedIn help center
View your current LinkedIn integration setting in the Azure portal
LinkedIn account connections data sharing and
consent
You can enable users in your Active Directory (Azure AD) organization to consent to connect their Microsoft work
or school account with their LinkedIn account. After a user connects their accounts, information and highlights
from LinkedIn are available in some Microsoft apps and services. Users can also expect their networking
experience on LinkedIn to be improved and enriched with information from Microsoft.
To see LinkedIn information in Microsoft apps and services, users must consent to connect their own Microsoft and
LinkedIn accounts. Users are prompted to connect their accounts the first time they click to see someone's LinkedIn
information on a profile card in Outlook, OneDrive or SharePoint Online. LinkedIn account connections are not
fully enabled for your users until they consent to the experience and to connect their accounts.
NOTE
If you’re interested in viewing or deleting personal data, please review Microsoft's guidance in the Windows Data Subject
Requests for the GDPR site. If you’re looking for general information about GDPR, see the GDPR section of the Service Trust
portal.
Benefits of sharing LinkedIn information

Access to LinkedIn information within Microsoft apps and services makes it easier for your users to connect,
engage, and build professional relationships with colleagues, customers, and partners inside and outside your
organization. New users can get up to speed faster by connecting with colleagues, learning more about them, and
easily accessing more information. Here is an example of how LinkedIn information appears on the profile card in
Microsoft apps:
Enable and announce LinkedIn integration

You must be an Azure Active Directory Admin to manage the setting for your organization. You can enable it for all
users, or for a specific set of users.
1. To enable or disable the integration, follow the steps in Consent to LinkedIn integration for your Azure AD
organization.
2. When you announce the LinkedIn integration in your organization, point your users to the FAQ about LinkedIn
information in Microsoft apps and services. The article provides information about where LinkedIn information
shows up, data sharing and privacy, how to connect accounts and more.
You must announce Linkedin Integration to your users providing them all the information related to Data sharing
and privacy with Linkedin Integration.
User consent for data access in Microsoft and LinkedIn

Data that is accessed from LinkedIn is not stored permanently in Microsoft services. Data that is accessed from
Microsoft is not stored permanently with LinkedIn, except for Contacts. Microsoft Contacts are stored on LinkedIn
until users remove them, as described in deleting imported contacts from LinkedIn.
When users connect their accounts, information and insights from LinkedIn are available in some Microsoft apps,
like the profile card. Users can also expect their networking experience on LinkedIn to be improved and enriched
with information from Microsoft. When users in your organization connect their LinkedIn and Microsoft work or
school accounts, they have two options:
Give permission for data to be accessed from both accounts. This means that they give permission for their
Microsoft or work account to access data from their LinkedIn account, and for their LinkedIn account to access
data from their Microsoft work or school account.
Give permission for only the LinkedIn data to be accessed by their Microsoft work and school account.
Users can disconnect accounts and remove data access permissions at any time, and users can control how their
own LinkedIn profile is viewed, including whether their profile can be viewed in Microsoft apps.
LinkedIn account data
When you connect your Microsoft and LinkedIn accounts, you allow LinkedIn to provide the following data to
Microsoft:
Profile data - includes LinkedIn identity, contact information, and the information you share with others on your
LinkedIn profile.
Interests data - includes interests on LinkedIn, such as people and topics you follow, courses groups, and
content you like and share.
Subscriptions data - includes subscriptions to LinkedIn applications and services along with associated data.
Connections data - includes your LinkedIn network including profiles and contact information of your 1st-
degree connections.
Data that is accessed from LinkedIn is not stored permanently in Microsoft services. For more information about
Microsoft’s use of personal data, see the Microsoft Privacy Statement.
Microsoft work or school account data
When you connect your Microsoft and LinkedIn accounts, you allow Microsoft to provide the following data to
LinkedIn:
Profile data - includes information like your first name, last name, profile photo, email address, manager, and
people that you manage.
Calendar data - includes meetings in your calendars, their times, locations, and attendees' contact information.
Information about the meeting, like agenda, content, or meeting title is not included in the calendar data.
Interests data - includes the interests associated with your account, based on your use of Microsoft services,
such as Cortana and Bing for Business.
Subscriptions data - includes subscriptions provided by your organization to Microsoft apps and services, such
as Office 365.
Contacts data - includes contact lists in Outlook, Skype, and other Microsoft account services, including the
contact information for people you frequently communicate or collaborate with. Contacts will be periodically
imported, stored, and used by LinkedIn, for example to suggest connections, help organize contacts, and show
updates about contacts.
Data that is accessed from Microsoft is not stored permanently with LinkedIn, except for Contacts. Microsoft
Contacts are stored on LinkedIn until users remove them. Learn more about deleting imported contacts from
LinkedIn.
For more information on LinkedIn’s use of personal data, see the LinkedIn Privacy Policy. For LinkedIn services,
data transfer, and storage, data can flow from the European Union to the United States and back, and your privacy
is protected as described in European Union data transfers.
Next steps
LinkedIn in Microsoft applications with your work or school account
Find help and open a support ticket for Azure Active
Directory
Microsoft provides global technical, pre-sales, billing, and subscription support for Azure Active Directory (Azure
AD). Support is available both online and by phone for Microsoft Azure paid and trial subscriptions. Phone support
and online billing support are available in additional languages.
Find help without opening a support ticket

Before creating a support ticket, check out the following resources for answers and information.
For content such as how-to information or code samples for IT professionals and developers, see the
technical documentation at docs.microsoft.com.
The Microsoft Technical Community is the place for our IT pro partners and customers to collaborate, share,
and learn. The Microsoft Technical Community Info Center is used for announcements, blog posts, ask-me-
anything (AMA) interactions with experts, and more. You can also join the community to submit your ideas.
Open a support ticket

If you are unable to find answers by using self-help resources, you can open an online support ticket. You should
open each support ticket for only a single problem, so that we can connect you to the support engineers who are
subject matter experts for your problem. Also, Azure Active Directory engineering teams prioritize their work based
on incidents that are generated, so you're often contributing to service improvements.
How to open a support ticket for Azure AD in the Azure portal
NOTE
For billing or subscription issues, you must use the Microsoft 365 admin center.

2. Scroll down to Troubleshooting + Suppor t and select New suppor t request .
3. On the Basics blade, for Issue type , select Technical .
4. Select your Subscription .
5. For Ser vice , select Azure Active Director y .
6. Create a Summar y for the request. The summary must be under 140 characters.
7. Select a Problem type , and then select a category for that type. At this point, you are also offered self-help
information for your problem category.
8. Add the rest of your problem information and click Next .
9. At this point, you are offered self-help solutions and documentation in the Solutions blade. If none of the
solutions there resolve your problem, click Next .
10. On the Details blade, fill out the required details and select a Severity.
11. Provide your contact information and select Next .
12. Provide your contact information and select Create .
How to open a support ticket for Azure AD in the Microsoft 365 admin center
NOTE
Support for Azure AD in the Microsoft 365 admin center is offered for administrators only.
1. Sign in to the Microsoft 365 admin center with an account that has an Enterprise Mobility + Security (EMS)
license.
2. On the Suppor t tile, select New ser vice request :
3. On the Suppor t Over view page, select Identity management or User and domain management :
4. For Feature , select the Azure AD feature for which you want support.
5. For Symptom , select an appropriate symptom, summarize your issue and provide relevant details, and then
select Next .
6. Select one of the offered self-help resources, or select Yes, continue or No, cancel request .
7. If you continue, you are asked for more details. You can attach any files you have that represent the problem,
and then select Next .
8. Provide your contact information and select Submit request .
Get phone support

See the Contact Microsoft for support page to obtain support phone numbers.
Next steps
Microsoft Tech Community
Technical documentation at docs.microsoft.com
Troubleshoot and resolve groups issues
Troubleshooting group creation issues

I disabled security group creation in the Azure por tal but groups can still be created via Powershell
The User can create security groups in Azure por tals setting in the Azure portal controls whether or not non-
admin users can create security groups in the Access panel or the Azure portal. It does not control security group
creation via Powershell.
To disable group creation for non-admin users in Powershell:
1. Verify that non-admin users are allowed to create groups:
Get-MsolCompanyInformation | Format-List UsersPermissionToCreateGroupsEnabled
2. If it returns UsersPermissionToCreateGroupsEnabled : True , then non-admin users can create groups. To

disable this feature:
Set-MsolCompanySettings -UsersPermissionToCreateGroupsEnabled $False
I received a max groups allowed error when tr ying to create a Dynamic Group in Powershell
If you receive a message in Powershell indicating Dynamic group policies max allowed groups count reached, this
means you have reached the max limit for Dynamic groups in your organization. The max number of Dynamic
groups per organization is 5,000.
To create any new Dynamic groups, you'll first need to delete some existing Dynamic groups. There's no way to
increase the limit.
Troubleshooting dynamic memberships for groups

I configured a rule on a group but no memberships get updated in the group
1. Verify the values for user or device attributes in the rule. Ensure there are users that satisfy the rule. For devices,
check the device properties to ensure any synced attributes contain the expected values.
2. Check the membership processing status to confirm if it is complete. You can check the membership processing
status and the last updated date on the Over view page for the group.
If everything looks good, please allow some time for the group to populate. Depending on the size of your Azure
AD organization, the group may take up to 24 hours for populating for the first time or after a rule change.
I configured a rule, but now the existing members of the rule are removed
This is expected behavior. Existing members of the group are removed when a rule is enabled or changed. The users
returned from evaluation of the rule are added as members to the group.
I don’t see membership changes instantly when I add or change a rule, why not?
Dedicated membership evaluation is done periodically in an asynchronous background process. How long the
process takes is determined by the number of users in your directory and the size of the group created as a result
of the rule. Typically, directories with small numbers of users will see the group membership changes in less than a
few minutes. Directories with a large number of users can take 30 minutes or longer to populate.
How can I force the group to be processed now?
Currently, there is no way to automatically trigger the group to be processed on demand. However, you can
manually trigger the reprocessing by updating the membership rule to add a whitespace at the end.
I encountered a rule processing error
The following table lists common dynamic membership rule errors and how to correct them.
RUL E PA RSER ERRO R ERRO R USA GE C O RREC T ED USA GE
Error: Attribute not supported. (user.invalidProperty -eq "Value") (user.department -eq "value")
Make sure the attribute is on the

supported properties list.
Error: Operator is not supported on (user.accountEnabled -contains true) (user.accountEnabled -eq true)
attribute.
The operator used is not supported for
the property type (in this example, -
contains cannot be used on type
boolean). Use the correct operators for
the property type.
Error: Query compilation error. 1. (user.department -eq "Sales") 1. Missing operator. Use -and or -or
(user.department -eq "Marketing") two join predicates
2. (user.userPrincipalName -match (user.department -eq "Sales") -or
"*@domain.ext") (user.department -eq "Marketing")
2. Error in regular expression used with
-match
(user.userPrincipalName -match
".*@domain.ext")
or alternatively: (user.userPrincipalName
-match "@domain.ext$")
Next steps
Identify and resolve license assignment problems for
a group in Azure Active Directory
Group-based licensing in Azure Active Directory (Azure AD) introduces the concept of users in a licensing error
state. In this article, we explain the reasons why users might end up in this state.
When you assign licenses directly to individual users, without using group-based licensing, the assignment
operation might fail. For example, when you execute the PowerShell cmdlet Set-MsolUserLicense on a user
system, the cmdlet can fail for many reasons that are related to business logic. For example, there might be an
insufficient number of licenses or a conflict between two service plans that can't be assigned at the same time.
The problem is immediately reported back to you.
When you're using group-based licensing, the same errors can occur, but they happen in the background while
the Azure AD service is assigning licenses. For this reason, the errors can't be communicated to you immediately.
Instead, they're recorded on the user object and then reported via the administrative portal. The original intent
to license the user is never lost, but it's recorded in an error state for future investigation and resolution.
Find license assignment errors

To find users in an error state in a group
1. Open the group to its overview page and select Licenses . A notification appears if there are any users in
an error state.
2. Select the notification to open a list of all affected users. You can select each user individually to see more
details.
3. To find all groups that contain at least one error, on the Azure Active Director y blade select Licenses ,
and then select Over view . An information box is displayed when groups require your attention.
4. Select the box to see a list of all groups with errors. You can select each group for more details.
The following sections give a description of each potential problem and the way to resolve it.
Not enough licenses

Problem: There aren't enough available licenses for one of the products that's specified in the group. You need
to either purchase more licenses for the product or free up unused licenses from other users or groups.
To see how many licenses are available, go to Azure Active Director y > Licenses > All products .
To see which users and groups are consuming licenses, select a product. Under Licensed users , you see a list of
all users who have had licenses assigned directly or via one or more groups. Under Licensed groups , you see
all groups that have that products assigned.
PowerShell: PowerShell cmdlets report this error as CountViolation.
Conflicting service plans

Problem: One of the products that's specified in the group contains a service plan that conflicts with another
service plan that's already assigned to the user via a different product. Some service plans are configured in a
way that they can't be assigned to the same user as another, related service plan.
Consider the following example. A user has a license for Office 365 Enterprise E1 assigned directly, with all the
plans enabled. The user has been added to a group that has the Office 365 Enterprise E3 product assigned to it.
The E3 product contains service plans that can't overlap with the plans that are included in E1, so the group
license assignment fails with the “Conflicting service plans” error. In this example, the conflicting service plans
are:
To solve this conflict, you need to disable two of the plans. You can disable the E1 license that's directly assigned
to the user. Or, you need to modify the entire group license assignment and disable the plans in the E3 license.
Alternatively, you might decide to remove the E1 license from the user if it's redundant in the context of the E3
license.
The decision about how to resolve conflicting product licenses always belongs to the administrator. Azure AD
doesn't automatically resolve license conflicts.
PowerShell: PowerShell cmdlets report this error as MutuallyExclusiveViolation.
Other products depend on this license

Problem: One of the products that's specified in the group contains a service plan that must be enabled for
another service plan, in another product, to function. This error occurs when Azure AD attempts to remove the
underlying service plan. For example, this can happen when you remove the user from the group.
To solve this problem, you need to make sure that the required plan is still assigned to users through some other
method or that the dependent services are disabled for those users. After doing that, you can properly remove
the group license from those users.
PowerShell: PowerShell cmdlets report this error as DependencyViolation.
Usage location isn't allowed

Problem: Some Microsoft services aren't available in all locations because of local laws and regulations. Before
you can assign a license to a user, you must specify the Usage location property for the user. You can specify
the location under the User > Profile > Settings section in the Azure portal.
When Azure AD attempts to assign a group license to a user whose usage location isn't supported, it fails and
records an error on the user.
To solve this problem, remove users from unsupported locations from the licensed group. Alternatively, if the
current usage location values don't represent the actual user location, you can modify them so that the licenses
are correctly assigned next time (if the new location is supported).
PowerShell: PowerShell cmdlets report this error as ProhibitedInUsageLocationViolation.
NOTE
When Azure AD assigns group licenses, any users without a specified usage location inherit the location of the directory.
We recommend that administrators set the correct usage location values on users before using group-based licensing to
comply with local laws and regulations.
Duplicate proxy addresses

If you use Exchange Online, some users in your organization might be incorrectly configured with the same
proxy address value. When group-based licensing tries to assign a license to such a user, it fails and shows
“Proxy address is already being used”.
TIP
To see if there is a duplicate proxy address, execute the following PowerShell cmdlet against Exchange Online:
Get-Recipient -ResultSize unlimited | where {$_.EmailAddresses -match "user@contoso.onmicrosoft.com"} |

fL Name, RecipientType,emailaddresses
For more information about this problem, see "Proxy address is already being used" error message in Exchange Online.
The article also includes information on how to connect to Exchange Online by using remote PowerShell.
After you resolve any proxy address problems for the affected users, make sure to force license processing on
the group to make sure that the licenses can now be applied.
Azure AD Mail and ProxyAddresses attribute change

Problem: While updating license assignment on a user or a group, you might see that the Azure AD Mail and
ProxyAddresses attribute of some users are changed.
Updating license assignment on a user causes the proxy address calculation to be triggered, which can change
user attributes. To understand the exact reason of the change and solve the problem, see this article on how the
proxyAddresses attribute is populated in Azure AD.
LicenseAssignmentAttributeConcurrencyException in audit logs

Problem: User has LicenseAssignmentAttributeConcurrencyException for license assignment in audit logs.
When group-based licensing tries to process concurrent license assignment of same license to a user, this
exception is recorded on the user. This usually happens when a user is a member of more than one group with
same assigned license. Azure AD will retry processing the user license and will resolve the issue. There is no
action required from the customer to fix this issue.
More than one product license assigned to a group

You can assign more than one product license to a group. For example, you can assign Office 365 Enterprise E3
and Enterprise Mobility + Security to a group to easily enable all included services for users.
Azure AD attempts to assign all licenses that are specified in the group to each user. If Azure AD can't assign one
of the products because of business logic problems, it won't assign the other licenses in the group either. An
example is if there aren't enough licenses for all, or if there are conflicts with other services that are enabled on
the user.
You can see the users who failed to get assigned and check which products are affected by this problem.
When a licensed group is deleted

You must remove all licenses assigned to a group before you can delete the group. However, removing licenses
from all the users in the group may take time. While removing license assignments from a group, there can be
failures if user has a dependent license assigned or if there is a proxy address conflict issue which prohibits the
license removal. If a user has a license that is dependent on a license which is being removed due to group
deletion, the license assignment to the user is converted from inherited to direct.
For example, consider a group that has Office 365 E3/E5 assigned with a Skype for Business service plan
enabled. Also imagine that a few members of the group have Audio Conferencing licenses assigned directly.
When the group is deleted, group-based licensing will try to remove Office 365 E3/E5 from all users. Because
Audio Conferencing is dependent on Skype for Business, for any users with Audio Conferencing assigned,
group-based licensing converts the Office 365 E3/E5 licenses to direct license assignment.
Manage licenses for products with prerequisites

Some Microsoft Online products you might own are add-ons. Add-ons require a prerequisite service plan to be
enabled for a user or a group before they can be assigned a license. With group-based licensing, the system
requires that both the prerequisite and add-on service plans be present in the same group. This is done to
ensure that any users who are added to the group can receive the fully working product. Let's consider the
following example:
Microsoft Workplace Analytics is an add-on product. It contains a single service plan with the same name. We
can only assign this service plan to a user, or group, when one of the following prerequisites is also assigned:
If we try to assign this product on its own to a group, the portal returns a notification message. If we select the
item details, it shows the following error message:
"License operation failed. Make sure that the group has necessary services before adding or removing a
dependent service. The ser vice Microsoft Workplace Analytics requires Exchange Online (Plan 2) to
be enabled as well."
To assign this add-on license to a group, we must ensure that the group also contains the prerequisite service
plan. For example, we might update an existing group that already contains the full Office 365 E3 product, and
then add the add-on product to it.
It is also possible to create a standalone group that contains only the minimum required products to make the
add-on work. It can the be used to license only selected users for the add-on product. Based on the previous
example, you would assign the following products to the same group:
Office 365 Enterprise E3 with only the Exchange Online (Plan 2) service plan enabled
Microsoft Workplace Analytics
From now on, any users added to this group consume one license of the E3 product and one license of the
Workplace Analytics product. At the same time, those users can be members of another group that gives them
the full E3 product, and they still consume only one license for that product.
TIP
You can create multiple groups for each prerequisite service plan. For example, if you use both Office 365 Enterprise E1
and Office 365 Enterprise E3 for your users, you can create two groups to license Microsoft Workplace Analytics: one that
uses E1 as a prerequisite and the other that uses E3. This lets you distribute the add-on to E1 and E3 users without
consuming additional licenses.
Force group license processing to resolve errors

processing of a group to update the user state.
For example, if you free up some licenses by removing direct license assignments from users, you need to
trigger the processing of groups that previously failed to fully license all user members. To reprocess a group, go
to the group pane, open Licenses , and then select the Reprocess button on the toolbar.
Force user license processing to resolve errors
processing of a user to update the users state.
For example, after you resolve duplicate proxy address problem for an affected user, you need to trigger the
processing of the user. To reprocess a user, go to the user pane, open Licenses , and then select the Reprocess
button on the toolbar.
Next steps
To learn more about other scenarios for license management through groups, see the following:
Azure AD service limits and restrictions
This article contains the usage constraints and other service limits for the Azure Active Directory (Azure AD)
service. If you’re looking for the full set of Microsoft Azure service limits, see Azure Subscription and Service Limits,
Quotas, and Constraints.
Here are the usage constraints and other service limits for the Azure Active Directory (Azure AD) service.
C AT EGO RY L IM IT
Tenants A single user can belong to a maximum of 500 Azure AD

tenants as a member or a guest.
A single user can create a maximum of 200 directories.
Domains You can add no more than 900 managed domain names. If
you set up all of your domains for federation with on-
premises Active Directory, you can add no more than 450
domain names in each tenant.
Resources A maximum of 50,000 Azure AD resources can be

created in a single tenant by users of the Free edition
of Azure Active Directory by default. If you have at
least one verified domain, the default Azure AD service
quota for your organization is extended to 300,000
Azure AD resources. This service limit is unrelated to
the pricing tier limit of 500,000 resources on the Azure
AD pricing page. To go beyond the default quota, you
must contact Microsoft Support.
A non-admin user can create no more than 250 Azure
AD resources. Both active resources and deleted
resources that are available to restore count toward
this quota. Only deleted Azure AD resources that were
deleted fewer than 30 days ago are available to
restore. Deleted Azure AD resources that are no longer
available to restore count toward this quota at a value
of one-quarter for 30 days. If you have developers
who are likely to repeatedly exceed this quota in the
course of their regular duties, you can create and
assign a custom role with permission to create a
limitless number of app registrations.
Schema extensions String-type extensions can have a maximum of 256

characters.
Binary-type extensions are limited to 256 bytes.
Only 100 extension values, across all types and all
applications, can be written to any single Azure AD
resource.
Only User, Group, TenantDetail, Device, Application,
and ServicePrincipal entities can be extended with
string-type or binary-type single-valued attributes.
Schema extensions are available only in the Graph API
version 1.21 preview. The application must be granted
write access to register an extension.
C AT EGO RY L IM IT
Applications A maximum of 100 users can be owners of a single

application.
Application Manifest A maximum of 1200 entries can be added in the Application

Manifest.
Groups A non-admin user can create a maximum of 250

groups in an Azure AD organization. Any Azure AD
admin who can manage groups in the organization can
also create unlimited number of groups (up to the
Azure AD object limit). If you assign a role to remove
the limit for a user, assign them to a less privileged
built-in role such as User Administrator or Groups
Administrator.
An Azure AD organization can have a maximum of
5000 dynamic groups.
A maximum of 100 users can be owners of a single
group.
Any number of Azure AD resources can be members of
a single group.
A user can be a member of any number of groups.
By default, the number of members in a group that
you can synchronize from your on-premises Active
Directory to Azure Active Directory by using Azure AD
Connect is limited to 50,000 members. If you need to
synch a group membership that's over this limit, you
must onboard the Azure AD Connect Sync V2
endpoint API.
Nested Groups in Azure AD are not supported within
all scenarios
At this time the following are the supported scenarios with

nested groups.
One group can be added as a member of another
group and you can achieve group nesting.
Group membership claims (when an app is configured
to receive group membership claims in the token,
nested groups in which the signed-in user is a member
are included)
Conditional access (when a conditional access policy
has a group scope)
Restricting access to self-serve password reset
Restricting which users can do Azure AD Join and
device registration
The following scenarios DO NOT supported nested groups:

App role assignment (assigning groups to an app is
supported, but groups nested within the directly
assigned group will not have access), both for access
and for provisioning
Group-based licensing (assigning a license
automatically to all members of a group)
Microsoft 365 Groups.
C AT EGO RY L IM IT
Application Proxy A maximum of 500 transactions per second per App

Proxy application
A maximum of 750 transactions per second for the
Azure AD organization
A transaction is defined as a single http request and response

for a unique resource. When throttled, clients will receive a
429 response (too many requests).
Access Panel There's no limit to the number of applications that can be seen
in the Access Panel per user regardless of assigned licenses.
Reports A maximum of 1,000 rows can be viewed or downloaded in

any report. Any additional data is truncated.
Administrative units An Azure AD resource can be a member of no more than 30

administrative units.
Admin roles and permissions A maximum of 30 custom roles can be created in an

A group cannot be added as an owner.
Users' ability to read other users' tenant information
cannot be restricted outside of the Azure AD
organization-wide switch to disable all non-admin
users' access to all tenant information (not
recommended). More information on default
permissions here.
It may take up to 15 minutes or signing out/signing in
before admin role membership additions and
revocations take effect.
Next steps
Sign up for Azure as an organization
How Azure subscriptions are associated with Azure AD

Enterprise User Management Documentation - Azure AD

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Enterprise User Management Documentation - Azure AD

Uploaded by

Copyright:

Available Formats

Contents

User management documentation

Assign users to groups

Assign licenses to groups

Delegate administrator roles

RO L E N A M E P ERM ISSIO N S SUM M A RY

Assign app access

Add a new user

4. On the User page, enter information for this user:

Add a new guest user

Add a consumer user

Add a new user within a hybrid environment

Available license plans

View license plans and plan details

4. Select a plan name to see its licensed users and groups.

Assign licenses to users or groups

2. On the license plan overview page, select Assign .

To assign a license to a group

2. On the Azure Active Director y Premium Plan 2 page, select Assign .

To remove a license from a group

Create a custom role using the Azure AD portal

App registration permissions

Create a custom role in Azure AD PowerShell

Create the custom role in Azure AD PowerShell

# Set of permissions to grant

# Create new custom admin role

Assign the role in Azure AD PowerShell

# Get the user and role definition you want to link

# Get resource scope for assignment

# Create a scoped role assignment

Create a custom role in the Microsoft Graph API

Assign the role in the Microsoft Graph API

Turn on user creation for groups

Set group expiration

Configure the group naming policy in the Azure portal

View or edit the Prefix-suffix naming policy

Create a group of guest users

Remove guests from All users group

Centralized versus delegated permissions

Delegate app administration

Delegate app registration

Delegate app ownership

Establish emergency accounts

Secure your administrator roles

Elevate privilege temporarily

Member and guest users

Compare member and guest default permissions

Groups Create security Read properties of No permissions

Applications Register (create) Read properties of Read properties of

Devices Read all properties No permissions No permissions

Roles and Scopes Read all No permissions No permissions

Subscriptions Read all No permissions No permissions

Policies Read all properties No permissions No permissions

To restrict the default permissions for member users

P ERM ISSIO N SET T IN G EXP L A N AT IO N

To restrict the default permissions for guest users

P ERM ISSIO N SET T IN G EXP L A N AT IO N

Guest users can still be added to administrator roles

microsoft.directory/applications/audience/update Update applications.audience property in Azure Active

microsoft.directory/applications/authentication/update Update applications.authentication property in Azure Active

microsoft.directory/applications/basic/update Update basic properties on applications in Azure Active

microsoft.directory/applications/credentials/update Update applications.credentials property in Azure Active

microsoft.directory/applications/delete Delete applications in Azure Active Directory.