
Manage users and groups in (Azure) Active Directory

Users and groups can be managed in Active Directory or Azure Active Directory. In this blog I will explain some basic principles. After that I will explain how you can work with groups and users yourself.

What is Azure Active Directory?

They have a similar name, but Azure AD is not a cloud version of Windows Server Active Directory. It is also not intended as a complete replacement for an on-premises Active Directory. If you already use a Windows AD server, you can connect it to Microsoft Azure Active Directory to extend your directory to Azure. This approach allows users to use the same credentials (username and password) to access local and cloud resources.

A user can also use Azure AD independently of Windows AD. Smaller companies can use Azure AD as a single directory service and use it to manage access to their apps and SaaS products, such as Microsoft 365, Salesforce and Dropbox. Source.

Azure Active Directory (AAD)

Azure Active Directory creates a connection between the on-premises Active Directory and Azure Active Directory. This is a practical way to keep users from the on-premises environment in sync.


Advantages: The same password on-premises and in the cloud. Management is largely in Active Directory.
Disadvantages: Complexity. Some things you have to do on-premises and some in the cloud, and you have a lot of dependencies on the 'old' environment. In Azure AD it is often easier to implement new things.

You can activate Active Directory synchronisation via these instructions or via the video below.

Group management in Azure Active Directory

After you have set up the synchronisation, you can create and manage users and groups in both the on-premises Active Directory and the Cloud Active Directory.

Conceptual illustration with users, directories and subscriptions in Azure

An Azure AD group allows users to be organised, making it easier to manage permissions. Groups allow the resource owner (or the Azure AD directory owner) to assign a set of access permissions to all members of the group.

Groups allow a policy to be defined and then specific users to be added and removed. In this way, access can be granted or denied with minimal effort.

Even better, Azure AD offers the possibility of defining membership based on rules, such as the department in which a user works or the position they hold.

In Azure AD you can define two different types of groups:

  • Security groups. These are the most common groups and are used to manage member and computer access to shared resources for a group of users. For example, you can create a security group for a specific security policy. This way you can give a set of permissions to all members at once instead of adding permissions individually for each member. This option requires an Azure AD administrator.
  • Microsoft 365 Groups. These groups provide opportunities for collaboration by giving members access to a shared inbox, calendar, files, SharePoint site and more. This option also allows you to give people outside your organisation access to the group. This option is available to both users and administrators.

Navigate to Azure AD via this portal. Then click on Groups.


Press: "New group".


Then choose which group you want to create.


Create a security group as a test.


Creating a dynamic group in Azure AD

Create a security group via https://portal.azure.com. Click on: New group.


Select Dynamic User.


The group is created in this example.


You can work with a membership rule like the one below. This means that everyone with the domain described below will become a member.

(user.userPrincipalName -contains "@jedomein.be")
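The same dynamic group can be created from PowerShell and then reviewed, because `-contains` in a membership rule is a substring match rather than an "ends with" test. This is an added example, not part of the original post: it assumes the Microsoft.Graph PowerShell module, and the display name and mail nickname are hypothetical.

```powershell
# Added example. Assumes the Microsoft.Graph PowerShell module is installed and the
# tenant is licensed for dynamic groups (Azure AD Premium P1).
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All'

$domain = 'jedomein.be'   # placeholder domain taken from the rule in the post
$rule   = '(user.userPrincipalName -contains "@jedomein.be")'

# Hypothetical display name and mail nickname.
$group = New-MgGroup -DisplayName 'Dynamic - jedomein.be users' `
    -MailNickname 'dyn-jedomein-users' `
    -MailEnabled:$false `
    -SecurityEnabled `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule $rule `
    -MembershipRuleProcessingState 'On'

# Rule processing is asynchronous: run the review below once members have been populated.
# In the rule language -contains is a substring match, so list every member whose UPN
# does not actually end in the intended domain.
$unexpected = Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'] } |
    Where-Object { $_ -and $_ -notlike "*@$domain" } |
    Sort-Object -Unique

if ($unexpected) {
    Write-Warning "Members outside @${domain}:"
    $unexpected
} else {
    Write-Output "All current members have a UPN ending in @$domain."
}
```

Any permissions assigned to the group apply to every account the rule matches, so repeat the review whenever the rule changes.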


Creating a group in the on-premises Active Directory

Open Active Directory Users and Computers on the Active Directory Server.


Create a group in Active Directory using the icon shown in the screenshot above.


Start a synchronisation via Azure AD Connect to make it visible in Azure AD. (tip)


Advantages of Azure AD groups

Open Azure AD to view the groups. You can see on the right-hand side that the group Member management comes from the Windows Server AD and the other group is created directly in Azure AD.


In terms of management it really looks the same. When are Azure AD groups more convenient than groups from your Windows Server AD?

  • Group management and delegation: If you do group management in the cloud, i.e. in Azure AD, you can more easily delegate management rights to the people in charge (owners). Users are able to add people to groups themselves. More about this in this blog.
  • Exchange management and dynamic groups: It is also possible to create dynamic groups via Exchange Online. Again, groups are best managed via Azure AD.
  • Naming policy and expiration policies: It is more convenient to activate automatic policies in Azure AD than in Active Directory. A screenshot below. Practical guide, here.

User management in Active Directory or Azure Active Directory?

Create a new user from Office 365?

Create a mailbox for a new user: a mailbox, Teams, OneDrive and all other features included in the licence can be activated automatically after a user is created in Office 365.

If your users are provisioned in Office 365 via Azure AD Connect, it is not possible to modify properties of the AD object. Email addresses and all other properties must be changed on-premises. Rights and settings of everything except the user and mail settings must be done via Azure AD. If you have your user in the cloud you can manage all properties there too.


Manage group membership: From https://admin.microsoft.com/AdminPortal/Home#/users it is possible to look up your user and click on Groups. Add users to the AD groups via this menu.


It is also possible to create a user from Azure AD.


Create a user via on-premises Active Directory?

Create a new user via Active Directory Users and Computers and do a manual Azure AD synchronisation.


After the synchronisation, the user arrives in Azure AD. There you can assign a licence.
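The on-premises steps described above (create a group, create a user, start a manual synchronisation) can also be scripted. This is an added example, not part of the original post: the OU path and the Azure AD Connect server name are hypothetical, while the group name and UPN are the ones used in this blog.

```powershell
# Added example. Run on a machine with the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

# Hypothetical OU; it must be inside the scope that Azure AD Connect synchronises.
$ou         = 'OU=Cloud-Synced,DC=example,DC=local'
$syncServer = 'aadconnect01'   # hypothetical name of the Azure AD Connect server

# Security group, as created in Active Directory Users and Computers.
New-ADGroup -Name 'Member management' -SamAccountName 'MemberManagement' `
    -GroupScope Global -GroupCategory Security -Path $ou

# Prompt for the initial password so it never ends up in the script or its history.
$password = Read-Host -AsSecureString -Prompt 'Initial password for testgebruiker'

New-ADUser -Name 'Testgebruiker' -SamAccountName 'testgebruiker' `
    -UserPrincipalName 'testgebruiker@365tips.be' `
    -Path $ou -AccountPassword $password -Enabled $true

Add-ADGroupMember -Identity 'MemberManagement' -Members 'testgebruiker'

# Manual delta synchronisation; the ADSync module only exists on the Azure AD Connect server.
Invoke-Command -ComputerName $syncServer -ScriptBlock {
    Import-Module ADSync
    Start-ADSyncSyncCycle -PolicyType Delta
}

# After the cycle has finished, confirm the account arrived and is flagged as synced
# from on-premises (requires the Microsoft.Graph module).
Connect-MgGraph -Scopes 'User.Read.All'
Get-MgUser -UserId 'testgebruiker@365tips.be' `
    -Property 'displayName,userPrincipalName,onPremisesSyncEnabled' |
    Select-Object DisplayName, UserPrincipalName, OnPremisesSyncEnabled
```

If the user does not appear, check that the OU is in the synchronisation scope and that the UPN suffix is a verified domain in the tenant.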

The result

Users can be created in 2 places.

  • Either via Azure AD: Testgebruiker-AAD@365tips.be
  • Or via Active Directory: testgebruiker@365tips.be


Cloud management is on the rise. An organisation can also use Azure AD independently of Windows AD.

Smaller businesses can use Azure AD as a single directory service and use it to manage access to their apps and SaaS products, such as Microsoft 365, Salesforce and Dropbox. But even if your focus is on the Cloud shift, you can move your printers, documents and applications around and maybe turn off your on-premises Active Directory.

Users can be created and managed on-premises and in the cloud. In Azure AD there are some advantages over Active Directory. If you are looking for a cloud workplace, read: In 15 steps to a digital workplace!
