There are three types of identity models available in Office 365: Cloud-only, Synchronized, and Federated. In this article, we’re going to discuss the Cloud-only identity.
Overview: Cloud-only identity
The cloud-only model is the simplest identity to manage. From user creation to user management, the cloud-only identity allows everything to be done in the cloud, so there’s no need for any additional on-premises deployment or infrastructure. By default, a cloud-only global administrator account is created when you first sign up for an Office 365 tenant.
Under the cloud-only identity model, users are created directly in Office 365, and all user information is stored in Azure Active Directory (Azure AD), the directory service for Office 365. Whenever a user attempts to sign in to Office 365, Azure AD helps validate the user’s credentials and completes the authentication.
You can create a cloud-only user either through the Office 365 GUI or with the help of Windows Azure Active Directory PowerShell after connecting to your Office 365 tenant.
Use the cloud-only identity if you:
- Are a new organization (small or medium), do not have any on-premises infrastructure or servers to host your own on-premises directory, and want to manage everything in the cloud.
- You are new to Office 365 and want to test it before integrating your on-premises directory services with Azure AD.
- Plan to restructure or decommission your on-premises directory but want your users to continue using Office 365 services.
Authenticating cloud-only users
Cloud-only users are authenticated using traditional responses. The web browser, which is a passive client, is responsible for authenticating the user by performing redirections as needed. The user navigates to https://portal.office.com, which redirects them to the Office 365 sign in service, where the user enters the username and password. Once the user attempts to log in with these credentials, the Office 365 sign in service in Azure AD authenticates the user’s credentials and generates a service token, which the web browser returns to the requested Office 365 service. This either lets the user log in or notifies them that the combination they entered is invalid.
Getting started with cloud-only
When a new cloud-only user account is created in Office 365 (either through the Office 365 Admin Center or via PowerShell), Office 365 can automatically generate a new temporary password for the user and let them change that password upon their first login. Alternatively, the admin can manually set the user’s password and specify whether the user should get a prompt to change their password upon their next login.
Office 365 users can be created without a product license; the admin can choose to assign a product license to the user at a later point in time.
If you just set up your Office 365 tenant for the first time and have not yet added any custom domain, Office 365 will by default use the ‘.onmicrosoft.com’ domain, and users will be created with a UPN suffix of ‘@YourDomain.onmicrosoft.com’. Once you’ve added and verified a custom domain to Office 365, you can choose the default domain for your Office 365 tenant. That way, every time you create a new user account, it will automatically contain your custom domain’s UPN suffix (e.g., firstname.lastname@example.org ).
You can add multiple custom domains (and host up to 900 of them) in your Office 365 tenant.
Overview: creating (or modifying) a cloud-only user profile
- To create or modify a ‘Cloud Only’ user account in Office 365, you can do so using one of the following options:
a. The GUI method is to browse to https://portal.office.com > Admin Center > Users > Active Users.
b. If you want to use PowerShell then, you can either user Windows Azure AD PowerShell Module or simple open Windows PowerShell as an Administrator and connect to Office 365 using Connect-MsolService cmdlet. To use Connect-MsolService, the AzureAD PowerShell module must be installed on that machine.
- After deciding which option to work on, the admin can perform the desired operations either from the Office 365 Admin Center or the AzureAD PowerShell like to create, change, or delete a user. With any of the operation selected, the request is passed on to Azure AD.
- The request is then processed by Azure AD, and either a new user is created, or a user is updated in Azure AD depending upon the operation selected by the Admin.
- Then the creation or changes made in Azure AD are synchronized to the Office 365 Admin Center or you can simply say are displayed in Office 365 Admin Center for the admin to view.
Creating a cloud-only user – GUI method
- Go to the Office 365 portal, and visit the Office 365 Admin Center.
- On the home page, select the menu on the left, and click on Users > Active Users.
- Click on +Add a User.
- Fill in all the required details for the user. Options marked with an asterisk (*) are mandatory fields.Name: First, Last, Display, and User. Display name and Username are mandatory fields. In Office 365, Username is the same as User Principal Name.Domain: Select the UPN suffix for the user using the domain drop down. By default, you will see the default domain that you initially set up. You can change the default domain from Setup > Domains.Password: Choose or set a password for the user. By default, the Auto-generate password radio button is checked; it generates a strong password. If you want to manually create a password for the user, select Let me Create the password, and enter a password in the box. You can set up a temporary password by keeping the Make this user change their password when they first sign in option checked.
Roles: By default, a new user will be created as a normal user account without administrator access. If you want to make this user an administrator, you can expand the role option and select the desired radio button: Global Administrator or Customized Administrator.
Product Licenses: Assign the required product license based on the types of services you want the user to use. You can also create an unlicensed user (a user without a product license) by choosing the last option, Create user without product license. Before assigning the product license to a user, you must specify the user’s location from the Location dropdown on screen.
5. Once you’ve filled out all the required information, click on Add. The user will be created. You can view the newly created user under Home > Users > Active Users.
Creating a cloud-only user – PowerShell method
1. Install the 64-bit version of the Microsoft Online Services Sign-in Assistant: Microsoft Online Services Sign-in Assistant for IT Professionals RTW
2. Open Windows PowerShell as an Administrator and run the below commands:
a. Install-Module MSOnline
b. If prompted to install the NuGet provider, type Y and press ENTER.
c. If prompted to install the module from PSGallery, type Y and press ENTER.
After installation, close the PowerShell command window.
Open Windows PowerShell as an Administrator and run the below commands:
3. Import-Module Msonline
5. Enter the global admin credentials for Office 365.
6. Enter the user account’s information in the following format, modifying the values of the attributes to suit your needs:
New-MsolUser -UserPrincipalName “Newtest2@mycakebasket.com” -DisplayName “New Test2” -FirstName “New” -LastName “Test2” -UsageLocation “US” -LicenseAssignment “mycakebasket:ENTERPRISEPREMIUM_NOPSTNCONF” -Password “Awse@1234” -ForceChangePassword $true
Feel free to use other MSOnline parameters as needed.
This cmdlet will create a new user in Office 365 with the following details:
- Username: email@example.com
- Display name: New Test2
- First name: New
- Last name: Test2
- Usage location: US
- License: ENTERPRISEPREMIUM_NOPSTNCONF
- Password: Awse@1234 (The user must change this upon first login.)
7. You can always check the detailed attributes of an existing Office 365 user with the help of the following Get-MsolUser PowerShell cmdlet:
Get-MsolUser -UserPrincipalName “firstname.lastname@example.org” | fl
Below is a snapshot of this cmdlet’s output:
Additionally, for cloud-only users, the password policy of Office 365 (Azure) will be applied. You can learn more about the password policies for cloud-only users here.