Microsoft 365 User Management Guide

• Model type: role-based
• Description: Microsoft 365 uses a role-based access control (RBAC) model built on Microsoft Entra ID (formerly Azure AD). Over 60 built-in admin roles are available, each scoping permissions to specific services (e.g., Exchange Administrator, SharePoint Administrator, Teams Administrator). Roles are assigned per user in the admin center or via Entra ID. Custom roles are available at the Entra ID layer for directory-level permissions.
• Custom roles: Yes
• Custom roles plan: Microsoft Entra ID P1 or P2 (included in Microsoft 365 Business Premium, E3, E5, or as a standalone add-on)
• Granularity: Role assignments are per-user or per-group. Built-in roles cover service-specific administration (Exchange, Teams, SharePoint, Security, Compliance, etc.). Custom roles in Entra ID allow scoping of directory permissions but do not extend to all Microsoft 365 workload-specific permissions. Administrative Units allow scoping admin roles to subsets of users or groups.

1. Sign in to the Microsoft 365 Admin Center at https://admin.microsoft.com
2. Navigate to Users > Active Users
3. Click 'Add a user'
4. Enter the user's first name, last name, display name, and username (which sets their email address)
5. Choose whether to auto-generate a password or create one manually; optionally require the user to change password on first sign-in
6. Select the user's location (country/region) - required for license assignment
7. Assign a product license from the available licenses in your subscription
8. Optionally assign admin roles under the 'Optional settings' step
9. Review and click 'Finish adding' to create the account
10. Share login credentials with the user via email or manually

Required fields: First name, Last name, Display name, Username (sets primary email/UPN), Location (country/region), Password (auto-generated or manual)

Watch out for:

• A user's location must be set before a license can be assigned; this cannot be skipped.
• The username domain must match a verified domain in the tenant or the default onmicrosoft.com domain.
• Newly created users may take a few minutes to appear across all Microsoft 365 services.
• Assigning a license is done during user creation but can also be done afterward; without a license, the user cannot access any Microsoft 365 apps.
• If your tenant uses Entra ID Connect (hybrid), users should be created in on-premises Active Directory and synced, not created directly in the cloud admin center, to avoid sync conflicts.
• Multi-factor authentication (MFA) enrollment is not automatically triggered at account creation unless Conditional Access or Security Defaults are configured.

• Can delete users: Yes
• Delete/deactivate behavior: Microsoft 365 supports both blocking sign-in (soft deactivation) and full account deletion. Blocking sign-in immediately prevents the user from accessing any Microsoft 365 services while preserving the account, mailbox, and data. Deleting a user moves the account to a 'Deleted users' recycle bin for 30 days, during which it can be restored. After 30 days, the account and associated data are permanently deleted. The license is freed immediately upon deletion (or can be unassigned separately when blocking sign-in).

1. Sign in to the Microsoft 365 Admin Center at https://admin.microsoft.com
2. Navigate to Users > Active Users
3. Select the user to deactivate
4. Click 'Block sign-in' from the user detail panel or the action menu
5. Confirm the block; the user is immediately prevented from signing in
6. Optionally, unassign the license from the user to free the seat while keeping the account and mailbox intact
7. To fully delete: return to Active Users, select the user, and choose 'Delete user'; confirm deletion
8. Deleted users appear in Users > Deleted Users for 30 days and can be restored during that window

Watch out for:

• Blocking sign-in does not free the license; you must manually unassign the license to reclaim the seat for billing purposes.
• Deleted users are permanently removed after 30 days with no recovery option; ensure data backup or transfer before this window closes.
• If the user is the sole owner of a Microsoft 365 Group or Team, ownership must be transferred before or immediately after deletion to prevent orphaned groups.
• Exchange mailboxes can be converted to a shared mailbox before deletion to retain email access without consuming a paid license (shared mailboxes up to 50 GB require no additional license).
• If Entra ID Connect sync is active (hybrid environment), deleting the user in the cloud admin center may cause sync conflicts; deletion should be performed in on-premises Active Directory.
• Litigation holds and retention policies override the standard deletion window and can retain mailbox data longer per compliance policy settings.
• Revoking active sessions after blocking sign-in may take up to an hour unless the admin also revokes all refresh tokens via Entra ID.

• Where to check usage: Microsoft 365 Admin Center > Billing > Licenses (shows total purchased vs. assigned per license type). Also available at: https://admin.microsoft.com/Adminportal/Home#/licenses
• How to identify unused seats: Navigate to Microsoft 365 Admin Center > Reports > Usage to view per-user activity reports across Exchange, Teams, SharePoint, and OneDrive. Users with no activity in the selected period (7, 30, 90, or 180 days) can be identified for license reclamation. The 'Microsoft 365 active users' report at https://admin.microsoft.com/Adminportal/Home#/reportsUsage/MailboxUsage shows last activity dates per mailbox.
• Billing notes: Licenses are billed per assigned seat per month. Removing a license assignment mid-cycle does not generate a prorated credit for annual subscriptions; the seat remains paid through the end of the billing period. Monthly subscriptions allow mid-cycle license removal with prorated credit. Business plans are capped at 300 seats; organizations above 300 users must use Microsoft 365 Enterprise plans (E1, E3, E5). A 5% price increase for annual-commitment plans paid monthly took effect in April 2025.

License management is the highest-friction manual task in Microsoft 365. Licenses must be assigned per user, and a user's country/region (usageLocation) must be set before any license assignment will succeed - a step that is easy to miss and produces a non-obvious error.

Blocking sign-in does not free the license seat; admins must manually unassign the license to stop billing, and in annual subscriptions there is no prorated credit for mid-cycle removal.

Pricing adds a second layer of complexity. Business Basic runs $6/user/month (rising to $7 in July 2026); Business Standard is $12.50/user/month (rising to $14); Business Premium holds at $22/user/month. SCIM provisioning to third-party apps requires Entra ID P1 ($6/user/month standalone) or P2 ($9/user/month), which surprises teams expecting full provisioning features at the base tier.

Hybrid environments using Entra ID Connect add a third constraint: users must be created and managed in on-premises Active Directory, not in the cloud admin center. Admins expecting a fully cloud-native workflow across every app in their stack will hit sync conflicts if they bypass this.

The most consistent complaint across admin communities is the cost and complexity of Entra ID P1/P2 licensing.

Features that feel foundational - SCIM outbound provisioning, group-based license assignment, Conditional Access - are gated behind a plan tier that many SMB teams do not initially budget for.

A second recurring issue is the 30-day deleted-user retention window. Compliance-sensitive organizations frequently flag this as too short, particularly when litigation holds or audit requirements extend well beyond that period.

Admins also report that the distinction between blocking sign-in (which preserves the license) and deleting a user (which soft-deletes the account) is not surfaced clearly enough in the UI, leading to billing surprises for departed employees.

Common complaints:

• P1/P2 licensing adds significant cost for full provisioning features such as SCIM to third-party apps and group-based license assignment
• Pricing complexity with modular features - many admins report confusion about which features require Entra ID P1 vs P2 vs Business Premium
• Enterprise Mobility Suite (EMS) bundling can be confusing when comparing standalone vs. bundled Entra ID pricing
• The 30-day deleted user retention window is considered too short by some admins managing compliance-sensitive environments
• Blocking sign-in does not automatically free the license, leading to unexpected billing for departed employees if admins forget to manually unassign
• Hybrid environments using Entra ID Connect require user management in on-premises AD rather than the cloud admin center, which surprises admins expecting a fully cloud-native workflow
• The Business plan 300-seat cap forces mid-size organizations into Enterprise plans with significantly higher complexity and cost
• July 2026 price increases (Business Basic $6→$7, Business Standard $12.50→$14) have generated complaints about value relative to competitors
• Admin role granularity for workload-specific permissions (e.g., Teams vs. Exchange) requires assigning multiple roles, which some admins find cumbersome compared to a single unified admin role

Manual management in the Microsoft 365 Admin Center is workable for teams under roughly 50 users with stable headcount and a single-tenant, cloud-only setup. The built-in role model is granular enough to delegate provisioning without exposing billing or security settings, and the 30-day soft-delete window provides a reasonable safety net for accidental deletions.

The model breaks down at scale or in hybrid environments. Every app a user needs access to requires a correctly assigned license, a set usageLocation, and - if SCIM is involved - an Entra ID P1 or P2 seat.

Teams managing frequent onboarding and offboarding cycles will find the manual license unassignment step (required to reclaim billing) to be a persistent operational gap.

Bottom line

Microsoft 365 manual administration is well-structured for cloud-only tenants with moderate user volume, but the operational burden scales poorly.

License assignment requires a country/region field that blocks provisioning if missed, sign-in blocks do not reclaim seats automatically, and full provisioning features require an Entra ID P1 or P2 add-on that adds meaningful per-user cost on Basic and Standard plans.

Hybrid environments using Entra ID Connect effectively remove the cloud admin center as a user creation tool, requiring on-premises AD as the source of truth.

Teams that need reliable, auditable lifecycle management across every app in their stack will find the manual surface area - license tracking, role assignment, offboarding steps - difficult to sustain without tooling on top of it.