Although you can use the Azure management portal to create users in Azure Active Directory (AAD), there are times when you just want to create a service account without having to log out and in as that new user to set a password. The good news is that PowerShell allows you to quickly do just that. The bad news is that there is a little bit of setup work required.
Creating AD Users Using the GUI
It’s pretty easy to create a new user in the management portal: browse into Active Directory, the directory of choice, Users, and then click Add User. That process is pretty simple if you’re setting up access rights to Azure for another user. But what if you want to create lots of users? Using the GUI will be slow.
One of the downsides of using the GUI is that the user is created with a temporary password and the user must log in to set a new password. That’s a bit inconvenient if you just want to set up a service account.
The answer to these concerns is … you guessed it … PowerShell.
There are a number of requirements that you must put in place in order to be able to create users in Azure Active Directory using PowerShell.
- Download and install the Microsoft Online Services Sign-In Assistant for IT Professionals RTW on your PC.
- You’ll also need to download and install the Azure Active Directory Module for Windows PowerShell (64-bit version) on your PC.
- Use a native Azure Active Directory administrator account to get rights in your AAD directory. A Microsoft Account will not work.
Creating the User
Open up the Windows Azure Active Directory for Windows PowerShell console and then run the following cmdlets to sign into your Azure Active Directory. Supply the name and password of your AAD native administrator user account – remember that this must not be a Microsoft Account.
$msolcred = Get-Credential
Connect-MsolService -Credential $msolcred
You now can create a new user. The following example will create a user with a permanent password that does not need to be changed according to the password policy of the domain:
New-MsolUser -UserPrincipalName [email protected] -DisplayName “RemoteApp2” -FirstName “Remote” -LastName “App2” -Password Password00 -PasswordNeverExpires $true -AlternateEmailAddresses [email protected]
The new account is set up as a normal user account. This might be fine for bulk addition of user accounts in your AAD domain, but that won’t be enough for a service account. You might need to add the user to a group or role in the domain, such as Global Admin (a role). The following example will configure the new user as a Global Admin, which is a role called Company Administrators:
Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberEmailAddress RemoteApp2@joeelway.com
Now you have the means to quickly create new users in Azure Active Directory.