If you’ve just set up a Microsoft 365 subscription for your business, one of the first things you’ll need to do is add your team as users. The process itself is quick — but if you get the license wrong, skip MFA, or hand out admin roles carelessly, you’ll be cleaning up those mistakes for months.
This guide walks you through everything: prerequisites, licenses, step-by-step user creation, bulk methods, MFA, offboarding, and the mistakes most admins make but never talk about.
Before You Start — Prerequisites
Before you open the Admin Center, make sure you have:
- An active Microsoft 365 subscription with available licenses (check under Billing → Licenses)
- Global Administrator or User Administrator access — if you can’t see admin options, your account doesn’t have the right role
- A verified domain — your company email domain must be added and verified in Microsoft 365 before you can create addresses on it
- The new user’s name, job title, department, and manager
- A decided naming convention — firstname.lastname@, flastname@, or another format. Decide before your first user and stick to it. Inconsistency is painful to fix later.
Understanding Microsoft 365 Licenses
Licenses are the most misunderstood part of Microsoft 365 for new admins. People often pick the cheapest option without checking whether it covers what the employee actually needs.
| License | Desktop Office Apps? | Email? | Best For |
| --- | --- | --- | --- |
| Microsoft 365 Business Basic | ❌ Web/mobile only | ✅ Yes | Light users who work in a browser or on mobile |
| Microsoft 365 Business Standard | ✅ Yes | ✅ Yes | Most employees — the most common pick for SMBs |
| Microsoft 365 Business Premium | ✅ Yes | ✅ Yes | Teams handling sensitive data; includes Intune and Defender |
| Microsoft 365 E3 | ✅ Yes | ✅ Yes | Enterprise: compliance, eDiscovery, 100 GB mailbox |
| Microsoft 365 E5 | ✅ Yes | ✅ Yes | Enterprise with advanced security and Power BI Pro |
The most common mistake: Assigning Business Basic to employees who need to install Word, Excel, or PowerPoint on a laptop. Basic only includes web and mobile versions — no desktop apps. If they use Office on a computer, they need Business Standard or higher.
A quick rule: ask “Does this person need to install Office on a PC or Mac?” If yes, don’t use Basic.
Step-by-Step: Adding a Single User
Step 1: Sign In to the Admin Center
Go to admin.microsoft.com and sign in with your admin credentials — not your regular email account.
Step 2: Go to Active Users
In the left sidebar, click Users → Active Users. This is where all user accounts are created and managed.
Step 3: Click “Add a User”
Click + Add a user at the top of the page. A setup panel opens on the right side.
Step 4: Enter Basic Information
Fill in the user’s first and last name, display name, and username. The username becomes their email address — double-check it before moving on. Changing a username later can break sign-in and some integrations.
Step 5: Set the Password
Choose to auto-generate a password or set one manually. Always tick “Require this user to change their password when they first sign in” — this is a basic security standard, not optional.
Step 6: Set Usage Location and Assign a License
Select the user’s country (required for licensing compliance), then choose the appropriate license. If no licenses are available, go to Billing → Purchase Services to buy more first.
Step 7: Add Profile Details
Don’t skip this tab. Add the user’s job title, department, office location, and manager. This populates the company directory in Teams and Outlook — new employees use it constantly to figure out who’s who.
Step 8: Set Admin Roles (Only If Needed)
By default, users get no admin access — which is correct for most people. Only assign admin roles if the job actually requires them. See the Roles and Permissions section below.
Step 9: Review and Finish
Check the username, license, and role one more time, then click Finish adding. The account is active immediately. Most services provision within 1–2 minutes; OneDrive and SharePoint may take up to 30 minutes on first sign-in.
Assigning or Changing a License
If you created a user without a license, or need to change one:
- Go to Users → Active Users and click the user’s name
- Click the Licenses and apps tab
- Check or uncheck the license you want
- Optionally expand Apps to enable or disable specific services within the license
- Click Save changes
When you remove a license, the user immediately loses access to those services. Their data isn’t deleted right away — Microsoft retains mailbox data for 30 days and OneDrive data for 180 days — but don’t treat this as a backup. Use a proper Microsoft 365 Backup solution if you need reliable long-term retention.
Setting Up Roles and Permissions
Give people only the access they need — nothing more. Admin roles are high-value targets and the fewer accounts that have them, the lower your risk.
| Role | What It Does | Assign To |
| --- | --- | --- |
| Global Administrator | Full access to everything | 1–2 senior IT staff only |
| User Administrator | Create/edit/delete users, assign licenses | IT helpdesk or HR |
| Billing Administrator | Manage subscriptions and licenses | Finance or IT procurement |
| Exchange Administrator | Manage mailboxes and email policies | Email admin |
| Helpdesk Administrator | Reset passwords for non-admin users | Level 1 support |
Global Admin accounts should always have MFA enforced and use dedicated admin email addresses separate from daily email. A compromised Global Admin account gives an attacker complete control of your entire tenant.
Adding Multiple Users at Once
For onboarding more than a handful of people, the bulk CSV method saves significant time:
- Go to Active Users and select Add multiple users
- Download Microsoft’s sample CSV template
- Fill in the template with your users’ data
- Upload the CSV — Microsoft validates it and flags any errors
- Review the results and click Add users
Important: The CSV method does not assign licenses automatically. You’ll need to assign licenses after upload, either individually through the UI or via PowerShell for large groups.
For IT admins comfortable with scripting, Microsoft Graph PowerShell is the most powerful option — it lets you create users, assign licenses, and set profile details all in one repeatable script. It’s also excellent for reporting: you can export all users, their licenses, and last sign-in dates to a CSV in seconds, which is invaluable for quarterly audits.
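As an illustration of the scripted route, the following added example (not from the original guide or from Microsoft) creates users from CSV rows with Microsoft Graph PowerShell, forces a password change at first sign-in, and assigns a license only after confirming enough seats are free. The `contoso.example` addresses and sample rows are constructed placeholders, and the SKU part number is an assumption to confirm in your own tenant.

```powershell
# Added example (not from the guide). Needs the Microsoft.Graph PowerShell module.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Organization.Read.All'

# Constructed sample rows on a placeholder domain; use Import-Csv for a real file.
$rows = @'
DisplayName,UserPrincipalName,UsageLocation,Department,JobTitle
Avery Example,avery.example@contoso.example,US,Finance,Analyst
Sam Sample,sam.sample@contoso.example,GB,Sales,Account Manager
'@ | ConvertFrom-Csv

# Assumption: O365_BUSINESS_PREMIUM is the part number shown for Business Standard.
# Check the SkuPartNumber column of Get-MgSubscribedSku in your own tenant.
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq 'O365_BUSINESS_PREMIUM'
if (-not $sku) { throw 'License SKU not found in this tenant.' }

# Stop before creating anyone if there are not enough free seats.
$free = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits
if ($free -lt @($rows).Count) { throw "Only $free free licenses for $(@($rows).Count) users." }

$rng = [Security.Cryptography.RandomNumberGenerator]::Create()
$created = foreach ($r in $rows) {
    # Random temporary password; the fixed prefix satisfies complexity rules.
    $bytes = [byte[]]::new(18)
    $rng.GetBytes($bytes)
    $tempPassword = 'Aa1!' + [Convert]::ToBase64String($bytes)

    $user = New-MgUser -DisplayName $r.DisplayName `
        -UserPrincipalName $r.UserPrincipalName `
        -MailNickname ($r.UserPrincipalName -split '@')[0] `
        -UsageLocation $r.UsageLocation `
        -Department $r.Department -JobTitle $r.JobTitle `
        -AccountEnabled `
        -PasswordProfile @{
            Password                      = $tempPassword
            ForceChangePasswordNextSignIn = $true   # same as the Step 5 checkbox
        }

    # UsageLocation was set at creation, so the license call is not rejected.
    Set-MgUserLicense -UserId $user.Id -AddLicenses @(@{ SkuId = $sku.SkuId }) `
        -RemoveLicenses @() | Out-Null

    [pscustomobject]@{ User = $user.UserPrincipalName; TempPassword = $tempPassword }
}
# Deliver each temporary password out of band; do not leave it in a file or transcript.
$created | Format-Table -AutoSize
```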
Enabling Multi-Factor Authentication (MFA)
This is the step most guides skip, and it’s arguably the most important. Microsoft’s own data shows MFA blocks over 99.9% of account compromise attacks. If you’re adding users without enabling it, you’re leaving the most effective security control on the table.
Three ways to enable MFA:
- Security Defaults — Go to Azure Active Directory → Properties → Manage Security Defaults and turn it on. Simplest option; good for small organizations.
- Per-User MFA — Go to Users → Active Users → Multi-factor authentication. Enable user by user. Fine for small teams, tedious at scale.
- Conditional Access Policies — The most flexible approach, available on Business Premium, E3, and E5. Lets you require MFA based on conditions — always for admins, only outside the office for standard users, etc.
Always enable MFA on admin accounts first. And always create at least one break-glass emergency admin account that’s excluded from Conditional Access — if your policies lock all admins out, recovering access is a slow and painful process with Microsoft Support.
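One way to express the Conditional Access option with the break-glass exclusion, as an added example that is not part of the original guide: it creates a report-only policy requiring MFA for the admin roles listed earlier, then lists any existing policy that does not exclude the emergency account. The break-glass UPN and policy name are placeholders.

```powershell
# Added example (not from the guide). Needs the Microsoft.Graph PowerShell module.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
    'Application.Read.All', 'RoleManagement.Read.Directory', 'User.Read.All'

# Placeholder UPN for the break-glass account; replace with your own.
$breakGlass = Get-MgUser -UserId 'breakglass@contoso.example'

# Resolve role template IDs by display name for the roles in the roles table.
$roleNames = 'Global Administrator', 'User Administrator', 'Billing Administrator',
             'Exchange Administrator', 'Helpdesk Administrator'
$roleIds = @(Get-MgDirectoryRoleTemplate |
    Where-Object DisplayName -in $roleNames | Select-Object -ExpandProperty Id)
if ($roleIds.Count -ne $roleNames.Count) { throw 'Could not resolve every admin role.' }

$policy = @{
    displayName   = 'Require MFA for admin roles'
    # Report-only first: review the sign-in logs, then change to 'enabled'.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @('All') }
        users          = @{
            includeRoles = $roleIds
            excludeUsers = @($breakGlass.Id)   # keeps one way in if a policy misfires
        }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Out-Null

# Check: list every active or report-only policy that does NOT exclude break-glass.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.State -ne 'disabled' -and
                   $_.Conditions.Users.ExcludeUsers -notcontains $breakGlass.Id } |
    Select-Object DisplayName, State
```

Because the break-glass account is exempt from MFA here, monitor its sign-ins and keep its credentials offline.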
Offboarding — Removing a User the Right Way
When someone leaves, how you handle their account matters as much as how you created it. Moving too fast risks data loss; moving too slow leaves active credentials that could be exploited.
Recommended sequence:
- Reset the user’s password and revoke active sessions immediately
- Remove any admin roles
- Set an Out of Office reply and forward their email to a manager or shared mailbox
- Transfer their OneDrive files to their manager
- Remove them from Teams channels, SharePoint sites, and distribution lists
- Convert to a Shared Mailbox if others need ongoing access (no license required)
- Disable the account (block sign-in) — don’t delete yet
- After 30 days, confirm all data is accounted for, then delete
- Reclaim the license
Best practice: disable first, delete later. Rushing the deletion is one of the most common causes of permanent data loss during offboarding.
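The credential-related steps of this sequence (password reset, session revocation, role removal, and the later sign-in block) can be scripted with Microsoft Graph PowerShell. This is an added example, not the guide's own code; the function names and the account name are hypothetical, and the mailbox, OneDrive, and group steps are not covered.

```powershell
# Added example (not from the guide). Needs the Microsoft.Graph PowerShell module.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'RoleManagement.ReadWrite.Directory'

function Invoke-LeaverContainment {   # hypothetical helper: first two steps
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $user = Get-MgUser -UserId $UserPrincipalName

    # Replace the password with a random value that nobody is told.
    $bytes = [byte[]]::new(24)
    [Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    Update-MgUser -UserId $user.Id -PasswordProfile @{
        Password                      = 'Aa1!' + [Convert]::ToBase64String($bytes)
        ForceChangePasswordNextSignIn = $true
    }
    # Invalidate refresh tokens; access tokens already issued last until they expire.
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

    # Remove direct, active role assignments. Roles held through a group or as
    # PIM-eligible assignments are not covered here and need a separate check.
    $assignments = Get-MgRoleManagementDirectoryRoleAssignment -All `
        -Filter "principalId eq '$($user.Id)'"
    foreach ($a in $assignments) {
        Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId $a.Id
    }
    [pscustomobject]@{
        User         = $user.UserPrincipalName
        RolesRemoved = @($assignments).Count
    }
}

function Disable-Leaver {             # hypothetical helper: block sign-in, no delete
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$false
    # Read the flag back so the checklist records the real state.
    Get-MgUser -UserId $UserPrincipalName -Property UserPrincipalName, AccountEnabled |
        Select-Object UserPrincipalName, AccountEnabled
}

# Placeholder account name; run the second call once mailbox and files are handled.
Invoke-LeaverContainment -UserPrincipalName 'departing.user@contoso.example'
# Disable-Leaver -UserPrincipalName 'departing.user@contoso.example'
```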
Common Mistakes to Avoid
| Mistake | What Goes Wrong | Fix |
| --- | --- | --- |
| Business Basic for desktop users | Can’t install Office on their computer | Ask upfront if they need desktop apps |
| Forgetting usage location | License assignment fails silently | Always set the country during creation |
| Handing out admin roles casually | Security risk; hard to track | Assign only what’s needed; review quarterly |
| Skipping MFA at onboarding | Account is vulnerable from day one | Make MFA part of the onboarding checklist |
| Deleting a user account immediately | Permanent data loss | Disable first, delete after 30 days |
| Not reclaiming licenses after departure | Paying for unused seats | Build license review into offboarding |
Don’t Overlook Data Backup
Here’s something most Microsoft 365 setup guides don’t mention: Microsoft 365 is not a backup solution. It protects against infrastructure failure — not against accidental deletion, ransomware, or mistakes made by your own admins.
What can still go wrong without a backup:
- A user permanently deletes an important email thread — gone after 30 days
- Ransomware encrypts OneDrive and SharePoint files across your organization
- An admin makes an error and wipes a mailbox
- Compliance requirements demand longer retention than Microsoft’s defaults
Microsoft themselves recommend supplementing Microsoft 365 with a third-party backup. SkyMigrate’s Microsoft 365 Backup covers email, OneDrive, SharePoint, and Teams with point-in-time recovery and long-term retention.
Migrating to Microsoft 365?
If you’re adding users as part of a migration — from Google Workspace, Exchange on-premises, Amazon WorkMail, or another system — there are a few things to know beyond the standard setup.
Create accounts and assign licenses before migration day. Migration tools need active, licensed mailboxes to deliver data to. Many projects stall because accounts were created but not licensed, and the tool can’t find the target mailbox.
Pre-creating accounts also gives users time to set up MFA and get familiar with the interface before their data arrives. It reduces confusion on cutover day significantly.
Map usernames carefully. If your source system uses email addresses as identifiers, make sure they align correctly with Microsoft 365 usernames to avoid misrouted data.
Depending on where you’re migrating from, SkyMigrate covers the full process:
- Google Workspace Migration — email, calendar, contacts, and Drive data
- Amazon WorkMail Migration — especially relevant as AWS discontinued WorkMail to new customers in April 2026
- IMAP Migration — for organizations on IMAP-based email systems
- OneDrive Migration and SharePoint Migration — for file storage migration alongside email
Best Practices for Long-Term Management
Run quarterly license audits. Check Billing → Licenses for users who haven’t signed in for 90+ days. Former employees with active licenses are a common source of wasted spend.
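A scripted version of this audit, as an added example that is not part of the original guide: it exports licensed accounts with no sign-in for 90 days to a CSV, marking which of them can still sign in. It assumes the tenant has Entra ID P1 or higher (needed for sign-in activity data); the output file name is a placeholder.

```powershell
# Added example (not from the guide). Needs the Microsoft.Graph PowerShell module.
# Assumption: the tenant has Entra ID P1 or higher, which signInActivity requires.
Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All', 'Organization.Read.All'

$cutoff = (Get-Date).ToUniversalTime().AddDays(-90)

# Map SKU GUIDs to readable part numbers for the report.
$skuName = @{}
Get-MgSubscribedSku | ForEach-Object { $skuName[$_.SkuId] = $_.SkuPartNumber }

$props = 'id', 'userPrincipalName', 'accountEnabled', 'createdDateTime',
         'assignedLicenses', 'signInActivity'
$stale = Get-MgUser -All -Property $props |
    Where-Object { $_.AssignedLicenses.Count -gt 0 } |
    ForEach-Object {
        # LastSignInDateTime reflects interactive sign-ins only.
        $last = $_.SignInActivity.LastSignInDateTime
        # Never-signed-in accounts count only once they are older than the window,
        # so accounts pre-created for a migration are not flagged on day one.
        $isStale = if ($last) { $last -lt $cutoff } else { $_.CreatedDateTime -lt $cutoff }
        if ($isStale) {
            [pscustomobject]@{
                User          = $_.UserPrincipalName
                SignInAllowed = $_.AccountEnabled
                LastSignInUtc = if ($last) { $last } else { 'never' }
                Licenses      = ($_.AssignedLicenses |
                    ForEach-Object { $skuName[$_.SkuId] }) -join ';'
            }
        }
    }

# Licensed accounts that can still sign in are the ones to review first.
$stale | Sort-Object SignInAllowed -Descending |
    Export-Csv -Path .\stale-licensed-users.csv -NoTypeInformation
```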
Use groups, not individual permissions. Assign SharePoint and Teams access through Microsoft 365 Groups or Security Groups. When someone’s role changes, update the group once — all permissions update automatically.
Set up retention policies early. Don’t wait until something is accidentally deleted to think about retention. Our guide on How to Create Retention Policy in Office 365 Exchange Online walks through the setup in detail.
Enable audit logging. Go to Security → Audit and confirm logging is active. These logs are invaluable during incidents and compliance reviews — but only if they were running before the incident.
Document everything. Your naming conventions, license assignment rules, and offboarding checklist should live in a shared document that any IT team member can follow. If it’s not written down, the next admin will make different decisions.
Related Reading
- Shared Mailbox vs User Mailbox in Microsoft 365 — when to use a shared mailbox instead of a licensed account
- How to Create Retention Policy in Office 365 Exchange Online
- Download Outlook Emails from Microsoft 365 Outlook Web App
- How to Add SharePoint to File Explorer in Windows 11 & Windows 10
- Best Email Service Providers in 2026
- Microsoft 365 Migration
- Microsoft 365 Backup
FAQs
Can I create a user without a license? Yes, but they won’t be able to access any Microsoft 365 services until one is assigned. Useful when pre-creating accounts before a migration.
How long does account creation take? Users can usually sign in within 1–2 minutes. OneDrive and SharePoint may take up to 30 minutes to fully provision on first sign-in.
What if I assign the wrong license? Change it anytime from the user’s Licenses and apps tab. Downgrading from Standard to Basic removes desktop app access — the user will need to uninstall Office.
How do I onboard a large team efficiently? Use the CSV bulk upload in Active Users for quick account creation, then assign licenses manually or via PowerShell. PowerShell is better for large groups as it handles creation and licensing in one step.
What happens to data when I delete a user? Mailbox data is retained for 30 days, OneDrive for 180 days. After those windows, it’s permanently gone. Use Microsoft 365 Backup if you need reliable long-term retention beyond Microsoft’s defaults.
What’s the difference between disabling and deleting a user? Disabling blocks sign-in but keeps the account, data, and license active. Deleting starts the data retention clock. Always disable first during offboarding, confirm data is handled, then delete after 30 days.


