Microsoft 365 feature descriptions

User account management

Microsoft supports the following methods for creating, managing, and authenticating users. However, this topic doesn't include information about security features that allow or prohibit access to individual Microsoft resources (for example, role-based access control in Microsoft Exchange Online or configuring security in Microsoft SharePoint Online). For details about these features, see the Exchange Online service description and the SharePoint Online service description. If you need information about tools that can help you perform administrative tasks, see Tools to manage Microsoft accounts. To learn how to perform day-to-day management tasks, see Common management tasks.

Need help with signing in, installing or uninstalling, or canceling your subscription?: Get help with: signing in | Installing or uninstalling Office | Canceling Office 365

For other issues, visit the Microsoft support center. To get support for Office 365 operated by 21Vianet in China, contact the 21Vianet support team.

Sign-in options: Microsoft has two systems that can be used for user identities: Work or school account (cloud identity) and Federated account (federated identity). The type of identity affects the user experience and user account management options, as well as hardware and software requirements and other deployment considerations.

Work or school account (cloud identity) - Users receive Microsoft Entra cloud credentials—separate from other desktop or corporate credentials—for signing into Microsoft cloud services. This is the default identity, and is recommended in order to minimize deployment complexity. Passwords for work or school accounts use the Microsoft Entra ID password policy.

Federated account (federated identity) - For all subscriptions in organizations with on-premises Active Directory that use single sign-on (SSO), users can sign into Microsoft services by using their Active Directory credentials. The corporate Active Directory stores and controls the password policy. For information about SSO, see Single sign-on roadmap.

Single sign-on: For organizations using single sign-on, all users on a domain must use the same identity system: either cloud identity or federated identity. For example, you could have one group of users that only needs a cloud identity because they don't access on-premises systems, and another group of users who use Microsoft and on-premises systems. You would add two domains to Office 365, such as contractors.contoso.com and staff.contoso.com, and only set up SSO for one of them. An entire domain can be converted from cloud identity to federated identity, or from federated identity to cloud identity.

Authentication: Except for Internet sites for anonymous access created with SharePoint Online, users must be authenticated when accessing Microsoft services. Modern authentication, Cloud identity authentication, and Federated identity authentication. Microsoft uses forms-based authentication, and authentication traffic over the network is always encrypted with TLS/SSL using port 443. Authentication traffic uses a negligible percentage of bandwidth for Microsoft services.

Modern authentication - Modern authentication brings Microsoft Authentication Library-based sign-in to Office client apps across platforms. This enables sign-in features such as Multi-Factor Authentication (MFA), SAML-based third-party identity providers with Office client applications, and smart card and certificate-based authentication. It also removes the need for Microsoft Outlook to use the basic authentication protocol. For more information, including the availability of modern authentication across Office applications, see How modern authentication works for Office 2013 and Office 2016 client apps. Modern authentication is turned on by default for Exchange Online. To learn how to turn it on or off, see Enable modern authentication in Exchange Online.

Cloud identity authentication - Users with cloud identities are authenticated using traditional challenge/response. The web browser is redirected to the Microsoft sign-in service, where you type the user name and password for your work or school account. The sign-in service authenticates your credentials and generates a service token, which the web browser posts to the requested service and logs you in.

Federated identity authentication - Users with federated identities are authenticated using Active Directory Federation Services (AD FS) 2.0 or other Security Token Services. The web browser is redirected to the Microsoft sign-in service, where you type your corporate ID in the form a user principal name (UPN), for example: isabel@contoso.com. The sign-in service determines that you're part of a federated domain and offers to redirect you to the on-premises Federation Server for authentication. If you're logged on to the desktop (domain joined), you're authenticated (using Kerberos or NTLMv2) and the on-premises Security Token Service generates a logon token, which the web browser posts to the Microsoft sign-in service. Using the logon token, the sign-in service generates a service token that the web browser posts to the requested service and logs you in. For a list of available Security Token Services available, see Single sign-on roadmap.

Multi-Factor Authentication: With Multi-Factor Authentication, users are required to acknowledge a phone call, text message, or an app notification on their smartphone after correctly entering their password. Only after this second authentication can the user sign in. Microsoft administrators can enroll users for multi-factor authentication in the Microsoft 365 admin center. Learn more about Multi-Factor Authentication.

Rich client authentication: For rich clients such as Microsoft Office desktop applications, authentication can occur in two ways: Microsoft Online Services Sign-In Assistant and Basic/proxy authentication over SSL. To ensure proper discovery and authentication of Microsoft services, administrators must apply a set of components and updates to each workstation that uses rich clients (such as Microsoft Office 2010) and connects to Office 365. Desktop setup is an automated tool to configure workstations with the required updates. For more information, see Use my current Office desktop apps.

Microsoft Online Services Sign-In Assistant - The Sign-in assistant, which is installed by desktop setup, contains a client service that obtains a service token from the sign-in service and returns it to the rich client. If you have a cloud identity, you receive a prompt for credentials, which the client service sends to the sign-in service for authentication (using WS-Trust). If you have a federated identity, the client service first contacts the AD FS 2.0 server to authenticate the credentials (using Kerberos or NTLMv2) and obtain a logon token that is sent to the sign-in service (using WS-Federation and WS-Trust).

Basic/proxy authentication over SSL - The Outlook client passes basic authentication credentials over SSL to Exchange Online. Exchange Online proxies the authentication request to the identity platform, and then to on-premises Active Directory Federation Server (for SSO).

Sign-in experience: The sign-in experience changes depending on the type of identity in use:

Service Cloud identity Federated identity
Outlook 2016 Sign in each session 1 Sign in each session 2
Outlook 2013 Sign in each session 1 Sign in each session 2
Outlook 2010 or Office 2007 on Windows 7 Sign in each session 1 Sign in each session 2
Outlook 2010 or Office Outlook 2007 on Windows Vista Sign in each session 1 Sign in each session 2
Microsoft Exchange ActiveSync Sign in each session 1 Sign in each session 2
POP, IMAP, Outlook for Mac Sign in each session 1 Sign in each session 2
Web experiences: Microsoft 365 admin center/Outlook on the web/SharePoint Online/Office for the web Sign in each browser session4 Sign in each session 3
Office 2010 or Office 2007 using SharePoint Online Sign in each SharePoint Online session 4 Sign in each SharePoint Online session3
Skype for Business Online Sign in each session 1 No prompt
Outlook for Mac Sign in each session 1 Sign in each session 2

1 When first prompted, you can save your password for future use. You won't receive another prompt until you change the password.
2 You enter your corporate credentials. You can save your password and won't be prompted again until your password changes.
3 All apps require you to enter or select your username to sign in. You aren't prompted for your password if your computer is joined to the domain. If you select Keep me signed in you won't be prompted again until you sign out.
4 If you select Keep me signed in you won't be prompted again until you sign out.

Create user accounts: There are multiple ways for you to add users. To learn more, see Add users individually or in bulk - Admin Help and Add users and assign licenses - Microsoft 365 admin | Microsoft Docs. If you're using Office 365 operated by 21Vianet in China, see Create or edit user accounts in Office 365 operated by 21Vianet - Admin Help.

Delete user accounts: How you delete accounts depends on whether or not you're using directory synchronization. If you aren't using directory synchronization, accounts can be deleted by using the admin page or by using Windows PowerShell. If you're using directory synchronization, you must delete users from the local Active Directory, rather than from Office 365.

Deleted accounts: When an account is deleted, it becomes inactive. For approximately 30 days after having deleted it, you can restore the account. For more information about deleting and restoring accounts, see Delete users and Restore users or, if you're using Office 365 operated by 21Vianet in China, see Create or edit user accounts in Office 365 operated by 21Vianet - Admin Help.

Password management: The policies and procedures for password management depend on the identity system.

Cloud identity password management: When using cloud identities, passwords are automatically generated when the account is created. For cloud identity password strength requirements, see password policy. To increase security, users must change their passwords when they first access Microsoft services. As a result, before users can access Microsoft services, they must sign into the Microsoft 365 admin center, where they're prompted to change their passwords. Admins can set the password expiration policy. For more information, see Set a user's password expiration policy.

Cloud identity password reset: There are several tools for resetting passwords for users with cloud identities: Admin resets password, User changes passwords with Outlook on the web, Role-based reset password rights, and Reset passwords using Windows PowerShell.

Admin resets password - If users lose or forget their passwords, admins can reset users' passwords in the admin center or by using Windows PowerShell. Users can only change their own password if they know their existing password. For enterprise plans, if administrators lose or forget their passwords, a different administrator with the Global Administrator role can reset administrators' passwords in the Microsoft 365 admin center or by using Windows PowerShell. For more information, see Reset passwords for admins. If you're working in Office 365 operated by 21Vianet in China, see Change or reset passwords in Office 365 operated by 21Vianet.

User changes passwords with Outlook on the web - The Outlook on the web options page includes a Change password hyperlink, which redirects users to the Change Password page. The user must know their previous password. For more information, see Change password. If you're using Office 365 operated by 21Vianet in China, see Change or reset passwords in Office 365 operated by 21Vianet.

Role-based reset password rights - For enterprise plans, authorized users such as helpdesk staff can be assigned the Reset Password user right and the right to change passwords by using predefined or custom roles without becoming full services administrators. By default in enterprise plans, admins with the Global Administrator, Password Administrator, or User Management Administrator role can change passwords. For more information, see Assigning admin roles.

Reset passwords using Windows PowerShell - Service administrators can use Windows PowerShell to reset passwords.

Federated identity password management: When using federated identities, passwords are managed in Active Directory. The on-premises Security Token Service negotiates the authentication with Federation Gateway without passing users' local Active Directory passwords over the internet to Office 365. Local password policies are used, or, for web clients, two-factor identification. Outlook on the web doesn't include a Change Password hyperlink. Users change their passwords using standard, on-premises tools or through their desktop PC logon options.

Directory Sync: If you have Directory Sync with single sign-on (SSO) enabled in your organization environment and there is an outage that impacts your federated identity provider, Password Sync Backup for Federated Sign-in provides the option to manually switch your domain to Password Sync. Using Password Sync will allow your users access while the outage is fixed. Learn how to switch from Single Sign-On to Password Sync.

License management: A license gives a user access to a set of Microsoft services. An administrator assigns a license to each user for the service they need access to. For example, you can assign a user access to Skype for Business Online, but not SharePoint Online.

Billing: Microsoft billing admins can make changes to subscription details like the number of user licenses and number of additional services your company uses. Check out Assign or remove a license. If you're using Office 365 operated by 21Vianet, see Assign or remove licenses in Office 365 operated by 21Vianet.

Group management: Security groups are used in SharePoint Online to control access to sites. Security groups can be created in the Microsoft 365 admin center. For more information about security groups, see Create, edit, or delete a security group.

Microsoft Entra services: Microsoft Entra ID brings comprehensive identity and access management capabilities to Office 365. It combines directory services, advanced identity governance, application access management and a rich standards-based platform for developers. To learn more about AD features in Office 365, see Sign in page branding and cloud user self-service password reset. Learn more about the Free, Basic, and Premium editions of Microsoft Entra ID.

Feature availability: To view feature availability across plans, see Microsoft 365 and Office 365 platform service description.