2022-10-13 17:22:30 -04:00

title: Set up Azure Active Directory
description: Learn how to create and prepare your Azure AD tenant for an education environment.
ms.date: 08/31/2022
ms.topic: tutorial

Set up Azure Active Directory

The Microsoft platform for education simplifies the management of Windows devices with Intune for Education and Microsoft 365 Education. The first, fundamental step is to configure the identity infrastructure to manage user access and permissions for your school.

Azure Active Directory (Azure AD), which is included with the Microsoft 365 Education subscription, provides authentication and authorization to any Microsoft cloud services. Identity objects are defined in Azure AD for human identities, like students and teachers, as well as non-human identities, like devices, services, and applications. Once users get Microsoft 365 licenses assigned, they'll be able to consume services and access resources within the tenant. With Microsoft 365 Education, you can manage identities for your teachers and students, assign licenses to devices and users, and create groups for the classrooms.

In this section you will:

  • Set up a Microsoft 365 Education tenant
  • Add users, create groups, and assign licenses
  • Configure school branding
  • Enable bulk enrollment

Create a Microsoft 365 tenant

If you don't already have a Microsoft 365 tenant, you'll need to create one.

For more information, see Create your Office 365 tenant account.

Tip

To learn more, and practice how to configure the Microsoft 365 tenant for your school, try this interactive demo.

Explore the Microsoft 365 admin center

The Microsoft 365 admin center is the hub for all administrative consoles for the Microsoft 365 cloud. To access the Microsoft Entra admin center, sign in with the same global administrator account that you used when you created the Microsoft 365 tenant.

From the Microsoft 365 admin center, you can access different administrative dashboards: Azure Active Directory, Microsoft Endpoint Manager, Intune for Education, and others:

:::image type="content" source="./images/m365-admin-center.png" alt-text="All admin centers page in Microsoft 365 admin center" lightbox="./images/m365-admin-center.png" border="true":::

For more information, see Overview of the Microsoft 365 admin center.

Note

Setting up your school's basic cloud infrastructure does not require you to complete the rest of the Microsoft 365 setup. For this reason, we will skip directly to adding students and teachers as users in the Microsoft 365 tenant.

Add users, create groups, and assign licenses

With the Microsoft 365 tenant in place, it's time to add users, create groups, and assign licenses. All students and teachers need a user account before they can sign in and access the different Microsoft 365 services. There are multiple ways to do this, including using School Data Sync (SDS), synchronizing an on-premises Active Directory, creating accounts manually, or a combination of the above.

Note

Synchronizing your Student Information System (SIS) with School Data Sync is the preferred way to create students and teachers as users in a Microsoft 365 Education tenant. However, if you want to integrate an on-premises directory and synchronize accounts to the cloud, skip to Azure Active Directory sync below.

School Data Sync

School Data Sync (SDS) imports and synchronizes SIS data to create classes in Microsoft 365, such as Microsoft 365 groups and class teams in Microsoft Teams. SDS can be used to create new, cloud-only, identities or to evolve existing identities. Users evolve into students or teachers and are associated with a grade, school, and other education-specific attributes.

For more information, see Overview of School Data Sync.

Tip

To learn more and practice with School Data Sync, follow the Microsoft School Data Sync demo, which provides detailed steps to access, configure, and deploy School Data Sync in your Microsoft 365 Education tenant.

Note

You can perform a test deployment by cloning or downloading sample SDS CSV school data from the O365-EDU-Tools GitHub site.

Remember that you should typically deploy test SDS data (users, groups, and so on) in a separate test tenant, not your school production environment.

Azure Active Directory sync

To integrate an on-premises directory with Azure Active Directory, you can use Microsoft Azure Active Directory Connect to synchronize users, groups, and other objects. Azure AD Connect lets you configure the authentication method appropriate for your school, including:

For more information, see Set up directory synchronization for Microsoft 365.

Create users manually

In addition to the above methods, you can manually add users and groups, and assign licenses through the Microsoft 365 admin center.

There are two options for adding users manually, either individually or in bulk:

  1. To add students and teachers as users in Microsoft 365 Education individually:
  2. To add multiple users to Microsoft 365 Education:

For more information, see Add multiple users in the Microsoft 365 admin center.

Create groups

Creating groups is important because it simplifies multiple tasks, like assigning licenses, delegating administration, deploying settings and applications, or distributing assignments to students. To create groups:

  1. Sign in to the Microsoft Entra admin center
  2. Select Azure Active Directory > Groups > All groups > New group
  3. On the New group page, select Group type > Security
  4. Provide a group name and add members, as needed
  5. Select Next

For more information, see Create a group in the Microsoft 365 admin center.

Assign licenses

The recommended way to assign licenses is through group-based licensing. With this method, Azure AD ensures that licenses are assigned to all members of the group. Any new members who join the group are assigned the appropriate licenses, and when members leave, their licenses are removed.

To assign a license to a group:

  1. Sign in to the Microsoft Entra admin center

  2. Select Azure Active Directory > Show More > Billing > Licenses

  3. Select the required products that you want to assign licenses for > Assign

  4. Add the groups to which the licenses should be assigned

    :::image type="content" source="images/entra-assign-licenses.png" alt-text="Assign licenses from Microsoft Entra admin center." lightbox="images/entra-assign-licenses.png":::

For more information, see Group-based licensing using Azure AD admin center.
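
The "Create groups" and "Assign licenses" procedures above can also be scripted. The following is an added example, not part of the original tutorial, that uses the Microsoft Graph PowerShell SDK; the group name and the SKU part number are placeholders you must replace.

```powershell
# Added example (not from the original tutorial). Requires the Microsoft Graph PowerShell SDK.
param(
    [string]$GroupName     = 'Grade9-Students',   # hypothetical group name
    [string]$SkuPartNumber = '<SKU_PART_NUMBER>'  # placeholder: use a value listed by Get-MgSubscribedSku
)

# Delegated scopes: manage groups and read the tenant's subscribed products.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Organization.Read.All' | Out-Null

# Resolve the product and flag a seat shortage before anything is changed.
$sku = Get-MgSubscribedSku -All | Where-Object { $_.SkuPartNumber -eq $SkuPartNumber }
if (-not $sku) { throw "SKU '$SkuPartNumber' was not found in this tenant." }
$free = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits
if ($free -le 0) { Write-Warning ('No free seats left for {0}.' -f $SkuPartNumber) }

# Reuse the group if it already exists so the script can be re-run safely.
$group = Get-MgGroup -Filter "displayName eq '$GroupName'" | Select-Object -First 1
if (-not $group) {
    $nickname = $GroupName -replace '[^A-Za-z0-9]', ''
    $group = New-MgGroup -DisplayName $GroupName -MailNickname $nickname `
        -MailEnabled:$false -SecurityEnabled
}
if (-not $group.SecurityEnabled) { throw "'$GroupName' exists but is not a security group." }

# Group-based licensing: attach the SKU to the group only if it is not already assigned.
$already = (Get-MgGroup -GroupId $group.Id -Property 'assignedLicenses').AssignedLicenses.SkuId
if ($already -notcontains $sku.SkuId) {
    Set-MgGroupLicense -GroupId $group.Id -AddLicenses @{ SkuId = $sku.SkuId } `
        -RemoveLicenses @() | Out-Null
}

# Read the group back to confirm its type and the licenses now attached to it.
Get-MgGroup -GroupId $group.Id -Property 'id,displayName,securityEnabled,assignedLicenses' |
    Select-Object Id, DisplayName, SecurityEnabled,
        @{ n = 'LicensedSkus'; e = { $_.AssignedLicenses.SkuId } }
```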

Configure school branding

Configuring your school branding enables a more familiar Autopilot experience to students and teachers. With a custom school branding, you can define a custom logo and a welcome message, which will appear during the Windows out-of-box experience.

To configure your school's branding:

  1. Sign in to the Microsoft Entra admin center
  2. Select Azure Active Directory > Show More > User experiences > Company branding
  3. Specify brand settings such as the background image, logo, username hint, and sign-in page text :::image type="content" source="images/entra-branding.png" alt-text="Configure Azure AD branding from Microsoft Entra admin center." lightbox="images/entra-branding.png":::
  4. To adjust the school tenant's name displayed during OOBE, select Azure Active Directory > Overview > Properties
  5. In the Name field, enter the school district or organization's name > Save :::image type="content" alt-text="Configure Azure AD tenant name from Microsoft Entra admin center." source="images/entra-tenant-name.png" lightbox="images/entra-tenant-name.png":::

For more information, see Add branding to your directory.

Enable bulk enrollment

If you decide to enroll Windows devices using provisioning packages instead of Windows Autopilot, you must ensure that the provisioning packages can join Windows devices to the Azure AD tenant.

To allow provisioning packages to complete the Azure AD Join process:

  1. Sign in to the Microsoft Entra admin center
  2. Select Azure Active Directory > Devices > Device Settings
  3. Under Users may join devices to Azure AD, select All

    Note

    If it is required that only specific users can join devices to Azure AD, select Selected. Ensure that the user account that will create provisioning packages is included in the list of users.

  4. Select Save :::image type="content" source="images/entra-device-settings.png" alt-text="Configure device settings from Microsoft Entra admin center." lightbox="images/entra-device-settings.png":::

Next steps

With users and groups created, and licensed for Microsoft 365 Education, you can now configure Microsoft Intune.

Next: Set up Microsoft Intune