articles/active-directory/users-groups-roles/my-staff-configure.md
21 additions & 9 deletions
@@ -9,7 +9,7 @@ ms.topic: article
9
9
ms.service: active-directory
10
10
ms.subservice: user-help
11
11
ms.workload: identity
12
-
ms.date: 04/23/2020
12
+
ms.date: 05/01/2020
13
13
ms.author: curtand
14
14
ms.reviewer: sahenry
15
15
ms.custom: oldportal;it-pro;
@@ -21,10 +21,29 @@ My Staff enables you to delegate to a figure of authority, such as a store manag
21
21
22
22
Before you configure My Staff for your organization, we recommend that you review this documentation as well as the [user documentation](../user-help/my-staff-team-manager.md) to ensure you understand the functionality and impact of this feature on your users. You can leverage the user documentation to train and prepare your users for the new experience and help to ensure a successful rollout.
23
23
24
+
SMS-based authentication for users is a public preview feature of Azure Active Directory. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)
25
+
24
26
## How My Staff works
25
27
26
28
My Staff is based on administrative units (AUs), which are a container of resources which can be used to restrict the scope of a role assignment's administrative control. In My Staff, AUs are used to define a subset of an organization's users such as a store or department. Then, for example, a team manager could be assigned to a role whose scope is one or more AUs. In the example below, the user has been granted the Authentication Administrative role, and the three AUs are the scope of the role. For more information about administrative units, see [Administrative units management in Azure Active Directory](directory-administrative-units.md).
27
29
30
+
## Before you begin
31
+
32
+
To complete this article, you need the following resources and privileges:
33
+
34
+
* An active Azure subscription.
35
+
36
+
* If you don't have an Azure subscription, [create an account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
37
+
* An Azure Active Directory tenant associated with your subscription.
38
+
39
+
* If needed, [create an Azure Active Directory tenant](../fundamentals/sign-up-organization.md) or [associate an Azure subscription with your account](../fundamentals/active-directory-how-subscriptions-associated-directory.md).
40
+
* You need *Global administrator* privileges in your Azure AD tenant to enable SMS-based authentication.
41
+
* Each user that's enabled in the text message authentication method policy must be licensed, even if they don't use it. Each enabled user must have one of the following Azure AD or Microsoft 365 licenses:
42
+
43
+
*[Azure AD Premium P1 or P2](https://azure.microsoft.com/pricing/details/active-directory/)
44
+
*[Microsoft 365 (M365) F1 or F3](https://www.microsoft.com/licensing/news/m365-firstline-workers)
45
+
*[Enterprise Mobility + Security (EMS) E3 or E5](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/compare-plans-and-pricing) or [Microsoft 365 (M365) E3 or E5](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans)
46
+
28
47
## How to enable My Staff
29
48
30
49
Once you have configured AUs, you can apply this scope to your users who access My Staff. Only users who are assigned an administrative role can access My Staff. To enable My Staff, complete the following steps:
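Review bot: The added preview note and the Global administrator prerequisite under "Before you begin" are scoped to SMS-based authentication rather than to My Staff, which is the feature this article configures. The note reads "SMS-based authentication for users is a public preview feature of Azure Active Directory" and the prerequisite asks for Global administrator "to enable SMS-based authentication"; if these were carried over from another article, reword them to say what is in preview here and which role is needed to enable My Staff, so a reader does not hand out Global administrator for a step this page never performs. The preview sentence is also missing its closing period, and the three license bullets are written as `*[` with no space after the asterisk, which will not render as list items.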
@@ -42,7 +61,7 @@ You can protect the My Staff portal using Azure AD Conditional Access policy. Us
42
61
43
62
We strongly recommend that you protect My Staff using [Azure AD Conditional Access policies](https://docs.microsoft.com/azure/active-directory/conditional-access/). To apply a Conditional Access policy to My Staff, you must manually create the My Staff service principal using PowerShell.
44
63
45
-
### Apply a Conditional Access policy to My Staff
64
+
### Apply a Conditional Access policy to My Staff
46
65
47
66
1. Install the [Microsoft Graph Beta PowerShell cmdlets](https://github.com/microsoftgraph/msgraph-sdk-powershell/blob/dev/samples/0-InstallModule.ps1).
48
67
1. Run the following commands:
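Review bot: The removed and added heading lines in this hunk both read "### Apply a Conditional Access policy to My Staff", so the change appears to be whitespace only; please confirm that is intended. While this section is being touched, step 1 links to the install script at `blob/dev/samples/0-InstallModule.ps1`, a path on the `dev` branch whose content can change after publication; consider linking to a tagged release or a commit-pinned URL so the script a reader runs before creating the service principal is the one that was reviewed.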
@@ -58,13 +77,6 @@ We strongly recommend that you protect My Staff using [Azure AD Conditional Acce
58
77
59
78
When a user goes to My Staff, they are shown the names of the [administrative units](directory-administrative-units.md) over which they have administrative permissions. In the [My Staff user documentation](../user-help/my-staff-team-manager.md), we use the term "location" to refer to administrative units. If an administrator's permissions do not have an AU scope, the permissions apply across the organization. After My Staff has been enabled, the users who are enabled and have been assigned an administrative role can access it through [https://mystaff.microsoft.com](https://mystaff.microsoft.com). They can select an AU to view the users in that AU, and select a user to open their profile.
60
79
61
-
## Licenses
62
-
63
-
Each user who's enabled in My Staff must be licensed, even if they don't use the My Staff portal. Each enabled user must have one of the following Azure AD or Microsoft 365 licenses:
64
-
65
-
- Azure AD Premium P1 or P2
66
-
- Microsoft 365 F1 or F3
67
-
68
80
## Reset a user's password
69
81
70
82
The following roles have permission to reset a user's password:
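Review bot: Removing the "Licenses" section drops the statement that each user enabled in My Staff must be licensed, and the replacement added under "Before you begin" ties the requirement to "the text message authentication method policy" instead. Keep a sentence that states the licensing requirement for My Staff itself, and confirm the license list: the removed list named Azure AD Premium P1 or P2 and Microsoft 365 F1 or F3, while the added list also includes EMS E3 or E5 and Microsoft 365 E3 or E5. Any inbound links to the "Licenses" heading anchor will also stop resolving once the heading is gone.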