Microsoft 365 Admin Center: User Management, Policies, and Billing Guide
Why This Is Happening
You're staring at the Microsoft 365 Admin Center and something isn't working the way it should. Maybe a new employee can't sign in even though you swear you added their account. Maybe a billing change didn't go through and now you're getting scary suspension warnings in your inbox. Or maybe you just got promoted to admin , congratulations, by the way , and the dashboard feels like a cockpit with no flight manual.
I've seen this exact scenario play out on dozens of business tenants, from five-person startups to 500-seat enterprises. The Microsoft 365 Admin Center at admin.microsoft.com is genuinely powerful, but it's also dense. Microsoft keeps moving things around between releases, labels change, and features that used to be in one place quietly migrate to a different section. The error messages don't help either, something like "License assignment failed" gives you almost nothing to work with.
Here's the real problem most admins hit: the Admin Center covers at least six distinct management domains under one roof, users and groups, email and calendars, domains, subscriptions and billing, data and service health, and troubleshooting. Each of these has its own permission model, its own quirks, and its own failure modes. When something breaks, it usually isn't obvious which domain is actually the source of the problem.
The other issue is admin roles. Not every person who needs to manage something in Microsoft 365 should have full Global Admin rights. In practice, I see a lot of small businesses where the owner accidentally assigned someone Global Admin because it seemed like the easiest way to let them "handle the IT stuff." That's a significant security exposure. Microsoft's role-based access model in the Admin Center is built exactly to prevent this, but only if you use it correctly.
Who runs into Microsoft 365 Admin Center problems most often? New IT admins who inherited a tenant they didn't set up. Business owners managing their own subscriptions without IT support. System admins at growing companies suddenly dealing with domain joins, shared mailboxes, and Teams governance at the same time. If any of that sounds familiar, you're in the right place.
The good news: almost every common Admin Center issue, users locked out, licenses not applying, billing errors, group policy confusion, has a clear, documented resolution path. Browse all Microsoft fix guides →
The Quick Fix, Try This First
Before you dig into the deep troubleshooting steps, run through this fast checklist. In my experience, about 60% of Microsoft 365 Admin Center issues resolve at one of these four points.
Step 1, Confirm your admin role is active. Go to admin.microsoft.com, click your profile avatar in the top-right corner, and select My account. Under Roles, confirm you have the correct admin role for what you're trying to do. If you're trying to manage billing but you only have a User Admin role, you'll be blocked. Global Admin can do everything; other roles have scoped permissions.
Step 2, Check service health first. Before blaming your own configuration, go to Health > Service health in the left nav. If Microsoft has an active incident affecting Exchange Online, Azure AD, or Teams, that's why things are broken, and there's nothing you can do but wait. I can't tell you how many hours I've watched admins spin their wheels on a problem that was already on Microsoft's radar.
Step 3, Try an InPrivate or Incognito browser window. Admin Center issues are frequently caused by stale authentication cookies or cached credentials. Open a fresh private browser session, navigate to admin.microsoft.com, and sign in fresh. If it works there, clear your browser cache and cookies in your main session.
Step 4, Check the Message Center. Navigate to Health > Message Center in the left nav. Microsoft posts advance notice of feature changes, deprecations, and required admin actions here. If a feature you rely on suddenly stopped working, there's often a Message Center post explaining exactly why, and what you need to do.
If none of those four steps resolved your issue, keep reading. The step-by-step section below covers the most common Admin Center failure scenarios in detail.
One of the most common tasks in the Microsoft 365 Admin Center, and one of the most common sources of confusion, is adding a new user and making sure they actually have access to the apps they need. Just creating the account isn't enough. If you skip the license assignment step, the user will be able to sign in but won't see any of their apps.
To add a user, navigate to Users > Active users in the left nav and click Add a user. Fill in the user's first name, last name, and display name. Then set their username, this becomes their primary sign-in email address, formatted as username@yourdomain.com. If you have a custom domain set up, you can choose it from the dropdown here.
On the next screen, Product licenses, this is where admins most frequently make mistakes. You must select a license from your available pool. Each Microsoft 365 for business plan gives each user access to a different set of apps:
- Microsoft 365 Apps for Business, desktop Office apps + 1 TB OneDrive, no Teams or Exchange
- Microsoft 365 Business Basic, web-only Office apps + Teams + 50 GB Exchange mailbox
- Microsoft 365 Business Standard, desktop apps + Teams + 50 GB Exchange mailbox
- Microsoft 365 Business Premium, everything in Standard + advanced security and device management
After assigning the license, set the user's role. If this is a regular employee, leave it as User (no admin access). Assign admin roles only when genuinely needed.
When it works, the user will appear in your Active users list with a green checkmark next to their license. They'll receive a welcome email at the address you specified, with instructions for their first sign-in. If the license column shows "Unlicensed" in red, go back and edit the user, the license assignment didn't save.
A user can't sign in. Your phone is ringing. Here's how to fix it fast in the Microsoft 365 Admin Center without needing to call Microsoft Support.
Go to Users > Active users. Find the user, use the search bar at the top of the user list, it's much faster than scrolling. Click on their display name to open the user details panel on the right side of the screen. You'll see a Reset password option near the top of the panel.
Click Reset password. You have two options: auto-generate a password (Microsoft creates a temporary one) or let you set a specific temporary password manually. I recommend the auto-generate option, it's faster and the password gets emailed directly to an alternate address you specify, so you're not reading passwords over the phone. Check the box that says Require this user to change their password when they first sign in, always leave this enabled.
If the user is getting an error about their account being blocked rather than a wrong password, look for a blue Blocked badge next to their name in the Active users list. Click their name, go to the Account tab in the details panel, and look for Sign-in status. If it reads "Sign-in blocked," click Edit and toggle it back to allowed.
For accounts that are blocked because of a suspected security breach, you'll know because Microsoft often sends an alert to your admin email, don't just unblock the account. First go to Security > Risky users in the Microsoft 365 Defender portal and review the risk events attached to that account. Reset credentials, then unblock.
After a successful password reset, the user should be able to sign in within a few minutes. Azure AD propagation is usually fast, but in some large tenants it can take up to 15 minutes.
Enabling multifactor authentication is the single most impactful security action you can take in the Microsoft 365 Admin Center. Microsoft's own data shows that MFA blocks over 99% of account compromise attacks. And yet I still see tenants running without it in 2026, usually because the admin was worried about user pushback or didn't know where the setting was.
Here's where it is. In the Admin Center left nav, go to Setup, then scroll down to the Sign-in and security section. You'll see Set up multi-factor authentication as a setup card. Click View.
For most small and mid-sized businesses, Microsoft recommends enabling Security defaults in Azure Active Directory, this automatically turns on MFA for all users and enforces it on the next sign-in. To enable Security defaults, the path is: Admin Center > Azure Active Directory (you'll be redirected to the Entra portal) > Properties > Manage security defaults. Toggle Security defaults to Enabled and save.
If you're on Microsoft 365 Business Premium or have Azure AD Premium licenses, you have access to Conditional Access policies, which give you much finer control, you can require MFA only when signing in from outside the office network, for example.
When Security defaults or a Conditional Access policy is active, users signing in for the first time will be prompted to register an authentication method. The Microsoft Authenticator app is the recommended option. Users can also use SMS text message codes as a backup, though the Authenticator app is significantly more secure.
One important note: if you have any service accounts, accounts used by automated processes, not real people, exclude them from MFA policies before you enable them, or those automated processes will start failing immediately.
Groups and shared mailboxes in the Microsoft 365 Admin Center solve two very different collaboration needs, and confusing the two is a common admin mistake that creates support tickets weeks later.
Microsoft 365 Groups are the backbone of Teams, SharePoint sites, and shared calendars. When you create a Team in Microsoft Teams, it automatically creates a Microsoft 365 Group behind the scenes. To manage these, go to Teams & groups > Active teams & groups in the Admin Center left nav. You can see all groups here, manage membership, and control whether the group is public (anyone in your org can join) or private (members must be added by an owner).
Shared mailboxes are a different animal entirely. They're used when multiple people need to read and respond to email from a single address, think support@yourcompany.com or info@yourcompany.com. Shared mailboxes don't need their own license (up to 50 GB), and the users who access them use their own licensed accounts. To create one, go to Teams & groups > Shared mailboxes and click Add a shared mailbox.
Guest access is where I see the most policy confusion. By default, Microsoft 365 allows external users to be added as guests to Teams and SharePoint. Guests get a free account in your Azure AD tenant with limited permissions. To control this, go to Org settings > Microsoft 365 Groups and you'll find a toggle for letting group owners add guests from outside your org. A separate guest access setting exists inside the Teams Admin Center for Teams-specific control.
To remove a guest entirely from your tenant, go to Users > Guest users in the Admin Center. Select the guest and click Delete user. This removes all their access immediately.
Billing issues in the Microsoft 365 Admin Center can escalate quickly, a failed payment can lead to service suspension, and recovering a suspended tenant is a stressful experience you want to avoid entirely.
To manage your subscription and billing, navigate to Billing > Your products in the left nav. Here you'll see every active subscription, the number of licenses purchased vs. assigned, the renewal date, and the current status. If any subscription shows a red or yellow status badge, click it immediately to see what's wrong.
For payment issues, go to Billing > Payment methods. If a credit card has expired or was replaced, you need to add the new card here and then set it as the default payment method. To update: click Add a payment method, fill in the new card details, then go back to your subscription under Your products, click the subscription name, and under Payment method select your new card. Don't assume it auto-updates, it doesn't.
If you need to add more licenses because you've hired new people, go to Billing > Your products, click the subscription you want to expand, and select Buy licenses. Enter the number of additional seats you need. The prorated charge for the remainder of your billing cycle is calculated automatically and charged to your payment method on file.
To reassign or remove a license from a user who left the company: go to Users > Active users, click the user, go to the Licenses and apps tab, uncheck the license, and save. The license immediately returns to your available pool and can be assigned to someone else. Don't forget to also block the departed user's sign-in, removing the license alone doesn't prevent them from signing in with their credentials.
# Check license assignment status via PowerShell (requires Microsoft Graph module)
Connect-MgGraph -Scopes "User.Read.All"
Get-MgUser -UserId "user@yourdomain.com" -Property DisplayName,AssignedLicenses | Select DisplayName,AssignedLicensesWhen the billing fix works, the status badge on your subscription will return to green within a few minutes. Microsoft sends a confirmation email to the billing admin address on file.
Advanced Troubleshooting
If the standard steps above haven't resolved your Microsoft 365 Admin Center issue, it's time to go deeper. These techniques are what I reach for when something genuinely stumps the first pass of fixes.
Using PowerShell for Admin Center Tasks
Some operations are faster, more reliable, or simply impossible to do through the Admin Center UI. The Microsoft Graph PowerShell module is the modern way to manage Microsoft 365 at scale. Here are the commands I use most often:
# Install the Microsoft Graph module (run once)
Install-Module Microsoft.Graph -Scope CurrentUser
# Connect and authenticate
Connect-MgGraph -Scopes "User.ReadWrite.All","Group.ReadWrite.All","Directory.ReadWrite.All"
# Get all unlicensed users
Get-MgUser -All -Property DisplayName,AssignedLicenses,UserPrincipalName | Where-Object {$_.AssignedLicenses.Count -eq 0} | Select DisplayName,UserPrincipalName
# Bulk block sign-in for a list of terminated users
$users = @("user1@domain.com","user2@domain.com")
foreach ($user in $users) {
Update-MgUser -UserId $user -AccountEnabled:$false
}Event Viewer and Sign-In Logs
For sign-in failures and authentication issues, the Azure AD Sign-in logs are invaluable. In the Admin Center, go to Azure Active Directory (or navigate directly to entra.microsoft.com), then Monitoring > Sign-in logs. Filter by user and date range. Each failed sign-in entry has an error code and a failure reason string, these are far more useful than what the user sees on their screen. Common codes you'll encounter:
- AADSTS50076, MFA required but not satisfied; user needs to complete their MFA registration
- AADSTS53003, Conditional Access policy blocked the sign-in; check which policy triggered
- AADSTS70011, Invalid scope; usually an app registration issue, not a user issue
- AADSTS50055, Password expired; user needs a password reset before sign-in
Domain DNS Issues
If email isn't working after you added a custom domain, or you're getting "domain not verified" errors, the problem is almost always DNS. In the Admin Center, go to Settings > Domains, click your domain, and look at the DNS records tab. Microsoft shows you exactly which records need to exist, MX, CNAME, TXT, and SRV records, and shows a green checkmark or red X for each one. Any red X means that record is missing or misconfigured at your DNS registrar.
DNS propagation after you make a change can take up to 72 hours, but in practice most registrars propagate within 15–30 minutes. Use a tool like MXToolbox to verify DNS records are live before deciding something is broken.
Group Policy and Conditional Access in Enterprise Environments
For domain-joined devices in hybrid environments, conflicts between on-premises Group Policy Objects and Azure AD Conditional Access policies are a real source of Admin Center headaches. If users on domain-joined machines can't complete MFA registration, check whether there's a GPO restricting browser extensions or enforcing proxy settings that blocks the Microsoft authentication endpoint. The endpoint login.microsoftonline.com must be reachable from all clients without proxy interception.
There are a handful of situations where the right call is escalating directly rather than troubleshooting further yourself: tenant-level configuration issues that require Microsoft backend access (like stuck domain verifications that won't clear even after correct DNS), billing disputes where charges appear for licenses you cancelled, data loss scenarios involving deleted mailboxes or OneDrive files beyond the 30-day soft-delete window, and any situation where a security breach may have affected your admin credentials. You can reach Microsoft Support via the Admin Center itself, go to Support > New service request in the left nav. Having your tenant ID ready (found under Settings > Org settings > Organization profile) speeds up the support call significantly.
Prevention & Best Practices
The best Microsoft 365 Admin Center troubleshooting is the kind you never have to do. Here are the practices I recommend to every tenant I work with, they prevent the large majority of common issues before they ever become problems.
Keep at least two Global Admin accounts. This is the single most important operational practice. If your only Global Admin account gets compromised, locked, or lost, you can be permanently locked out of your tenant. Create a second Global Admin account with a strong password and an alternate email address, store the credentials securely (a password manager or sealed envelope in a physical safe), and test sign-in on it quarterly. This account should be used only for break-glass scenarios, not for day-to-day admin work.
Use the principle of least privilege for admin roles. The Microsoft 365 Admin Center has over a dozen scoped admin roles, User Administrator, Billing Administrator, Exchange Administrator, Teams Administrator, and more. Assign people only the role they need for their specific responsibilities. This limits the blast radius if any admin account gets compromised.
Review your Message Center weekly. Microsoft communicates planned changes, feature deprecations, and required admin actions through the Message Center under Health > Message Center. Reading it once a week takes about five minutes and means you're never surprised by a sudden feature change or a deadline you missed.
Audit your licensed users monthly. People leave organizations and their licenses often aren't reclaimed. Go to Users > Active users and sort by "Last sign-in" date. Any account that hasn't signed in for 90+ days is worth reviewing, it may be a departed employee, a service account no longer in use, or a security exposure.
Back up your DNS records before making changes. Every time you add a domain or modify DNS records through the Admin Center, screenshot or export the current DNS record list first. DNS mistakes can take down email and Teams for your entire org, and having the old values documented makes recovery much faster.
- Enable Security defaults or Conditional Access MFA today, it takes 5 minutes and blocks the vast majority of account compromises
- Set up at least one backup Global Admin account with a secure emergency password stored offline
- Turn on recurring billing notifications under Billing > Billing notifications so payment failures reach you immediately
- Reclaim licenses from inactive accounts monthly, 1 TB of OneDrive and a 50 GB mailbox sitting on a ghost account is both a cost and a security exposure
Frequently Asked Questions
Which Microsoft 365 for business plan should I choose for my small business?
The right plan depends on what your team actually needs day-to-day. If your employees work mostly in a web browser and don't need desktop Office apps installed locally, Microsoft 365 Business Basic is the most cost-effective option, it includes Teams, a 50 GB Exchange mailbox, and web versions of all the Office apps. If they need full desktop apps like Word and Excel installed on their machines, go with Business Standard. For any business handling sensitive data, customer financial information, or operating in a regulated industry, Microsoft 365 Business Premium is worth the extra cost purely for the advanced ransomware protection and device management features. Microsoft also has a free plan chooser tool at their Plans and pricing page that walks you through a short questionnaire and makes a recommendation based on your business size and needs.
How do I give someone admin access without making them a Global Admin?
Go to Users > Active users in the Admin Center, click the user's name, then go to the Roles tab and click Manage roles. You'll see a full list of available admin roles, User Administrator lets them manage user accounts and passwords, Billing Administrator handles subscriptions and payments, Exchange Administrator manages email settings, and so on. Select the role that matches what they actually need to do and save. They'll have access to only the relevant sections of the Admin Center, which protects your tenant if their account is ever compromised. Avoid assigning Global Admin unless someone genuinely needs unrestricted access to everything.
I added a user but they can't access any Microsoft 365 apps, what did I miss?
This almost always means a license wasn't assigned. Go to Users > Active users, click the user's name, and check the Licenses and apps tab. If it shows "Unlicensed" or has no checkboxes selected, that's the issue, select the appropriate license and save. Also check that your subscription still has available license seats: go to Billing > Your products and look at the "Assigned / Available" count next to your plan. If all seats are taken, you'll need to either buy more licenses or reclaim one from an inactive user before you can assign a new one.
My Microsoft 365 subscription is showing a payment failure warning, how do I fix it before service is suspended?
Act fast, Microsoft typically gives a grace period before suspending service, but it's shorter than most people expect. Go to Billing > Payment methods in the Admin Center and check whether your card on file is expired, was reported lost/stolen, or has a billing address mismatch. Add an updated payment method, then go to Billing > Your products, click your subscription, and manually update it to use the new payment method, it won't auto-switch. After saving, you should see the status badge return to green within a few minutes. Microsoft will also send a confirmation email to the billing admin address confirming the payment processed.
How many devices can one Microsoft 365 license cover?
For plans that include desktop app installation, Microsoft 365 Apps for Business, Business Standard, and Business Premium, a single license covers five mobile devices, five tablets, and five PCs or Macs per user. That means one person can have Microsoft 365 apps installed on their work laptop, home computer, iPad, iPhone, and one more device of their choice under a single license. Microsoft 365 Business Basic doesn't include desktop app installations at all, it's web and mobile apps only. If a user exceeds the five-device limit on any category, they'll be prompted to deactivate an existing installation before activating a new one.
Can I try Microsoft 365 before committing to a paid subscription?
Yes, Microsoft offers a one-month free trial for Microsoft 365 for business plans. Go to the Microsoft 365 Plans and pricing page, choose the plan you want to test, and select the free trial option during sign-up. The trial gives you full access to everything in that plan for 30 days with no feature restrictions. One important thing to know: Microsoft automatically converts free trials to paid subscriptions at the end of the trial period unless you turn off recurring billing first. If you want to evaluate without any billing commitment, go to Billing > Your products immediately after starting the trial and toggle recurring billing off, you'll still have full access for the trial period, but you won't be charged automatically when it ends.