Active Users

The Active Users page is the primary user management interface inside a customer Hosted Organization. Users shown here may come from on-prem Active Directory (AD) and/or Azure AD (synced users). The Active Users list is the operational view used to manage user lifecycle, licensing, access posture, and related service features.


Page layout

The page consists of:

  • A primary action row (create/import/send/quota tools).
  • A global Actions menu for bulk operations.
  • Filtering controls (locations, view filters, search).
  • A users table with per-user indicators and quick actions.

Primary buttons

Create New User

Create New User starts the user creation flow for the Hosted Organization. Use this option when the user should be created directly in the organization scope (for example, a new employee account). The exact fields and follow-up steps depend on your environment configuration and identity provider rules.

Send Users List

Send Users List initiates sending/exporting the current user list via the platform’s supported delivery method (for example, generating and sending a list report). Use it when you need to share the current users inventory with another team, customer contact, or internal administrator.

Import Azure AD Users

Import Azure AD Users is used to bring Azure AD users into MSPControl’s Hosted Organization scope (or trigger the import workflow if they are not yet visible here). This is the entry point for environments where Azure AD is the source of truth (or where MSPControl synchronizes identities from Azure AD).

Quotas Usage

Quotas Usage opens a right-side modal that summarizes the current consumption of user-related quotas for this Hosted Organization (for example, total users, service-level user buckets, and other user types). This view is used for quick limit checks and license/plan enforcement verification.


Quotas Usage modal

When you click Quotas Usage, a panel opens on the right side of the screen. It lists quota categories with:

  • The current count for this Hosted Organization.
  • The allowed limit (for example, “of Unlimited”).
  • A breakdown note showing usage distribution (for example, “X in the Organization, Y in Others”).

Quota categories (configurable example)

  • Users – Total active users currently created in this Hosted Organization.
  • Total Office 365 Users Created in this Organization – Total number of users created/managed under the Office 365 scope for this organization.
  • Product Support Only, users – Users classified under the Product Support Only service level/type.
  • IT Support & Cybersecurity with Onsite, users – Users classified under this service level/type bucket.
  • IT Support & Cybersecurity, users – Users classified under this service level/type bucket.
  • IT Support & Cybersecurity – Frontline, users – Users classified under this service level/type bucket.
  • External Guest User, users – Users classified as external guest users.
  • Service Account, users – Users classified as service accounts (non-human or automation identities).
  • RDS Users – Users included in the RDS user bucket (used for RDS enablement/entitlements in environments where applicable).

Actions menu

The Actions dropdown (top-right of the page) is used for bulk operations on selected users. This menu applies changes across multiple users consistently (for example, security posture updates, licensing, and access enforcement).

Apply and Cancel

  • Apply – Executes the selected action for the currently selected user rows.
  • Cancel – Closes the actions dialog without applying changes.

Available actions

The actions list may be scrollable. The following actions are available in this UI:

  • Disable – Disables the selected user accounts.
  • Enable – Enables the selected user accounts.
  • Set Service Level – Assigns a service level classification to selected users (used for quota bucketing and policy behavior).
  • Set VIP – Marks selected users as VIP (often used for escalation rules and prioritization workflows).
  • Unset VIP – Removes VIP flag from selected users.
  • Send password reset By Sms – Initiates a password reset workflow via SMS (if supported/configured).
  • Send password reset By Email – Initiates a password reset workflow via email (if supported/configured).
  • Sync with Azure AD – Triggers synchronization for selected users with Azure AD (for hybrid/synced environments).
  • Unsync with Azure AD – Removes/halts Azure AD synchronization for selected users (where supported by your identity model).
  • Revoke All Sessions – Revokes active sessions for selected users (forces re-authentication).
  • Remove All Mobile Devices – Removes all mobile device associations for selected users (MDM-style cleanup in supported environments).
  • Remove From All Groups – Removes selected users from all groups (use cautiously, as it may remove access and permissions broadly).
  • Assign O365 License – Assigns an Office 365 license to selected users.
  • Change O365 Licenses – Modifies the Office 365 license assignment for selected users.
  • Change O365 Service Plans – Updates Office 365 service plan toggles for selected users (plan-level controls within a license).
  • Set Location – Assigns a location value to selected users (used with location-based policies and filtering).
  • Enable Personal Folder – Enables a personal folder feature for selected users (feature behavior depends on your hosting/storage configuration).
  • Disable Personal Folder – Disables personal folder for selected users.
  • Cancel Pending Password Reset Req – Cancels a pending password reset request for selected users (when such a request is active).
  • Send Setup Instructions – Sends onboarding/setup instructions to selected users (delivery method depends on configuration).
  • Set UPN as Default Domain – Applies UPN default domain logic for selected users (identity-domain behavior depends on your directory configuration).
  • Set Risky Users – Flags selected users as risky (used for security workflows and heightened monitoring).
  • Unset Risky Users – Removes risky-user flag from selected users.
  • Send Verification Request – Sends a verification request to selected users (used to confirm identity/contact readiness depending on workflow).
  • Set Manager – Assigns a manager relationship for selected users (organizational metadata for workflows and reporting).

Filters and list controls

All Locations

All Locations is a dropdown filter that scopes the Active Users list by location. Use this when the Hosted Organization has multiple sites/branches and you need to manage users for a specific location only.

View filter

The All dropdown (view selector) controls the current list view. Depending on configuration, different views may represent saved filters, pre-defined user subsets, or scoped lists.

Search

The Search field filters the list as you type. Use it to quickly find users by display name, login, or email (depending on your environment’s search indexing rules).

Column Visibility

Column Visibility allows you to show/hide table columns. Use it to simplify the list during operational work (for example, focusing only on identity columns).

Page size

The page size selector (for example, 25) controls how many users are shown per page.


Users table

The main table lists all active users in the Hosted Organization. Each row includes identity fields, service classification indicators, and quick-access icons for services/features associated with the user.

Core identity columns

  • Selection checkbox – Select users for bulk actions.
  • Display Name – User’s display name as shown in MSPControl. A status/identity icon is displayed next to the name for quick recognition.
  • Login – The login identifier (commonly email-format UPN or mailbox-style identity, depending on configuration).
  • PrimaryEmail – The primary email address for the user. This column may also show classification badges (examples seen in the UI include Product Support Only, Service Account, and External Guest User).

Service and feature icons

On the right side of each row, MSPControl shows small icons representing services/features associated with the user. These icons are designed for fast visibility and expose additional details via hover tooltips.

  • Microsoft 365 / licensing icon – Hovering shows assigned license names and plans (for example, Microsoft 365 E5, Teams, Planner, Project, and other SKU/service plan names).
  • OneDrive icon – Hovering shows OneDrive usage (for example, “used X MB of Y GB, Z%”).
  • RDS icon – Indicates RDS-related status/association for the user (tooltip shows RDS).
  • Delete (trash) – Deletes the user (where permitted). Use cautiously due to identity and licensing impact.

Tip: Tooltips are the primary way to view full details for compact icons (especially licensing and storage usage) without opening a user details screen.


Create User

The Create User window is used to create a new user inside the Hosted Organization. It contains multiple expandable sections (for example, General, Device Profile, Address, Company Information, and more). Use the expand/collapse chevrons on the right side of each section header to show or hide blocks while you work.


Organization metadata

This top block defines organizational attributes used for classification, filtering, and service-level/quota logic.

  • Job Title – Defines the user’s job title. This field is split into two inputs:
    • Select from list – Pick an existing job title value.
    • Enter new value here – Add a new job title value if the required one does not exist yet.
  • Department – Defines the user’s department. This field is also split into two inputs:
    • Select from list – Pick an existing department value.
    • Enter new value here – Add a new department value if needed.
  • Organization Location – Assigns the user to an organization location (default shown as Default). This field is used with the All Locations filter on the Active Users page and may also drive location-based policy behavior.
  • Service Level – Assigns a service-level classification to the user (shown as <Select Service Level> until selected). This classification is referenced in Quotas Usage (service-level buckets) and can also be used by operational workflows.
    • The small button/icon to the right of the dropdown opens a helper/list view for selecting or reviewing service level entries (environment-dependent behavior).
  • VIP – Marks the user as VIP. VIP is used for prioritization workflows (for example, escalations, special handling rules, or visibility in reporting depending on your configuration).

General

The General section defines the user’s identity fields and email addresses.

  • First Name – User’s first/given name.
  • Middle Initial – Optional middle initial.
  • Last Name – User’s last/family name.
  • Display Name – The display name shown in MSPControl lists and UI (for example, the name shown in the Active Users table).
  • Primary E-mail Address – Primary email address for the user. This field is split into:
    • Local part (text input) – The part before @.
    • Domain selector (dropdown) – The domain part after @ (for example, virtuworks.com).
  • Alternate E-mail Address – Optional alternate email address (commonly used for a secondary mailbox or an additional contact method).
  • External E-mail Address – Optional external email address (commonly used for non-corporate contact, recovery, or guest/external scenarios depending on policy).

Password and security

This block defines how the user password is set and what password lifecycle controls apply.

  • Send Password Request – When enabled, the system sends a password-related request/flow instead of (or in addition to) manually setting the password during creation (exact behavior depends on your configured identity workflow).
  • Password – The initial password value for the account.
    • The eye icon reveals/hides the password.
  • Confirm Password – Must match the password value exactly.
    • The eye icon reveals/hides the confirm value.
  • Generate Password – Generates a strong password automatically. Use this to avoid weak manual passwords.

The following policy checkboxes control password lifecycle and operational handling:

  • Password Never Expires – Prevents password expiration for this user (use only when policy allows; commonly used for specific service accounts).
  • User must change password at next logon – Forces the user to set a new password on first sign-in.
  • Auto Renew Password – Enables automatic password renewal behavior for this account (environment-dependent implementation).
  • Save Password in Password Manager – Stores the password record in the system password manager feature (if enabled), allowing controlled access workflows.
  • Exclude from inactivity report – Excludes this user from inactivity-related reporting (useful for service accounts or special-purpose identities).
  • Exclude from Mailchimp syncing – Excludes this user from Mailchimp synchronization flows (if Mailchimp integration is used).
  • Two Factor Provider – Selects the two-factor provider for this user (shown as Email in the screenshot). This defines the 2FA delivery/validation method where supported.
  • New Azure AD user – When enabled, the user is treated as an Azure AD user creation/sync candidate (use in Azure AD integrated environments where the user should exist in Azure AD).
  • Schedule Activation – Enables scheduled activation behavior (used when accounts should be created now but activated later, depending on workflow configuration).

Device Profile

The Device Profile section controls device-profile behavior for the user.

  • Device Profile Override – Overrides the default device profile applied to this user (shown as None by default). Use this when a specific user requires a different device policy/profile than the organization standard.
  • The small button/icon on the right side of the field opens a helper/selection view (environment-dependent) to assist in choosing or reviewing device profile options.

Address

The Address section stores the user’s location and phone contact details.

  • Address – Multi-line address field (text area). The icon on the right provides a quick UI helper (environment-dependent).
  • City – City field. The icon on the right provides a quick UI helper (environment-dependent).
  • Country – Country dropdown (for example, “Select Country…”).
  • State – State/region field.
  • Zip – Postal code field.
  • Phone Number 1 – Primary phone number field with country code selector (flag + code) and a quick action icon on the right.
  • Extension – Optional phone extension for the phone number field(s).
  • Direct Phone – Direct phone number field (commonly used for desk phone DID).
  • Extension (Direct Phone) – Optional extension associated with the direct phone entry.
  • Mobile Phone – Mobile number field.
  • Fax – Fax number field (legacy contact method, where needed).

Company Information

The Company Information section defines internal organizational metadata used for reporting and organizational relationships.

  • Company – Company name field (pre-filled in the screenshot as VirtuWorks).
  • Office – Office field (used for office assignment metadata).
  • Manager – Manager relationship selector. Choose another user as this user’s manager for organizational structure workflows (also referenced by the Set Manager bulk action on the Active Users list).
  • Birth Date – Date picker field (format shown as mm/dd/yyyy).
  • Hire Date – Date picker field (format shown as mm/dd/yyyy).

Additional Contact Information

Additional Contact Information is an expandable section for extended user contact/profile data. Expand it when you need to capture non-standard contact attributes beyond the default Address and Company Information blocks.


Groups

The Groups section assigns the user to one or more groups.

  • Select… – Group selection field. Add the user to the appropriate groups so they inherit correct permissions and access to resources.

Cloud Folder

The Cloud Folder section configures personal/shared folder behavior for the user.

Personal Folder
  • No folder – Do not create a personal folder for this user.
  • Create new – Create a new personal folder for this user.
Shared Folders
  • Shared Folders – Shared folder selection field.
  • Permission level – Permission dropdown shown as Read-Only in the screenshot. Use this to control the user’s access level to the selected shared folders.

Rds Collections

The Rds Collections section assigns the user to one or more RDS collections (where RDS services are part of the Hosted Organization setup).

  • Select… – Choose which RDS collections the user should be associated with.

Applications

The Applications section is used to assign applications to the user (environment-dependent). This may represent published apps, assigned packages, or user-targeted application entitlements.

  • Select… – Application selector field used to choose an application before adding it.
  • Add – Adds the selected application to the user’s applications list.

The applications table shows assigned items:

  • Name – Application name.
  • Publisher – Application publisher/vendor.
  • Type – Application type/category.
  • Delete – Removes selected application assignments from the user (button below the table).

Setup Letters

The Setup Letters section controls onboarding communication for the new user.

  • Send New User Welcome Email – When enabled, MSPControl sends a welcome/onboarding email to the new user after creation (based on your configured templates).
  • Message / template input – A text field is available below the checkbox for custom content or template selection (behavior depends on your environment configuration).

Create

The Create button at the bottom of the window finalizes user creation using the provided values. Before clicking Create, verify:

  • identity fields (name + display name) are correct,
  • primary email is correct (local part + domain),
  • password options match your policy,
  • service level and location are set correctly (if used for quotas and workflows),
  • group membership and folder/app assignments are correct.

User Settings

After a user is created (or when you open an existing user from the Active Users list), MSPControl provides a multi-tab user profile where you can manage identity, security, licensing, storage, membership, and audit history. This section is intentionally comprehensive because Active Users can represent both AD and Azure AD synced identities within the Hosted Organization.



General tab

The General tab is the primary place to manage core identity fields, password handling, security actions, service classification, and basic profile/contact details. The tab is organized into multiple subsections. The order below matches the UI order shown in the navigation panel.


General Settings

The General Settings block contains the core account identity fields and password controls.

  • Login Name – The user’s login identifier. It is split into:
    • Local part – The text input (for example, asilverman).
    • Domain selector – Dropdown after the @ icon (for example, Virtuworks.Com). This commonly represents the UPN domain used for sign-in.
  • Update Azure AD UPN – Checkbox that enables updating the Azure AD UPN value for this user (only relevant for Azure AD connected/synced environments).
  • Update – Action link/button used to apply the UPN update when the checkbox is selected. Use this carefully because changing UPN affects sign-in identity and may impact downstream integrations.
  • Display Name – The user-friendly name shown throughout MSPControl (for example, in the Active Users list).
  • Thumbnail Photo – User profile photo area.
  • Delete – Removes the current thumbnail photo (if one is set).

This block also includes password controls and security actions:

  • Password – New password value. The eye icon reveals/hides the value.
  • Confirm Password – Must match the password value. The eye icon reveals/hides the value.
  • Generate Password – Generates a strong password.
  • Set Password – Applies the password defined in the Password and Confirm Password fields.
  • Send Password Reset Request – Triggers a password reset request workflow (delivery method and flow depend on your environment and identity provider).
  • Force Reset Password – Forces a password reset requirement for the user (commonly used when credentials may be compromised or during security resets).
  • Revoke Sessions – Revokes active sessions for the user, forcing re-authentication.
  • Remove Mobile Devices – Removes all mobile device associations for the user.
  • Remove From All Groups – Removes the user from all groups (use with extreme caution because it may remove access broadly).
  • Two-Factor Provider – Dropdown selecting the 2FA method for the user (example shown: SMS).
  • Password Expiration date – Shows when the password will expire.
  • Password Age – Shows how old the current password is (for example, 27 day(s)).
  • Alternate E-mail Address – Optional alternate email field (visible below the password metadata area).

Scheduled Actions

The Scheduled Actions block is used to schedule account state changes, such as disabling the user at a future date.

  • Scheduled Disable Date – Date picker for when the user should be disabled.
  • Schedule Disable – Schedules the disable operation using the selected date.

Contact Information

This section contains additional identity/contact fields and notes.

  • First Name – User’s first/given name.
  • Middle Initial – Optional middle initial.
  • Last Name – User’s last/family name.
  • External Email – External contact email address.
  • Notes – Free-text notes field for internal context about the user.
  • Home Phone – Optional home phone.
  • Pager – Optional pager field.
  • Web Page – Optional website field.
  • Birth Date – Date picker field.
  • Hire Date – Date picker field.

Service Level Information

This block controls the user’s service classification and VIP status. These values are used for quota categories and may also drive policy behavior in other modules.

  • Service Level – Dropdown selecting a service level classification (example shown: Product Support Only).
  • VIP – Checkbox to mark/unmark the user as VIP.

Company Information

This block stores organizational metadata about the user and is often used for reporting and structure.

  • Job Title – Job title value.
  • Company – Company name.
  • Department – Department value.
  • Office – Office value.
  • Manager – Manager assignment.

Location

The Location block assigns the user to an organization location, which is used for filtering and potentially for location-based policies.

  • Organization Location – Dropdown selecting the user’s assigned location (example: Virtuworks Main Office).

Address

This is a structured address and phone information block, commonly used for contact and operational context.

  • Street Address 1 – Primary street address line.
  • City – City.
  • Select Country – Country selector (required as indicated by the asterisk in the UI).
  • Region (State) – State/region selector.
  • Postal Code – ZIP/postal code.
  • Phone Number 1 – Primary phone number (with country code selector).
  • Extension – Extension for Phone Number 1.
  • Direct Phone – Direct phone number.
  • Extension – Extension for Direct Phone.
  • Mobile Phone – Mobile number.
  • Fax – Fax number.

Org User-to-Peer Binding

This section links the organization user to a Peer identity (a platform-level user object used by MSPControl for cross-module identity handling).

  • Please select a Peer – Dropdown to choose the peer object (example shows: Aaron Silverman (asilverman@virtuworks.com)).
  • Initiate New Peer Creation – Starts a guided process to create a new peer record and bind it to this org user.
  • Edit – Opens editing for the selected peer binding (where supported).
  • Unbind – Removes the link between the org user and the peer record.
  • Delete – Deletes the peer record (use with extreme caution, as it may affect other modules).

Device Profile

The Device Profile block allows overriding the default device profile policy for this user.

  • Device Profile Override – Dropdown to select a specific device profile override (example: None).

Custom Fields

The Custom Fields section is available for environments that extend user profiles with organization-specific fields. Expand and complete these values if your Hosted Organization uses custom attributes for automation, reporting, or integration mapping.


Save actions

At the bottom of the user profile page, MSPControl provides the following save controls:

  • Cancel – Discards changes made since the last save and returns you to the previous context.
  • Save Changes And Exit – Saves updates and exits the user profile page.
  • Save Changes – Saves updates and keeps you on the user profile page.

Microsoft 365 tab

The Microsoft 365 tab is used to manage the user’s Microsoft 365 / Entra ID linkage and to view or adjust license assignments. It contains two primary sections: General Settings (identity sync + license add) and Assigned Licenses (current licenses and their service plans).


General Settings

This section defines how the user is linked to Microsoft Entra ID (Azure AD) and provides a controlled way to add licenses.

  • Sync User with Microsoft Entra ID – When enabled, MSPControl treats this user as linked/synced with Microsoft Entra ID. This is required when you want the user’s licenses and cloud identity state to be managed through the Microsoft 365 integration.
  • Azure Object ID – The Entra ID Object ID for this user (GUID). This value uniquely identifies the user in Microsoft Entra ID.
    • Copy (clipboard icon) – Copies the Object ID to the clipboard for troubleshooting, support cases, or portal navigation.
    • Update – Applies the current Object ID / sync-related change. Use this after changing the Object ID value or when you need to re-apply the binding.
  • Microsoft Azure Management Portal – A quick link label that indicates where the Azure Object ID is referenced and verified (Entra ID user object in the Azure portal).
  • Licenses for Add – A dropdown used to select a license SKU to add to this user (shown as Select License until a value is chosen). Use this to assign an additional license on top of existing ones.

Assigned Licenses

This section shows all licenses currently assigned to the user. Licenses appear as separate blocks. Each block contains action buttons (for license-level operations) and a list of service plans/features that belong to that license.


License block actions

Each assigned license block can include some or all of the following buttons:

  • Remove – Removes the entire license from the user. This typically revokes access to all services included in that license.
  • Change – Opens a license change flow (for example, switching SKUs or adjusting which service plans are enabled/disabled under the license, depending on your integration rules).
  • External License – Indicates the license is managed externally (for example, outside MSPControl licensing automation). This may affect what can be changed from MSPControl.
  • Add-On – Adds an additional component/entitlement to the user (shown on some license types such as add-on style “Business Apps (free)” in the screenshot).

Service plans inside a license

Under each license, MSPControl shows the related service plans/features. These appear as checkboxes to indicate whether a specific service plan is enabled for the user under that license.

  • A checked plan means the service plan is enabled for this user under the license.
  • An unchecked plan means the plan is disabled for this user (or not selected / not enabled in that license scope).

Some service plans can also display usage context inline, for example:

  • OneDrive / SharePoint usage indicator – A small bar and text line showing consumed storage and remaining capacity (example shown: “OneDrive usage … of … MB, available … MB”). This is informational and helps validate consumption for the licensed service.

Expandable examples of license contents

You do not need to review every individual service plan entry in the UI during routine work. Use the expandable summaries below as a reference for what the license blocks typically contain.

Example: MICROSOFT_365_COPILOT (service plan checklist)
  • Microsoft Viva Insights Backend
  • Copilot Studio in Copilot for M365
  • Graph Connectors in Microsoft 365 Copilot
  • Microsoft 365 Copilot in Productivity Apps
  • Microsoft Copilot with Graph-grounded Chat
  • Microsoft Viva Insights
  • Microsoft 365 Copilot for SharePoint
  • Power Platform Connectors in Microsoft 365 Copilot
  • Microsoft 365 Copilot in Microsoft Teams
  • Intelligent Search
Example: MICROSOFT 365 E5 (NO TEAMS) (EXTERNAL) (service plan checklist)
  • INSIGHTS_BY_MYANALYTICS
  • MICROSOFT_MYANALYTICS_FULL
  • Windows Autopatch / Windows Update for Business Deployment Service
  • Defender / Cloud App Security related plans
  • Exchange Online / Information Protection / Compliance related plans
  • SharePoint and OneDrive-related plans (may show usage inline)
  • Microsoft Search / Planner / To-do and other collaboration services
Example: BUSINESS APPS (FREE) (EXTERNAL) (service plan checklist)
  • Microsoft Invoicing
  • Microsoft Bookings
Example: MICROSOFT TEAMS ENTERPRISE / PREMIUM (EXTERNAL) (service plan checklist)
  • Microsoft Teams
  • Immersive Spaces for Teams
  • OneDrive for Business (may show usage inline)
  • Microsoft Teams Premium features (queues, webinars, secure, intelligent, virtual appointments, etc.)

Exit

At the bottom of the Microsoft 365 tab, the Exit button closes the current user view and returns you to the previous context. Use this after reviewing assigned licenses or making changes through the available license actions.


Entra ID Roles tab

The Entra ID Roles tab is used to manage Microsoft Entra ID (Azure AD) role assignments for the selected user. It supports both Eligible assignments and Active assignments, a split commonly used in environments that implement just-in-time role activation (role eligibility versus currently active role membership).


Tab navigation

The tab contains two sub-tabs at the top:

  • Eligible assignments – Shows roles the user is eligible to activate (time-bound or policy-controlled eligibility).
  • Active assignments – Shows roles that are currently active for the user (effective privileges right now).

Eligible assignments

The Eligible assignments view lists eligible role entries for the user and provides controls to create new eligible role assignments.

Actions
  • Add Eligible Assignment – Opens the Role Assignment modal to create a new eligible role assignment.
  • Column Visibility – Controls which columns are shown in the eligible assignments table.
  • Exit – Leaves the Entra ID Roles tab and returns to the previous context.
Table columns
  • Role – The Entra ID role name.
  • User Principal Name – The user’s UPN identity the role applies to.
  • Start Time – When the eligibility starts.
  • End Time – When the eligibility expires (unless permanently assigned).

While data loads, the table may show a Loading… state.


Active assignments

The Active assignments view lists currently active role assignments for the user and provides controls to create new active role assignments.

Actions
  • Add Active Assignment – Opens the Role Assignment modal to create a new active role assignment.
  • Column Visibility – Controls which columns are shown in the active assignments table.
  • Exit – Leaves the Entra ID Roles tab and returns to the previous context.

Table columns
  • Role – The Entra ID role name.
  • User Principal Name – The user’s UPN identity the role applies to.
  • Start Time – When the active assignment begins.
  • End Time – When the active assignment expires (unless permanently assigned).

While data loads, the table may show a Loading… state.


Role Assignment modal

Clicking Add Eligible Assignment or Add Active Assignment opens the Role Assignment modal. This modal configures the assignment type, role, timing, and (for active assignments) justification.

Fields
  • Assignment type – Dropdown that determines whether you are creating an Eligible assignment or an Active assignment. The modal reflects the source you opened it from, but it can be changed where permitted.
  • Role – Dropdown to select the Entra ID role to assign (shown as Select item until chosen).
  • Start time – Date/time when the assignment begins. Includes a calendar picker icon.
  • Permanently assigned – Checkbox indicating the assignment should not expire. When enabled, the end time is treated as not applicable (behavior may vary by implementation).
  • End time – Date/time when the assignment ends. Includes a calendar picker icon.

Justification (Active assignments)

When creating an Active assignment, the modal includes a Justification text area. Use it to document why elevated access is required (for example, emergency admin work, configuration changes, incident response). This supports auditability and aligns with least-privilege practices.


Modal actions
  • Create Assignment – Creates the selected assignment with the configured type, role, and timing.
  • Cancel – Closes the modal without creating the assignment.
  • Close (X) – Closes the modal window.
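
The checks below are an added example, not MSPControl code: they apply the time-bound and justified-access guidance to the Role Assignment modal's fields before an assignment is created. The dictionary keys, the duration limits and the sample assignments are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumption: local policy values chosen for this example, not product defaults.
MAX_ACTIVE = timedelta(hours=8)      # longest acceptable active window
MAX_ELIGIBLE = timedelta(days=180)   # longest acceptable eligibility window


def check_assignment(a):
    """Return a list of findings for one Role Assignment modal submission.

    `a` mirrors the modal fields: type ('Eligible' or 'Active'), role, start,
    end, permanent (the 'Permanently assigned' checkbox) and justification.
    """
    findings = []
    kind, start, end = a["type"], a["start"], a.get("end")
    permanent = a.get("permanent", False)

    # The end time may or may not be ignored when the checkbox is set,
    # so a submission carrying both is ambiguous and worth confirming.
    if permanent and end is not None:
        findings.append("permanent is checked but an end time is also set; "
                        "confirm which one the platform applies")
    if permanent and kind == "Active":
        findings.append("permanent active assignment: standing privilege")
    if not permanent:
        if end is None:
            findings.append("no end time and not marked permanent")
        elif end <= start:
            findings.append("end time is not after start time")
        else:
            limit = MAX_ACTIVE if kind == "Active" else MAX_ELIGIBLE
            if end - start > limit:
                findings.append(f"{kind.lower()} window {end - start} exceeds {limit}")
    # Justification is only collected for Active assignments.
    if kind == "Active" and not (a.get("justification") or "").strip():
        findings.append("active assignment without justification")
    return findings


def review(assignments):
    """Return (role, findings) pairs for every assignment that has findings."""
    results = []
    for a in assignments:
        findings = check_assignment(a)
        if findings:
            results.append((a["role"], findings))
    return results


# Constructed sample input.
T0 = datetime(2024, 6, 3, 9, 0)
SAMPLE = [
    {"type": "Eligible", "role": "User Administrator",
     "start": T0, "end": T0 + timedelta(days=90)},
    {"type": "Active", "role": "Exchange Administrator",
     "start": T0, "end": T0 + timedelta(hours=4),
     "justification": "Incident response: mailbox rule cleanup"},
    {"type": "Active", "role": "Global Administrator",
     "start": T0, "permanent": True, "justification": ""},
    {"type": "Active", "role": "Helpdesk Administrator",
     "start": T0, "end": T0 + timedelta(days=30),
     "justification": "Configuration changes"},
    {"type": "Eligible", "role": "Security Reader",
     "start": T0, "end": T0 - timedelta(days=1)},
]

if __name__ == "__main__":
    for role, findings in review(SAMPLE):
        for finding in findings:
            print(f"{role}: {finding}")
```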

OneDrive tab

The OneDrive tab is used to manage ownership access for the user’s OneDrive. This is typically used during offboarding, account recovery, or administrative continuity scenarios, where additional owners must be granted access to the user’s OneDrive content.


OneDrive Owners

The OneDrive Owners section allows you to add or remove owners for the user’s OneDrive.

  • Select new Owners – Dropdown selector used to choose a user to be added as an additional OneDrive owner (shown as Select item until chosen).
  • Add – Adds the selected user as a OneDrive owner.

After adding an owner, they appear in the Owners list below.


Owners list

The Owners list shows current OneDrive owners for the user.

  • Display Name – The owner’s display name.
  • User Principal Name – The owner’s login identity (UPN / email).
  • Delete – Removes the selected owner from the OneDrive owners list.

Exit

The Exit button closes the OneDrive tab view and returns you to the previous context.


Cloud Folders tab

The Cloud Folders tab is used to manage user folder provisioning and bindings. It typically controls whether a user has a personal folder, how it is created or linked, and how quota enforcement is applied. This tab is commonly used during onboarding (create a personal folder), migrations (bind to an existing folder), or operational updates (adjust quotas and drive letters).


Sub-tabs

The Cloud Folders tab contains two sub-tabs:

  • Personal Folder – Create, bind, or keep the user’s personal folder unchanged.
  • Shared Folders – Manage access to shared folders (covered later when we continue this tab).

Personal Folder

The Personal Folder sub-tab provides three mutually exclusive options that define what MSPControl should do with the user’s personal folder.

  • No Change – Leaves the current personal folder configuration unchanged. Use this when you are reviewing settings or making changes unrelated to folder provisioning.
  • Create New – Creates a new personal folder for the user. Selecting this option reveals additional configuration fields.
  • Use Existing – Binds the user to an existing folder. Selecting this option reveals a binding selector.

Create New (personal folder)

When you select Create New, MSPControl displays configuration fields that define the new folder’s quota settings and how it will be presented to the user.

  • Limit Size – Maximum size allowed for the personal folder (example shown: 10.00). The unit depends on your hosting configuration (commonly GB).
  • Drive Letter – Select the drive letter used to map the personal folder for the user (example shown: U:). This is commonly used in RDS/VDI environments where folders are mapped as drives.
  • Quota Type – Defines how quota enforcement works:
    • Soft – Allows exceeding the quota while tracking/flagging overage (behavior depends on platform implementation).
    • Hard – Prevents exceeding the quota by enforcing a strict limit.

Use Existing (bind to existing folder)

When you select Use Existing, MSPControl allows you to bind this user to a folder that already exists in the environment. This is typically used during migrations, rebuilds, or when recreating users while retaining previous storage.

  • Bind to Existing Folder – Dropdown selector used to choose the existing folder that should be linked to this user.

Save actions

The Cloud Folders tab provides two save actions in the bottom-right corner of the page.

  • Save Changes – Saves the current configuration and keeps you on the Cloud Folders tab.
  • Save Changes And Exit – Saves the configuration and exits the current view (returns to the previous context).

RDS Collections tab

The RDS Collections tab is used to assign the user to one or more Remote Desktop Services (RDS) collections. This controls which RDS environments or published desktop/application collections the user can access (depending on how your Hosted Organization is configured).


Add user to an RDS collection

Use this flow to add the user to an additional collection.

  • Collection selector – Dropdown at the top of the page (shown as Select) used to choose the RDS collection you want to assign to the user.
  • Add – Adds the selected collection to the user’s assigned collections list.

Assigned collections list

The table shows which RDS collections are currently assigned to the user.

  • Select checkbox – Select one or more rows for bulk removal.
  • Collection Name – The name of the assigned RDS collection (example shown: Virtuworks-RDSTECH).
  • Delete (trash icon) – Removes the user from the selected collection (row-level delete).
  • Delete Selected – Bulk removal action that deletes the assignments for all selected rows.

Save actions

After modifying the user’s RDS collection assignments, use one of the save buttons in the bottom-right corner:

  • Save Changes – Saves updates and keeps you on the RDS Collections tab.
  • Save Changes And Exit – Saves updates and exits the current user view (returns to the previous context).

Setup tab

The Setup tab is used to send onboarding/setup instructions to the user via email. It provides a simple “send” interface with recipient fields and an email preview, so you can confirm the content before delivery.


Send via E-mail

The main section on this tab is Send via E-mail. Use it when you need to deliver setup instructions or onboarding information to the user (for example, first login steps, password setup, or general getting-started guidance).

  • To – Primary recipient email address. This is where the setup message will be sent.
  • CC – Optional carbon-copy recipients. Use this to include additional recipients (for example, a manager or onboarding coordinator) when appropriate.
  • Send – Sends the email using the currently shown content in the preview.

E-Mail Preview

The E-Mail Preview pane shows the email content exactly as it will be sent. Review the preview before sending to confirm:

  • the recipient address is correct,
  • the message content is appropriate for the user,
  • any embedded links (for example, password reset links) are present and visible.

The preview area is scrollable, allowing you to inspect the full message body before sending.


Member Of tab

The Member Of tab is used to manage the user’s group memberships. It provides a simple way to add the user to a group and remove the user from one or more groups. This is commonly used for access control, mailbox/distribution behavior, and policy targeting.


Add group membership

Use the controls at the top of the page to add the user to a new group.

  • Select – Dropdown used to pick a group to add the user to (shown as Select until chosen).
  • Add – Adds the selected group membership to the user.

Group memberships list

The table lists all groups the user is currently a member of.

  • Select checkbox – Select one or more group rows for bulk removal.
  • Display Name – The group’s display name (friendly name shown to admins).
  • E-mail Address – The group email address (where applicable, typically for distribution lists and mail-enabled groups).
  • Type – The group type (examples in the UI include OnlineDistributionList and SecurityGroup).
  • Delete (trash icon) – Removes the user from that specific group membership (row-level remove).

Delete

The Delete action at the top-right of the table is used for removing membership from selected groups.

  • Delete – Removes the user from all groups selected via the checkbox column.

Important: Removing group membership may immediately remove access to resources or stop the user from receiving group emails, depending on how the group is used in your environment.


Archives tab

The Archives tab is used to generate and manage exported mailbox archive files for the user. It provides a workflow to archive the user’s online mailbox to a PST file and then view the resulting archive records in a table.


Archive Online Mailbox To PST

The main action on this page is Archive Online Mailbox To PST. Use it when you need a portable mailbox export for retention, legal hold workflows, investigation support, or offboarding.

  • Archive Online Mailbox To PST – Starts the archive/export process for the user’s online mailbox.

Filters and controls
  • All – View selector used for filtering the archive list (depends on your UI configuration).
  • Search – Filters archive records by name or other visible fields.
  • Column Visibility – Controls which columns are displayed in the archives list.
  • Page size – Controls the number of records shown per page (example shown: 25).

Archives list

The archives table shows PST exports created for this user. If no exports exist yet, the page displays an empty state (for example, No Records Yet).

Columns
  • Name – Archive file name or record name.
  • Date – When the archive was created.
  • Size – Archive file size.

Exit

The Exit button closes the Archives tab view and returns you to the previous context.


Notes tab

The Notes tab is used to store free-form notes linked to the user. Notes are typically used for operational context (onboarding details, exception justifications, security remarks) and can be scoped with tags and optional authorization requirements.


Primary actions
  • Add Note – Opens the Create Note dialog to create a new user note.

Filters and controls
  • All – View selector used for filtering the notes list (depends on your UI configuration).
  • Search – Filters notes by content and/or visible fields depending on indexing rules.
  • Column Visibility – Controls which columns are displayed in the notes table.
  • Page size – Controls how many notes are shown per page (example shown: 25).

Notes list

The table displays notes created for the user. If no notes exist, the page shows an empty state (for example, No records…).

Columns
  • Note – The note content or preview text.
  • Tags – Tag context associated with the note.
  • Created Date – Date/time when the note was created.
  • Updated Date – Date/time when the note was last modified.
  • Requires Authorization – Indicates whether authorization is required to access the note.
  • Actions – Row actions (for example, edit/delete depending on configuration).

Create Note dialog

Clicking Add Note opens the Create Note dialog. Use this dialog to write the note content, apply tags, and optionally require authorization before the note can be accessed.

Note editor

The Note field uses a rich-text editor. It supports basic formatting and structured content (for example, bold/italic/underline, alignment, lists, links, and format blocks).


Tags

Tags scope the note to the relevant context and make it easier to filter and control access.

  • Users Tags – Associates the note with specific users.
  • Locations Tags – Associates the note with one or more locations.
  • Devices Tags – Associates the note with one or more devices.
  • Assets Tags – Associates the note with one or more assets.

Authorization
  • Requires Authorization – When enabled, additional authorization is required to access/view the note (exact workflow depends on your security configuration).

Dialog actions
  • OK – Saves the note and links it to the user.
  • Cancel – Closes the dialog without saving.
  • Close (X) – Closes the dialog window.

Photos tab

The Photos tab is used to store and organize user-related images in albums. Albums help keep photos grouped by purpose (for example, ID photos, onboarding screenshots, device photos, or other user-related evidence). Each album tile shows a cover preview and a Photos: X counter indicating how many images are stored in that album.


Add Album

Click Add Album to create a new album for the user. Albums act as containers for photos and can also be protected with authorization if required by your security policy.

  • Add Album – Opens the album creation flow (album details are confirmed via a dialog).


Album grid

The main area displays albums as tiles. Each tile includes:

  • Album cover preview – A thumbnail preview (or placeholder if the album has no images).
  • Album name – The label shown under the tile (for example, Assets, Infrastructure).
  • Photos counter – A badge showing how many photos are inside the album (for example, Photos: 2).

Edit Album dialog

When editing an album, MSPControl shows an Edit Album dialog. This dialog is used to set the album name and (optionally) enforce authorization requirements.

  • Album name – Sets or updates the album title displayed in the album grid.
  • Requires Authorization – When enabled, access to the album and its photos requires authorization (workflow depends on your security configuration).

Dialog actions
  • OK – Saves the album changes.
  • Cancel – Closes the dialog without saving.
  • Close (X) – Closes the dialog window.

Passwords tab

The Passwords tab is used to store and manage credentials linked to the user. This may include local device passwords, application credentials, service logins, or MFA secrets. Entries can be scoped using tags and optionally protected by an authorization workflow.


Primary actions
  • Add Password – Opens the Create Password dialog to create a new password entry for this user.


Filters and controls
  • All – View selector used for filtering the list (depends on your UI configuration).
  • Search – Filters password entries by description and/or visible fields.
  • Column Visibility – Controls which columns are displayed in the passwords table.
  • Page size – Controls how many entries are shown per page (example shown: 25).

Passwords list

The table lists all password entries stored for the user.

Columns
  • Description – A human-readable label describing what the password is for (for example, a device name + account type).
  • Tags – Tags applied to the password entry (example shown as a user tag badge).
  • Created Date – Date/time when the password entry was created.
  • Updated Date – Date/time when the password entry was last modified.
  • Requires Authorization – Indicates whether authorization is required to view/access this password entry.
  • Actions – Row-level actions for managing the entry (for example, edit, disable/revoke, delete depending on configuration).

Create Password dialog

Clicking Add Password opens the Create Password dialog. This dialog is used to define the secret value(s), apply tags, and configure access controls.

Fields
  • Description – Short label describing the credential (use a clear naming convention, such as <Device> – <Account>).
  • Password – The secret value. The dialog provides:
    • Copy – Copies the password value.
    • Show – Reveals/hides the password value.
    • Generate Password – Generates a strong password automatically.
  • MFA Secret – Optional field for storing an MFA/TOTP secret associated with this credential. Provides:
    • Copy – Copies the MFA secret value.
    • Show – Reveals/hides the MFA secret value.

Tags

Tags scope the password entry to relevant context and can be used to filter and enforce access rules.

  • Users Tags – Associates the password entry with selected users.
  • Locations Tags – Associates it with one or more locations.
  • Devices Tags – Associates it with one or more devices.
  • Assets Tags – Associates it with one or more assets.

Access controls
  • Requires Authorization – When enabled, users must go through an authorization workflow before the credential can be revealed.
  • Notify on Access – When enabled, the system generates a notification/audit signal whenever the credential is accessed, improving accountability for privileged secrets.

Dialog actions
  • OK – Saves the password entry.
  • Cancel – Closes the dialog without saving.
  • Close (X) – Closes the dialog window.

Documents tab

The Documents tab is used to store and manage files linked to the user. Documents can be tagged for filtering and can be associated with assets, users, locations, and devices to keep operational documentation searchable and properly scoped.


Filtering and list controls

The top filter area is used to narrow down the document list.

  • Name – Text filter to search documents by file name.
  • Select Assets… – Filters documents by associated asset tags/links.
  • Select Users… – Filters documents by user tags/links.
  • Select Locations… – Filters documents by location tags/links.
  • Select Devices… – Filters documents by device tags/links.
  • Reload – Refreshes the document list using the current filter values.
  • Actions – Dropdown for bulk operations on selected documents (used together with Apply).
  • Apply – Executes the selected bulk action on all checked document rows. (This button may remain disabled until at least one row is selected and an action is chosen.)

Documents list

The documents table shows all files currently linked to the user. If no documents exist, the table shows an empty state (for example, No records…).

Columns
  • Select checkbox – Select one or more documents for bulk actions.
  • Name – Document file name.
  • Tags – Tags associated with the document (assets/users/locations/devices).
  • Created – Date/time when the document was uploaded/created.
  • Modified – Date/time when the document was last modified.
  • Size – File size.
  • Column Visibility – Allows showing/hiding table columns to match your workflow.
  • Page size – Controls the number of rows displayed per page (example shown: 25).

Uploading documents

The lower section of the page contains a document upload panel.

  • Drag & Drop – Drop one or more files into the upload area to attach them to the user.
  • Click to choose file(s) – Click the upload area to open the file picker and select files manually.

Uploaded files become visible in the documents table above and can then be tagged and managed using the available filters and actions.


Bot tab

The Bot tab shows the status and activity history for the MSPControl bot integration used by the user (VirtuBot). It is primarily used to verify whether the bot is installed for the user, control a small set of bot-related flags, and review bot message history within a selected time range.


Bot status and flags

The upper block provides installation and version visibility, plus user-level flags that affect bot behavior.

  • Bot installed – Indicates whether the bot is installed for this user. The UI displays a status badge (example shown: True).
  • Version – Shows the installed bot version for this user (example shown: 1.0.20).
  • Is Admin – Marks the user as a bot admin (enables elevated bot capabilities for this user where supported).
  • Is Debug Enabled – Enables additional debugging behavior for this user’s bot interaction (useful when investigating bot issues or validating workflows).
  • Save – Saves changes to the bot flags.

Bot History

The Bot History section is used to review bot-related messages and events for this user. If no history exists for the chosen date range, the table shows an empty state (for example, No records…).


Filters
  • Date From – Start date for the history query. Includes a calendar picker icon.
  • Date To – End date for the history query. Includes a calendar picker icon.
  • Search – Text search field to filter results by message content or other visible fields (depending on indexing rules).
  • Export Log – Exports the currently filtered bot history as a log file for offline review or support/troubleshooting.
  • Display Records – Runs the query using the current filters and displays matching history records in the table below.

History table

The table lists bot interactions for the user.

  • User Message – The message content sent by the user to the bot.
  • Bot Message – The bot response content.
  • Details – Additional event context (for example, action type, processing notes, or system metadata depending on configuration).
  • Message Date – Timestamp when the message/event was recorded.
  • Column Visibility – Shows/hides columns in the bot history table.
  • Page size – Controls the number of rows displayed per page (example shown: 25).

Audit Log tab

The Audit Log tab provides a chronological record of actions performed on the user account. It is used for traceability, troubleshooting, accountability, and compliance review. Each row shows who performed the action, what happened, and when it happened.


Audit log table

The table lists recorded actions related to the user profile and account lifecycle.

  • User – The actor who performed the action. The value is displayed in a combined format that may include:
    • login/username
    • display name / full name
    • organization name

    For example, entries may appear like asilverman / Aaron Silverman / Virtuworks or serveradmin / Enterprise Administrator / Virtuworks.

  • Scheduler – Indicates whether the action was performed by a scheduled/automated process. In the screenshot, values are shown as No, meaning the action was not triggered by the scheduler.
  • Message – Description of the action that occurred (for example, Password changed or User general settings updated).
  • Action Date – The exact date and time when the action was recorded.

Column and page controls
  • Column Visibility – Allows showing or hiding columns in the audit log table to match your review needs.
  • Page size – Controls the number of rows displayed per page (example shown: 25).

How to use the Audit Log
  • Use Message to quickly identify the type of change that occurred.
  • Use User to determine whether the action was performed by the account owner, another administrator, or a privileged/system-level actor.
  • Use Scheduler to distinguish manual actions from scheduled automation.
  • Use Action Date to reconstruct the timeline of changes during troubleshooting or security review.
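
The review steps above, as an added example that is not part of MSPControl: it assumes the four Audit Log columns have been copied into CSV text and that the reviewer supplies the account owner's login. The timestamp format and the sample rows are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Assumption: timestamp layout of the copied rows; adjust to what your UI shows.
DATE_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample rows using the table's columns and combined User format.
SAMPLE_CSV = """User,Scheduler,Message,Action Date
asilverman / Aaron Silverman / Virtuworks,No,User general settings updated,2024-05-02 09:14:00
serveradmin / Enterprise Administrator / Virtuworks,No,Password changed,2024-05-02 22:41:10
serveradmin / Enterprise Administrator / Virtuworks,No,User general settings updated,2024-05-02 22:43:55
serveradmin / Enterprise Administrator / Virtuworks,Yes,User general settings updated,2024-05-06 01:00:00
asilverman / Aaron Silverman / Virtuworks,No,Password changed,2024-05-10 08:02:31
"""


def parse_actor(value):
    """Split 'login / display name / organization'; any part may be missing."""
    parts = [p.strip() for p in value.split(" / ", 2)]
    parts += [""] * (3 - len(parts))
    return {"login": parts[0], "display_name": parts[1], "organization": parts[2]}


def load_rows(text):
    """Parse the CSV text into rows sorted by Action Date, oldest first."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            "actor": parse_actor(rec["User"]),
            "scheduled": rec["Scheduler"].strip().lower() == "yes",
            "message": rec["Message"].strip(),
            "when": datetime.strptime(rec["Action Date"].strip(), DATE_FORMAT),
        })
    return sorted(rows, key=lambda r: r["when"])


def classify(row, owner_login):
    """Who acted: the scheduler, the account owner, or another actor."""
    if row["scheduled"]:
        return "scheduler"
    if row["actor"]["login"].lower() == owner_login.lower():
        return "owner"
    return "other"


def review(rows, owner_login, message="Password changed",
           window=timedelta(minutes=30)):
    """For each manual `message` event by someone other than the owner, collect
    what the same actor did to this account within `window` afterwards."""
    findings = []
    for i, row in enumerate(rows):
        if row["message"] != message or classify(row, owner_login) != "other":
            continue
        followups = [
            r for r in rows[i + 1:]
            if r["when"] - row["when"] <= window
            and r["actor"]["login"] == row["actor"]["login"]
            and not r["scheduled"]
        ]
        findings.append({"event": row, "followups": followups})
    return findings


if __name__ == "__main__":
    for f in review(load_rows(SAMPLE_CSV), owner_login="asilverman"):
        e = f["event"]
        print(f'{e["when"]}  {e["message"]} by {e["actor"]["login"]} '
              f'({e["actor"]["display_name"]})')
        for r in f["followups"]:
            print(f'    +{r["when"] - e["when"]}  {r["message"]}')
```

A password change by another administrator is often a routine helpdesk reset; the output is a short list to confirm against tickets, not a verdict.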

Entra ID Authentication Methods tab

The Entra ID Authentication Methods tab is used to review and manage the authentication methods registered for the user in Microsoft Entra ID. This is commonly used during MFA onboarding, recovery, device cleanup, and security troubleshooting.


Primary actions
  • Add Authentication Method – Starts the flow to add a new authentication method for the user.
  • Re-Register MFA – Forces the user to re-register MFA methods. Use this when MFA enrollment must be reset, for example after device replacement or security remediation.
  • Revoke MFA Sessions – Revokes active MFA sessions for the user, forcing fresh MFA verification on next sign-in.

Filters and controls
  • All – View selector used to filter the methods list.
  • Search – Filters authentication methods by method type or visible details.
  • Column Visibility – Controls which columns are displayed in the table.
  • Page size – Controls how many rows are shown per page (example shown: 25).

Authentication methods table

The table lists all currently registered Entra ID authentication methods for the user.

Columns
  • Authentication Method – The registered method type (for example, Phone or Windows Hello for Business).
  • Details – Method-specific details shown inline in the table.
  • Delete (trash icon) – Removes the selected authentication method registration from the user.

Method details

The Details column changes depending on the authentication method type.

  • Phone – Displays details such as:
    • Phone number – The registered phone number.
    • Phone type – The phone category (for example, Mobile).
    • SMS Sign-In State – Status of SMS sign-in availability/policy (example shown: NotAllowedByPolicy).
  • Windows Hello for Business – Displays device-related details such as:
    • Display name – Device display name (for example, VW-STUDIO-DELL, VW-WK-PC11A).
    • Model – Device model (if populated in Entra ID).

Delete method

Use the Delete icon on a row to remove that specific authentication method from the user. This is commonly used when:

  • a phone number is outdated,
  • a Windows Hello device is no longer used,
  • a stale or incorrect MFA method must be removed before re-registration.

Important: Removing authentication methods may prevent the user from completing MFA until a new method is registered.


App Deployments tab

The App Deployments tab is used to assign deployable applications/packages to the user. This is typically used when the Hosted Organization delivers applications through the Agent and the user must be explicitly targeted for a package.


Add deployment

Use the selector at the top of the section to choose an application/package and assign it to the user.

  • Select… – Dropdown used to choose the application/package to deploy to the user.
  • Add – Adds the selected application/package to the deployment list for this user.

Deployment list

The table shows all applications currently assigned to the user through this deployment mechanism. If no applications are assigned, the table shows an empty state (for example, No records…).

Columns
  • Select checkbox – Select one or more assigned application rows for removal.
  • Name – Application/package name.
  • Publisher – Vendor or publisher of the application.
  • Type – Application/package type or category.

Delete

The Delete button removes selected application assignments from the user.

  • Delete – Deletes all selected deployment assignments from the list.

Save actions

After making changes to the deployment assignments, use one of the save buttons in the bottom-right corner:

  • Save Changes – Saves updates and keeps you on the App Deployments tab.
  • Save Changes And Exit – Saves updates and exits the current user view.

Best Practices

  • Keep identity data consistent – Make sure Login Name, Display Name, Primary Email, and company/contact fields follow a consistent naming standard across the Hosted Organization.
  • Use service levels intentionally – Service level values affect quotas, reporting, and operational grouping. Assign them deliberately and review them periodically.
  • Prefer least privilege – Add users only to the groups, RDS collections, applications, and Entra ID roles they actually need.
  • Treat elevated access as temporary – For Entra ID roles, prefer time-bound and justified assignments where possible instead of broad permanent access.
  • Use dedicated secrets and enforce authorization – In the Passwords tab, store credentials with clear descriptions, tag them properly, and enable Requires Authorization for sensitive entries.
  • Protect traceability – Use Notes, Documents, and the Audit Log to preserve context around important changes, exceptions, and security events.
  • Review Microsoft 365 licensing regularly – Remove unused licenses, verify enabled service plans, and watch for duplicate or inconsistent plan presentation in the UI.
  • Use MFA and authentication cleanup proactively – Re-register MFA, revoke sessions, and remove stale authentication methods when users change devices or after suspected compromise.
  • Be careful with destructive actions – Actions such as Delete User, Remove From All Groups, Delete authentication methods, and Delete app assignments can affect access immediately.
  • Validate onboarding and offboarding end to end – When creating or changing users, check related tabs such as Microsoft 365, Cloud Folders, RDS Collections, Setup, and Member Of so no dependency is missed.