👥 Recipe · User & Group Management

Create a New Entra ID User and Email Temporary Credentials

Provision an unlicensed Entra ID account with a secure temporary password and deliver the credentials to a designated recipient

Complexity

Beginner

Impact

onboarding + identity + user-lifecycle + credentials

Context

Why This Matters

Why this recipe exists

New-hire and contractor onboarding frequently requires a bare Entra ID identity before licensing, group membership, or manager assignment is finalized. A common pattern is to create an enabled account with a one-time password, force a password change at first sign-in, and hand the temporary credentials off to a hiring manager, IT coordinator, or the user's personal email so they can complete self-onboarding.

This recipe covers that exact workflow: verify the UPN is free, generate a strong temporary password, create the user with forceChangePasswordNextSignIn = true, and surface the credentials to a trusted recipient — all without assigning a license.

When to use it

  • Day-zero onboarding when licensing decisions are still pending
  • Creating accounts for contractors or external staff who do not need a mailbox
  • Pre-provisioning identities for downstream automation (group sync, SCIM, HRIS)

Expected Outcomes

What you'll have when done

  • A new enabled Entra ID user at {user_upn} with display name {display_name}
  • A 16-character cryptographically-random temporary password
  • forceChangePasswordNextSignIn set to true so the user must rotate the password on first login
  • No licenses assigned (no mailbox, no SharePoint, no Teams) — ready for selective license assignment later
  • The temporary credentials delivered to the designated recipient (manager, IT coordinator, or personal email)

Risks & Considerations

Warnings & gotchas

  • Credentials in email are sensitive. Never send the password and the UPN in the same message to an untrusted channel. Prefer a password manager share, an ephemeral secrets tool, or an out-of-band channel (SMS for the password, email for the UPN).
  • No license = no mailbox. The user cannot receive mail at {user_upn} until a license with Exchange Online is assigned. Don't send onboarding mail to the new UPN — it will bounce.
  • UPN collisions. Always run the existence check first. Graph returns 404 for a free UPN and 200 for an existing one; creating over an existing user fails with 400.
  • Password policy. Tenants with custom banned-password lists or length requirements may reject weak generators. Use at least 14 characters and include mixed case, digits, and symbols.
  • Audit trail. User creation is logged in the Entra ID audit log. Document the business justification in your ticketing system before creating the account.
  • Conditional Access. If CA policies require MFA at first sign-in, ensure the user has a way to register an authenticator (TAP, phone, etc.) — a forced password change alone will not satisfy MFA gates.

Required Permissions

Permission               Why It's Needed
User.ReadWrite.All       Create the new user object and set initial password profile
User.Read.All            Check whether the target UPN already exists before creating
Directory.ReadWrite.All  Required for writing directory objects in some tenant configurations
Mail.Send                Only if delivering credentials via Graph sendMail from a service mailbox
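The same workflow end to end in the Microsoft Graph PowerShell SDK, as an added example rather than Dex's own code. It assumes the Microsoft.Graph module is installed and that $DisplayName, $UserUpn, $RecipientEmail and $SenderUpn (a licensed service mailbox that holds Mail.Send) are placeholders you fill in; the cmdlets used are the SDK's own, and the generator rejects biased bytes so every character is drawn uniformly from the CSPRNG.

```powershell
# Added example, not Dex's own code. Assumes the Microsoft.Graph PowerShell SDK is installed.
$DisplayName = '<display name>'; $UserUpn = '<user upn>'                      # placeholders you supply
$RecipientEmail = '<recipient email>'; $SenderUpn = '<service mailbox upn>'   # sender needs Mail.Send

function New-TemporaryPassword {
    param([int] $Length = 16)
    # Ambiguous glyphs (0/O, 1/l/I) left out so the recipient can read the password back reliably
    $classes = @('ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnopqrstuvwxyz', '23456789', '!@#$%^&*-_=+?')
    $all = -join $classes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $randInt = {   # uniform 0..($n-1) from the CSPRNG, rejecting bytes that would bias the modulo
        param([int] $n)
        $buf = [byte[]]::new(1)
        do { $rng.GetBytes($buf) } while ($buf[0] -ge (256 - (256 % $n)))
        $buf[0] % $n
    }
    # One guaranteed character per class satisfies tenant complexity rules; the rest use the full set
    $chars = @()
    foreach ($set in $classes) { $chars += $set[(& $randInt $set.Length)] }
    for ($i = $chars.Count; $i -lt $Length; $i++) { $chars += $all[(& $randInt $all.Length)] }
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {   # Fisher-Yates shuffle: class picks not always first
        $j = & $randInt ($i + 1)
        $chars[$i], $chars[$j] = $chars[$j], $chars[$i]
    }
    return -join $chars
}

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Mail.Send' -NoWelcome
# 1. Existence check: Get-MgUser raises on 404, so an empty result means the UPN is free
$existing = Get-MgUser -UserId $UserUpn -ErrorAction SilentlyContinue
if ($existing) { throw "UPN $UserUpn already belongs to object $($existing.Id)" }
# 2. Create the enabled, unlicensed account with a forced password change at first sign-in
$tempPassword = New-TemporaryPassword
$user = New-MgUser -DisplayName $DisplayName -UserPrincipalName $UserUpn `
    -MailNickname ($UserUpn.Split('@')[0]) -AccountEnabled `
    -PasswordProfile @{ Password = $tempPassword; ForceChangePasswordNextSignIn = $true }
# 3. Deliver to the designated recipient (a trusted internal mailbox), never to the new UPN, which
#    has no mailbox yet. For an untrusted channel send only the UPN here and the password out of band.
$mail = @{
    Message = @{
        Subject      = "New Entra ID account: $DisplayName"
        Body         = @{ ContentType = 'Text'; Content = "UPN: $UserUpn`nTemporary password: $tempPassword`nChange it at first sign-in." }
        ToRecipients = @(@{ EmailAddress = @{ Address = $RecipientEmail } })
    }
    SaveToSentItems = $false   # do not leave a copy of the credentials in the service mailbox
}
Send-MgUserMail -UserId $SenderUpn -BodyParameter $mail
Write-Host "Created $($user.UserPrincipalName) ($($user.Id)); credentials sent to $RecipientEmail"
```

Directory.ReadWrite.All is only added to the -Scopes list if your tenant rejects the creation with the narrower scopes, and the audit-log entry for New-MgUser is the record to cite in the onboarding ticket.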

The fastest way to get this done — just ask Dex. Copy the prompt below and paste it into your Dex conversation.

For IT Admins

Paste into Dex CoAdmin

Create a new Entra ID user: display name {display_name}, UPN {user_upn}, no license assigned. Generate a secure temporary password, force change at next sign-in, and email the credentials to {recipient_email}.