Office 365 Education Self-Sign up: Technical FAQ
Some of the URLs in this article will take you to another document set. If you'd like to maintain your place in this document's table of contents, please open links in a new window.
Office 365 Education provides self-service sign-up for your students, faculty, and staff using their school email addresses. After signing up, students and teachers are able to get started with Office 365 right away. Review the frequently asked questions to learn more about Office 365 Education benefits for your students, faculty, and staff.
How are you making it easier for my students, faculty, and staff to sign up for Office 365?
Students, faculty, and staff who have valid school email addresses can sign up and use Office 365 services, including OneDrive for Business. Microsoft will enable the capability for students, faculty, and staff to sign up for Office 365 simply by using their school email addresses.
What does this mean for my institution?
- Scenario 1: Your school already has an existing Office 365 environment with student accounts.
In this scenario, if a student, faculty, or staff already has a work or school account in the tenant (for example, contoso.edu) but doesn't yet have Office 365 A1, Microsoft will simply activate the plan for that account, and the student, faculty, or staff will automatically be notified of the additional services.
- Scenario 2: Your school has an existing Office 365 environment without student accounts.
In this scenario, the student, faculty, or staff doesn't yet have access to any Office 365 services. In this case, the student, faculty, or staff can sign up at Office 365 Education and will automatically be given an account. This lets the student, faculty, or staff access services included with Office 365 A1. For example, if a student named Sara uses her school email address (for example, Sara@contoso.edu) to sign up, Microsoft will automatically add Sara as a user in the contoso.nmicrosoft.com Office 365 environment and activate Office 365 A1 for that account.
How does this impact my security and compliance?
With OneDrive for Business, as with all Office 365 services, the IT administrators stay in control. The Microsoft 365 admin center provides a single location from which administrators can manage all of the aspects of OneDrive for Business, including site collection and user profile management, configuring search and discovery, permissions management and reporting, and more. In addition to centralized control, admins can manage many aspects of users and content, including access management, storage allocation, and content sharing limitations. Compliance management options include selective audits, e-Discovery, and current usage summaries that can be used to manage compliance and investigate any areas of concern. To learn more about managing security and compliance with OneDrive for Business, see OneDrive for Business.
What steps do we need to take to make this available to students, faculty, and staff?
There are no administrative actions your institution needs to take to enroll, in most countries/regions. (In some countries/regions, you'll need to opt in by following the steps below under Opt-in steps required for some countries/regions.) You can communicate the availability of Office 365 A1 to your students, faculty, and staff by using content from the Office 365 Campus Marketing toolkit. The toolkit contains template emails, posters, web banners and more to help you increase awareness among students, faculty, and staff. Contact your Microsoft representative with specific questions about the steps your school should take.
If your institution has multiple email domains, you may want all email address extensions to be in the same tenant. To do this, before any students, faculty, and staff sign-up for Office 365 A1, create your primary Office 365 tenant and add all of your email address domains to that tenant. It's important to do this first, because there's no automated way to move users across tenants after they've been created.
Opt in steps required for some countries/regions
Customers in certain countries/regions must opt in to allow new users to join existing Office 365 tenants. In those countries/regions, to make Office 365 A1 available to students and faculty, follow the steps below.
These steps require the use of Windows PowerShell. To get started with Windows PowerShell, see Getting Started with Windows PowerShell.
If you're using Windows 7, install the Microsoft Online Services Sign-In Assistant for IT Professionals. Download it here. This step isn't required for Windows 8 and later.
If you haven't already, install the latest 64-bit version of the Azure Active Directory Module for Windows PowerShell.
- After you select the link, select Run to run the installer package.
Open Windows PowerShell, and enter the following commands:
In the dialog box, enter your Office 365 username and password.
Enter the following Windows PowerShell command to enable new users to automatically join your Office 365 tenant:
Set-MsolCompanySettings -AllowEmailVerifiedUsers $true
What does this mean for my faculty and staff who are already using Office 365?
There will be no change for people who are already using Office 365 for Faculty plans. However, since new users could subscribe to the service at any time, you should ensure that you review your SharePoint site permission settings (if applicable).
If students, faculty, and staff are new to your Office 365 environment, faculty and staff should make sure that their sites have appropriate group permissions for read and/or write access. For information about setting permissions, see Share documents or folders in Office 365 and Permissions in Office 365.
How will this change the way I manage identities for users in my institution today?
If your school already has an existing Office 365 environment with student accounts, identity management won't change.
If your school already has an existing Office 365 environment without student accounts, Microsoft will create a user in the tenant and assign licenses based on the student’s school email address. This means that the number of users you're managing at any particular time will grow as students, faculty, and staff sign-up for the service.
If you're managing your directory on-premises, and use Active Directory Federation Services (AD FS), Microsoft won't add users to your tenant, and any students, faculty, and staff attempting to join your tenant will receive a message to contact their institution's admin.
If your school doesn't have an Office 365 environment connected to your email domain, there will be no change in how you manage identity. Students, faculty, and staff will be added to a new, cloud-only user directory, and you'll have the option to elect to take over as the tenant admin and manage them.
What is the process to manage a tenant created by Microsoft for my students?
If a tenant was created by Microsoft, you can claim and manage that tenant by following these steps:
Join the tenant by using an email address domain that matches the tenant domain you want to manage. For example, if Microsoft created the contoso.edu tenant, you'll need to join the tenant with an email address ending with @contoso.edu.
Claim admin control by verifying domain ownership: once you're in the tenant, you can promote yourself to the admin role by verifying domain ownership. To do so, in Office 365, choose Settings, choose Office 365 settings, and then choose Become an admin.
If I have multiple domains, can I control the Office 365 tenant that students, faculty, and staff are added to?
If you do nothing, a tenant will be created for each student email domain and subdomain.
If you want all students, faculty, and staff to be in the same tenant regardless of their email address extensions:
- Create a target tenant ahead of time or use an existing tenant, and add all the existing domains and subdomains that you want consolidated within that tenant. Then all the students, faculty, and staff with email addresses ending in those domains and subdomains will automatically join the target tenant when they sign up.
There is no supported automated mechanism to move users across tenants once they have been created. For more information on this process, see Add your users and domain to Office 365.
If I add a domain to Office 365 will e-mail flow be affected? What if the domain sets Exchange Online to authoritative by default?
Sub-domains are added to Exchange Online as "authoritative" accepted domains if the root domain in Office 365 is set up for e-mail in Exchange Online. Make sure to also set the domain as non-authoritative, internal relay. Modify send connectors as appropriate. For more information, see Manage accepted domains in Exchange Online.
How can I prevent students from joining my existing Office 365 tenant?
There are steps you can take as an admin to prevent students, faculty, and staff from joining your existing Office 365 tenant. If you do block this, students’ attempts to sign in will fail and they'll be directed to contact their institution’s admin.
These steps require the use of Windows PowerShell. To get started with Windows PowerShell, see the PowerShell getting started guide.
To perform the following steps, you must install the latest 64-bit version of the Azure Active Directory Module for Windows PowerShell.
After you select the link, select Run to run the installer package.
Disable automatic license distribution: Use this Windows PowerShell script to disable automatic license distributions for existing users. To disable automatic license distribution for existing users:
- Set-MsolCompanySettings -AllowAdHocSubscriptions $false
To enable automatic license distribution for existing users:
- Set-MsolCompanySettings -AllowAdHocSubscriptions $true
Disable automatic tenant join : Use this Windows PowerShell command to prevent new users from joining a managed tenant:
To disable automatic tenant join for new users:
- Set-MsolCompanySettings -AllowEmailVerifiedUsers $false
To enable automatic tenant join for new users:
- Set-MsolCompanySettings -AllowEmailVerifiedUsers $true
If you take these steps to block users from joining, the current Student Advantage provisioning process will remain in place. For more information, see Office 365 Education.
How do I verify if I have the block on in the tenant?
Use the following Windows PowerShell script:
Get-MsolCompanyInformation | fl allow*
Are students at my institution able to take advantage of this offer if we block external email?
E-mail verification is required for self-service sign-up for students, faculty, and staff who don't have an account. While this is the easiest way to verify a student is eligible, if you create a tenant with user accounts (for example, you did this using a CSV file, PowerShell cmdlet, or DirSync), then your students, faculty, and staff can take advantage of the auto-licensing feature to get access to the services we are providing.
Can I combine multiple Office 365 tenants?
No. As of today, you can't combine tenants.
How do I know when new users have joined my tenant?
Students, faculty, and staff who have joined your tenant as part of this program are assigned a unique license that you can filter on within your active user pane in the admin dashboard.
To create this new view, in the Microsoft 365 admin center, go to Users > Active Users, and on the Select a View menu, select New View. Name your new view, and under Assigned license, select Office 365 A1 for Students or Office 365 A1 for Faculty. Once the new view has been created, you'll be able to see all the students, faculty, and staff in your tenant who have enrolled in this program.
Does this change how I manage OneDrive and SharePoint security?
Ensure that you review your SharePoint site permission settings and user policies (if applicable). If students, faculty, and staff are new to your Office 365 tenant, faculty and staff should make sure their sites and OneDrive have the appropriate permissions for students. For information about setting permissions, see Share documents or folders in Office 365 and Permissions in Office 365.
Are there any additional things I should be prepared for?
You might experience an increase in password reset requests. For information about this process, see Reset a user's password.
For students who are under 13, you still need to provision student licenses through the standard student advantage licensing process.
You can remove a user from your tenant via the standard process in the Microsoft 365 admin center. However, if the user is still an active student, faculty, or staff with an active email address from your institution, they'll be able to rejoin unless you block all students, faculty, and staff from joining.
Overview of Office 365 licensing
An Office 365 A1 license is automatically assigned when a student or faculty/staff member uses the self-service sign-up process. An Office 365 admin can also assign licenses using the standard assignment processes. The availability of these licenses doesn't impact any preferences previously set on license assignment.
Following are answers to additional licensing questions.
- Why did 500 Office 365 A1 licenses show up in my Office 365 tenant?
Microsoft has provided these licenses to you in your Office 365 tenant to make it easier for you to provide this benefit to your students, faculty, and staff. For schools who allow students, faculty, and staff to self-provision you can point them to the sign-in page and after verification they'll be automatically assigned one of these licenses. You can also choose to assign these licenses through your standard processes, through the Microsoft 365 admin center.
- Should I still see the Office 365 A1 licenses in my tenant if I turned off self-service sign up?
Yes. The availability of these licenses won't impact your ability to manage the provisioning process. If your institution has chosen to block self-provisioning, no automatic license assignment will occur.
- Since Microsoft added these licenses, does this mean I will now see new student and/or faculty and staff accounts showing up in my tenant?
No. You have the ability to control whether students, faculty, and staff can self-join the tenant. If you would like to turn off self-provisioning, review the information above.
Who manages verification of eligibility for these licenses?
For un-managed tenants, Microsoft is responsible for verification. Individual students, faculty, and staff will receive an email to the institutional account they used to qualify for the offer in order to determine continued eligibility.
For school IT managed tenants, you're responsible for managing ongoing access to the subscriptions and ensuring that students, faculty, and staff are eligible for the Office 365 for Students, Faculty, and Staff offer, including eligibility after graduation, change of full-time student status, etc.
Office 365 Education and the Family Education Rights and Privacy Act
FERPA imposes requirements on U.S. educational organizations regarding the use or disclosure of student education records, including email and attachments. Microsoft agrees to the use and disclosure restrictions imposed by FERPA that limit Microsoft’s use of student education records, including agreeing to not scan emails or documents for advertising in the Office 365 Services.
Below are answers to frequently asked questions.
- Does the ability for self-service sign-up for Office 365 create issues with FERPA compliance when a school has not yet created an Office 365 tenant?
FERPA compliance isn't an issue when the school isn't managing the Office 365 tenant. In this scenario, the school doesn't have administrative control and isn't expected to be accessing or using students, faculty, and staff educational records therefore, FERPA doesn't apply.
Independently, Microsoft commits to the security and privacy of the new users in an unmanaged Office 365 tenant as it does with any existing Office 365 customers.
- In a scenario where a school has not created an Office 365 tenant, email addresses may become visible in unmanaged domains when documents are being shared with one another. In this scenario, the schools do not have the ability to control this. Does this impact a school’s compliance with FERPA?
In the scenario when the school isn't managing the Office 365 tenant the school isn't the administrator of the tenant. Microsoft is the Office 365 tenant administrator. As a result the question of school’s compliance with FERPA doesn't arise.
- In a scenario where the school takes control of an unmanaged tenant, how can the school continue to stay FERPA compliant?
According to FERPA, schools may disclose, without consent, "directory" information such as a student's name, address, telephone number, date and place of birth, honors and awards, and dates of attendance. However, schools must tell parents and eligible students, faculty, and staff about directory information and allow parents and eligible students, faculty, and staff a reasonable amount of time to request that the school doesn't disclose directory information about them.
Countries/regions that require Opt-In steps to add new users to existing Office 365 tenants
Pakistan, United Arab Emirates, Kazakhstan, Turkey, Yemen, Azerbaijan, Kuwait, Jordan, Qatar, Bahrain, Oman, Lebanon, Cyprus, Saudi Arabia, Israel, United Kingdom of Great Britain and Northern Ireland, Ukraine, Switzerland, Sweden, Svalbard, Spain, Slovenia, Slovakia, Serbia, San Marino, Russian Federation, Romania, Portugal, Poland, Norway, Netherlands, Montenegro, Monaco, Moldova, Malta, Macedonia, Luxembourg, Lithuania, Liechtenstein, Latvia, Jersey, Italy, Isle of Man, Ireland, Iceland, Hungary, Holy See (Vatican City), Guernsey, Greece, Gibraltar, Germany, France, Finland, Faroe Islands, Estonia, Denmark, Czech Republic, Croatia, Bulgaria, Bosnia and Herzegovina, Belgium, Belarus, Austria, Andorra, Albania, Aland Islands.