In Office 365 SharePoint Online all users of an Office 365 tenant are visible in the people picker. But for end users this often does not make sense...
Use the people picker
So if your type a person´s name in any people picker in SPO the system shows a list of all users known to the system. Pick the desired one and the user object id is used for the field or property.
The only restriction of the people picker in SPO is that only ACTIVE users are shown.
Inactive users have the login status "blocked" and will not show up in the people picker. You can check this in the office 365 portal when filtering the blocked users, like in this sample screenshot here.
So, blocked users are not shown - which is good.
(Sorry for the german screenshot, this was just to illustrate the user properties website.)
Why all users?
Well, that sounds logic - otherwise an Admin could never add new users (of the tenant) to a SPO site (...if he wouldn´t see all users of an Office 365 tenant).
Ok, but imagine there´s a large company which uses many site collections. Each Site shall only be used by users of a location or a department. In such scenarios it absolutely would make sense that not ALL users are visible in the site, but only the ones who have rights in that SPO site.
So, unfortunately this is not possible in SPO right now.
In SharePoint on premises
In SharePoint there´s a workaround for that scenario. At least for restricting the people picker to a special OU... An Admin (with access to the SPO farm) can use Stsadm.exe tool to manage People Picker in SharePoint 2013, see these resources:
According to TechNet (link #1) this command would work to restrict People Picker to a certain OU in Active Directory, :
stsadm -o setsiteuseraccountdirectorypath -path <Valid OU name> -url <Web application URL>
But Office 365 is manageable only via Remote PowerShell (so no stsadm tool) ...
Not possible in SharePoint Online
Our investigation brought some forum entries about that topic (but no official MSFT site in TechNet or MSDN):
Test it: If you use the SPO API for reading all users with
<site-url>/_api/web/siteusers you get ALL active users of the tenant - not only the ones that have rights for that specific SPO site. Obviously the people picker uses the same method.
in SPO 2013 we have not found a way to restrict the people picker to a group of users. Sorry!
If someone finds a way in SPO - pls. let us know.
We hope Microsoft will change that in the next releases or deliver a way to accomplish that. #FeatureRequest