How to: Restrict your Azure AD app to a set of users in an Azure AD tenant

Applications registered in an Azure Active Directory (Azure AD) tenant are, by default, available to all users of the tenant who authenticate successfully.

Similarly, in case of a multi-tenant app, all users in the Azure AD tenant where this app is provisioned will be able to access this application once they successfully authenticate in their respective tenant.

Tenant administrators and developers often have requirements where an app must be restricted to a certain set of users. Developers can accomplish the same by using popular authorization patterns like Azure role-based access control (Azure RBAC), but this approach requires a significant amount of work on part of the developer.

Tenant administrators and developers can restrict an app to a specific set of users or security groups in the tenant by using this built-in feature of Azure AD as well.

Supported app configurations

The option to restrict an app to a specific set of users or security groups in a tenant works with the following types of applications:

  • Applications configured for federated single sign-on with SAML-based authentication.

  • Application proxy applications that use Azure AD pre-authentication.

  • Applications built directly on the Azure AD application platform that use OAuth 2.0/OpenID Connect authentication after a user or admin has consented to that application.

    Note

    This feature is available for web app/web API and enterprise applications only. Apps that are registered as native cannot be restricted to a set of users or security groups in the tenant.

Update the app to enable user assignment

There are two ways to create an application with enabled user assignment. One requires the Global Administrator role, the second does not.

Enterprise applications (requires the Global Administrator role)

  1. Sign in to the Azure portal as a Global Administrator.
  2. If you have access to multiple tenants, use the Directory + subscription filter in the top menu to select the tenant in which you want to register an application.
  3. Search for and select Azure Active Directory.
  4. Under Manage, select Enterprise Applications > All applications.
  5. Select the application you want to assign a user or a security group to from the list. Use the filters at the top of the window to search for a specific application.
  6. On the application's Overview page, under Manage, select Properties.
  7. Locate the setting User assignment required? and set it to Yes. When this option is set to Yes, users in the tenant must first be assigned to this application or they won't be able to sign-in to this application.
  8. Select Save.

App registration

  1. Sign in to the Azure portal.
  2. If you have access to multiple tenants, use the Directory + subscription filter in the top menu to select the tenant in which you want to register an application.
  3. Search for and select Azure Active Directory.
  4. Under Manage, select App registrations.
  5. Create or select the app you want to manage. You need to be the Owner of this application.
  6. On the application's Overview page, select the Managed application in local directory link in the Essentials section.
  7. Under Manage, select Properties.
  8. Locate the setting User assignment required? and set it to Yes. When this option is set to Yes, users in the tenant must first be assigned to this application or they won't be able to sign-in to this application.
  9. Select Save.

Assign users and groups to the app

Once you've configured your app to enable user assignment, you can go ahead and assign users and groups to the app.

  1. Under Manage, select the Users and groups > Add user/group .

  2. Select the Users selector.

    A list of users and security groups will be shown along with a textbox to search and locate a certain user or group. This screen allows you to select multiple users and groups in one go.

  3. Once you are done selecting the users and groups, select Select.

  4. (Optional) If you have defined App roles in your application, you can use the Select role option to assign the selected users and groups to one of the application's roles.

  5. Select Assign to complete the assignments of users and groups to the app.

  6. Confirm that the users and groups you added are showing up in the updated Users and groups list.

More information