Quickstart: Assign users to an app that is using Azure AD as an identity provider
In the previous quickstart, you configured the properties for an app. When you set the properties you configured the experience for both assigned and unassigned users. This quickstart walks through the process of assigning users to the app.
To assign users to an app that you added to your Azure AD tenant, you need:
- An Azure account with an active subscription. Create an account for free.
- One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.
- Optional: Completion of View your apps.
- Optional: Completion of Add an app.
- Optional: Completion of Configure an app.
Use a non-production environment to test the steps in this quickstart.
Assign users to an app
In the Azure AD portal, select Enterprise applications. Then find and select the application you want to configure.
In the left navigation menu, select Users and groups.
Some of the Microsoft 365 apps require the use of PowerShell.
Select the Add user button.
On the Add Assignment pane, select Users and groups.
Select the user or group you want to assign to the application. You can also start typing the name of the user or group in the search box. You can choose multiple users and groups, and your selections will appear under Selected items.
When you assign a group to an application, only users in the group will have access. The assignment does not cascade to nested groups.
Group-based assignment requires Azure Active Directory Premium P1 or P2 edition. Group-based assignment is supported for Security groups only. Nested group memberships and Microsoft 365 groups are not currently supported. For more licensing requirements for the features discussed in this article, see the Azure Active Directory pricing page.
When finished, choose Select.
On the Users and groups pane, select one or more users or groups from the list and then choose the Select button at the bottom of the pane.
If the application supports it, you can assign a role to the user or group. On the Add Assignment pane, choose Select Role. Then, on the Select Role pane, choose a role to apply to the selected users or groups, then select OK at the bottom of the pane.
If the application doesn't support role selection, the default access role is assigned. In this case, the application manages the level of access users have.
On the Add Assignment pane, select the Assign button at the bottom of the pane.
You can unassign users or groups using the same procedure. Select the user or group you want to unassign and then select Remove. Some of the Microsoft 365 and Office 365 apps require the use of PowerShell.
Clean up resources
After you're done with the quickstart, consider deleting the app. That way you can keep your test tenant clean. Deleting the app is covered in the last quickstart in this series, see Delete an app.
Advance to the next article to learn how to set up single sign-on for an app.