Assign a user or group to an enterprise app in Azure Active Directory

To assign a user or group to an enterprise app, you must be assigned one of these admin roles: global administrator, application administrator, or cloud application administrator, or be assigned as an owner of the enterprise app. For Microsoft applications (such as Office 365 apps), use PowerShell to assign users to the enterprise app.

Note

For licensing requirements for the features discussed in this article, see the Azure Active Directory pricing page.

Assign a user to an app - portal

  1. Sign in to the Azure portal with an account that's a global admin for the directory.

  2. Select All services, enter Azure Active Directory in the text box, and then select Enter.

  3. Select Enterprise applications.

  4. On the Enterprise applications - All applications pane, you see a list of the apps you can manage. Select an app.

  5. On the appname pane (that is, the pane with the name of the selected app in the title), select Users & Groups.

  6. On the appname - User and groups pane, select Add user.

  7. On the Add Assignment pane, select Users and groups.

    (Screenshot: Assign a user or group to the app)

  8. On the Users and groups pane, select one or more users or groups from the list and then choose the Select button at the bottom of the pane.

  9. On the Add Assignment pane, select Role. Then, on the Select Role pane, select a role to apply to the selected users or groups, then select OK at the bottom of the pane.

  10. On the Add Assignment pane, select the Assign button at the bottom of the pane. The assigned users or groups have the permissions defined by the selected role for this enterprise app.

Allow all users to access an app - portal

  1. Sign in to the Azure portal with an account that's a global admin for the directory.
  2. Select All services, enter Azure Active Directory in the text box, and then select Enter.
  3. Select Enterprise applications.
  4. On the Enterprise applications pane, select All applications. This lists the apps you can manage.
  5. On the Enterprise applications - All applications pane, select an app.
  6. On the appname pane, select Properties.
  7. On the appname - Properties pane, set the User assignment required? setting to No.

The User assignment required? option:

  • If this option is set to yes, then users must first be assigned to this application before being able to access it.
  • If this option is set to no, then any user who navigates to the application deep-link URL or application URL directly will be granted access.
  • Doesn't affect whether or not an application appears on the application access panel. To show the application on the access panel, you need to assign an appropriate user or group to the application.
  • Only functions with cloud applications that are configured for SAML single sign-on, Application Proxy applications that use Azure Active Directory pre-authentication, or applications built directly on the Azure AD application platform that use OAuth 2.0 / OpenID Connect authentication, and only after a user or admin has consented to that application. See Single sign-on for applications and Configure the way end-users consent to an application.
  • This option has no effect when an application is configured for any of the other Single Sign-on modes.
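As an added example (not from this article), the following PowerShell, assuming Connect-AzureAD has already been run with sufficient rights, finds the enterprise apps where this setting is No, lists who is explicitly assigned to one of them, and then switches that app to Yes; the AppRoleAssignmentRequired property on the service principal is the one behind the portal setting, and the app name is a placeholder.

```powershell
# Added example, not from the original article. Assumes Connect-AzureAD has already
# been run with an account allowed to read and update service principals.

# 1. Find every enterprise app where "User assignment required?" is No.
#    AppRoleAssignmentRequired is the service principal property behind that setting;
#    the ServicePrincipalType filter leaves out managed identities and legacy objects.
$openApps = Get-AzureADServicePrincipal -All $true |
    Where-Object { $_.ServicePrincipalType -eq "Application" -and
                   $_.AppRoleAssignmentRequired -ne $true }
$openApps | Select-Object DisplayName, AppId, ObjectId | Format-Table -AutoSize

# 2. For one of them, list who is explicitly assigned today: these are the only
#    principals that will still get access once the setting is switched to Yes.
$app_name = "<Your App's display name>"   # placeholder, replace before running
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'"
if (@($sp).Count -ne 1) { throw "Expected one app named '$app_name', found $(@($sp).Count)." }

Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -All $true |
    Select-Object PrincipalDisplayName, PrincipalType, Id | Format-Table -AutoSize

# 3. Require assignment: from now on only the assigned users and groups are issued tokens.
Set-AzureADServicePrincipal -ObjectId $sp.ObjectId -AppRoleAssignmentRequired $true
```

Review the step 2 output before running step 3: anyone who relied on the open setting and is not in that list loses access as soon as it is enforced.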

Assign a user to an app - PowerShell

  1. Open an elevated Windows PowerShell command prompt.

    Note

    You need to install the AzureAD module (use the command Install-Module -Name AzureAD). If prompted to install a NuGet module or the new Azure Active Directory V2 PowerShell module, type Y and press ENTER.

  2. Run Connect-AzureAD and sign in with a Global Admin user account.

  3. Use the following script to assign a user and role to an application:

    # Assign the values to the variables
    $username = "<Your user's UPN>"
    $app_name = "<Your App's display name>"
    $app_role_name = "<App role display name>"
    
    # Get the user to assign, and the service principal for the app to assign to
    $user = Get-AzureADUser -ObjectId "$username"
    $sp = Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'"
    $appRole = $sp.AppRoles | Where-Object { $_.DisplayName -eq $app_role_name }
    
    # Assign the user to the app role
    New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $sp.ObjectId -Id $appRole.Id
    

For more information about how to assign a user to an application role, see the documentation for New-AzureADUserAppRoleAssignment.

To assign a group to an enterprise app, you need to replace Get-AzureADUser with Get-AzureADGroup.

Example

This example assigns the user Britta Simon to the Microsoft Workplace Analytics application using PowerShell.

  1. In PowerShell, assign the corresponding values to the variables $username, $app_name and $app_role_name.

    # Assign the values to the variables
    $username = "britta.simon@contoso.com"
    $app_name = "Workplace Analytics"
    
  2. In this example, we don't know the exact name of the application role we want to assign to Britta Simon. Run the following commands to get the user ($user) and the service principal ($sp) using the user's UPN and the service principal's display name.

    # Get the user to assign, and the service principal for the app to assign to
    $user = Get-AzureADUser -ObjectId "$username"
    $sp = Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'"
    
  3. Run the command $sp.AppRoles to display the roles available for the Workplace Analytics application. In this example, we want to assign Britta Simon the Analyst (Limited access) role.

    (Screenshot: the roles available for the Workplace Analytics application)

  4. Assign the role name to the $app_role_name variable.

    # Assign the values to the variables
    $app_role_name = "Analyst (Limited access)"
    $appRole = $sp.AppRoles | Where-Object { $_.DisplayName -eq $app_role_name }
    
  5. Run the following command to assign the user to the app role:

    # Assign the user to the app role
    New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $sp.ObjectId -Id $appRole.Id
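The script in the PowerShell section and the example above both take the happy path: a display-name filter that matches exactly one object and a role name that exists. As an added example (not the article's own script) that also covers the group case mentioned above, the following assigns a group to an app role with those checks in place, assuming Connect-AzureAD has already been run; the three names are placeholders.

```powershell
# Added example, not the article's own script: assign a group (instead of a user) to an
# app role, with the checks the one-line script skips. Assumes Connect-AzureAD has
# already been run; the three names below are placeholders.
$group_name    = "<Your group's display name>"
$app_name      = "<Your App's display name>"
$app_role_name = "<App role display name>"

# A display-name filter can match several objects, so insist on exactly one.
$group = Get-AzureADGroup -Filter "displayName eq '$group_name'"
if (@($group).Count -ne 1) { throw "Expected one group named '$group_name', found $(@($group).Count)." }
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'"
if (@($sp).Count -ne 1) { throw "Expected one app named '$app_name', found $(@($sp).Count)." }

# Resolve the role id. With a wrong name the original script passes $null to -Id and
# fails late with an unhelpful error; fail here instead and show the roles that exist.
if (@($sp.AppRoles).Count -eq 0) {
    # An app that declares no roles exposes one default-access role with an all-zeros Id.
    $roleId = [Guid]::Empty
} else {
    $appRole = $sp.AppRoles | Where-Object { $_.DisplayName -eq $app_role_name -and $_.IsEnabled }
    if (-not $appRole) {
        throw "Role '$app_role_name' not found. Enabled roles: $(($sp.AppRoles | Where-Object IsEnabled).DisplayName -join ', ')"
    }
    $roleId = $appRole.Id
}

# Skip the call if the group already holds this role on this app (keeps the script idempotent).
$existing = Get-AzureADGroupAppRoleAssignment -ObjectId $group.ObjectId -All $true |
    Where-Object { $_.ResourceId -eq $sp.ObjectId -and $_.Id -eq $roleId }
if ($existing) {
    Write-Host "Group '$group_name' is already assigned role $roleId on '$app_name'."
} else {
    New-AzureADGroupAppRoleAssignment -ObjectId $group.ObjectId -PrincipalId $group.ObjectId `
        -ResourceId $sp.ObjectId -Id $roleId
}

# Verify from the app side: every user and group currently assigned to this app.
Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -All $true |
    Select-Object PrincipalDisplayName, PrincipalType, Id | Format-Table -AutoSize
```

To assign a single user instead, swap Get-AzureADGroup, Get-AzureADGroupAppRoleAssignment and New-AzureADGroupAppRoleAssignment for their Get-AzureADUser, Get-AzureADUserAppRoleAssignment and New-AzureADUserAppRoleAssignment counterparts.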
    

Next steps