Understand how users are assigned to apps
This article helps you to understand how users get assigned to an application in your tenant.
There are several ways a user can be assigned an application. Assignment can be performed by an administrator, a business delegate, or sometimes, the user themselves. Below describes the ways users can get assigned to applications:
An administrator assigns a user to the application directly
An administrator assigns a group that the user is a member of to the application, including:
- A group that was synchronized from on-premises
- A static security group created in the cloud
- A dynamic security group created in the cloud
- A Microsoft 365 group created in the cloud
- The All Users group
An administrator enables Self-service Application Access to allow a user to add an application using My Apps Add App feature without business approval
An administrator enables Self-service Application Access to allow a user to add an application using My Apps Add App feature, but only with prior approval from a selected set of business approvers
An administrator enables Self-service Group Management to allow a user to join a group that an application is assigned to without business approval
An administrator enables Self-service Group Management to allow a user to join a group that an application is assigned to, but only with prior approval from a selected set of business approvers
One of the application's roles is included in an entitlement management access package, and a user requests or is assigned to that access package
An administrator assigns a license to a user directly, for a Microsoft service such as Microsoft 365
An administrator assigns a license to a group that the user is a member of, for a Microsoft service.
A user consents to an application on behalf of themselves.