Understand how users are assigned to apps in Azure Active Directory

This article help you to understand how users get assigned to an application in your tenant.

How do users get assigned to an application in Azure AD?

For a user to access an application, they must first be assigned to it in some way. Assignment can be performed by an administrator, a business delegate, or sometimes, the user themselves. Below describes the ways users can get assigned to applications:

  • An administrator assigns a user to the application directly
  • An administrator assigns a group that the user is a member of to the application, including:
    • A group that was synchronized from on-premises
    • A static security group created in the cloud
    • A dynamic security group created in the cloud
    • A Microsoft 365 group created in the cloud
    • The All Users group
  • An administrator enables Self-service Application Access to allow a user to add an application using My Apps Add App feature without business approval
  • An administrator enables Self-service Application Access to allow a user to add an application using My Apps Add App feature, but only with prior approval from a selected set of business approvers
  • An administrator enables Self-service Group Management to allow a user to join a group that an application is assigned to without business approval
  • An administrator enables Self-service Group Management to allow a user to join a group that an application is assigned to, but only with prior approval from a selected set of business approvers
  • An administrator assigns a license to a user directly for a first party application, like Microsoft 365
  • An administrator assigns a license to a group that the user is a member of to a first party application, like Microsoft 365
  • An administrator consents to an application to be used by all users and then a user signs in to the application
  • A user consents to an application themselves by signing in to the application

Next steps