Understand how users are assigned to apps

This article helps you to understand how users get assigned to an application in your tenant.

How do users get assigned an application in Azure AD?

There are several ways a user can be assigned an application. Assignment can be performed by an administrator, a business delegate, or sometimes, the user themselves. Below describes the ways users can get assigned to applications:

  • An administrator assigns a user to the application directly

  • An administrator assigns a group that the user is a member of to the application, including:

    • A group that was synchronized from on-premises
    • A static security group created in the cloud
    • A dynamic security group created in the cloud
    • A Microsoft 365 group created in the cloud
    • The All Users group
  • An administrator enables Self-service Application Access to allow a user to add an application using My Apps Add App feature without business approval

  • An administrator enables Self-service Application Access to allow a user to add an application using My Apps Add App feature, but only with prior approval from a selected set of business approvers

  • An administrator enables Self-service Group Management to allow a user to join a group that an application is assigned to without business approval

  • An administrator enables Self-service Group Management to allow a user to join a group that an application is assigned to, but only with prior approval from a selected set of business approvers

  • One of the application's roles is included in an entitlement management access package, and a user requests or is assigned to that access package

  • An administrator assigns a license to a user directly, for a Microsoft service such as Microsoft 365

  • An administrator assigns a license to a group that the user is a member of, for a Microsoft service such as Microsoft 365

  • A user consents to an application on behalf of themselves.

Next steps