
Mickaël Derriey's blog

© 2024 Mickaël Derriey


The consequences of enabling the 'user assignment required' option in AAD apps

Introduction.

Applications in Azure Active Directory have an option labelled “user assignment required”. In this blog post, we’ll talk about how this affects an application.

💡 Quick heads-up — all the examples in this blog post are based on a web application using AAD as its identity provider through the OpenID Connect protocol.

By default, applications created in Azure Active Directory have the “user assignment required” option turned off, which means that all the users in the directory can access the application, both members and guests.

While this might sound like a sensible default, we find ourselves at Readify with a growing number of guests in the directory as we collaborate with people from other companies. Some of our applications contain data that should be available to Readify employees only, so we decided to make use of the “user assignment required” option.

To access this option, in the Azure portal, go to “Azure Active Directory > Enterprise applications > your application > Properties” and the option will be displayed there.

Some of the behaviour changes were expected, but others were not! Let’s go through them.

1. People not assigned to the application can’t use it

Well, duh, isn’t that what the option is supposed to do?!

You’re absolutely right! If someone that hasn’t been explicitly assigned to the application tries to access it, then AAD will reject the authorisation request with a message similar to the following:

AADSTS50105: The signed in user ‘Microsoft.AzureAD.Telemetry.Diagnostics.PII’ is not assigned to a role for the application ‘<application-id>’ (<application-name>)

The message is straightforward and the behaviour expected.

There are several ways to assign someone to the application. I typically use the Azure portal, navigate to “Azure Active Directory > Enterprise applications > my application > Users and groups” and add them there.

2. Nested groups are not supported

This was the first surprise we had. It’s our bad, because it’s well documented in the “Important” note on that documentation page: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-saasapps

In other words, if you assign a group to an application, only the direct members of that group will gain access to the application. So instead of using our top-level “all employees” type of group, we had to assign several lower-level groups which only had people inside of them.
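To make the nested-group pitfall concrete, here is an added example (not code from the original post) that models flat AAD assignment semantics over a constructed directory: it lists who actually gets access when a top-level group is assigned, who is silently left out, and which lower-level groups to assign instead. All group and user names are made up.

```python
"""Added example: why assigning a nested group does not grant access when
"user assignment required" is on. AAD assignments are flat: assigning a
group grants access to that group's *direct* members only."""

# Constructed directory: group -> list of direct members. A member that is
# itself a key of this dict is a nested group; anything else is a user.
DIRECTORY = {
    "all-employees": ["sydney-office", "melbourne-office", "ceo@example.com"],
    "sydney-office": ["alice@example.com", "bob@example.com"],
    "melbourne-office": ["carol@example.com", "syd-contractors"],
    "syd-contractors": ["dan@example.com"],
}


def direct_users(group, directory):
    """Users AAD actually admits when `group` is assigned to the application."""
    return {m for m in directory.get(group, []) if m not in directory}


def transitive_users(group, directory, seen=None):
    """Every user reachable through nesting: who people *expect* to get access."""
    seen = set() if seen is None else seen
    if group in seen:          # guard against membership cycles
        return set()
    seen.add(group)
    users = set()
    for member in directory.get(group, []):
        if member in directory:
            users |= transitive_users(member, directory, seen)
        else:
            users.add(member)
    return users


def missing_after_assignment(assigned_groups, directory):
    """Users reachable via nesting who would still be rejected (AADSTS50105)."""
    granted, expected = set(), set()
    for g in assigned_groups:
        granted |= direct_users(g, directory)
        expected |= transitive_users(g, directory)
    return expected - granted


def leaf_groups(group, directory, seen=None):
    """Groups to assign instead of `group` so every nested user is covered:
    each group in the tree that has at least one direct user member."""
    seen = set() if seen is None else seen
    if group in seen:
        return set()
    seen.add(group)
    result = set()
    if direct_users(group, directory):
        result.add(group)
    for member in directory.get(group, []):
        if member in directory:
            result |= leaf_groups(member, directory, seen)
    return result


if __name__ == "__main__":
    top = "all-employees"
    print("assigning", top, "admits:", sorted(direct_users(top, DIRECTORY)))
    print("silently excluded:", sorted(missing_after_assignment([top], DIRECTORY)))
    fix = leaf_groups(top, DIRECTORY)
    print("assign these instead:", sorted(fix))
    print("still excluded:", sorted(missing_after_assignment(fix, DIRECTORY)))
```

Running it against your own export of group membership (rather than the constructed dict) gives the list of people who will call the help desk after the option is switched on.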

3. All permissions need to be consented to by an AAD administrator

Applications in Azure Active Directory can request two types of permissions:

  • the permissions which are scoped to the end user, like “Access your calendar”, “Read your user profile”, “Modify your contacts” — these permissions are shown to the user the first time they access an application, and they can consent to the application performing those actions on their behalf;
  • the other type of permissions usually has a broader impact, outside of the user’s scope, like “Read all users’ profiles” or “Read and write all groups” — those permissions need to be consented to by an AAD administrator on behalf of all the users of the application.

When access to the application is restricted via the “user assignment required” option, an Azure Active Directory administrator needs to consent to all the permissions requested by the application, no matter whether users can normally provide consent for them.

As an example, I created an application with only one permission called “Sign in and read user profile”. After enabling the “user assignment required” option, I tried to log in through my web application and got prompted with a page similar to the screenshot below:

AAD application requires admin approval after enabling the "user assignment required" option

While I don’t fully understand that behaviour, it is alluded to in the tooltip associated with the “user assignment required” option, shortened for brevity and emphasis mine.

This option only functions with the following application types: […] or applications built directly on the Azure AD application platform that use OAuth 2.0 / OpenID Connect Authentication after a user or admin has consented to that application .

The solution is to have an AAD admin grant consent to the permissions for the whole directory. In the Azure portal, go to “Azure Active Directory > Enterprise applications > your application > Permissions” and click the “Grant admin consent” button.

4. Other applications not assigned to the application can’t get an access token

It’s not uncommon to see integration between applications. As an example, an application “A” could run a background job every night and call the API of application “B” to get some data.

Before we enabled the “user assignment required” option in application “B”, it was possible for application “A” to request an access token to AAD, allowing it to call the API of application “B”. This is done using the client_credentials OAuth2 flow, where application “A” authenticates itself against AAD with either a client secret (it’s like a password, but an app can have different secrets) or a certificate.

However, after requiring users to be assigned to the application “A”, the token request returns the following error:

AADSTS501051: Application ‘<application-b-id>’ (<application-b-name>) is not assigned to a role for the application ‘<application-a-id>’ (<application-a-name>).

While it’s similar to the first error we talked about in this post, the resolution is different, as the Azure portal doesn’t let us assign applications to another application in the “Users and groups” page.

I found the solution in this Stack Overflow answer, which advises taking the following steps:

  • create a role in application “A” that can be assigned to applications;
  • have application “B” request this permission; and
  • get an AAD admin to grant consent for the permissions requested by application “B”.

Let’s go through these steps one by one.

4.1 Create a role that can be assigned to applications

If you want to get some background information on AAD app roles, I highly suggest reading the following pages on docs.microsoft.com: “Application roles” and “Add app roles in your application and receive them in the token”.

To create a role aimed at applications, we’ll use the “Manifest” page and replace the appRoles property with the following:

4.2 Request that permission in application “B”

Wait, we were talking about creating a role and now we request a permission?

I agree, sorry about the confusion, but the following will hopefully make sense. There’s a change in the terminology we use because assigning that role to application “B” is actually done the other way around, by requesting that role from the settings of application “B”.

To do so, we navigate in the Azure portal to “Azure Active Directory > App registrations > application “B” > Required permissions” and then click on the “Add” button. In the new “Add API Access”, we look for application “A”, select it, then pick the “Access application A” application permissions we created in the previous step:

Request the permission to access the target application

💡 Another heads-up — at the time of writing, the Azure portal has a new App registrations experience in preview. The steps mentioned above are for the GA App registrations blade, but the experience is pretty similar in the preview one. If you want to try it out, follow “App registrations (preview) > application “B” > API permissions > Add a permission > APIs my organization uses > application “A” > Application permissions”, then finally pick the “Access application A” one.

4.3 Grant consent for application “B” to access application “A”

Because there’s no user involved, application permissions automatically require admin consent. Follow the steps taken previously, but this time for application “B”. After doing so, the token request from application “B” to access application “A” will work as expected.
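The two halves of the fix in sections 4.1 to 4.3, as an added example that is not code from the original post: the appRoles entry application “A” publishes so that the role can be requested by application “B” as an application permission, and the check application “A”’s API should still run on an incoming token. AAD refuses to issue a token to an unassigned application (AADSTS501051), but if the option is ever switched off again only that check stands between the API and any app in the tenant. Role ids, client ids, the `user_impersonation` scope name and all token payloads are constructed placeholders; signature and expiry validation are assumed to have been done by a JWT library beforehand.

```python
"""Added example: an application-type app role and the token check behind it."""
import uuid

ROLE_VALUE = "Access.ApplicationA"   # constructed; the string the `roles` claim carries


def application_app_role(display_name, value, role_id=None):
    """Build one appRoles entry that only applications can hold.
    allowedMemberTypes = ["Application"] is what makes the role show up as an
    application permission in app "B"'s "Required permissions" page."""
    return {
        "allowedMemberTypes": ["Application"],
        "description": f"Allows the calling application to {display_name.lower()}.",
        "displayName": display_name,
        "id": role_id or str(uuid.uuid4()),   # must stay stable once assigned
        "isEnabled": True,
        "value": value,
    }


def authorize(claims, expected_audience, required_role, required_scope):
    """Decide whether a signature-verified token payload may call app "A".

    App-only tokens from the client_credentials flow carry app roles in
    `roles` and have no `scp`; delegated tokens carry scopes in `scp`.
    Returns (allowed, reason)."""
    if claims.get("aud") != expected_audience:
        return False, "token was issued for a different resource"
    # v2 tokens name the calling app in `azp`, v1 tokens in `appid`
    caller = claims.get("azp") or claims.get("appid") or "<unknown app>"
    if "scp" in claims:
        scopes = set(claims["scp"].split())
        if required_scope in scopes:
            return True, f"delegated call by {caller} on behalf of a user"
        return False, f"delegated token lacks scope {required_scope}"
    if required_role in claims.get("roles", []):
        return True, f"app-only call: {caller} holds role {required_role}"
    return False, f"app-only call: {caller} lacks role {required_role}"


# Constructed sample payloads; never paste real tokens into examples.
APP_A = "00000000-0000-0000-0000-00000000000a"
APP_B = "00000000-0000-0000-0000-00000000000b"
OTHER_APP = "00000000-0000-0000-0000-00000000000c"
TOKEN_ASSIGNED_APP = {"aud": APP_A, "azp": APP_B, "roles": [ROLE_VALUE]}
TOKEN_UNASSIGNED_APP = {"aud": APP_A, "azp": OTHER_APP}
TOKEN_WRONG_AUDIENCE = {"aud": OTHER_APP, "appid": APP_B, "roles": [ROLE_VALUE]}
TOKEN_DELEGATED = {"aud": APP_A, "azp": APP_B, "scp": "user_impersonation"}

if __name__ == "__main__":
    import json
    # What goes into the "Manifest" page of application "A"
    manifest = {"appRoles": [application_app_role("Access application A", ROLE_VALUE)]}
    print(json.dumps(manifest, indent=2))
    cases = [("assigned app", TOKEN_ASSIGNED_APP), ("unassigned app", TOKEN_UNASSIGNED_APP),
             ("wrong audience", TOKEN_WRONG_AUDIENCE), ("delegated", TOKEN_DELEGATED)]
    for name, tok in cases:
        print(name, "->", authorize(tok, APP_A, ROLE_VALUE, "user_impersonation"))
```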

When we first used that “user assignment required” option, I was only expecting unassigned users to be bounced by AAD when trying to log in. Little did I know we would encounter all those “bumps” along the way 🤣.

This was a great learning opportunity, and hopefully it’ll be useful to others.


Azure AD application - User assignment required option enabled, newly added user can't login

We have an application setup to use Azure AD. The 'User Assignment Required' option is enabled because we wanted to restrict access to a specific set of AD users. It's working fine for existing users.

However, we recently added a new user from the Enterprise Applications section for that app, and he is not able to log in. He gets the 'Need admin approval' message. When we disable the 'User Assignment Required' option, it works fine for him as well.

Please advise.

  • azure-activedirectory

Rich Michaels

When you enable the 'User Assignment Required' option you have to give Admin Consent for that application's permissions. When enabling this option normal users can not give consent on their own anymore; they can only give consent when that option is off. But you probably want that option on so you can control who can access the application, so you need an Admin (Global admin, Cloud Application admin or Application Admin) to give the consent for that App.

Daniël Heinsius


Not clear that tenant-wide admin consent is required after turning on "user assignment required" #59982


DouglasHeriot commented Jul 30, 2020

As an Application Developer maintaining internal App Registrations, I wanted to restrict an app to a group, with "user assignment required" and assigning the app to a group.

However I started getting errors signing in about "Need admin approval" "App needs permission to access resources in your organisation that only an admin can grant. Please ask an admin to grant permission to this app before you can use it."

This was confusing as the app was only requesting "User.Read" which does not require admin consent. All the documentation and blog posts I found initially pointed to needing admin consent for roles that require it but could not explain this case.

I eventually worked out that it was the "user assignment required" setting causing the issue, and found that explained

It would be helpful if the Azure documentation made this more obvious, and pointed to the page explaining .


psmanhas commented Jul 30, 2020

Thank you for sharing your query! We are currently investigating and will get back to you shortly on this.


shashishailaj commented Jul 30, 2020

We are engaging the content authors to have your suggestions reviewed. They will take action accordingly.


kenwith commented Jan 28, 2021

Thank you for the feedback in improving the doc. I have added this item to our backlog so that it can be prioritized and worked on as appropriate.

#please-close


magic-happenz commented Apr 26, 2021

just came across and still can't find clear information / explanation why admin consent is required for apps that have "User assignment required". While it makes sense to enable that option if admin consent was granted for certain permissions, making it mandatory when the option is enabled seems unnecessary or at least not clear in the docs.


martinjaegerdk commented Jun 4, 2021

Just stumbled across this as well - I have been spending the last two days coming to this conclusion, and feel "relieved" that I'm not the only one having this problem. It doesn't really make any sense.
Is this a bug or by design?

magic-happenz commented Jun 4, 2021

No it's by design I think. Microsoft seems to believe that if an application should be user assigned that the use should not be able to give consent to it / an administrator needs to give consent in the name of the whole organization. But well, in my case the world looks different. There is no way a global administrator is able to make such decision globally. Especially if you follow a "least privilege principle". So yeah, thanks Microsoft.


psignoret commented Jun 18, 2021

@martin-jaeger-maersk It's "by design" (but the design isn't awesome and we plan to improve it). During sign in, Azure AD checks for assignment after checking for (and prompting for, if needed) consent. Also, when a user grants consent for themselves, they get assigned the app. Put together, this means a user could cause themselves to be assigned by granting consent—defeating the whole purpose of requiring assignment. So, currently, Azure AD simply disallows all user consent when the app requires assignment. It's not a perfect solution, but it addresses the majority of scenarios.

@magichappens89 Regarding least privilege: keep in mind that a delegated permission grant is the permission to act on behalf of a signed-in user. If a user is not allowed to sign in to an app, that app cannot exercise those delegated permissions on behalf of that user.

One approach we're considering is the following:

checking for consent. assign the user when they consent for themselves.

We don't currently have an estimate for when we'll be able to make changes here, but we are aware of the challenges this causes for some customers.

I've updated the document here to add a note about this behavior.


martinjaegerdk commented Jun 18, 2021

Thank you for the feedback 👍


bjoljo commented Feb 22, 2022

Is there any information on when this improvement is planned?

magic-happenz commented Feb 22, 2022

Also curious about that. It's bad user experience and a potential security risk as you seem to expect that either an admin knows which app should get which consent in the name of the whole company (we don't) or train users' muscle memory to always give consent when they login to an app that doesn't require user assignment. And it might just be my feeling but checking app assignment before consent seems kinda obvious.

psignoret commented Feb 22, 2022

There is no timeline we can share at the moment, but I can tell you it is very unlikely it will be in the next six months.

@magichappens89 Thanks for your feedback!


commakoerschgen commented Jun 7, 2022

There seems to be a regression here since the linked document currently does not mention anything about admin consent -- or it has never been updated.

psignoret commented Jun 7, 2022 (edited)

The content that was being discussed several months ago in this (closed) issue has since been moved to . Is that what you meant by "a regression"?

Yes, thanks for the link!


audunsolemdal commented Oct 18, 2022

There is no timeline we can share at the moment, but I can tell you it is very unlikely it will be in the next six months.

@magichappens89 Thanks for your feedback!

Is there any status update you could share with us?

psignoret commented Oct 18, 2022

Same status, unfortunately: There is no timeline we can share at the moment, but I can tell you it is very unlikely it will be in the next six months. (Starting now.)

What I say is that this is a little bit closer to getting work started on it, but we're not quite there yet. (But still: unlikely to be in the next six months.)

magic-happenz commented Oct 18, 2022

Same status, unfortunately: There is no timeline we can share at the moment, but I can tell you it is very unlikely it will be in the next six months. (Starting now.)

What I say is that this is a little bit closer to getting work started on it, but we're not quite there yet. (But still: unlikely to be in the next six months.)

Thanks for the update but given the case is 2 years old and, as mentioned, a feature that trains users' muscle memory to be an easy target of illicit consent attacks, it would be great to get a less vague timeline.

psignoret commented Oct 20, 2022

With the current behavior, there are fewer scenarios where a user would be prompted for consent, so I'm not sure I fully understand your comment about muscle memory. Would you mind elaborating?

The most common case (though I understand there are exceptions) is that an app that requires assignment is managed by someone in the organization, and interrupting users to prompt them for consent is undesirable. (Whereas third-party apps that nobody is actively managing require each user to consent, if their organization allows them to.)

magic-happenz commented Oct 20, 2022

Trying to elaborate. As an application developer I am not able to set my application to "user assignment required" as this obviously requires admin consent for User.Read permission which is mandatory for my app to work.

However, if "user assignment required" for my app is not enabled and admin consent is not granted, the user is presented with a consent screen. Given that I have like 30 applications for a user in my organization I am training that user to click a button every time a login to a new application is required. Now that user is prepared for an illicit consent attack, consenting to all kinds of permissions that won't be reviewed.

I know there are possibilities to improve that, but nothing really "fixes" this bad design and since you agreed it is bad, I am wondering why it cannot be prioritized?

The answer to "why isn't this prioritized?" is because we've decided to prioritize other even more important investments.

But I still don't quite follow your argument. Suppose we've made the changes mentioned in this thread, and users consent for themselves for an app that requires assignment. How will this reduce the number of consent prompts for users using your 30 apps?

I was hoping that with the redesign of the feature you would also improve that no global admin is required to actually allow an application to read user profiles. Currently I can only decide whether an admin or a user can consent to my application permissions but for the basic permissions an application needs, it should be more the responsibility of an application owner to make that decision. An internal auditor I could also imagine, but assigning everyone who may have such use case to the global admin role is not good practice.

psignoret commented Oct 21, 2022

No, we have no plans here to remove the requirement that someone with sufficient privilege (either the user themselves or an administrator) needs to authorize an app's access to user profile details.


ghost commented Sep 27, 2023

Same status, unfortunately: There is no timeline we can share at the moment, but I can tell you it is very unlikely it will be in the next six months. (Starting now.)

What I say is that this is a little bit closer to getting work started on it, but we're not quite there yet. (But still: unlikely to be in the next six months.)

Hello! So, after 11 months, I just wanted to check: is this planned for anytime soon? Thanks!

psignoret commented Sep 27, 2023

@fdelucaandrea, same status: Highly unlikely to be in the next six months.

To keep the hope alive: Some work happened that takes us closer to this (e.g. if you experiment a bit, you'll notice we now check for assignment before checking for consent), but we're still too far away from the full solution to know when (or even if) we'll get to this.


tkent commented Jul 16, 2024

I just lost half a day coming to understand this situation and finding this issue. Updating documentation in the Azure Portal UI (and, ideally, sending a PR to the terraform docs) would save a lot of wasted time by Azure customers.

Once you understand the situation, you might be unhappy with it, but at least you know what's going on. Figuring out this confusing situation is almost as bad as the situation itself.


Managing access for users and groups in Azure Active Directory

If you want to limit access to Decisions to only a few selected users, this guide shows you how to do so using existing security controls in Azure Active Directory (AD).

Limiting access to Decisions this way is only recommended when you have a limited set of people using Decisions. To manage access to Decisions using Azure AD you need to have the role of either global administrator or application owner.

Step I: Go to the Azure Admin portal at https://portal.azure.com
Step II: Select the "Azure AD" tab and then select the Decisions application under enterprise applications
Step III: Go to properties and set the “User assignment required” to “Yes” and hit “Save”
Step IV: Select “Users and groups”
Step V: Add the users and/or groups who should have access to the Decisions application

Note: Only users (or groups) listed here will have access to use Decisions. When someone not granted access to Decisions tries to use Decisions, it will present them with an authentication error and message informing them that the role assignment is missing. Learn more from Microsoft: Assign users and groups to an application in Azure Active Directory

Tip: To simplify user administration for Decisions, you can turn off User assignment required for the Decisions enterprise application in Azure AD, and instead use the Decisions License Admin. Read more


Understand how users are assigned to apps


This article helps you to understand how users get assigned to an application in your tenant.

How do users get assigned an application in Microsoft Entra ID?

There are several ways a user can be assigned an application. Assignment can be performed by an administrator, a business delegate, or sometimes, the user themselves. The following describes the ways users can get assigned to applications:

An administrator assigns a user to the application directly

An administrator assigns a group that the user is a member of to the application, including:

  • A group that was synchronized from on-premises
  • A static security group created in the cloud
  • A dynamic security group created in the cloud
  • A Microsoft 365 group created in the cloud
  • The All Users group

An administrator enables Self-service Application Access to allow a user to add an application using My Apps Add App feature without business approval

An administrator enables Self-service Application Access to allow a user to add an application using My Apps Add App feature, but only with prior approval from a selected set of business approvers

An administrator enables Self-service Group Management to allow a user to join a group that an application is assigned to without business approval

An administrator enables Self-service Group Management to allow a user to join a group that an application is assigned to, but only with prior approval from a selected set of business approvers

One of the application's roles is included in an entitlement management access package , and a user requests or is assigned to that access package

An administrator assigns a license to a user directly, for a Microsoft service such as Microsoft 365

An administrator assigns a license to a group that the user is a member of, for a Microsoft service.

A user consents to an application on behalf of themselves.


Microsoft Graph: "Need admin approval" for non admin consent required scope "User.ReadBasic.All" during login

I have the following setup:

AAD Directory A with an app registration. The app registration is marked as a Multi-Tenant app and has no permissions requested per default:


During login my webapp redirects to the Microsoft Login like this (nonce and redirect uri are removed):

The scopes are:

  • offline_access
  • User.ReadBasic.All

My test user is in AAD Directory B (and without any special setting that only admins can consent to an application). When I try to login to my application this is the result:


The scope "User.ReadBasic.All" doesn't require an admin consent, but somehow when I remove this requested scope the user can just login to the application without any admin consent.

Question is: Why does the admin consent show up with the "User.ReadBasic.All" scope?

The target would be, that a "normal" user can login to our application without hassling with a tenant wide approval from the administrators. Does the "require admin consent" differ for "Multitenant" applications?

  • azure-active-directory
  • microsoft-graph-api

Robert Muehsig

  • 1 Azure Active Directory -> Enterprise applications -> User settings->Users can consent to apps accessing company data on their behalf If the option is set to No, the normal user will not have the permission to consent the app from another different tenant. –  Sruthi J Commented Aug 13, 2020 at 11:56
  • "Users can consent to apps accessing company data on their behalf" is set to "yes". "Users can consent to apps accessing company data for the groups they own" is set to "yes". Also both "Allow user consent for apps" are selected - so I'm really not sure why the "Admin approval" pops up with the "User.ReadBasic.All" scope :-/ Confusing: User.Read doesn't trigger the "Admin approval" –  Robert Muehsig Commented Aug 13, 2020 at 14:01

4 Answers

I have experienced a similar issue and found that it was because user assignment was required. Check your Enterprise Application under properties and select Assignment Required = No.


MS documents it here

Another scenario in which this error might occur is when the user assignment is required for the application, but no administrator consent was provided. In this case, the administrator must first provide administrator consent.

OjM

Yes, as @Sruthi J said, when you select the Do not allow user consent tab in the Consent and permissions , all applications must require the administrator’s consent. Try to select the Allow user consent for apps tab to solve your problem.

1. Sign in to the Azure portal as a Global Administrator.

2. Select Azure Active Directory > Enterprise applications > Consent and permissions > User consent settings.

3. Under "User consent for applications", select which consent setting you'd like to configure for all users.

4. Select Save to save your settings.


Please see here.


  • "Users can consent to apps accessing company data on their behalf" is set to "yes". "Users can consent to apps accessing company data for the groups they own" is set to "yes". – Robert Muehsig, Aug 13, 2020 at 13:59
  • Also both "Allow user consent for apps" are selected, so I'm really not sure why the "Admin approval" pops up with the "User.ReadBasic.All" scope :-/ Confusing: User.Read doesn't trigger the "Admin approval". – Robert Muehsig, Aug 13, 2020 at 14:01

It is possible user consent is disallowed because of risk-based step-up consent .

You can confirm if this is the case by looking in the audit log (in "AAD Directory B"): Azure portal > Azure AD > Audit logs (under the "Monitoring" category).

When user consent is disallowed due to risk-based protection, a failed "Consent to application" event is emitted under the "ApplicationManagement" category, indicating it failed due to risk-based detections.

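The audit-log check described in the answer above, written out as a small triage script. This is an added example, not code from the thread or from Microsoft. The records it runs over are constructed to mimic the shape of Microsoft Graph `directoryAudit` objects (`category`, `activityDisplayName`, `result`, `resultReason`, `initiatedBy`, `targetResources`) as you would get from an export of the "Audit logs" blade; the `resultReason` wording is illustrative and the real text varies, which is why the script matches it loosely on the word "risk".

```python
"""Triage Azure AD audit-log records for failed 'Consent to application' events.

Added example. The sample records are constructed, not a real export, and
the resultReason strings are illustrative only.
"""
import json
from typing import Dict, List

# Constructed sample export: one consent blocked by risk-based step-up,
# one ordinary successful consent, one unrelated failure in another category.
SAMPLE_AUDIT_JSON = json.dumps([
    {
        "activityDateTime": "2020-08-13T11:52:10Z",
        "category": "ApplicationManagement",
        "activityDisplayName": "Consent to application",
        "result": "failure",
        "resultReason": "Consent blocked by risk-based step-up consent",  # constructed wording
        "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
        "targetResources": [{"displayName": "Fancy App", "type": "ServicePrincipal"}],
    },
    {
        "activityDateTime": "2020-08-13T11:53:44Z",
        "category": "ApplicationManagement",
        "activityDisplayName": "Consent to application",
        "result": "success",
        "resultReason": "",
        "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
        "targetResources": [{"displayName": "Fancy App", "type": "ServicePrincipal"}],
    },
    {
        "activityDateTime": "2020-08-13T11:54:01Z",
        "category": "UserManagement",
        "activityDisplayName": "Update user",
        "result": "failure",
        "resultReason": "Insufficient privileges",
        "initiatedBy": {"user": {"userPrincipalName": "carol@contoso.example"}},
        "targetResources": [{"displayName": "dave@contoso.example", "type": "User"}],
    },
])


def failed_consents(audit_json: str) -> List[Dict[str, object]]:
    """Return the failed consent events, flagging those that look risk-based.

    Filters on the three fields the answer names: category
    ApplicationManagement, activity 'Consent to application', result failure.
    """
    findings: List[Dict[str, object]] = []
    for ev in json.loads(audit_json):
        if ev.get("category") != "ApplicationManagement":
            continue
        if ev.get("activityDisplayName") != "Consent to application":
            continue
        if (ev.get("result") or "").lower() != "failure":
            continue
        reason = ev.get("resultReason") or ""
        actor = (ev.get("initiatedBy") or {}).get("user") or {}
        targets = ev.get("targetResources") or [{}]
        findings.append({
            "when": ev.get("activityDateTime", ""),
            "who": actor.get("userPrincipalName", "<unknown>"),
            "app": targets[0].get("displayName", "<unknown>"),
            "reason": reason,
            # Heuristic: the exact reason text varies, so match loosely on "risk".
            "risk_based": "risk" in reason.lower(),
        })
    return findings


if __name__ == "__main__":
    for finding in failed_consents(SAMPLE_AUDIT_JSON):
        print(finding)
```

A `risk_based` hit means the tenant's risk-based step-up consent blocked the user, so the fix is administrator consent (or a consent request workflow), not a change to the app's permissions; a failed consent without that flag points back at the other causes discussed on this page.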

In Multi-tenant scenarios

If this is the first time a user from another tenant is logging in, and your app requires permissions that need administrator consent, the first user who signs in must be an admin.

You should have some kind of onboarding flow in which you include prompt=admin_consent in the authorize URL as above. Though this time you would use common instead of a tenant id/domain:

Please refer to this document


  • This makes sense, but all the above listed app permissions don't require admin consent, or do I miss something? – Robert Muehsig, Aug 14, 2020 at 6:13
  • Yes, some permissions don't require admin consent. Please refer to this document. – Sruthi J, Aug 14, 2020 at 18:30
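Pulling the thread's answers together as code: a pre-flight that applies the three causes of "Need admin approval" named above (assignment required per OjM's answer, tenant-wide user consent disabled per Carl Zhao's answer, an admin-only permission requested per Sruthi J's answer), and the multi-tenant onboarding URL Sruthi J describes. This is an added example, not code from the thread or from Microsoft. It assumes the service principal is represented as the Microsoft Graph `servicePrincipal` object, whose `appRoleAssignmentRequired` property is what the portal labels "User assignment required"; the tenant consent flag and the set of admin-only scopes are supplied by the caller rather than looked up. The thread's `prompt=admin_consent` is the v1 authorize-endpoint form; the code below uses the v2 endpoint's dedicated `/v2.0/adminconsent` URL against `common`, which grants the same tenant-wide consent, and validates the redirect back.

```python
"""Pre-flight and onboarding helpers for the 'Need admin approval' cases above.

Added example. appRoleAssignmentRequired is the Graph servicePrincipal
property behind "User assignment required"; user_consent_allowed and
admin_only_scopes are caller-supplied inputs, not looked up from the tenant.
"""
import secrets
from typing import Iterable, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed service principal with the placeholder appId; only the
# appRoleAssignmentRequired flag matters here.
SP_ASSIGNMENT_REQUIRED = {
    "appId": "00000000-0000-0000-0000-000000000000",  # placeholder, not a real app
    "appRoleAssignmentRequired": True,
}


def admin_consent_needed(service_principal: dict,
                         user_consent_allowed: bool,
                         requested_scopes: Iterable[str],
                         admin_only_scopes: Iterable[str]) -> Tuple[bool, str]:
    """Return (needs_admin, reason), checking the thread's three causes in order."""
    if service_principal.get("appRoleAssignmentRequired", False):
        return True, "assignment required: user consent is not offered, an admin must consent first"
    if not user_consent_allowed:
        return True, "tenant policy: user consent is disabled for all apps"
    blocked = sorted(set(requested_scopes) & set(admin_only_scopes))
    if blocked:
        return True, "admin-only permission(s) requested: " + ", ".join(blocked)
    return False, "user consent should be offered"


def admin_consent_url(client_id: str, redirect_uri: str,
                      scopes: Iterable[str], tenant: str = "common") -> Tuple[str, str]:
    """Build the tenant-wide consent URL for onboarding a new tenant.

    Uses `common` by default because the admin's tenant is not known yet.
    Returns (url, state); store state server-side and check it on the callback.
    """
    state = secrets.token_urlsafe(32)
    query = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    url = f"https://login.microsoftonline.com/{tenant}/v2.0/adminconsent?" + urlencode(query)
    return url, state


def parse_consent_callback(callback_url: str, expected_state: str) -> Tuple[bool, str]:
    """Validate the redirect back from the consent endpoint.

    Returns (ok, tenant_id) on success or (False, reason) otherwise. The state
    check runs first so a forged or mixed-up callback is rejected before any
    other parameter is trusted.
    """
    qs = parse_qs(urlparse(callback_url).query)
    got_state = qs.get("state", [""])[0]
    if not secrets.compare_digest(got_state.encode(), expected_state.encode()):
        return False, "state mismatch"
    if "error" in qs:
        return False, qs.get("error_description", qs["error"])[0]
    if qs.get("admin_consent", [""])[0].lower() != "true":
        return False, "admin_consent not granted"
    return True, qs.get("tenant", [""])[0]


if __name__ == "__main__":
    print(admin_consent_needed(SP_ASSIGNMENT_REQUIRED, True, ["User.ReadBasic.All"], set()))
    url, state = admin_consent_url("client-id-placeholder", "https://app.example/callback",
                                   ["openid", "User.ReadBasic.All"])
    print(url)
```

Run the pre-flight before sending a user to sign in: with assignment required, even a scope that is normally user-consentable comes back as needing an admin, which is exactly the behaviour the question describes for User.ReadBasic.All. The `tenant` value returned from a successful callback is what you store to key later sign-ins to that customer's directory instead of `common`.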

COMMENTS

  1. The consequences of enabling the 'user assignment required' option in

    Applications in Azure Active Directory have an option labelled "user assignment required". In this blog post, we'll talk about how this affects an application. 💡 Quick heads-up — all the examples in this blog post are based on a web application using AAD as its identity provider through the OpenID Connect protocol.

  2. Manage users and groups assignment to an application

    Enter the name of the existing application in the search box, and then select the application from the search results. Select Users and groups, and then select Add user/group. On the Add Assignment pane, select None Selected under Users and groups. Search for and select the user or group that you want to assign to the application.

  3. Azure AD application

    It's working fine for existing users. However, we recently added a new user from the Enterprise Applications section for that app, and he is not able to log in. He gets the 'Need admin approval' message. When we disable the 'User Assignment Required' option, it works fine for him as well. Please advise.

  4. What API permission is needed when enabling User assignment required

    If the User assignment required is set to Yes, I notice it will not promote the user to consent the permissions. (e.g. user_impersonation in the Azure Service Management API.) To fix the issue, we need the admin consent to the App, just navigate to the API permissions, click the Grant the admin consent for xxx button, then it will work fine.

  5. REG:User assignment required? FLAG

    Here is the complete details. 1 While creating the Azure Application we added two API application permissions to the application( User.Invite.All and AppRoleAssignment.ReadWrite.All

  6. Getting Need admin approval after enabling "Assignment required" in

    I have created a multi tenant application in azure which needs user consent for using basic user data in Microsoft tenant. The first-time users are prompted to consent. But when I enabled "Assignment required" for the enterprise application…

  7. [Azure AD] Enterprise Applications User Assignment Required

    Search Comments. Joey129_. • 4 yr. ago. If it's turned off then it means that any user in the directory (including guest users) can access the app. If it's turned on, it's self explanatory; only those assigned can access it. Those that don't have access will receive a message stating something similar to this: AADSTS50105: The signed ...

  8. Change User Assignment required to Yes using powershell/azure CLI for

    Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

  9. Azure AD application

    Azure AD application - User assignment required option enabled, newly added user can't loginHelpful? Please support me on Patreon: https://www.patreon.com/r...

  10. Restrict a Microsoft Entra app to a set of users

    Browse to Identity > Applications > Enterprise applications, then select All applications. Select the application you want to configure to require assignment. Use the filters at the top of the window to search for a specific application. On the application's Overview page, under Manage, select Properties.

  11. Not clear that tenant-wide admin consent is required after ...

    So, currently, Azure AD simply disallows all user consent when the app requires assignment. It's not a perfect solution, but it adresses the majority of scenarios. @magichappens89 Regarding least privilege: keep in mind that a delegated permission grant is the permission to act on behalf of a signed-in user.

  12. Azure Permissions 101: How to manage Azure access effectively

    Azure AD Roles . This is used when you deal with Azure AD itself or services of which roles are stored in Azure AD like SharePoint, Exchange, or Dynamics 365. Dealing with Azure AD roles might be required during multiple instances, for example using service which creates service principals in the backend like app registration.

  13. User assignment required off with common tenant gives error AADSTS50105

    We have an Enterprise application configured in Azure Active Directory with "User assignment required" turned off (screenshot attached for reference). ... We had a client update their tenant and turn off "User Assignment Required", but that did not resolve the issue with using the "common" tenant ID. 0 votes Report a concern.

  14. Managing access for users and groups in Azure Active Directory

    Step I: Go to the Azure Admin portal at https://portal.azure.com. Step II: Select the "Azure AD" tab and then select the Decisions application under enterprise applications. Step III: Go to properties and set the "User assignment required" to "Yes" and hit "Save". Step IV: Select "Users and groups". Step V: Add the users and/or ...

  15. Properties of an enterprise application

    Regardless of whether assignment is required or not, only assigned users are able to see this application in the My Apps portal. If you want certain users to see the application in the My Apps portal, but everyone to be able to access it, assign the users in the Users and Groups tab, and set assignment required to No.

  16. Azure AD User assignment required for "multi-tenant wiht Personal

    Azure AD User assignment required for "multi-tenant with Personal accounts" application type. Ask Question Asked 3 years, 9 months ago. Modified 3 years, ... "user assignment required" feature should only be available to the AAD tenant rather than personal Microsoft account. We can only assign AAD users (including guest users) to the app. ...

  17. Understand how users are assigned to apps

    Assignment can be performed by an administrator, a business delegate, or sometimes, the user themselves. Below describes the ways users can get assigned to applications: An administrator assigns a license to a group that the user is a member of, for a Microsoft service. A user consents to an application on behalf of themselves.

  18. azure active directory

    Yes, as @Sruthi J said, when you select the Do not allow user consent tab in the Consent and permissions, all applications must require the administrator's consent.Try to select the Allow user consent for apps tab to solve your problem.. 1.Sign in to the Azure portal as a Global Administrator. 2.Select Azure Active Directory > Enterprise applications > Consent and permissions > User consent ...