Merge pull request #249965 from omondiatieno/assign-user

prmerger-automator[bot] · web-flow · commit 2dee6f79c01e · 2023-09-01T05:41:30.000Z
Assign user and group portal updates
diff --git a/articles/active-directory/manage-apps/assign-user-or-group-access-portal.md b/articles/active-directory/manage-apps/assign-user-or-group-access-portal.md
@@ -1,5 +1,5 @@
 ---
-title: Assign users and groups
+title: Manage users and groups assignment to an application
 description: Learn how to assign and unassign users, and groups, for an app using Azure Active Directory for identity management.
 services: active-directory
 author: omondiatieno
@@ -16,7 +16,7 @@ zone_pivot_groups: enterprise-apps-all
 #customer intent: As an admin, I want to manage user assignment for an app in Azure Active Directory using PowerShell
 ---
 
-# Assign users and groups to an application
+# Manage users and groups assignment to an application
 
 This article shows you how to assign users and groups to an enterprise application in Azure Active Directory (Azure AD) using PowerShell. When you assign a user to an application, the application appears in the user's [My Apps](https://myapps.microsoft.com/) portal for easy access. If the application exposes app roles, you can also assign a specific app role to the user.
 
@@ -36,13 +36,16 @@ To assign users to an enterprise application, you need:
 - One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.
 - Azure Active Directory Premium P1 or P2 for group-based assignment. For more licensing requirements for the features discussed in this article, see the [Azure Active Directory pricing page](https://azure.microsoft.com/pricing/details/active-directory).
 
-
+## Assign users, and groups, to an application
+ 
 :::zone pivot="portal"
 
 To assign a user or group account to an enterprise application:
 
-1. Sign in to the [Azure portal](https://portal.azure.com), then select **Enterprise applications**, and then search for and select the application to which you want to assign the user or group account.
-1. Browse to **Azure Active Directory** > **Users and groups**, and then select **Add user/group**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). 
+1. Browse to **Identity** > **Applications** > **Enterprise applications** > **All applications**.
+1. Enter the name of the existing application in the search box, and then select the application from the search results.
+1. Select **Users and groups**, and then select **Add user/group**.
 
     :::image type="content" source="media/add-application-portal-assign-users/assign-user.png" alt-text="Assign user account to an application in your Azure AD tenant.":::
 
@@ -51,12 +54,18 @@ To assign a user or group account to an enterprise application:
 1. Select **Select**.
 1. On the **Add Assignment** pane, select **Assign** at the bottom of the pane.
 
+## Unassign users, and groups, from an application
+
+1. Follow the steps on the [Assign users, and groups, to an application](#assign-users-and-groups-to-an-application) section to navigate to the **Users and groups** pane.
+1. Search for and select the user or group that you want to unassign from the application.
+1. Select **Remove** to unassign the user or group from the application.
+
 :::zone-end
 
 :::zone pivot="aad-powershell"
 
 1. Open an elevated Windows PowerShell command prompt.
-1. Run `Connect-AzureAD -Scopes "Application.Read.All", "Directory.Read.All", "Application.ReadWrite.All", "Directory.ReadWrite.All"` and sign in with a Global Administrator user account.
+1. Run `Connect-AzureAD` and sign in as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
 1. Use the following script to assign a user and role to an application:
 
     ```powershell
@@ -118,7 +127,8 @@ This example assigns the user Britta Simon to the Microsoft Workplace Analytics
 ## Unassign users, and groups, from an application
 
 1. Open an elevated Windows PowerShell command prompt.
-1. Run `Connect-AzureAD -Scopes "Application.ReadWrite.All", "Directory.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"` and sign in with a Global Administrator user account. Use the following script to remove a user and role from an application.
+1. Run `Connect-AzureAD` and sign in as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
+1. Use the following script to remove a user and role from an application.
 
     ```powershell
     # Store the proper parameters
@@ -165,7 +175,7 @@ $assignments | ForEach-Object {
 :::zone pivot="ms-powershell"
 
 1. Open an elevated Windows PowerShell command prompt.
-1. Run `Connect-MgGraph -Scopes "Application.ReadWrite.All", "Directory.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"` and sign in with a Global Administrator user account.
+1. Run `Connect-MgGraph -Scopes "Application.ReadWrite.All", "Directory.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"` and sign in as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
 1. Use the following script to assign a user and role to an application:
 
 ```powershell    
@@ -194,7 +204,7 @@ New-MgUserAppRoleAssignment -UserId $userId -BodyParameter $params |
 ## Unassign users, and groups, from an application
 
 1. Open an elevated Windows PowerShell command prompt.
-1. Run `Connect-MgGraph -Scopes "Application.ReadWrite.All", "Directory.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"` and sign in with a Global Administrator user account. Use the following script to remove a user and role from an application.
+1. Run `Connect-MgGraph -Scopes "Application.ReadWrite.All", "Directory.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"` and sign in as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). Use the following script to remove a user and role from an application.
 ```powershell
 # Get the user and the service principal
 
@@ -229,7 +239,7 @@ $assignments | ForEach-Object {
 
 :::zone pivot="ms-graph"
 
-1. To assign users and groups to an application, sign in to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) with one of the roles listed in the prerequisite section.
+1. To assign users and groups to an application, sign in to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer)as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
 
     You'll need to consent to the following permissions: 
 
@@ -269,6 +279,7 @@ $assignments | ForEach-Object {
     In the example, both the resource-servicePrincipal-id and resourceId represent the enterprise application.
 
 ## Unassign users, and groups, from an application
+
 To unassign user and groups from the application, run the following query.
 
 1. Get the enterprise application. Filter by displayName.
