Commit 6cd49d3

revise per feedback
1 parent af6bf99 commit 6cd49d3

4 files changed, +70 -64 lines changed

articles/active-directory/manage-apps/assign-user-or-group-access-portal.md

Lines changed: 50 additions & 31 deletions
@@ -8,54 +8,67 @@ ms.service: active-directory
88
ms.subservice: app-mgmt
99
ms.workload: identity
1010
ms.topic: conceptual
11-
ms.date: 10/24/2019
11+
ms.date: 02/21/2020
1212
ms.author: mimart
1313
ms.reviewer: luleon
1414
ms.collection: M365-identity-device-management
1515
---
1616

1717
# Assign a user or group to an enterprise app in Azure Active Directory
1818

19-
To assign a user or group to an enterprise app, you should have assigned any of these admin roles: global administrator, application administrator, cloud application administrator or be assigned as the owner of the enterprise app. For Microsoft Applications (such as Office 365 apps), use PowerShell to assign users to an enterprise app.
19+
This article shows you how to assign users or groups to enterprise applications in Azure Active Directory (Azure AD), either from within the Azure portal or by using PowerShell. When you assign a user to an application, the application appears in the user's [My Apps](https://myapps.microsoft.com/) access panel so they can easily access it.
20+
21+
For greater control over who can access an application, certain types of enterprise applications can be configured to *require* user assignment. With this option, you can limit access to only those users or groups that you've assigned to the application. If you don't require user assignment, all your users can navigate directly to the application’s URL (known as service provider-initiated sign-on), or they can use the **User Access URL** on an application’s **Properties** page (known as identity provider-initiated sign on). But by requiring user assignment, only those users you've assigned to the application can access it.
22+
23+
To assign a user or group to an enterprise app, you'll need to sign in as a global administrator, application administrator, cloud application administrator, or the assigned owner of the enterprise app.
24+
25+
If you want to assign users to Microsoft Applications such as Office 365 apps, use PowerShell. You can also show or hide Office 365 applications in the My Apps access panel by [setting an option in the Enterprise applications **User settings**](hide-application-from-user-portal.md).
2026

2127
> [!NOTE]
22-
> For licensing requirements for the features discussed in this article, see the [Azure Active Directory pricing page](https://azure.microsoft.com/pricing/details/active-directory).
28+
> Group-based assignment requires a paid Azure AD subscription and is determined by your [license agreement](https://azure.microsoft.com/pricing/details/active-directory). Group-based assignment is supported for Security groups only. Nested group memberships and Office 365 groups are not currently supported.
2329
24-
## Assign a user to an app - portal
30+
## Configure an application to require user assignment
2531

26-
1. Sign in to the [Azure portal](https://portal.azure.com) with an account that's a global admin for the directory.
27-
1. Select **All services**, enter Azure Active Directory in the text box, and then select **Enter**.
28-
1. Select **Enterprise applications**.
29-
1. On the **Enterprise applications - All applications** pane, you see a list of the apps you can manage. Select an app.
30-
1. On the ***appname*** pane (that is, the pane with the name of the selected app in the title), select **Users & Groups**.
31-
1. On the ***appname*** **- User and groups** pane, select **Add user**.
32-
1. On the **Add Assignment** pane, select **Users and groups**.
32+
With the following types of applications, you have the option of requiring users to be assigned to the application before they can access it:
3333

34-
![Assign a user or group to the app](./media/assign-user-or-group-access-portal/assign-users.png)
34+
- Applications configured for federated single sign-on (SSO) with SAML-based authentication
35+
- Application Proxy applications that use Azure Active Directory Pre-Authentication
36+
- Applications built on the Azure AD application platform that use OAuth 2.0 / OpenID Connect Authentication after a user or admin has consented to that application.
37+
38+
When assignment is not required, either because you've set this option to **No** or because the application uses another SSO mode, users can access the application with a direct link. Note that this setting doesn't affect whether or not an application appears on the My Apps access panel. Applications appear on users' My Apps access panels once you've assigned a user or group to the application.
39+
40+
To require assignment:
41+
42+
1. Sign in to the [Azure portal](https://portal.azure.com) with an administrator account, or as an owner of the application.
3543

36-
1. On the **Users and groups** pane, select one or more users or groups from the list and then choose the **Select** button at the bottom of the pane.
37-
1. On the **Add Assignment** pane, select **Role**. Then, on the **Select Role** pane, select a role to apply to the selected users or groups, then select **OK** at the bottom of the pane.
38-
1. On the **Add Assignment** pane, select the **Assign** button at the bottom of the pane. The assigned users or groups have the permissions defined by the selected role for this enterprise app.
44+
2. Select **Azure Active Directory**. In the left navigation menu, select **Enterprise applications**.
3945

40-
## Allow all users to access an app - portal
46+
3. Select the application from the list. If you don't see the application, start typing its name in the search box. Or use the filter controls to select the application type, status, or visibility, and then select **Apply**.
4147

42-
1. Sign in to the [Azure portal](https://portal.azure.com) with an account that's a global admin for the directory.
43-
1. Select **All services**, enter Azure Active Directory in the text box, and then select **Enter**.
44-
1. Select **Enterprise applications**.
45-
1. On the **Enterprise applications** pane, select **All applications**. This lists the apps you can manage.
46-
1. On the **Enterprise applications - All applications** pane, select an app.
47-
1. On the ***appname*** pane, select **Properties**.
48-
1. On the ***appname* - Properties** pane, set the **User assignment required?** setting to **No**.
48+
4. In the left navigation menu, select **Properties**.
4949

50-
The **User assignment required?** option:
50+
5. Make sure the **User assignment required?** toggle is set to **Yes**.
5151

52-
- If this option is set to yes, then users must first be assigned to this application before being able to access it.
53-
- If this option is set to no, then any users who navigate to the application deep-link URL or application URL directly will be granted access
54-
- Doesn't affect whether or not an application appears on the application access panel. To show the application on the access panel, you need to assign an appropriate user or group to the application.
55-
- Only functions with the cloud applications that are configured for SAML single sign-on, Application Proxy applications that use Azure Active Directory Pre-Authentication or applications built directly on the Azure AD application platform that use OAuth 2.0 / OpenID Connect Authentication after a user or admin has consented to that application. See [Single sign-on for applications](what-is-single-sign-on.md). See [Configure the way end-users consent to an application](configure-user-consent.md).
56-
- This option has no effect when an application is configured for any of the other Single Sign-on modes.
52+
6. Select the **Save** button at the top of the screen.
5753

58-
## Assign a user to an app - PowerShell
54+
## Assign users or groups to an app via the Azure portal
55+
56+
1. Sign in to the [Azure portal](https://portal.azure.com) with an administrator account, or as an owner of the application.
57+
2. Select **Azure Active Directory**. In the left navigation menu, select **Enterprise applications**.
58+
3. Select the application from the list. If you don't see the application, start typing its name in the search box. Or use the filter controls to select the application type, status, or visibility, and then select **Apply**.
59+
4. In the left navigation menu, select **Users and groups**.
60+
5. Select the **Add user** button.
61+
6. On the **Add Assignment** pane, select **Users and groups**.
62+
7. Select the user or group you want to assign to the application, or start typing the name of the user or group in the search box. You can choose multiple users and groups, and your selections will appear under **Selected items**.
63+
8. When finished, click **Select**.
64+
65+
![Assign a user or group to the app](./media/assign-user-or-group-access-portal/assign-users.png)
66+
67+
9. On the **Users and groups** pane, select one or more users or groups from the list and then choose the **Select** button at the bottom of the pane.
68+
10. If the application supports it, you can assign a role to the user or group. On the **Add Assignment** pane, select **Role**. Then, on the **Select Role** pane, choose a role to apply to the selected users or groups, then select **OK** at the bottom of the pane. Otherwise, the default access role is assigned, which means the application manages the level of access users have.
69+
11. On the **Add Assignment** pane, select the **Assign** button at the bottom of the pane.
70+
71+
## Assign users or groups to an app via PowerShell
5972

6073
1. Open an elevated Windows PowerShell command prompt.
6174

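Review bot: New step 9 (added line 67, "On the **Users and groups** pane, select one or more users or groups from the list and then choose the **Select** button") repeats what new steps 7 and 8 already cover and reads like a leftover of old line 36; drop it and renumber the remaining steps. The image at added line 65 is not indented under step 8, so it will interrupt the numbered list; indent it to keep the numbering continuous. In the paragraph at added line 21, "service provider-initiated sign-on" and "identity provider-initiated sign on" are hyphenated differently; pick one form. Because that paragraph presents required assignment as the access restriction, step 5 of "To require assignment" would be clearer if it also said what **No** means, as the paragraph at added line 38 does: users can reach the application with a direct link.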
@@ -123,7 +136,13 @@ This example assigns the user Britta Simon to the [Microsoft Workplace Analytics
123136
New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $sp.ObjectId -Id $appRole.Id
124137
```
125138
126-
## Next steps
139+
## Related articles
140+
141+
- [Learn more about end-user access to applications](end-user-experiences.md)
142+
- [Plan an Azure AD access panel deployment](access-panel-deployment-plan.md)
143+
- [Managing access to apps](what-is-access-management.md)
144+
-
145+
- ## Next steps
127146
128147
- [See all of my groups](../fundamentals/active-directory-groups-view-azure-portal.md)
129148
- [Remove a user or group assignment from an enterprise app](remove-user-or-group-access-portal.md)
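Review bot: Added lines 144 and 145 look like an editing slip: line 144 is a lone "-" bullet and line 145 reads "- ## Next steps", so the heading will render as a list item under "Related articles" instead of as a section heading. Remove the empty bullet, leave a blank line after the last related link, and restore the line as "## Next steps".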

articles/active-directory/manage-apps/manage-self-service-access.md

Lines changed: 18 additions & 30 deletions
@@ -20,13 +20,13 @@ ms.collection: M365-identity-device-management
2020

2121
# How to configure self-service application assignment
2222

23-
Before your users can self-discover applications from their access panel, you need to enable **Self-service application access** to any applications that you wish to allow users to self-discover and request access to. This functionality is available for applications that were added from the [Azure AD Gallery](https://docs.microsoft.com/azure/active-directory/manage-apps/add-gallery-app), [Azure AD Application Proxy](https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy) or were added via [user or admin consent](https://docs.microsoft.com/azure/active-directory/develop/application-consent-experience).
23+
Before your users can self-discover applications from their My Apps access panel, you need to enable **Self-service application access** to any applications that you wish to allow users to self-discover and request access to. This functionality is available for applications that were added from the [Azure AD Gallery](https://docs.microsoft.com/azure/active-directory/manage-apps/add-gallery-app), [Azure AD Application Proxy](https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy) or were added via [user or admin consent](https://docs.microsoft.com/azure/active-directory/develop/application-consent-experience).
2424

2525
This feature is a great way for you to save time and money as an IT group, and is highly recommended as part of a modern applications deployment with Azure Active Directory.
2626

2727
Using this feature, you can:
2828

29-
- Let users self-discover applications from the [Application Access Panel](https://myapps.microsoft.com/) without bothering the IT group.
29+
- Let users self-discover applications from the [My Apps access panel](https://myapps.microsoft.com/) without bothering the IT group.
3030

3131
- Add those users to a pre-configured group so you can see who has requested access, remove access, and manage the roles assigned to them.
3232

@@ -40,51 +40,39 @@ Using this feature, you can:
4040

4141
## Enable self-service application access to allow users to find their own applications
4242

43-
Self-service application access is a great way to allow users to self-discover applications, optionally allow the business group to approve access to those applications. You can allow the business group to manage the credentials assigned to those users for Password Single-Sign On Applications right from their access panels.
43+
Self-service application access is a great way to allow users to self-discover applications, and optionally allow the business group to approve access to those applications. For password single-sign on applications, you can also allow the business group to manage the credentials assigned to those users from their own My Apps access panels.
4444

4545
To enable self-service application access to an application, follow the steps below:
4646

47-
1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator.**
47+
1. Sign in to the [Azure portal](https://portal.azure.com) as a Global Administrator.
4848

49-
2. Open the **Azure Active Directory Extension** by clicking **All services** at the top of the main left hand navigation menu.
49+
2. Select **Azure Active Directory**. In the left navigation menu, select **Enterprise applications**.
5050

51-
3. Type in **“Azure Active Directory**” in the filter search box and select the **Azure Active Directory** item.
51+
3. Select the application from the list. If you don't see the application, start typing its name in the search box. Or use the filter controls to select the application type, status, or visibility, and then select **Apply**.
5252

53-
4. click **Enterprise Applications** from the Azure Active Directory left hand navigation menu.
53+
4. In the left navigation menu, select **Self-service**.
5454

55-
5. click **All Applications** to view a list of all your applications.
55+
5. To enable Self-service application access for this application, turn the **Allow users to request access to this application?** toggle to **Yes.**
5656

57-
* If you do not see the application you want show up here, use the **Filter** control at the top of the **All Applications List** and set the **Show** option to **All Applications.**
58-
59-
6. Select the application you want to enable Self-service access to from the list.
60-
61-
7. Once the application loads, click **Self-service** from the application’s left hand navigation menu.
62-
63-
8. To enable Self-service application access for this application, turn the **Allow users to request access to this application?** toggle to **Yes.**
64-
65-
9. Next, to select the group to which users who request access to this application should be added, click the selector next to the label **To which group should assigned users be added?** and select a group.
57+
6. Next to **To which group should assigned users be added?**, click **Select group**. Choose a group, and then click **Select**. When a user's request is approved, they'll be added to this group. When viewing this group's membership, you'll be able to see who has been granted access to the application through self-service access.
6658

6759
> [!NOTE]
68-
> Groups synchronized from on-premises are not supported to be used for the group to which users who request access to this application should be added.
69-
70-
10. **Optional:** If you wish to require a business approval before users are allowed access, set the **Require approval before granting access to this application?** toggle to **Yes**.
60+
> This setting doesn't support groups synchronized from on-premises.
7161
72-
11. **Optional: For applications using password single-sign on only,** if you wish to allow those business approvers to specify the passwords that are sent to this application for approved users, set the **Allow approvers to set user’s passwords for this application?** toggle to **Yes**.
62+
7. **Optional:** To require business approval before users are allowed access, set the **Require approval before granting access to this application?** toggle to **Yes**.
7363

74-
12. **Optional:** To specify the business approvers who are allowed to approve access to this application, click the selector next to the label **Who is allowed to approve access to this application?** to select up to 10 individual business approvers.
64+
8. **Optional: For applications using password single-sign on only,** to allow business approvers to specify the passwords that are sent to this application for approved users, set the **Allow approvers to set user’s passwords for this application?** toggle to **Yes**.
7565

76-
> [!NOTE]
77-
> Groups are not supported.
78-
>
79-
>
66+
9. **Optional:** To specify the business approvers who are allowed to approve access to this application, next to **Who is allowed to approve access to this application?**, click **Select approvers**, and then select up to 10 individual business approvers. Then click **Select**.
8067

81-
13. **Optional:** **For applications which expose roles**, if you wish to assign self-service approved users to a role, click the selector next to the **To which role should users be assigned in this application?** to select the role to which these users should be assigned.
68+
>[!NOTE]
69+
>Groups are not supported. You can select up to 10 individual business approvers. If you specify multiple approvers, any single approver can approve an access request.
8270
83-
14. Click the **Save** button at the top of the blade to finish.
71+
10. **Optional:** **For applications that expose roles**, to assign self-service approved users to a role, next to the **To which role should users be assigned in this application?**, click **Select Role**, and then choose the role to which these users should be assigned. Then click **Select**.
8472

85-
Once you complete Self-service application configuration, users can navigate to their [Application Access Panel](https://myapps.microsoft.com/) and click the **+Add** button to find the apps to which you have enabled Self-service access. Business approvers also see a notification in their [Application Access Panel](https://myapps.microsoft.com/). You can enable an email notifying them when a user has requested access to an application that requires their approval.
73+
11. Click the **Save** button at the top of the pane to finish.
8674

87-
These approvals support single approval workflows only, meaning that if you specify multiple approvers, any single approver may approver access to the application.
75+
Once you complete Self-service application configuration, users can navigate to their [My Apps access panel](https://myapps.microsoft.com/) and click the **Add self-service apps** button to find the apps that are enable with self-service access. Business approvers also see a notification in their [My Apps access panel](https://myapps.microsoft.com/). You can enable an email notifying them when a user has requested access to an application that requires their approval.
8876

8977
## Next steps
9078
[Setting up Azure Active Directory for self-service group management](../users-groups-roles/groups-self-service-management.md)
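Review bot: Typo in added line 75: "find the apps that are enable with self-service access" should read "enabled for self-service access". The note added at lines 68-69 is written ">[!NOTE]" with no space after ">", unlike "> [!NOTE]" at line 59, and it repeats the "up to 10 individual business approvers" limit that step 9 already states; keep only "Groups are not supported" and the sentence that any single approver can approve a request. Neither note is indented under its step, so the numbered list may restart after it. Step 1 still asks for a Global Administrator, while assign-user-or-group-access-portal.md in this same commit accepts an administrator account or the application owner; please confirm the stricter role is required here, and if it is not, name the narrower roles.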

articles/active-directory/manage-apps/methods-for-assigning-users-and-groups.md

Lines changed: 1 addition & 0 deletions
@@ -15,6 +15,7 @@ ms.date: 04/26/2019
1515
ms.author: mimart
1616

1717
ms.collection: M365-identity-device-management
18+
ROBOTS: NOINDEX
1819
---
1920

2021
# Assign users and groups to an application in Azure Active Directory
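Review bot: Adding "ROBOTS: NOINDEX" at line 18 only hides this page from search; the file stays published, and this commit also drops its entry from toc.yml, so existing links will still land on it with nothing pointing readers to assign-user-or-group-access-portal.md. Consider a short note at the top of the article directing readers there, or retire the file with a redirect. The hunk header also shows ms.date still at 04/26/2019 although the metadata block changed.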

articles/active-directory/manage-apps/toc.yml

Lines changed: 1 addition & 3 deletions
@@ -139,9 +139,7 @@
139139
href: grant-admin-consent.md
140140
- name: Configure admin consent workflow (preview)
141141
href: configure-admin-consent-workflow.md
142-
- name: Methods for assigning users and groups to an app
143-
href: methods-for-assigning-users-and-groups.md
144-
- name: Assign a user to an app
142+
- name: Assign a user or group to an app
145143
href: assign-user-or-group-access-portal.md
146144
- name: Create collections on My Apps
147145
href: access-panel-collections.md
