MicrosoftDocs
diff --git a/‎.openpublishing.redirection.json
Lines changed: 10 additions & 5 deletions b/‎.openpublishing.redirection.json
Lines changed: 10 additions & 5 deletions
diff --git a/‎articles/active-directory/hybrid/how-to-connect-fed-group-claims.md
Lines changed: 2 additions & 2 deletions b/‎articles/active-directory/hybrid/how-to-connect-fed-group-claims.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/active-directory/manage-apps/assign-user-or-group-access-portal.md
Lines changed: 61 additions & 30 deletions b/‎articles/active-directory/manage-apps/assign-user-or-group-access-portal.md
Lines changed: 61 additions & 30 deletions
@@ -36826,8 +36826,13 @@
     },
     {
       "source_path": "articles/active-directory/application-access-assignment-how-to-add-assignment.md",
-      "redirect_url": "/azure/active-directory/manage-apps/methods-for-assigning-users-and-groups",
-      "redirect_document_id": true
+      "redirect_url": "/azure/active-directory/manage-apps/assign-user-or-group-access-portal",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/active-directory/manage-apps/methods-for-assigning-users-and-groups.md",
+      "redirect_url": "/azure/active-directory/manage-apps/assign-user-or-group-access-portal",
+      "redirect_document_id": false
     },
     {
       "source_path": "articles/active-directory/application-access-assignment-how-to-remove-assignment.md",
@@ -37156,17 +37161,17 @@
     },
     {
       "source_path": "articles/active-directory/active-directory-applications-guiding-developers-requiring-user-assignment.md",
-      "redirect_url": "/azure/active-directory/manage-apps/methods-for-assigning-users-and-groups",
+      "redirect_url": "/azure/active-directory/manage-apps/assign-user-or-group-access-portal",
       "redirect_document_id": false
     },
     {
       "source_path": "articles/active-directory/active-directory-applications-guiding-developers-assigning-users.md",
-      "redirect_url": "/azure/active-directory/manage-apps/methods-for-assigning-users-and-groups",
+      "redirect_url": "/azure/active-directory/manage-apps/assign-user-or-group-access-portal",
       "redirect_document_id": false
     },
     {
       "source_path": "articles/active-directory/active-directory-applications-guiding-developers-assigning-groups.md",
-      "redirect_url": "/azure/active-directory/manage-apps/methods-for-assigning-users-and-groups",
+      "redirect_url": "/azure/active-directory/manage-apps/assign-user-or-group-access-portal",
       "redirect_document_id": false
     },
     {
 
@@ -104,7 +104,7 @@ Groups assigned to the application will be included in the token.  Other groups
 
 To change the groups assigned to the application, select the application from the **Enterprise Applications** list and then click **Users and Groups** from the application’s left-hand navigation menu.
 
-See the document [Methods for assigning users and groups to an app](../../active-directory/manage-apps/methods-for-assigning-users-and-groups.md#assign-groups) for details of managing group assignment to applications.
+See the document [Assign a user or group to an enterprise app](../../active-directory/manage-apps/assign-user-or-group-access-portal.md) for details of managing group assignment to applications.
 
 ### Advanced options
 
@@ -219,6 +219,6 @@ To emit group names to be returned in netbiosDomain\samAccountName format as the
 
 ## Next steps
 
-[Methods for assigning users and groups to an app](../../active-directory/manage-apps/methods-for-assigning-users-and-groups.md#assign-groups)
+[Assign a user or group to an enterprise app](../../active-directory/manage-apps/assign-user-or-group-access-portal.md)
 
 [Configure role claims](../../active-directory/develop/active-directory-enterprise-app-role-management.md)
@@ -8,54 +8,79 @@ ms.service: active-directory
 ms.subservice: app-mgmt
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 10/24/2019
+ms.date: 02/21/2020
 ms.author: mimart
 ms.reviewer: luleon
 ms.collection: M365-identity-device-management
 ---
 
 # Assign a user or group to an enterprise app in Azure Active Directory
 
-To assign a user or group to an enterprise app, you should have assigned any of these admin roles: global administrator, application administrator, cloud application administrator or be assigned as the owner of the enterprise app.  For Microsoft Applications (such as Office 365 apps), use PowerShell to assign users to an enterprise app.
+This article shows you how to assign users or groups to enterprise applications in Azure Active Directory (Azure AD), either from within the Azure portal or by using PowerShell. When you assign a user to an application, the application appears in the user's [My Apps access panel](https://myapps.microsoft.com/) for easy access. If the application exposes roles, you can also assign a specific role to the user.
+
+For greater control, certain types of enterprise applications can be configured to [require user assignment](#configure-an-application-to-require-user-assignment). 
+
+To [assign a user or group to an enterprise app](#assign-users-or-groups-to-an-app-via-the-azure-portal), you'll need to sign in as a global administrator, application administrator, cloud application administrator, or the assigned owner of the enterprise app.
 
 > [!NOTE]
-> For licensing requirements for the features discussed in this article, see the [Azure Active Directory pricing page](https://azure.microsoft.com/pricing/details/active-directory).
+> Group-based assignment requires Azure Active Directory Premium P1 or P2 edition. Group-based assignment is supported for Security groups only. Nested group memberships and Office 365 groups are not currently supported. For more licensing requirements for the features discussed in this article, see the [Azure Active Directory pricing page](https://azure.microsoft.com/pricing/details/active-directory). 
 
-## Assign a user to an app - portal
+## Configure an application to require user assignment
 
-1. Sign in to the [Azure portal](https://portal.azure.com) with an account that's a global admin for the directory.
-1. Select **All services**, enter Azure Active Directory in the text box, and then select **Enter**.
-1. Select **Enterprise applications**.
-1. On the **Enterprise applications - All applications** pane, you see a list of the apps you can manage. Select an app.
-1. On the ***appname*** pane (that is, the pane with the name of the selected app in the title), select **Users & Groups**.
-1. On the ***appname*** **- User and groups** pane, select **Add user**.
-1. On the **Add Assignment** pane, select **Users and groups**.
+With the following types of applications, you have the option of requiring users to be assigned to the application before they can access it:
 
-   ![Assign a user or group to the app](./media/assign-user-or-group-access-portal/assign-users.png)
+- Applications configured for federated single sign-on (SSO) with SAML-based authentication
+- Application Proxy applications that use Azure Active Directory Pre-Authentication
+- Applications built on the Azure AD application platform that use OAuth 2.0 / OpenID Connect Authentication after a user or admin has consented to that application.
+
+When user assignment is required, only those users you explicitly assign to the application will be able to sign in. They can access the app on their My Apps page or by using a direct link. 
+
+When assignment is *not required*, either because you've set this option to **No** or because the application uses another SSO mode, any user will be able to access the application if they have a direct link to the application or the **User Access URL** in the application’s **Properties** page. 
+
+This setting doesn't affect whether or not an application appears on the My Apps access panel. Applications appear on users' My Apps access panels once you've assigned a user or group to the application. For background, see [Managing access to apps](what-is-access-management.md).
+
+
+To require user assignment for an application:
+
+1. Sign in to the [Azure portal](https://portal.azure.com) with an administrator account or as an owner of the application.
+
+2. Select **Azure Active Directory**. In the left navigation menu, select **Enterprise applications**.
 
-1. On the **Users and groups** pane, select one or more users or groups from the list and then choose the **Select** button at the bottom of the pane.
-1. On the **Add Assignment** pane, select **Role**. Then, on the **Select Role** pane, select a role to apply to the selected users or groups, then select **OK** at the bottom of the pane.
-1. On the **Add Assignment** pane, select the **Assign** button at the bottom of the pane. The assigned users or groups have the permissions defined by the selected role for this enterprise app.
+3. Select the application from the list. If you don't see the application, start typing its name in the search box. Or use the filter controls to select the application type, status, or visibility, and then select **Apply**.
 
-## Allow all users to access an app - portal
+4. In the left navigation menu, select **Properties**.
 
-1. Sign in to the [Azure portal](https://portal.azure.com) with an account that's a global admin for the directory.
-1. Select **All services**, enter Azure Active Directory in the text box, and then select **Enter**.
-1. Select **Enterprise applications**.
-1. On the **Enterprise applications** pane, select **All applications**. This lists the apps you can manage.
-1. On the **Enterprise applications - All applications** pane, select an app.
-1. On the ***appname*** pane, select **Properties**.
-1. On the ***appname* - Properties** pane, set the **User assignment required?** setting to **No**.
+5. Make sure the **User assignment required?** toggle is set to **Yes**.
 
-The **User assignment required?** option:
+   > [!NOTE]
+   > If the **User assignment required?** toggle isn't available, you can use PowerShell to set the appRoleAssignmentRequired property on the service principal.
+
+6. Select the **Save** button at the top of the screen.
+
+## Assign users or groups to an app via the Azure portal
+
+1. Sign in to the [Azure portal](https://portal.azure.com) with a global administrator, application administrator, or cloud application administrator account, or as the assigned owner of the enterprise app.
+2. Select **Azure Active Directory**. In the left navigation menu, select **Enterprise applications**.
+3. Select the application from the list. If you don't see the application, start typing its name in the search box. Or use the filter controls to select the application type, status, or visibility, and then select **Apply**.
+4. In the left navigation menu, select **Users and groups**.
+   > [!NOTE]
+   > If you want to assign users to Microsoft Applications such as Office 365 apps, some of the these apps use PowerShell. 
+5. Select the **Add user** button.
+6. On the **Add Assignment** pane, select **Users and groups**.
+7. Select the user or group you want to assign to the application, or start typing the name of the user or group in the search box. You can choose multiple users and groups, and your selections will appear under **Selected items**.
+8. When finished, click **Select**.
 
-- If this option is set to yes, then users must first be assigned to this application before being able to access it.
-- If this option is set to no, then any users who navigate to the application deep-link URL or application URL directly will be granted access
-- Doesn't affect whether or not an application appears on the application access panel. To show the application on the access panel, you need to assign an appropriate user or group to the application.
-- Only functions with the cloud applications that are configured for SAML single sign-on, Application Proxy applications that use Azure Active Directory Pre-Authentication or applications built directly on the Azure AD application platform that use OAuth 2.0 / OpenID Connect Authentication after a user or admin has consented to that application. See [Single sign-on for applications](what-is-single-sign-on.md). See [Configure the way end-users consent to an application](configure-user-consent.md).
-- This option has no effect when an application is configured for any of the other Single Sign-on modes.
+   ![Assign a user or group to the app](./media/assign-user-or-group-access-portal/assign-users.png)
+
+9. On the **Users and groups** pane, select one or more users or groups from the list and then choose the **Select** button at the bottom of the pane.
+10. If the application supports it, you can assign a role to the user or group. On the **Add Assignment** pane, choose **Select Role**. Then, on the **Select Role** pane, choose a role to apply to the selected users or groups, then select **OK** at the bottom of the pane. 
+
+    > [!NOTE]
+    > If the application doesn't support role selection, the default access role is assigned. In this case, the application manages the level of access users have.
 
-## Assign a user to an app - PowerShell
+2. On the **Add Assignment** pane, select the **Assign** button at the bottom of the pane.
+
+## Assign users or groups to an app via PowerShell
 
 1. Open an elevated Windows PowerShell command prompt.
 
@@ -123,6 +148,12 @@ This example assigns the user Britta Simon to the [Microsoft Workplace Analytics
     New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $sp.ObjectId -Id $appRole.Id
     ```
 
+## Related articles
+
+- [Learn more about end-user access to applications](end-user-experiences.md)
+- [Plan an Azure AD access panel deployment](access-panel-deployment-plan.md)
+- [Managing access to apps](what-is-access-management.md)
+ 
 ## Next steps
 
 - [See all of my groups](../fundamentals/active-directory-groups-view-azure-portal.md)