articles/active-directory/develop/howto-restrict-your-app-to-a-set-of-users.md
13 additions & 5 deletions
@@ -14,17 +14,17 @@ ms.date: 09/24/2018
14
14
ms.author: kkrishna
15
15
ms.reviewer: jmprieur
16
16
ms.custom: aaddev
17
-
#Customer intent: As an application developer, I want to restrict an application that I have registered in Azure AD to a select set of users available in my Azure AD tenant
17
+
#Customer intent: As a tenant administrator, I want to restrict an application that I have registered in Azure AD to a select set of users available in my Azure AD tenant
18
18
---
19
-
# How to: Restrict your Azure AD app to a set of users
19
+
# How to: Restrict your Azure AD app to a set of users in an Azure AD tenant
20
20
21
21
Applications registered in an Azure Active Directory (Azure AD) tenant are, by default, available to all users of the tenant who authenticate successfully.
22
22
23
23
Similarly, in case of a [multi-tenant](howto-convert-app-to-be-multi-tenant.md) app, all users in the Azure AD tenant where this app is provisioned will be able to access this application once they successfully authenticate in their respective tenant.
24
24
25
25
Tenant administrators and developers often have requirements where an app must be restricted to a certain set of users. Developers can accomplish the same by using popular authorization patterns like Role Based Access Control (RBAC), but this approach requires a significant amount of work on part of the developer.
26
26
27
-
Azure AD allows tenant administrators and developers to restrict an app to a specific set of users or security groups in the tenant.
27
+
Tenant administrators and developers can restrict an app to a specific set of users or security groups in the tenant by using this built-in feature of Azure AD as well.
28
28
29
29
## Supported app configurations
30
30
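Review bot: At new line 27, "by using this built-in feature of Azure AD as well" has no antecedent: nothing earlier in the hunk names a feature, and the preceding paragraph is about RBAC that the developer builds. Name the setting the later steps configure (**User assignment required?**) or keep the removed wording, which stated the capability directly. Separately, the Customer intent at new line 17 now names only the tenant administrator, while lines 25 and 27 still address "tenant administrators and developers"; align the intent with the audience the body speaks to.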
@@ -58,7 +58,7 @@ There are two ways to create an application with enabled user assignment. One re
58
58
59
59
1. Select the application you want to assign a user or security group to from the list.
60
60
1. On the application's **Overview** page, select **Properties** from the application’s left-hand navigation menu.
61
-
1. Locate the setting **User assignment required?** and set it to **Yes**. When this option is set to **Yes**, users must first be assigned to this application before they can access it.
61
+
1. Locate the setting **User assignment required?** and set it to **Yes**. When this option is set to **Yes**, users in the tenant must first be assigned to this application or they won't be able to sign-in to this application.
62
62
1. Select **Save** to save this configuration change.
63
63
64
64
### App registration
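Review bot: At new line 61, "sign-in" is used as a verb and should be "sign in", and the sentence repeats "this application" twice. Suggested wording: "users in the tenant must first be assigned to this application or they won't be able to sign in to it."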
@@ -71,7 +71,7 @@ There are two ways to create an application with enabled user assignment. One re
71
71
1. Create or select the app you want to manage. You need to be **Owner** of this app registration.
72
72
1. On the application's **Overview** page, follow the **Managed application in local directory** link under the essentials in the top of the page. This will take you to the _managed Enterprise Application_ of your app registration.
73
73
1. From the navigation blade on the left, select **Properties**.
74
-
1. Locate the setting **User assignment required?** and set it to **Yes**. When this option is set to **Yes**, users must first be assigned to this application before they can access it.
74
+
1. Locate the setting **User assignment required?** and set it to **Yes**. When this option is set to **Yes**, users in the tenant must first be assigned to this application or they won't be able to sign-in to this application.
75
75
1. Select **Save** to save this configuration change.
76
76
77
77
## Assign users and groups to the app
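Review bot: New line 74 repeats the sentence from line 61 verbatim, including the hyphenated verb "sign-in"; write it as "sign in to it" here too so the Enterprise applications and App registration procedures keep identical wording for the same setting.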
@@ -85,6 +85,14 @@ Once you've configured your app to enable user assignment, you can go ahead and
85
85
A list of users and security groups will be shown along with a textbox to search and locate a certain user or group. This screen allows you to select multiple users and groups in one go.
86
86
87
87
1. Once you are done selecting the users and groups, press the **Select** button on bottom to move to the next part.
88
+
1. (Optional) If you have defined App roles in your application, you can use the **Select role** option to assign the selected users and groups to one of the application's roles.
88
89
1. Press the **Assign** button on the bottom to finish the assignments of users and groups to the app.
89
90
1. Confirm that the users and groups you added are showing up in the updated **Users and groups** list.
90
91
92
+
## More information
93
+
94
+
-[How to: Add app roles in your application](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps)
95
+
-[Add authorization using app roles & roles claims to an ASP.NET Core web app](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/5-WebApp-AuthZ/5-1-Roles)
96
+
-[Using Security Groups and Application Roles in your apps (Video)](https://www.youtube.com/watch?v=V8VUPixLSiM)
97
+
-[Azure Active Directory, now with Group Claims and Application Roles](https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Azure-Active-Directory-now-with-Group-Claims-and-Application/ba-p/243862)
98
+
-[Azure Active Directory app manifest](https://docs.microsoft.com/azure/active-directory/develop/reference-app-manifest)
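Review bot: In the new "More information" section (new lines 94 to 98), each entry starts with "-[" with no space after the hyphen, so Markdown will not render these as list items and the five links will run together in one paragraph; write "- [How to: Add app roles in your application](...)" and so on. The two docs.microsoft.com links are also absolute, while line 23 of the same file links to a sibling article by relative path (howto-convert-app-to-be-multi-tenant.md); use the relative form for the in-repo articles. The optional step added at new line 88 mentions App roles without a link, so linking "App roles" there to the first entry would help readers who reach that step first.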