User, Group, and App Role Assignment in Microsoft Entra ID (SC-300)
Why Is User, Group, and App Role Assignment Important?
In any enterprise environment, controlling who can access applications and what level of access they receive is a foundational security requirement. User, Group, and App Role Assignment in Microsoft Entra ID (formerly Azure AD) provides the mechanism to ensure that only authorized identities — whether individual users, groups of users, or service principals — can access specific applications and resources. Without proper role assignment, organizations face risks such as unauthorized access, privilege escalation, and non-compliance with regulatory standards.
For the SC-300 (Microsoft Identity and Access Administrator) exam, this topic is critical because it falls under the domain of planning and implementing workload identities, which directly tests your ability to manage application access at scale.
What Is User, Group, and App Role Assignment?
App Role Assignment is the process of granting users, groups, or other service principals access to an enterprise application by assigning them specific app roles. App roles are custom roles defined within an application's registration that represent different levels of access or permissions.
Key Concepts:
• App Roles: These are custom roles defined in the app registration manifest. Examples include Reader, Writer, Admin, etc. They allow fine-grained access control within an application.
• User Assignment: Directly assigning a specific user to an app role on an enterprise application. The user receives the permissions associated with that role when they access the application.
• Group Assignment: Assigning a security group or Microsoft 365 group to an app role. All members of that group inherit the app role assignment, simplifying administration at scale.
• Service Principal Assignment: Assigning an app role to another service principal (workload identity), enabling application-to-application (app-to-app) authorization scenarios.
• User Assignment Required: A property on the enterprise application that, when set to Yes, restricts access so that only users or groups explicitly assigned to the application can access it. When set to No, all users in the tenant can access the application.
How Does It Work?
Step 1: Define App Roles in the App Registration
Navigate to Microsoft Entra ID → App registrations → your app → App roles. Create roles with a display name, value, description, and allowed member types (Users/Groups, Applications, or Both).
Step 2: Configure the Enterprise Application
Navigate to Microsoft Entra ID → Enterprise applications → your app → Properties. Set Assignment required? to Yes if you want to restrict access only to assigned users and groups.
Step 3: Assign Users or Groups
Navigate to Enterprise applications → your app → Users and groups → Add user/group. Select the user or group and choose the appropriate app role. Click Assign.
Step 4: Token Claims
Once assigned, when a user authenticates to the application, the roles claim is included in the ID token or access token. The application can then use this claim to enforce authorization logic.
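The same three administrative steps scripted with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original page. The app registration name "Contoso Payroll", the group "Payroll-Admins" and the role values "Admin" and "Reader" are assumed for illustration; the final check lists nested members who will not receive the role.

```powershell
# Added example, not from the page. Assumed names: app registration "Contoso Payroll",
# security group "Payroll-Admins", role values "Admin" and "Reader".
Connect-MgGraph -Scopes "Application.ReadWrite.All","AppRoleAssignment.ReadWrite.All","Group.Read.All"

$appName   = "Contoso Payroll"   # hypothetical app registration
$groupName = "Payroll-Admins"    # hypothetical security group

# Step 1: define app roles on the app registration (the manifest's appRoles collection).
# Note: -AppRoles replaces the whole collection, so include any roles you want to keep.
$app = Get-MgApplication -Filter "displayName eq '$appName'"
$roles = @(
    @{ id = (New-Guid).Guid; value = "Admin";  displayName = "Admin";  description = "Full access";
       isEnabled = $true; allowedMemberTypes = @("User") },   # "User" covers Users/Groups
    @{ id = (New-Guid).Guid; value = "Reader"; displayName = "Reader"; description = "Read-only";
       isEnabled = $true; allowedMemberTypes = @("User") }
)
Update-MgApplication -ApplicationId $app.Id -AppRoles $roles

# Step 2: on the enterprise application (service principal), require assignment so that
# unassigned users are refused sign-in instead of receiving a token with no roles claim.
$sp = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true

# Step 3: assign the group to the Admin role. Roles are read back from the service
# principal, which mirrors the registration's appRoles.
$sp        = Get-MgServicePrincipal -ServicePrincipalId $sp.Id
$adminRole = $sp.AppRoles | Where-Object { $_.Value -eq "Admin" }
$group     = Get-MgGroup -Filter "displayName eq '$groupName'"
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id `
    -PrincipalId $group.Id -ResourceId $sp.Id -AppRoleId $adminRole.Id

# Nested groups do not inherit the assignment: list transitive members who are not
# direct members, since these users will not get "Admin" in their roles claim.
$direct     = (Get-MgGroupMember -GroupId $group.Id -All).Id
$transitive = Get-MgGroupTransitiveMember -GroupId $group.Id -All
$transitive | Where-Object { $_.Id -notin $direct } |
    ForEach-Object { "Not covered by the assignment (nested member): $($_.Id)" }
```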
How Group Assignment Works:
When a group is assigned an app role, every member of that group receives that role. If a user is a member of multiple groups assigned to different roles, they receive all applicable roles in their token. Note that nested groups are not supported for app role assignment — only direct members of the assigned group receive the role.
How App-to-App Assignment Works:
For daemon applications or service-to-service scenarios, you define app roles with allowed member type set to Applications. You then assign the client application's service principal to the target application's app role using the Microsoft Entra admin center, Microsoft Graph API, or PowerShell. The client receives the role in the roles claim of the access token when using the client credentials flow.
Microsoft Graph API:
You can manage app role assignments programmatically using the Microsoft Graph API endpoint: POST /servicePrincipals/{id}/appRoleAssignedTo. This is useful for automation and bulk assignment scenarios.
PowerShell:
The New-MgServicePrincipalAppRoleAssignment cmdlet in the Microsoft Graph PowerShell SDK can also be used to create app role assignments.
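An added example (not from the page) of the app-to-app assignment with the Graph PowerShell SDK, followed by the listing and removal cmdlets that the exam tips below refer to. The resource application "Contoso Payroll", its application-type role "Payroll.Read.All" and the daemon client "Payroll Nightly Job" are assumed names.

```powershell
# Added example, not from the page. Assumed names: resource API "Contoso Payroll" exposing an
# app role "Payroll.Read.All" (allowedMemberTypes = Application); daemon "Payroll Nightly Job".
Connect-MgGraph -Scopes "Application.Read.All","AppRoleAssignment.ReadWrite.All"

$resourceSp = Get-MgServicePrincipal -Filter "displayName eq 'Contoso Payroll'"
$clientSp   = Get-MgServicePrincipal -Filter "displayName eq 'Payroll Nightly Job'"

# Only roles that allow the Application member type can be granted to a service principal.
$role = $resourceSp.AppRoles | Where-Object {
    $_.Value -eq "Payroll.Read.All" -and $_.AllowedMemberTypes -contains "Application"
}
if (-not $role) { throw "No application-type role 'Payroll.Read.All' on $($resourceSp.DisplayName)" }

# Grant: the client SP is the principal; the resource SP is both the target of the call and
# the resource. In Graph terms this is POST /servicePrincipals/{resourceId}/appRoleAssignedTo.
# Afterwards the daemon requests a token for api://<resource appId>/.default with the client
# credentials grant and finds "Payroll.Read.All" in the access token's roles claim.
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $resourceSp.Id `
    -PrincipalId $clientSp.Id -ResourceId $resourceSp.Id -AppRoleId $role.Id

# Review from the resource side: every principal (user, group or SP) holding a role on it.
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $resourceSp.Id -All |
    Select-Object PrincipalDisplayName, PrincipalType, AppRoleId, CreatedDateTime

# Review from the client side: which resources this daemon has been granted roles on.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $clientSp.Id -All |
    Select-Object ResourceDisplayName, AppRoleId

# Offboarding: remove every assignment the daemon holds on this resource.
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $resourceSp.Id -All |
    Where-Object { $_.PrincipalId -eq $clientSp.Id } |
    ForEach-Object {
        Remove-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $resourceSp.Id `
            -AppRoleAssignmentId $_.Id
    }
```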
Key Scenarios to Understand:
• Restricting Application Access: Set "Assignment required" to Yes and assign only specific users/groups. Unassigned users receive an error when attempting to access the application.
• Role-Based Access Within an Application: Define multiple app roles (e.g., Admin, Editor, Viewer) and assign different users or groups to different roles to implement RBAC within the application.
• Automating Role Assignment: Use Microsoft Graph API or PowerShell for bulk operations, especially in large organizations or CI/CD pipelines.
• Conditional Access Integration: App role assignments can work alongside Conditional Access policies. For example, you can target a Conditional Access policy to a specific application, and only assigned users who meet the policy conditions can access it.
• Default Access Role: When no custom app roles are defined, a default role called Default Access (also known as msiam_access) is used. This role has no permissions by itself and simply indicates the user is assigned to the application.
Exam Tips: Answering Questions on User, Group, and App Role Assignment
1. Know the "Assignment Required" Toggle: This is heavily tested. Remember: when Assignment required = Yes, only explicitly assigned users and groups can access the app. When set to No, all users in the directory can access the app, but only assigned users receive roles in their token.
2. Understand Nested Group Limitations: Exam questions may try to trick you with nested group scenarios. Remember that nested group members do NOT inherit app role assignments. Only direct members of the assigned group get the role.
3. Differentiate Between App Registration and Enterprise Application: App roles are defined in the App registration, but role assignments are made on the Enterprise application (service principal). Exam questions may test whether you know where to perform each action.
4. Roles Claim in Tokens: Know that assigned app roles appear in the roles claim of both ID tokens and access tokens. This is different from the groups claim, which contains group memberships.
5. Client Credentials Flow and App Roles: For application-to-application scenarios (daemon apps), app roles with allowed member type set to Applications are used. The assignment is made between service principals, and the client then requests its token with the .default scope in the client credentials grant flow.
6. Microsoft Graph Permissions vs. App Roles: Do not confuse Microsoft Graph API permissions (delegated or application) with custom app roles. Microsoft Graph permissions control access to Microsoft Graph resources, while app roles control access and authorization within your own applications.
7. Group Types That Can Be Assigned: Both security groups and Microsoft 365 groups can be assigned to app roles. However, if you are using group-based assignment with a P1 or P2 license, dynamic groups can also be used to automate membership.
8. License Requirements: Group-based assignment to enterprise applications requires at least a Microsoft Entra ID P1 license. User-based assignment is available with the free tier, but group assignment is a premium feature.
9. Watch for Scenario-Based Questions: The SC-300 exam favors scenario-based questions. You may be given a scenario where a user cannot access an application and asked to identify the cause. Common answers include: Assignment required is set to Yes and the user is not assigned, the user is a member of a nested group, or the user is assigned but lacks the correct app role.
10. PowerShell and Graph API Commands: Be familiar with the cmdlets and API calls for managing assignments. Know that New-MgServicePrincipalAppRoleAssignment is used for creating assignments and Get-MgServicePrincipalAppRoleAssignment is used for retrieving them.
11. Removing Assignments: Know how to remove app role assignments both from the portal (Enterprise applications → Users and groups → select and remove) and via Graph API or PowerShell. This is relevant for offboarding and access review scenarios.
12. Integration with Access Reviews: Microsoft Entra Access Reviews can be configured to review app role assignments, ensuring that only appropriate users maintain access over time. This is a governance topic that may overlap with assignment questions on the exam.
Summary:
User, Group, and App Role Assignment is a core mechanism for controlling access to enterprise applications in Microsoft Entra ID. Understanding how to define roles, assign them to identities, enforce assignment requirements, and troubleshoot access issues is essential for both real-world identity administration and success on the SC-300 exam.