Restrict your Azure AD app to a set of users in an Azure AD tenant

This time we are going to see together how to restrict some specific users or set of users or groups in Azure AD tenant – this scenario is useful when you want to provide access to some specific department only in your organization e.g.: Finance Department.

It is important to note that Applications registered in an Azure Active Directory (Azure AD) tenant are, by default, available to all users of the tenant who authenticate successfully – therefore the following steps are necessary to update the application to require user assignment.

Update the app to require user assignment

To update an application to require user assignment, you must be owner of the application under Enterprise apps, or be assigned one of Global administrator, Application administrator or Cloud application administrator directory roles.

1. Sign in to the Azure portal.
2. If you have access to multiple tenants, use the Directory + subscription filter  in the top menu to select the tenant in which you want to register an application.
3. Search for and select Azure Active Directory.
4. Under Manage, select Enterprise Applications > All applications.
5. Select the application you want to configure to require assignment. Use the filters at the top of the window to search for a specific application.
6. On the application’s Overview page, under Manage, select Properties.
7. Locate the setting User assignment required? and set it to Yes. When this option is set to Yes, users and services attempting to access the application or services must first be assigned for this application, or they won’t be able to sign-in or obtain an access token.
8. Select Save.

Assign the app to users and groups

Once you’ve configured your app to enable user assignment, you can go ahead and assign the app to users and groups.

1. Under Manage, select the Users and groups > Add user/group .
2. Select the Users selector. A list of users and security groups will be shown along with a textbox to search and locate a certain user or group. This screen allows you to select multiple users and groups in one go.
3. Once you are done selecting the users and groups, select Select.
4. (Optional) If you have defined app roles in your application, you can use the Select role option to assign the app role to the selected users and groups.
5. Select Assign to complete the assignments of the app to the users and groups.
6. Confirm that the users and groups you added are showing up in the updated Users and groups list.

and bang!!! only the set of users which you specified are now able to access the app now.