Consider Using User and Group Assignments for All Tenant-Created Applications
Following up the conversation about deactivating Entra ID applications, it’s worth noting that another method exists to limit the set of people who can use an application: assign users (or groups) to the application and turn on the application’s “Assignment required?” setting (the appRoleAssignmentRequired property of its service principal). With that setting on, only principals holding an assignment can sign in to the application; assignments on their own, with the setting off, do not block anyone and only affect what appears in My Apps. It’s a good way to secure access to applications like the Microsoft Graph Command Line Tools application used to run interactive Microsoft Graph PowerShell SDK sessions.
Like deactivation, limiting the set of users with access to an application through assignments is a good way to prevent unauthorized use of an application. In the case of suspicious applications that you don’t recognize, creating a set of authorized users will stop malicious sign-ins because it’s highly unlikely that an attacker will have assigned access. Two caveats apply. First, the assignment check only governs user sign-ins (delegated access); an application that authenticates with its own secret or certificate in app-only mode is unaffected, so a leaked credential still calls for revoking the credential or deactivating the app. Second, an attacker who already holds a role able to manage enterprise applications can add their own assignment, which is why the assignment history is worth auditing. Controlling access like this should be a checklist item for many of the applications created within tenants. It doesn’t hurt and can stop abuse.
Microsoft documentation explains how to make user and group assignments and doesn’t need to be repeated here. However, the documentation references “an enterprise application” when it discusses assignments. This is possibly done because the Entra admin center manages user and group assignments through the Enterprise applications section. It would be clearer if the documentation said service principal, which exists for both app registrations created by a tenant and multi-tenant applications created by Microsoft and other third parties. User and group assignments can be created for both app registrations and multi-tenant applications.
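Because assignments only gate sign-in once “Assignment required?” is on, the first thing to check for an application is the state of that switch and who would keep access after it is flipped. The script below is an added example written for this article, not code from the original post. It assumes the same idPowerToys display name used later in the article and the Microsoft Graph PowerShell SDK; it lists the current assignees, refuses to turn the switch on when nobody is assigned (which would lock every user out), and otherwise enables it and reads the property back to confirm.

```powershell
# Added example: verify that assignments actually gate sign-in for an application.
# Application.ReadWrite.All is needed to change the service principal; the read
# scopes cover listing assignees.
Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All" -NoWelcome

$AppName = 'idPowerToys'   # assumed display name, as used elsewhere in the article
[array]$SPs = Get-MgServicePrincipal -Filter "displayName eq '$AppName'"
If ($SPs.Count -eq 0) { Throw "No service principal named $AppName" }
If ($SPs.Count -gt 1) { Throw "More than one service principal named $AppName; look it up by AppId instead" }
$SP = $SPs[0]

# Principals that hold an assignment today. Once 'assignment required' is on,
# these are the only users and groups able to sign in to the app.
[array]$Assignees = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $SP.Id -All
Write-Host ("{0}: assignment required = {1}, assignees = {2}" -f $SP.DisplayName, $SP.AppRoleAssignmentRequired, $Assignees.Count)
$Assignees | Format-Table PrincipalType, PrincipalDisplayName, CreatedDateTime

If ($Assignees.Count -eq 0) {
    # Turning the switch on with no assignments blocks every user sign-in.
    Write-Warning ("{0} has no assignments; add at least one before requiring assignment." -f $SP.DisplayName)
} ElseIf (-not $SP.AppRoleAssignmentRequired) {
    Update-MgServicePrincipal -ServicePrincipalId $SP.Id -AppRoleAssignmentRequired:$true
    # Read the service principal back rather than trusting the local copy
    $SP = Get-MgServicePrincipal -ServicePrincipalId $SP.Id
    Write-Host ("Assignment required is now {0} for {1}" -f $SP.AppRoleAssignmentRequired, $SP.DisplayName)
} Else {
    Write-Host ("{0} already requires assignment; nothing to change." -f $SP.DisplayName)
}
```

The empty-assignee guard matters more than it looks: enabling the switch before any assignment exists is a self-inflicted outage for an interactive app, and in the admin center the same outcome is one click away. Note again that app-only sign-ins using the application’s own credentials are not subject to this check.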
Adding User and Group Assignments
Take the example of the IdPowerToys application. Figure 1 shows that two users have assignments to use the application. As the note in the Entra admin center says, because these users have assignments, Entra ID automatically includes the application in the set shown in the My Apps screen.

Adding assignments is easily done through the Entra admin center, and an assignment can be made to either an individual user or a group (including dynamic groups). There’s no need to add assignments through PowerShell unless you want to control the process programmatically.
The example below shows how to add a user assignment with the New-MgUserAppRoleAssignment cmdlet. In this case, we use the default access role (a GUID with all zeros) to grant access. Custom app roles can be defined in the app registration to support granular levels of access, but the default app role is all that is needed to restrict who can sign in to an application.
# AppRoleAssignment.ReadWrite.All creates the assignment, Application.Read.All reads the
# service principal, and User.Read.All resolves the user from the UPN
Connect-MgGraph -Scopes "AppRoleAssignment.ReadWrite.All", "Application.Read.All", "User.Read.All"
$SP = Get-MgServicePrincipal -Filter "displayName eq 'idPowerToys'"
$UserId = (Get-MgUser -UserId Lotte.Vetler@office365itpros.com).Id
# The default access role is the all-zeros GUID
$AppRoleId = '00000000-0000-0000-0000-000000000000'
$Params = @{
   "PrincipalId" = $UserId     # the user receiving the assignment
   "ResourceId"  = $SP.Id      # the service principal for the application
   "AppRoleId"   = $AppRoleId
}
Try {
   $Status = New-MgUserAppRoleAssignment -UserId $UserId -BodyParameter $Params -ErrorAction Stop
   Write-Host ("Assignment successful for {0} to {1}" -f $SP.DisplayName, $Status.PrincipalDisplayName)
} Catch {
   Write-Host ("Error adding assignment for {0}: {1}" -f $SP.DisplayName, $_.Exception.Message)
}
Adding Group Assignments
Adding individual user assignments is an effective way to grant access to specific people. However, group assignments are more scalable and easier to manage when large numbers of people need access to an application. Group assignments require Microsoft Entra ID P1 or P2 licenses, and nested group membership is not honored: only direct members of the assigned group (including members of a dynamic group) gain access, so assign the groups that actually contain the users.
To make a group assignment, fetch the group identifier and use it in the request body (reusing the $SP and $AppRoleId variables from the previous example). The assignment is then made by running the New-MgGroupAppRoleAssignment cmdlet, which needs the Group.Read.All scope in addition to those above:
$GroupId = (Get-MgGroup -Filter "displayName eq 'IT Department Ireland (Dynamic)'").Id
If (-not $GroupId) { Throw "Group not found" }
$Params = @{
   "PrincipalId" = $GroupId    # the group receiving the assignment
   "ResourceId"  = $SP.Id
   "AppRoleId"   = $AppRoleId
}
New-MgGroupAppRoleAssignment -GroupId $GroupId -BodyParameter $Params -ErrorAction Stop
The Get-MgServicePrincipalAppRoleAssignedTo cmdlet retrieves the assignees for an application:
[array]$Assignees = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $SP.Id -All
$Assignees | Format-Table CreatedDateTime, PrincipalDisplayName, AppRoleId

CreatedDateTime     PrincipalDisplayName            AppRoleId
---------------     --------------------            ---------
14/03/2023 23:07:08 Tony Redmond                    00000000-0000-0000-0000-000000000000
17/11/2023 17:16:09 Lotte Vetler (Paris)            00000000-0000-0000-0000-000000000000
17/02/2026 15:01:51 IT Department Ireland (Dynamic) 00000000-0000-0000-0000-000000000000
17/02/2026 14:56:07 Group Creation Control          00000000-0000-0000-0000-000000000000
To remove a user or group assignment, select the assignment and run the Remove-MgServicePrincipalAppRoleAssignedTo cmdlet with the identifier of the assignment (not of the principal). For example, to remove the last assignment from the set captured in the $Assignees array (see above):
Remove-MgServicePrincipalAppRoleAssignedTo -AppRoleAssignmentId $Assignees[-1].Id -ServicePrincipalId $SP.Id
Hiding Applications from MyApps
As mentioned above, when a user receives an assignment, Entra ID surfaces the app in the user’s My Apps screen (Figure 2) if the app is a “non-first-party Microsoft Enterprise Application.” In many cases, it doesn’t make sense to highlight apps in the My Apps screen. For example, apps used to run PowerShell scripts based on the Microsoft Graph PowerShell SDK in app-only mode usually cannot be run from My Apps.

The solution is to amend the application properties by adding a tag to instruct Entra ID to hide the app from My Apps (this is the same setting as “Visible to users?” on the Properties page of the enterprise application in the Entra admin center). This won’t stop users signing into apps, but it will stop the My Apps screen becoming cluttered with apps that probably shouldn’t be there. To add the tag, fetch the set of existing tags from the service principal and add the HideApp tag if it’s not already there. Update-MgServicePrincipal replaces the whole tag collection, so the existing tags must be included in the update.
[array]$Tags = $SP.Tags
If ("HideApp" -notin $Tags) {
   # Write back the existing tags plus HideApp; -Tags overwrites the collection
   $Tags += "HideApp"
   Update-MgServicePrincipal -ServicePrincipalId $SP.Id -Tags $Tags
}
$Tags

WindowsAzureActiveDirectoryIntegratedApp
HideApp
Once the HideApp tag is present for an application, Entra ID won’t include that application in the set it shows in My Apps.
Tenant Guidelines for User and Group Assignments
While it’s nice to have free and easy access to applications, the current threat landscape and the way that attackers use Entra applications mean that control is necessary. It’s a good idea for tenants to set guidelines for when applications should have user and group assignments and the “Assignment required?” setting enabled. If you don’t control access to all applications, a good case can be made that any application holding a high-profile Graph permission like Sites.FullControl.All or Mail.Send should be protected by user and group assignments. Better safe than sorry.
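A guideline like this only works if it can be checked. The following script is an added example for this article, not code from the original post: it walks the service principals in a tenant, resolves the Microsoft Graph application and delegated permissions each one holds, and reports the apps that carry a permission from a watch list but do not require assignment. The watch list extends the two permissions named above with a few more of the same kind and is an assumption you should adjust; the Microsoft Graph appId (00000003-0000-0000-c000-000000000000) is the well-known value. Only Graph permissions are inspected; grants on other resource APIs (Exchange, SharePoint, Azure) are not covered.

```powershell
# Added example: find apps with high-privilege Graph permissions that do not require assignment.
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All" -NoWelcome

# Permissions treated as high-profile (assumption; extend to suit the tenant)
$RiskyPermissions = @('Sites.FullControl.All', 'Mail.Send', 'Mail.ReadWrite',
                      'Files.ReadWrite.All', 'Directory.ReadWrite.All', 'RoleManagement.ReadWrite.Directory')

# Microsoft Graph's own service principal carries the permission catalog:
# AppRoles are application permissions, keyed by GUID in appRoleAssignments;
# delegated permissions appear by name in oauth2PermissionGrant.Scope.
$GraphSP = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$AppRoleNames = @{}
ForEach ($Role in $GraphSP.AppRoles) { $AppRoleNames[$Role.Id] = $Role.Value }

$Report = [System.Collections.Generic.List[object]]::new()
[array]$SPs = Get-MgServicePrincipal -All -Filter "servicePrincipalType eq 'Application'" `
    -Property Id, AppId, DisplayName, AppRoleAssignmentRequired
ForEach ($SP in $SPs) {
    $Found = [System.Collections.Generic.List[string]]::new()

    # Application permissions this app holds on Microsoft Graph (app-only access)
    [array]$Grants = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $SP.Id -All |
        Where-Object { $_.ResourceId -eq $GraphSP.Id }
    ForEach ($Grant in $Grants) {
        $Name = $AppRoleNames[$Grant.AppRoleId]
        If ($Name -in $RiskyPermissions) { $Found.Add("app:$Name") }
    }

    # Delegated permissions consented for this app on Microsoft Graph; AllPrincipals
    # means admin consent for every user, which is exactly where assignment gating helps
    [array]$Delegated = Get-MgOauth2PermissionGrant -All -Filter "clientId eq '$($SP.Id)'" |
        Where-Object { $_.ResourceId -eq $GraphSP.Id }
    ForEach ($Delegation in $Delegated) {
        ForEach ($Scope in ($Delegation.Scope -split ' ' | Where-Object { $_ })) {
            If ($Scope -in $RiskyPermissions) { $Found.Add("delegated:$Scope ($($Delegation.ConsentType))") }
        }
    }

    If ($Found.Count -eq 0) { Continue }
    [array]$Assignees = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $SP.Id -All
    $Report.Add([PSCustomObject]@{
        App                = $SP.DisplayName
        AppId              = $SP.AppId
        AssignmentRequired = $SP.AppRoleAssignmentRequired
        Assignees          = $Assignees.Count
        RiskyPermissions   = ($Found | Sort-Object -Unique) -join ', '
    })
}

# Apps on the watch list whose sign-in is not gated by assignment
$Report | Where-Object { -not $_.AssignmentRequired } |
    Sort-Object App | Format-Table App, AssignmentRequired, Assignees, RiskyPermissions -Wrap
```

Read the two permission kinds differently when acting on the report: a delegated grant is exactly what an assignment requirement constrains, because the token is issued to a signed-in user, whereas an application permission is exercised with the app’s own credential and needs credential hygiene or deactivation rather than assignments. The script makes two or three Graph calls per service principal, so expect it to take a while in a large tenant.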
Learn about managing Entra ID apps and the rest of the Microsoft 365 ecosystem by subscribing to the Office 365 for IT Pros eBook. Use our experience to understand what’s important and how best to protect your tenant.