Azure AD provides several benefits for managing applications, including Single sign-on (SSO) for users, application management and provisioning, security and conditional access, reporting and monitoring, B2B and B2C collaboration and many more. For organizations, restricting access to an Azure AD application as an administrator is important for a number of reasons, such as increased security, compliance, following the principle of least privilege and last but not least application performance. See here how to allow applications only for certain users.
Use applications in the Azure AD tenant
We can manage all applications in our own Azure AD as an administrator, whether it is an internal Azure AD app or a third-party app. Here, we want to use a third party web application in our own M365 tenant. We open a web app URL in a browser, and the sign-in process of Azure AD follows, like here.
This application asks for permission in your tenant. It requires the sign-in permission “Sign you in and read your profile” with your organizational account and let the app read your profile. This permission also allows the app to read basic company information, like the Tenant Id, organization name, and some other basic tenant properties. “Maintain access to data you have given it access to” allows the app to see and update the data you gave it access to, even when you are not currently using the app. This does not give the app any additional permissions.
We can not only assign certain permissions. It's all or nothing. In this sample, we see that this app asks for minimal permissions (we follow the least privilege principle). As administrator, you can decide if you want to give consent on behalf of your organization, or not. In most cases, you would grant these permissions so that your users don't require an administrator to use the app. If the permissions are accepted, the application opens.
If you are interested in this application and what it does, see the website https://governancetoolkit365.com.
What happens in the background
With the first consent of an administrator or an entitled user, a copy of the Multi Tenant application is registered in your Azure AD. It has the same Application Id and properties as in the original tenant, but (of course) a different Object Id which is usually not used for management. The advantage of using multi-tenant apps is that each administrator in their own organization can control the permissions themselves. Here, we see the newly registered Enterprise App in our own Azure AD.
So far, so good.
Restrict access to the app in your Azure AD
By default, every user in your organization has access to the application (if not already restricted). Now, we want to restrict access only for specific users because in our case, it´s an app, that only a handful of administrators shall have access to. We navigate to the app Properties, and change the “Assignment required?” switch from No to Yes. If this option is set to yes, then users and other apps or services must first be assigned this application before being able to access it. That is exactly what we want to achieve.
Optionally, we can set the “Visible to users?” switch from Yes to No to control if this app shall be shown on the user´s “My Apps”. Then, we save the properties.
As second step, we just need to add users or – better – groups. In my sample tenant, I no longer have the Azure AD Premium P2 license available. This is, why I cannot assign groups to this app and I get this notification. However, working with groups is definitely preferable in real life. Here, we allow Adele and Christie access to the app.
When the users or groups are selected, we click on the “Assign” button. The Global Admin (my user) already was added before. So here we see three users that get access.
That´s it! Of course, we can use additional security features like conditional access. As mentioned above, I recommend to use security groups and dynamic security groups in larger organizations. So we can assign this app to users with specific properties, e.g. all users in department “IT”, or users with a specific cost center, or similar.
Open the web app as an authorized user
Let´s try it out. First, we try to open the web app with a user that got access. We open the URL and use Adele here.
We see that the web app opens properly for authorized users.
Verify access with a non-authorized user
Now let´s try another user that is not allowed to use the web app. We sign-in with user Alex.
After the successful login, Azure AD denies to redirect to the web app. The message says “Sorry, but we’re having trouble signing you in.”
The message also informs the user that the administrator has configured the application to block users unless they are specifically granted ('assigned') access to the application.
Mission accomplished! By following these steps, you can restrict access to an Azure AD application by specifically granting access to selected users or groups.
In this article, we have explored the straightforward process of restricting access to an Azure AD application to specific users. By implementing these access controls, organizations can enhance security, ensure compliance with regulatory standards, and protect sensitive data. Azure AD provides a robust framework for managing applications. By leveraging Azure AD's capabilities, organizations can effectively control and manage application access within their Microsoft 365 tenant.
I hope this step-by-step guide will help admins limit their application usage and only allow users who actually need the apps.