Thank you for posting this in Microsoft Q&A.
Could you please check which roles the user holds by reviewing the assigned roles on the user’s page in Microsoft Entra ID? If the user has the Global Administrator (GA) role, they will be able to access the application even though the "User assignment required?" flag is set to YES.
This behavior is by design to handle scenarios where:
- The list of assigned users is removed, preventing the app from becoming orphaned.
- After the app is initially provisioned, administrators need to assign users or app owners.
Since Global Administrators have full control over Entra ID, they can bypass the user assignment restriction and access the application. If you want to strictly enforce access control, you may need to implement custom authorization rules within your application to validate user roles and claims.
For more details, you can refer to the following documentation:
- Microsoft Entra built-in roles
- Secure applications and APIs by validating claims
Hope this helps. Do let us know if you have any further queries.
If this answers your query, do click "Accept Answer" and "Yes" for "Was this answer helpful". And, if you have any further query do let us know.
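One way to implement the in-application check suggested in the answer above, as an added example that is not part of the original answer or any Microsoft code: the application refuses any token that carries no app role in its `roles` claim, so a Global Administrator who was issued a token without being assigned is still denied. It assumes the token signature, issuer and expiry were already validated by your token library, and the audience, tenant ID and app role names are placeholders.

```python
from dataclasses import dataclass

# Assumed values for illustration; replace with your app registration's own.
EXPECTED_AUDIENCE = "api://00000000-0000-0000-0000-000000000000"  # placeholder
EXPECTED_TENANT = "11111111-1111-1111-1111-111111111111"          # placeholder
ALLOWED_APP_ROLES = {"Orders.Read", "Orders.Admin"}               # hypothetical app roles


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(claims: dict) -> Decision:
    """Decide access from token claims whose signature was already validated."""
    if claims.get("aud") != EXPECTED_AUDIENCE:
        return Decision(False, "wrong audience")
    if claims.get("tid") != EXPECTED_TENANT:
        return Decision(False, "wrong tenant")
    # App roles assigned on the enterprise application arrive in "roles".
    # Directory roles (the "wids" claim) are deliberately ignored here.
    roles = claims.get("roles")
    if not isinstance(roles, list):
        roles = []
    granted = ALLOWED_APP_ROLES.intersection(r for r in roles if isinstance(r, str))
    if not granted:
        return Decision(False, "no app role assigned")
    return Decision(True, "app role: " + ", ".join(sorted(granted)))


# Constructed sample claims (not captured from a real tenant).
ASSIGNED_USER = {
    "aud": EXPECTED_AUDIENCE,
    "tid": EXPECTED_TENANT,
    "roles": ["Orders.Read"],
}
GLOBAL_ADMIN_UNASSIGNED = {
    "aud": EXPECTED_AUDIENCE,
    "tid": EXPECTED_TENANT,
    # Global Administrator directory role template ID; no app role present.
    "wids": ["62e90394-69f5-4237-9190-012177145e10"],
}

if __name__ == "__main__":
    for name, claims in [("assigned user", ASSIGNED_USER),
                         ("global admin, unassigned", GLOBAL_ADMIN_UNASSIGNED)]:
        print(name, "->", authorize(claims))
```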