Entra user is able to sign in to an application to which he is not assigned
Two of our external facing applications used for SSO are configured to only allow a limited set of users to access. User ******@cuone.org is not in the groups which have access to this application, yet he is able to use SSO on the external service to gain access. Need assistance remediating this issue and preventing this user account from accessing the external service.
-
Andy David - MVP • 157.8K Reputation points • MVP • Volunteer Moderator
2025-04-10T21:57:36.45+00:00 Sure he's going through your SSO and not direct?
I would check the Azure sign in logs and see if that reveals anything.
-
Marty Papesh • 0 Reputation points
2025-04-10T22:02:57.5333333+00:00 Yes, completely sure!
Unfortunately this question format didn't allow for entering much supporting information. He is showing in the Azure sign-in logs as successfully signing in to the application and passing MFA - which would be great if he was supposed to be able to sign in!
Access to the application is controlled by two on-prem synced security groups, which the user isn't a member of. So this sign-in should be failing, and does fail if I test with another user account to which I have access.
-
Andy David - MVP • 157.8K Reputation points • MVP • Volunteer Moderator
2025-04-10T23:37:46.4633333+00:00 And Assignment must be required to access the app if that other account is blocked in your test, it seems. Interesting. I suppose in the meantime, you could create a conditional access policy to block access to the app for that account until you can track down how this is being allowed. So in your test, the account that was rejected, was an Azure error stating the account wasn't assigned to the app or was the error from the service provider?
IOW, one way I could see this is if assignment was not required and the app itself was allowing the first user in but rejecting the second versus Entra itself preventing access.
-
Marty Papesh • 0 Reputation points
2025-04-11T13:09:10.13+00:00 Yes, assignment is required, no doubt. When attempting to login using my standard / not-authorized login, I get a proper error message from Azure for the user not being in a group with access to the application. So this should happen for the other user account as well. That user account is a Global Admin - I'm curious if, for some reason, GAs are given access to applications even if they aren't assigned to them?
-
Andy David - MVP • 157.8K Reputation points • MVP • Volunteer Moderator
2025-04-11T13:29:16.6333333+00:00 From what I have seen it has to be assigned for a GA as well, unless something is broken now or they changed something.
BTW, does the account in question own the app?
-
Venkata Jagadeep • 1,400 Reputation points • Microsoft External Staff • Moderator
2025-04-11T17:01:07.92+00:00 Hello Marty Papesh,
We understand that one user is able to access the application while he is not in the groups which have access to the application.
And he is not a member of the security group which you have added in Users and groups of the application.
If App require assignment is enabled, even a Global Admin has to be explicitly added to the application.
If the affected user is an owner of the application, he doesn't need to be added.
Is the Enterprise Admin part of any group that is assigned to the app?
-
Marty Papesh • 0 Reputation points
2025-04-11T17:19:10.62+00:00 The account in question doesn't own the app, or either of the two security groups which have access to the app.
What do you mean by the Enterprise Admin? The user I'm trying to troubleshoot?
-
Venkata Jagadeep • 1,400 Reputation points • Microsoft External Staff • Moderator
2025-04-15T07:53:09.19+00:00 Hello Marty Papesh,
For some applications, the option to require user assignment isn't available in the application's properties. In these cases, you can use PowerShell to set the appRoleAssignmentRequired property on the service principal.
For applications in the Microsoft 365 or other paid suites, users are granted access through license assignment either directly to their user account, or through a group using our group-based license assignment capability.
For applications that Microsoft or a non-Microsoft organization publishes freely for anyone to use, users can be granted access through user consent. The users sign in to the application with their Microsoft Entra work or school account and allow it to have access to some limited set of data on their account.
For applications that Microsoft or a non-Microsoft organization publishes freely for anyone to use, users can also be granted access through administrator consent. This means that an administrator has determined the application can be used by everyone in the organization, so they sign in to the application with a Privileged Role Administrator role and grant access to everyone in the organization.
I suggest you refer to the document below:
https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/what-is-access-management
If you want to strictly enforce access control, you may need to implement custom authorization rules within your application to validate user roles and claims.
For more details, you can refer to the following documentation:
https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference
https://learn.microsoft.com/en-us/entra/identity-platform/claims-validation
Hope this helps. Do let us know if you have any further queries.
-
Marty Papesh • 0 Reputation points
2025-04-15T20:42:36.5833333+00:00 Hi Venkata,
Thanks for reaching out. Unfortunately, this doesn't solve the issue and is mostly background information. This application is published by a non-Microsoft organization to the Entra Gallery and is intended to allow users access to a third-party web service (and generally does, correctly). This has access granted by an administrator (myself) and again, mostly works fine. The switch to require user assignment is included in the application's Properties panel, and for fun, I verified the value of AppRoleAssignmentRequired on both service principals to see if the UI was reporting information incorrectly (although if this value were not set, other tests would have failed and my normal user account would have access to this application, which it should not.)
I may go in depth on implementing custom authorization rules, but I shouldn't have to do this - all I am trying to do is prevent users who aren't assigned to the application, from accessing the application (and being passed to the relevant web service).
-
Andy David - MVP • 157.8K Reputation points • MVP • Volunteer Moderator
2025-04-15T20:54:56.9333333+00:00 Yea honestly, I have never heard of that and it's prob worthy of a ticket to Entra support.
-
Marty Papesh • 0 Reputation points
2025-04-15T21:33:38.81+00:00 This thread is my ticket to Entra support.
-
Venkata Jagadeep • 1,400 Reputation points • Microsoft External Staff • Moderator
2025-04-17T07:29:47.7966667+00:00 Hello Marty Papesh,
When user assignment isn't required, unassigned users don't see the app on their My Apps, but they can still sign in to the application itself (also known as SP-initiated sign-on) or they can use the User Access URL in the application’s Properties page (also known as IDP-initiated sign on).
The Assignment required option has no effect on users' access to the application when you configure it for any of the other single sign-on modes.
This option only applies to the following types of applications and services:
Applications using Security Assertion Markup Language (SAML)
OpenID Connect
OAuth 2.0
WS-Federation for user sign
Application Proxy applications with Microsoft Entra preauthentication enabled
Applications or services for which other applications or services are requesting access tokens
Users with a Global Administrator role can sign in to applications, regardless of the assignment required settings.
Reference:
https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/application-properties
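A Microsoft Graph PowerShell check that walks the points raised in this thread (the appRoleAssignmentRequired value on the service principal, who is assigned directly or via group, who owns the service principal, and whether the user holds the Global Administrator role that the documentation says bypasses assignment). This is an added example, not code from the thread or from Microsoft's documentation; the application display name and UPN are placeholders, and it assumes the Microsoft.Graph SDK is installed.

```powershell
# Added example (not from the thread). Placeholders: $appName and $upn.
Connect-MgGraph -Scopes "Application.Read.All","Directory.Read.All","RoleManagement.Read.Directory"

$appName = "Contoso External Service"   # placeholder: enterprise app display name
$upn     = "user@example.org"           # placeholder: the user who should be blocked

# 1. Confirm the service principal actually enforces assignment.
$sp = Get-MgServicePrincipal -Filter "displayName eq '$appName'"
if (-not $sp) { throw "Service principal '$appName' not found" }
"AppRoleAssignmentRequired on '$($sp.DisplayName)': $($sp.AppRoleAssignmentRequired)"

# 2. Every user/group assigned to the app (what the Users and groups blade shows).
$assignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All
$assignments | Select-Object PrincipalDisplayName, PrincipalType, PrincipalId | Format-Table

# 3. Owners of the service principal (the thread asked whether the account owns the app).
$owners = Get-MgServicePrincipalOwner -ServicePrincipalId $sp.Id -All
"Owners: " + (($owners | ForEach-Object { $_.AdditionalProperties.userPrincipalName }) -join ", ")

# 4. Resolve the user and compare against direct and transitive group assignments.
$user       = Get-MgUser -UserId $upn
$userGroups = (Get-MgUserTransitiveMemberOf -UserId $user.Id -All).Id
$direct     = $assignments | Where-Object { $_.PrincipalType -eq 'User'  -and $_.PrincipalId -eq $user.Id }
$viaGroup   = $assignments | Where-Object { $_.PrincipalType -eq 'Group' -and $userGroups -contains $_.PrincipalId }
$isOwner    = $owners.Id -contains $user.Id

# 5. Global Administrator membership: per the linked doc, GAs sign in regardless of
#    the assignment-required setting, so this is the first thing to rule out.
$gaRole    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$gaMembers = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All
$isGA      = $gaMembers.Id -contains $user.Id

[pscustomobject]@{
    User                = $upn
    AssignmentRequired  = $sp.AppRoleAssignmentRequired
    DirectlyAssigned    = [bool]$direct
    AssignedViaGroup    = [bool]$viaGroup
    OwnsServicePrincipal= $isOwner
    IsGlobalAdmin       = $isGA
}
```

If the last line shows AssignmentRequired true, no direct or group assignment, and IsGlobalAdmin true, the sign-in is explained by the role rather than by a broken assignment; the fix is then to scope the role (PIM eligible activation or a separate admin account) or, as suggested earlier in the thread, a Conditional Access policy blocking that account for the app.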
-
Andy David - MVP • 157.8K Reputation points • MVP • Volunteer Moderator
2025-04-17T10:28:48.8+00:00 Is this new? From what I have seen in the past, even a GA needs to be assigned to the app to allow it. If so, then that explains why this allows it now. Your previous comment was "If App require assignment is enabled, even Global Admin has to be explicitly added to the application."
-
Marty Papesh • 0 Reputation points
2025-04-17T13:36:28.6866667+00:00 Verified, the documentation does now say Global Admins can sign into any application. This would explain the issue.
-
Andy David - MVP • 157.8K Reputation points • MVP • Volunteer Moderator
2025-04-17T13:55:22.42+00:00 Yep!
well at least we know now haha
-
Venkata Jagadeep • 1,400 Reputation points • Microsoft External Staff • Moderator
2025-04-18T09:58:58.7566667+00:00 Hello Marty Papesh,
I do apologize for providing the incorrect answer that "GA needs additional permissions to access the application if require assignment is enabled on the app".
As Andy David mentioned, GA has access to all applications in the tenant.
-
Venkata Jagadeep • 1,400 Reputation points • Microsoft External Staff • Moderator
2025-04-23T11:49:54.5333333+00:00 Hello Marty Papesh,
Please let us know if you need any additional information on this issue.
-
Venkata Jagadeep • 1,400 Reputation points • Microsoft External Staff • Moderator
2025-04-24T15:35:08.82+00:00 Hello Marty Papesh,
Please let us know if you need any additional information on this issue.