Automating User/Group Assignment in Azure for SSO Applications

Question

Automating User/Group Assignment in Azure for SSO Applications

DiptiRanjan Swain 216

An application in Microsoft Entra is used for federated single sign-on (SSO) with SAML-based authentication. The goal is to automate the assignment of users and groups to this application using a service account, while facing the following challenges:

According to organizational policy, the automation account cannot be granted roles such as Cloud Application Administrator, Application Administrator, or User Administrator. While it is possible to make the account the owner of the application, bypassing MFA during automatic login is not feasible.

Has anyone successfully implemented automation for user/group assignment under these constraints?

Navya 18,595 Reputation points Microsoft External Staff Moderator

2025-05-07T14:13:02.1433333+00:00

Hi @DiptiRanjan Swain

Just checking in to see if below information was helpful. If you have any further updates on this issue, please feel free to post back.

Accepted answer

2 additional answers

Your answer

Navya 18,595 Reputation points Microsoft External Staff Moderator

2025-05-07T14:13:02.1433333+00:00

Hi @DiptiRanjan Swain

Just checking in to see if below information was helpful. If you have any further updates on this issue, please feel free to post back.

Answer 1

Navya 18,595 Microsoft External Staff Moderator

Hi @DiptiRanjan Swain

To automate user or group assignments in Azure for Single Sign-On (SSO) applications, follow these steps:

1.Create a Dynamic Group in Azure:

Navigate to Microsoft Entra ID > Groups > New group.

Set the group type to Security and membership type to Dynamic User.

Define a membership rule based on user attributes. user.department -eq ABC

2.Assign the Dynamic Group to Your Application:

Go to Enterprise Applications > Your Application > Users and groups.

Click add user/group, select the dynamic group, and assign it to the application.

3.Ensure that users who should have access to the application have their department attribute set to "ABC" With this setup, any user whose department attribute is set to "ABC" will automatically be added to the dynamic group.

Since this group is assigned to the application, these users will gain access without manual intervention.

Hope this helps. Do let us know if you any further queries.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

DiptiRanjan Swain 216 Reputation points

2025-05-07T14:25:12.99+00:00

Hi @Navya, thank you for suggesting the solution. We have to add any user from any department to the dynamic group, so setting up a constant attribute may not be feasible. So what I am thinking is, I have to create separate dynamic group for each department. One of my other requirement is I need to make sure each department has separate group, so that access in the SSO application integrated via the Azure App can be mapped to separate groups for access isolation.
Navya 18,595 Reputation points Microsoft External Staff Moderator

2025-05-09T13:11:29.94+00:00
Hi @DiptiRanjan Swain

Thank you for providing more information on your requirements.

You're absolutely right. If users from all departments need access, and access must be isolated by department, creating a separate dynamic group for each department is a practical and scalable solution.

Create One Dynamic Group per Department Example: user.department -eq "HR", user.department -eq "Finance"

Assign Each Dynamic Group to the Application Optionally, map them to different roles, depending on how access should be segmented in the application.
Navya 18,595 Reputation points Microsoft External Staff Moderator

2025-05-12T11:18:37.6233333+00:00

Hi @DiptiRanjan Swain

Thank you for sharing your solution here. Is there anything else I can help you with regarding this issue? If you still need further help, please feel free to let me know. If your question has been solved, then you can click "Accept Answer", which may help members with similar questions find the answer easily.

Answer 2

HI DiptiRanjan,

I'd like to understand your need to auto-assign admin accounts to your app.

Typically admin accounts are limited and only enabled when needed like with PIM.

The application can be assigned a managed identity, to which admin roles can be applied.

The onboarding of users to your app should not involve admin level privileges.

However it's possible I don't understand your specific requirements for adding admins to your app.

Here are some references which may help:

Microsoft Graph API Documentation

Microsoft Graph API for Application Management: https://learn.microsoft.com/en-us/graph/api/resources/application?view=graph-rest-1.0

App Role Assignments with Graph API: https://learn.microsoft.com/en-us/graph/api/serviceprincipal-post-approleassignments?view=graph-rest-1.0

Microsoft Entra ID Automation

Custom Roles in Microsoft Entra ID: https://learn.microsoft.com/en-us/azure/active-directory/roles/custom-overview

Permissions and Consent Framework: https://learn.microsoft.com/en-us/azure/active-directory/develop/permissions-consent-overview

Enterprise Application Management

Managing Enterprise Applications: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/what-is-application-management

Automated User Provisioning: https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/user-provisioning

Security Best Practices

Security Best Practices for Application Management: https://learn.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices

Best regards.

DiptiRanjan Swain 216 Reputation points

2025-05-07T17:31:21.72+00:00

Hi @David Broggy , my requirement is I need a service account in Azure which can assign users and groups to an enterprise application used for SSO authentication for a 3rd party application. What all options I have for creating a service account for this work? What type of service account I can create for automation in Python and what permission that account need to achieve the goal?
DiptiRanjan Swain 216 Reputation points

2025-05-09T14:36:21.5266667+00:00

I turned off "Assignment Required" option on the application in Azure. Now I don't need to add any user/group to it. Just mapping their object id to the 3rd party application's role, allows them to login only with their role.

Answer 3

DiptiRanjan Swain 216

Hi @Navya, I turned off "Assignment Required" option on the application in Azure. Now I don't need to add any user/group to it. Just mapping their object id to the 3rd party application's role, allows them to login only with their role.

Share via

Automating User/Group Assignment in Azure for SSO Applications

2 additional answers

Your answer