Share via

How to manage users using user group for Enterprise app where specific role need to be add to users

Anuja Wickramarathna 20 Reputation points
2026-02-13T16:51:35.4+00:00

I have Enterprise application for SSO, where each user need to add application specific role. If user add to a group and the group is add to Enterprise application with the application specific role, the SSO is not working. The user is not inheriting the application specific role from the group. So I am not in a position to hand over user management to business users, as users unable to add to a group.

I need to know if I created https://learn.microsoft.com/en-us/azure/active-directory/roles/custom-enterprise-apps, custom role and assign to the application.

The application user add to that role need to manage users, will they need to sign in to azure portal to manage users? If I can't use that.

Is there any other method available to manage users for this type of enterprise applications?

Microsoft Security | Microsoft Entra | Microsoft Entra ID
Answer accepted by question author
  1. VEMULA SRISAI 9,345 Reputation points Microsoft External Staff Moderator
    2026-02-13T18:26:14.5266667+00:00

    Anuja Wickramarathna Thanks for your question. Based on the behavior you described, the issue is happening because the application is not inheriting app roles from groups. In Microsoft Entra ID, users can only receive application‑specific roles from groups if the enterprise application supports app role assignments via groups. Many custom/non‑gallery SSO applications do not support this feature, which is why:

    • You add a group to the Enterprise Application with an app role
    • But the user does not get the role during SSO
    • The app does not receive the required roles claim
    • SSO fails

    This is a limitation of the application, not the directory

    About your second question (Custom Directory Roles)

    Creating a custom Entra directory role (as described in the document you mentioned) will not allow business users to manage application users without accessing the Azure Portal.

    A custom role only grants permissions inside Azure (ex: assign users to the enterprise app). So yes—if you assign that role to someone, they would have to sign in to the Azure portal to manage user assignments. It will not provide a separate user-management interface.

    Available Options to Manage Users

    1. If the app needs application roles → The app must support group-based role assignment

    If the SSO application does not interpret group → role inheritance, then group assignment will not work. The app developer must support receiving role claims through group assignment.

    2.If business users should not use Azure Portal → Consider a custom portal using Microsoft Graph

    You can build a lightweight internal UI where business users add/remove users. The backend uses Microsoft Graph to assign users to the Enterprise App roles.

    This is a common approach for enterprise apps.

    3.If Azure Portal access is acceptable → Use built‑in roles

    You can assign:

    • Cloud Application Administrator, or
    • Application Administrator

    This allows the business team to manage user assignments for the specific application, without giving broader permissions.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.