Using a group to manage access to SaaS applications

Using Azure Active Directory (Azure AD), part of Microsoft Entra, with an Azure AD Premium license plan, you can use groups to assign access to a SaaS application that's integrated with Azure AD. For example, if you want to assign access for the marketing department to use five different SaaS applications, you can create an Office 365 or security group that contains the users in the marketing department, and then assign that group to these five SaaS applications that are needed by the marketing department. This way you can save time by managing the membership of the marketing department in one place. Users then are assigned to the application when they are added as members of the marketing group, and have their assignments removed from the application when they are removed from the marketing group. This capability can be used with hundreds of applications that you can add from within the Azure AD Application Gallery.


You can use this feature only after you start an Azure AD Premium trial or purchase Azure AD Premium license plan. Group-based assignment is supported only for security groups. Nested group memberships are not supported for group-based assignment to applications at this time.

To assign access for a user or group to a SaaS application

  1. In the Azure portal.
  2. Browse to Azure Active Directory > Enterprise applications.
  3. Select an application that you added from the Application Gallery to open it.
  4. Select Users and groups, and then select Add user.
  5. On Add Assignment, select Users and groups to open the Users and groups selection list.
  6. Select as many groups or users as you want, then click or tap Select to add them to the Add Assignment list. You can also assign a role to a user at this stage.
  7. Select Assign to assign the users or groups to the selected enterprise application.

Next steps

These articles provide additional information on Azure Active Directory.