Using a group to manage access to SaaS applications

Using Microsoft Entra ID, part of Microsoft Entra, with a Microsoft Entra ID P1 or P2 license plan, you can use groups to assign access to a SaaS application that's integrated with Microsoft Entra ID. For example, if you want to assign access for the marketing department to use five different SaaS applications, you can create an Office 365 or security group that contains the users in the marketing department, and then assign that group to these five SaaS applications that are needed by the marketing department.

With Microsoft Entra ID, you can save time by managing the membership of the marketing department in one place. Users then are assigned to the application when they are added as members of the marketing group, and have their assignments removed from the application when they are removed from the marketing group. This capability can be used with hundreds of applications that you can add from within the Microsoft Entra Application Gallery.


You can use this feature only after you start a Microsoft Entra ID P1 or P2 trial or purchase a Microsoft Entra ID P1 or P2 license plan. Group-based assignment is supported only for security groups. Nested group memberships are not supported for group-based assignment to applications at this time.

To assign access for a user or group to a SaaS application


Steps in this article may vary slightly based on the portal you start from.

  1. Sign in to the Microsoft Entra admin center as at least a Global Administrator.

  2. Navigate to Applications > Enterprise applications. This opens All applications in the Application Gallery.

  3. Select an application that you added from the Application Gallery to open it.

  4. On the left navigation bar, select Users and groups, and then select Add user/group.

  5. On Add Assignment, select Users and groups to open the Users and groups selection list.

  6. Select as many groups or users as you want, then click or tap Select to add them to the Add Assignment list. You can also assign a role to a user at this stage.

  7. Select Assign to assign the users or groups to the selected enterprise application.
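Once groups are assigned, the two restrictions stated earlier (security groups only, no nested membership) decide who actually receives the application. The following is an added example, not Microsoft's code: it models those two restrictions over constructed data, with membership records reduced to (type, id) pairs using the Microsoft Graph type names, and reports which users get access and which expected users are missed. All IDs and the function names are hypothetical.

```python
USER, GROUP = "#microsoft.graph.user", "#microsoft.graph.group"

# Constructed sample data, shaped like Microsoft Graph group/member records.
GROUPS = {
    "g-marketing": {"securityEnabled": True, "members": [
        (USER, "u-alice"), (USER, "u-bob"), (GROUP, "g-contractors")]},
    "g-contractors": {"securityEnabled": True, "members": [
        (USER, "u-carol"), (USER, "u-bob")]},
    "g-newsletter": {"securityEnabled": False, "members": [(USER, "u-dave")]},
}
# Constructed assignments for one enterprise application.
ASSIGNMENTS = [("Group", "g-marketing"), ("Group", "g-newsletter"), ("User", "u-erin")]


def nested_users(gid, groups, seen):
    """Collect users reachable through gid, guarding against membership cycles."""
    if gid in seen or gid not in groups:
        return set()
    seen.add(gid)
    users = set()
    for kind, mid in groups[gid]["members"]:
        users |= {mid} if kind == USER else nested_users(mid, groups, seen)
    return users


def audit_app_access(assignments, groups):
    """Return (users who get the app, findings) under the page's two restrictions."""
    granted, nested, findings = set(), {}, []
    for ptype, pid in assignments:
        if ptype == "User":
            granted.add(pid)
        elif ptype == "Group" and not groups[pid]["securityEnabled"]:
            findings.append(("not-a-security-group", pid))
        elif ptype == "Group":
            for kind, mid in groups[pid]["members"]:
                if kind == USER:
                    granted.add(mid)          # direct member: assigned
                else:
                    nested[mid] = nested_users(mid, groups, set())
    for gid, users in sorted(nested.items()):
        missed = sorted(users - granted)      # reachable only through nesting
        findings.append(("nested-group-ignored", gid, missed))
    return granted, findings


if __name__ == "__main__":
    granted, findings = audit_app_access(ASSIGNMENTS, GROUPS)
    print(sorted(granted))
    for finding in findings:
        print(finding)
```

A "nested-group-ignored" finding with a non-empty user list marks people who belong to the department on paper but will not see the application until they are added to the assigned group directly.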

Next steps

These articles provide additional information on Microsoft Entra ID.