Use a group to manage access to SaaS applications

When you use Microsoft Entra ID with a Microsoft Entra ID P1 or P2 license plan, you can use groups to assign access to a software as a service (SaaS) application that's integrated with Microsoft Entra ID.

For example, if you want to assign access for a marketing department to use five different SaaS applications, you can create an Office 365 or security group that contains the users in the marketing department. Then you can assign that group to the five SaaS applications that the marketing department needs.

With Microsoft Entra ID, you can save time by managing the membership of the marketing department in one place. Users then are assigned to the application when they're added as members of the marketing group. They have their assignments removed from the application when they're removed from the marketing group. You can use this capability with hundreds of applications that you can add from within the Microsoft Entra Application Gallery.


You can use this feature only after you start a Microsoft Entra ID P1 or P2 trial or purchase a Microsoft Entra ID P1 or P2 license plan. Group-based assignment is supported only for security groups. Nested group memberships aren't supported for group-based assignment to applications at this time.

Assign access for a user or group to a SaaS application


Steps in this article might vary slightly based on the portal you start from.

  1. Sign in to the Microsoft Entra admin center as at least a User Administrator.

  2. Go to Applications > Enterprise applications to open All applications in the Application Gallery.

    Screenshot that shows the Application Gallery.

  3. Select an application that you added from the Application Gallery to open it.

  4. On the left pane, select Users and groups, and then select Add user/group.

  5. On Add Assignment, select Users and groups to open the Users and groups selection list.

  6. Select as many groups or users as you want, and then click or tap Select to add them to the Add Assignment list. You can also assign a role to a user at this stage.

  7. Select Assign to assign the users or groups to the selected enterprise application.

Next steps

For more information on Microsoft Entra ID, see: