Let's say I am an Azure AD Administrator who wants to control which users can access a certain application created in my tenant (the application is local).
When I read the following here:
Applications registered in an Azure Active Directory (Azure AD) tenant are, by default, available to all users of the tenant who authenticate successfully.
I'm inclined to believe I don't have to do anything special; however, that's not the case.
What have I done?
The first thing I did was disable the ability for users in my tenant to give consent to 3rd-party apps. For this I went to "Enterprise Applications", then to "User Settings", and turned off the consent setting as shown below.
This, I believe, is to ensure that users in my tenant can't give access to any random 3rd-party application.
Next, I created an application in my Azure AD. That application shows up in the list of "Enterprise Applications".
I select the application I just created, go to "Properties", and set "User assignment required" to Yes as shown below.
After this I go into "Overview" and grant explicit permission to a user (Gaurav in this case) as shown below.
I can also see that two users have been granted access to the application.
Expected Behavior
After all these settings, I am expecting that this user (Gaurav) should be able to sign in to the application.
Actual Behavior (issue I'm facing)
However, when this user tries to connect to this application, it does not work, in the sense that the user gets a message that admin consent is required.
What can I do to avoid the issue I am facing? I am pretty sure there must be some setting that I overlooked.
Please note that:
- The application I created is local to the tenant I am administering.
- It's a native app, which by default is multi-tenant; however, I have changed the app's manifest and made it single-tenant.
- As an administrator I don't want to give "admin consent", as it is my understanding that if I do that, all users will have access to the application, whereas I only want certain users to have access to the application. Moreover, as an administrator I don't really want to sign in to that application.
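The post touches two separate controls: "User assignment required" (who may sign in) and consent (which permissions the app may exercise). The following is an added illustrative model of how those two gates combine, not code from the post or from Azure AD; the rule set, the `EnterpriseApp`/`Tenant` types and the sample user names are constructed assumptions.

```python
"""Simplified model of two independent Azure AD gates on an enterprise app:
1. user assignment ("User assignment required" + assigned users), and
2. consent for the delegated permissions the app requests.
Constructed for illustration only; not Azure AD's real evaluation logic."""
from dataclasses import dataclass, field


@dataclass
class EnterpriseApp:
    name: str
    assignment_required: bool
    assigned_users: set = field(default_factory=set)
    requested_scopes: set = field(default_factory=set)
    # permissions granted tenant-wide by an administrator (admin consent)
    admin_consented_scopes: set = field(default_factory=set)
    # per-user consent records: user -> permissions that user consented to
    user_consents: dict = field(default_factory=dict)


@dataclass
class Tenant:
    # the "users can consent to apps" setting turned off in the post
    user_consent_allowed: bool


def evaluate_sign_in(tenant: Tenant, app: EnterpriseApp, user: str) -> str:
    # Gate 1: assignment decides who may sign in at all (checked first).
    if app.assignment_required and user not in app.assigned_users:
        return "denied: user not assigned"
    # Gate 2: every requested permission must be covered by some consent.
    covered = app.admin_consented_scopes | app.user_consents.get(user, set())
    missing = sorted(app.requested_scopes - covered)
    if not missing:
        return "allowed"
    if tenant.user_consent_allowed:
        return f"user consent prompt for: {missing}"
    # User consent is disabled, so only an administrator can grant the rest.
    return f"admin consent required for: {missing}"


def post_scenario():
    """Constructed scenario mirroring the post: user consent disabled,
    assignment required, Gaurav assigned, no admin consent yet."""
    tenant = Tenant(user_consent_allowed=False)
    app = EnterpriseApp("my-native-app", assignment_required=True,
                        assigned_users={"Gaurav"}, requested_scopes={"User.Read"})
    before = evaluate_sign_in(tenant, app, "Gaurav")
    app.admin_consented_scopes.add("User.Read")  # administrator grants consent
    after = evaluate_sign_in(tenant, app, "Gaurav")
    unassigned = evaluate_sign_in(tenant, app, "Other")  # still gated by assignment
    return before, after, unassigned
```

Running `post_scenario()` shows the assigned user blocked on consent before the grant, allowed after it, and an unassigned user still denied, so the assignment gate keeps working once consent is granted.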