Object Assignments
Menu path: Observe → Application Governance → Object Assignments
URL: /en/insights/dashboard/appGov/assignments
Purpose
The Object Assignments page examines how access to applications is being granted across your environment. In Entra ID, you can control who can access an enterprise application through "assignments" - either directly assigning individual users, or assigning groups (which is the preferred approach). This page surfaces the health of your access assignment model, tracks how the assignment landscape is growing, and identifies where access control enforcement is configured or missing.
Observation Cards
Direct User Assignments
What it means: 29 individual user accounts have been directly assigned to applications.
Why it matters: Direct user assignments are an IAM anti-pattern. When a user needs access to an application, the correct approach is to add them to a group that is assigned to the application. Direct assignments create governance problems: when a user changes role, you need to remember to remove their individual assignment; when you want to revoke access for a department, you cannot do so in bulk; and when you audit who has access to an application, you need to check both group assignments and individual assignments separately.
29 direct assignments is manageable, but left unaddressed, this number typically grows as users and managers find it easier to grant direct access than to manage groups properly.
Applications with Assignments
What it means: 27 distinct applications have at least one access assignment (either group-based or direct).
Why it matters: This tells you how much of your application estate is actively managing access through assignments. If "Assignment Required" is configured on an application but no assignments exist, no one can access it. Conversely, if many applications have no assignments and no "Assignment Required" setting, access to those applications is effectively open to all tenant users.
Group-Based Assignments
What it means: 633 assignment records are via groups (the preferred pattern).
Why it matters: The high proportion of group-based vs direct assignments (633 vs 29) is the "good" finding on this page - the majority of access is being managed through groups, which is the correct governance pattern. The goal is to drive the direct assignment count to zero while maintaining or growing the group-based assignment count.
Charts
How Are Users Accessing Applications?
Chart type: Donut chart
What it shows: 741 total assignment records, broken down by principal type: Group (the majority), Service Principal, and User (the small direct assignment portion).
Why it matters: This visual confirms the health of your assignment model. A large "Group" segment and a small "User" segment is the healthy pattern. The presence of "Service Principal" assignments typically means service-to-service access has been configured through the assignments mechanism.
Access Assignment Growth
Chart type: Time-series area chart
What it shows: How the total number of assignments has grown over time, broken down by type (Group, Service Principal, User).
Why it matters: This chart tells you whether your access model is maturing correctly. A healthy trend shows Group assignments growing (more applications are bringing new access requests under group governance) while User (direct) assignments remain flat or decrease (existing direct assignments are being migrated to groups). A growing User assignment line is a warning sign that direct access is proliferating.
From the example data, a significant jump in group assignments occurred around mid-2025 - this may correspond to a governance initiative or application onboarding event.
Access Control Enforcement Trend
Chart type: Time-series line chart
What it shows: Over time, how many newly onboarded applications have "Assignment Required" set to Required, Not Required, or Unknown.
Why it matters: This is the most important governance configuration for controlling application access. When "Assignment Required" is Not Required, any user in the Entra ID tenant can access the application - there is no access gate. When it is Required, users must be explicitly assigned before they can access the application.
The trend lines for "Required" and "Not Required" tell you whether your governance posture is improving. In the example, both "Not Required" and "Required" are growing; ideally, "Required" grows faster and "Not Required" decreases as existing applications are brought into governance.
The Assignments Table
The table lists individual assignment records with:
- Resource - The application the assignment is for
- Principal - The user or group being assigned
- Principal Type - User or Group
- App Role - The specific role being assigned (if configured)
- Created - When the assignment was made
Using the table
Filter by "Assignment Type" = "User" to see all direct user assignments - these are the 29 assignments you should be working to migrate to groups. For each direct assignment, identify the user, find or create an appropriate group, add the user to the group, create a group assignment, and remove the direct assignment.
Filter by "Highest App Role Risk" to prioritise work on high-risk application role assignments.
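The sketch below is an added example, not code from the product. It turns exported assignment records into an enforcement check (the conditions described under Applications with Assignments and Access Control Enforcement Trend) and a migration worklist for the direct user assignments. The application names, principals, record layout and the rule of reusing a group already assigned to the same app role are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample records shaped like the Assignments Table columns,
# plus a per-application "Assignment Required" flag. Not real tenant data.
APPS = {"Payroll": True, "Wiki": False, "Legacy CRM": True, "Travel Portal": False}
ASSIGNMENTS = [
    ("Payroll", "alice@example.com", "User", "Approver"),
    ("Payroll", "bob@example.com", "User", "Approver"),
    ("Payroll", "dave@example.com", "User", "Viewer"),
    ("Payroll", "grp-payroll-viewers", "Group", "Viewer"),
    ("Wiki", "carol@example.com", "User", "Default Access"),
    ("Wiki", "svc-indexer", "Service Principal", "Reader"),
]

def enforcement_findings(apps, assignments):
    """Label each application by its Assignment Required setting and whether it has assignments."""
    assigned = {resource for resource, _, _, _ in assignments}
    findings = {}
    for app, required in apps.items():
        if required:
            # Required with no assignments: the gate is on and nobody is let through.
            findings[app] = "enforced" if app in assigned else "required, no assignments: no one can access"
        else:
            # Not Required: any tenant user can access, whatever assignments exist.
            findings[app] = "not required: open to all tenant users"
    return findings

def migration_plan(assignments):
    """Bucket direct User assignments by (resource, app role) and pick a target group for each."""
    groups, direct = {}, defaultdict(list)
    for resource, principal, ptype, role in assignments:
        if ptype == "Group":
            groups.setdefault((resource, role), principal)
        elif ptype == "User":
            direct[(resource, role)].append(principal)
    plan = []
    for (resource, role), users in sorted(direct.items()):
        target = groups.get((resource, role))  # None means a group must be created
        plan.append({
            "resource": resource, "app_role": role, "users": sorted(users),
            "target_group": target,
            # A group already assigned to this role needs no new group assignment.
            "create_group_assignment": target is None,
        })
    return plan

if __name__ == "__main__":
    for app, finding in enforcement_findings(APPS, ASSIGNMENTS).items():
        print(f"{app}: {finding}")
    for step in migration_plan(ASSIGNMENTS):
        print(step)
```

Each plan entry maps to the steps above: add the listed users to the target group, create the group assignment where flagged, then remove the direct assignments.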