App registration default role permissions

If I assign a user or group of users “Default Access” in users and groups, what access does that grant to the users?

If I don’t assign users, and leave the “Assignment required?” property set to “No”, does that mean that All Users get “Default Access” to the application?

Assigning a user to “Default Access” means only users or groups assigned to a role are granted access to the application. Users not assigned will get a prompt from Entra ID telling them to contact their administrators to gain access. By default, when flipping to “Assignment required”, the individual flipping that switch is assigned the “default” role and will be the only one able to log in to that application until more users or groups are granted access.

Roles will be unique to each application. If an application is setting up RBAC, they will define the access and role names and will have to provide documentation on the privileges they provide.

Thanks Craig, so if I understand correctly, the Default Access is whatever the app developer defines that assigned users will get if user assignment is required. If not, ALL users get that default access?

Access (for assigned users) is different from application/delegated permissions, which the app potentially requires consent for to resources in the tenant, right?

You are correct, Default Access is whatever the developer defined. If User Assignment is not set to required, none of the roles matter. If you dig deeper from a developer perspective, when User Assignment is turned on the assigned role(s) are actually included in the JWT token from Entra ID and are readable by the service.

This access is completely independent from API permissions either application or delegated.

I am trying to learn more about app roles that are available, and I guess it depends on the developer of the app. I have found in Entra ID app registrations that I can add custom app roles. I see that a test app registration I created automatically has the “msiam_access” app role, so would that be the “Default Access” we have been talking about in prior posts?

I am not an app developer, so I want to understand from an IT Administrator’s perspective.

If msiam_access is the only role, then it will be the default when assigning a new user, as it’s the only one that exists.
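As an added illustration (not part of this thread and not Microsoft's code) of the earlier point that assigned app roles travel in the token's `roles` claim and are read by the service, the Python below mints a constructed HS256 token and shows how a backend would validate it and make a deny-by-default authorization decision on that claim, using the msiam_access role name from the app registration discussed above. Assumptions: the shared key, audience value and user id are constructed for the demo; a real Entra ID token is RS256-signed and must be verified against the tenant's published signing keys and issuer, so the HMAC check here is a self-contained stand-in for that step.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key. A real Entra ID token is RS256-signed and is verified
# against the tenant's published signing keys, never against a shared secret.
DEMO_KEY = b"constructed-demo-secret-not-a-real-key"
# Assumed Application ID URI of the protected API (constructed value).
EXPECTED_AUDIENCE = "api://constructed-demo-app"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_demo_token(claims: dict) -> str:
    """Mint a constructed HS256 JWT so the validator below has input to check."""
    header_b64 = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header_b64}.{payload_b64}"
    sig = hmac.new(DEMO_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def validate_token(token: str, now=None) -> dict:
    """Check structure, algorithm, signature, audience and expiry; return claims or raise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never trust the token's own alg choice
    expected = hmac.new(DEMO_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("wrong audience")  # a token minted for another app is rejected
    current = time.time() if now is None else now
    if claims.get("exp", 0) <= current:
        raise ValueError("token expired")
    return claims


def roles_from_token(token: str, now=None) -> list:
    """Return the app roles in the validated token's `roles` claim (empty if absent)."""
    roles = validate_token(token, now).get("roles", [])
    return roles if isinstance(roles, list) else []


def is_authorized(token: str, required_role: str, now=None) -> bool:
    """Deny by default; allow only when the token validates and carries the role."""
    try:
        return required_role in roles_from_token(token, now)
    except ValueError:
        return False


if __name__ == "__main__":
    now = time.time()
    base = {"aud": EXPECTED_AUDIENCE, "exp": now + 600, "oid": "constructed-user-id"}
    assigned = make_demo_token({**base, "roles": ["msiam_access"]})
    unassigned = make_demo_token(base)  # no roles claim: user holds no app role
    print("assigned  ->", is_authorized(assigned, "msiam_access"))
    print("unassigned->", is_authorized(unassigned, "msiam_access"))
```

The service reads the role from the validated claim set only; a missing or non-list `roles` claim yields no roles, so a user without an assignment is denied rather than falling through to some implicit default.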