Using Azure AD Self-Service to deploy Azure RemoteApp Applications


Last week Microsoft released the private preview of ‘publish applications to individual users’. In an earlier blogpost I described the steps needed to activate this functionality and how you can use it with Azure AD groups. In this blogpost I want to explain how Azure AD group self-service can be used to grant access to applications and give users self-service functionality. The Azure AD groups functionality requires an Azure AD Premium license for each user; this license is included in the Enterprise Mobility Suite.

Let’s first define the list of applications we want to publish, and to which users/groups:

Application                       | User Group              | Self Service | Approval
----------------------------------|-------------------------|--------------|-----------
Windows Applications (Calc, etc.) | All Users Group         | Not needed   | Not needed
Chrome Browser Application        | Azure AD Security Group | Yes          | Yes
Notepad++ Editor Application      | Azure AD Security Group | Yes          | No

So, based on the above table, let’s log in with a user who has no group memberships:

Based on his current membership the user only gets the ‘standard’ published applications. To activate the Azure AD self-service functionality, we first need to activate Azure AD group management in our Azure Active Directory. This is done by going to https://manage.windowsazure.com/ > Active Directory > Configure. Configure the following settings to activate Azure AD group management:

After saving the above settings, Azure AD group management is activated and the application security groups can be created. So let’s continue by creating Azure AD groups for both applications, Chrome and Notepad++: go to Active Directory > Groups and create both groups.

After creating both groups we need to define the owner(s) of each group, because the owner is the one who configures the self-service settings and approves join requests. This is done by opening the group, going to ‘Owners’ and clicking ‘Add Owners’:

Once the owners are configured, they can define the self-service settings by visiting https://myapps.microsoft.com. When the owner clicks on Groups, the groups he owns are shown:

The owner can now configure the self-service settings for his groups. Let’s configure both groups as defined in the table above:

Now we’ve configured the Azure AD groups. The next step is to log in as a user and request access to the above applications. The user also needs to log in to http://myapps.microsoft.com. The user can now see the security groups in the Azure Active Directory.

When the user opens the ‘APP_ARA_NotepadPlusPlus’ group he can add himself to this group without any approval by the owner of the group:

The user can add a business justification to his request:

Because auto approval is active for this group, the user gets the following message:

When the user does the same for the Chrome application, the owner of the group receives an email message with the request, asking for approval:

The owner can now approve this request by clicking on ‘Act on this Request‘:

When the request is approved the user will be added to the group:

With the script described in the earlier blogpost you can sync the members of the Azure AD groups and grant them access to the applications. The result for the user is:
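The whole procedure above (create the groups, give each one an owner, then keep application access in sync with group membership) can be driven from PowerShell. The script below is an added example and is not the script from the earlier blogpost or any Microsoft sample. It assumes the AzureAD module (Connect-AzureAD) is used for the directory side and the classic Azure module’s RemoteApp cmdlets (Get-/Add-/Remove-AzureRemoteAppUser) for the RemoteApp side, with both already authenticated. It also simplifies the scenario to one RemoteApp collection per self-service group, because the per-application publishing cmdlets from the private preview are not shown on this page; the collection names, group names and owner UPN are placeholders, and the assumption that RemoteApp user objects expose the UPN in their Name property is marked in the code.

```powershell
# Added example, not the author's sync script. Assumptions (see lead-in):
#  - Connect-AzureAD (AzureAD module) and Add-AzureAccount (classic Azure module
#    with the Azure RemoteApp cmdlets) have already been run.
#  - One RemoteApp collection per self-service group (simplification); the
#    per-application preview cmdlets are not used here.
#  - Names below are placeholders for this example.

$OwnerUpn = 'appowner@contoso.com'           # placeholder: owner who approves join requests
$GroupToCollection = @{                      # group display name -> RemoteApp collection
    'APP_ARA_Chrome'          = 'ARA-Chrome'
    'APP_ARA_NotepadPlusPlus' = 'ARA-Notepad'
}

function Ensure-AppGroup {
    # Create the security group if it is missing and make sure it has an owner:
    # a self-service group without an owner has nobody to act on requests.
    param([string]$DisplayName, [string]$OwnerUpn)

    $group = Get-AzureADGroup -Filter "displayName eq '$DisplayName'"
    if (-not $group) {
        $group = New-AzureADGroup -DisplayName $DisplayName `
            -Description "Self-service access to $DisplayName" `
            -SecurityEnabled $true -MailEnabled $false -MailNickName $DisplayName
    }
    $owner = Get-AzureADUser -ObjectId $OwnerUpn
    $currentOwners = Get-AzureADGroupOwner -ObjectId $group.ObjectId
    if ($currentOwners.ObjectId -notcontains $owner.ObjectId) {
        Add-AzureADGroupOwner -ObjectId $group.ObjectId -RefObjectId $owner.ObjectId
    }
    return $group
}

function Get-MembershipDelta {
    # Pure set comparison, kept apart from the cmdlets that change the environment
    # so the grant/revoke decision can be reviewed (or tested) on its own.
    param([string[]]$Desired, [string[]]$Current)
    $d = @($Desired | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique)
    $c = @($Current | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique)
    [pscustomobject]@{
        Grant  = @($d | Where-Object { $c -notcontains $_ })
        Revoke = @($c | Where-Object { $d -notcontains $_ })
    }
}

foreach ($groupName in $GroupToCollection.Keys) {
    $collection = $GroupToCollection[$groupName]
    $group = Ensure-AppGroup -DisplayName $groupName -OwnerUpn $OwnerUpn

    # Desired: UPNs of the users currently in the self-service group.
    # Nested groups are skipped on purpose, so a nested group cannot silently
    # widen access that the owner approved one person at a time.
    $desired = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
        Where-Object { $_.ObjectType -eq 'User' } |
        Select-Object -ExpandProperty UserPrincipalName

    # Current: users already granted on the RemoteApp collection.
    # Assumption: the returned user objects carry the UPN in the Name property.
    $current = Get-AzureRemoteAppUser -CollectionName $collection |
        Select-Object -ExpandProperty Name

    $delta = Get-MembershipDelta -Desired $desired -Current $current

    foreach ($upn in $delta.Grant) {
        Write-Output "GRANT  $upn -> $collection"
        Add-AzureRemoteAppUser -CollectionName $collection -Type OrgId -UserUpn $upn
    }
    foreach ($upn in $delta.Revoke) {
        # Revoking is what makes the group the single source of truth: leaving the
        # group (or being removed by the owner) must also remove the application.
        Write-Output "REVOKE $upn <- $collection"
        Remove-AzureRemoteAppUser -CollectionName $collection -Type OrgId -UserUpn $upn
    }
}
```

Run it on a schedule after the owner has approved requests. The revoke branch is deliberate: without it, the group only ever adds access, and the owner removing someone from the group would not take the application away again.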

So, with the new ‘publish applications to individual users’ capability combined with the Azure AD groups capabilities, we can provide application self-service to users. We can even use a light-weight approval workflow for applications that cannot be assigned to every user. Keep in mind that a group with auto approval effectively makes its application available to every user in the directory, so reserve auto approval for applications everyone may use and require owner approval for the rest.

If you have any questions, please let me know!
