For assigning users to an existing application like App1, specific administrative roles are required. The Application Administrator (Admin1) and Cloud Application Administrator (Admin3) roles both include permissions to manage user and group assignments to enterprise applications. The Application Developer role does not have this permission for apps it doesn't own, and a standard User has no such administrative rights.

For registering a new application like App2, the default setting in an Azure AD tenant allows all users to register applications. Therefore, everyone listed—including the administrators (Admin1, Admin2, Admin3) and the standard user (User1)—can register App2. The administrative roles have this capability inherently, and the standard user has it via the default tenant-wide policy.

Microsoft Entra built-in roles: Microsoft Learn. (n.d.).

Application Administrator: "Users in this role can create and manage all aspects of enterprise applications, application registrations..." This includes "managing user and group assignments."

Cloud Application Administrator: "Users in this role have the same permissions as the Application Administrator, excluding the ability to manage application proxy." This also includes managing user assignments.

Application Developer: "Users in this role can create application registrations when the 'Users can register applications' setting is set to no." However, they can only manage the applications they create, not assign users to arbitrary applications like App1 registered by a Global Admin.

Reference found in the descriptions of each role under the "Azure AD built-in roles" documentation page.

Configure how users can consent to applications: Microsoft Learn. (n.d.).

Section: "User settings for app registrations"

Content: This document states, "It's possible for all users in a tenant to register application... This switch is set to Yes by default." This confirms that User1, along with all administrators, can register App2 under the default configuration.