ERROR AADSTS
AADSTS50105
User not assigned to the app or role
in plain english
Sign-in worked, but this user account isn't assigned to the application (or its role). Microsoft Entra returns AADSTS50105 when an enterprise app has 'User assignment required' set to Yes and the signed-in user — or a group they're in — isn't on the Users and groups list for that app.
most likely causes
- Enterprise application has 'Assignment required' = Yes and the user (or their group) is not assigned
- App role exists but the user is assigned to a different role than the one the app is requesting
- Group-based assignment relies on a dynamic group rule that hasn't evaluated the user yet
- Conditional Access App Filter excluded the user from the assigned scope
fix path
- Entra portal → Identity → Applications → Enterprise applications → <app> → Users and groups → Add user/group
- If the app uses roles: assign the user to the specific role the app expects (check the app's documentation for which role to use)
- If group-based: confirm the user is a member, and that any dynamic group rule has evaluated (Members tab shows the user)
- Check Sign-in logs → Failure → AADSTS50105 to see the exact app and user that failed
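The checks in the fix path, as an added example (not code from this page or from Microsoft): a Python triage over constructed records shaped like Microsoft Graph `signIns`, `servicePrincipal` and `appRoleAssignedTo` objects. All IDs, the sample data and the `expected_role` parameter are assumptions made for illustration.

```python
# Added example: offline triage of AADSTS50105 failures. All records are constructed.
DEFAULT_ROLE = "00000000-0000-0000-0000-000000000000"  # Graph's default-access app role id

# Constructed sample data, shaped like Microsoft Graph objects.
SERVICE_PRINCIPAL = {
    "id": "sp-1", "appId": "app-1", "appRoleAssignmentRequired": True,
    "appRoles": [{"id": "role-reader", "value": "Reader"}, {"id": "role-admin", "value": "Admin"}],
}
ASSIGNED_TO = [  # entries from the app's Users and groups list (appRoleAssignedTo)
    {"principalId": "u-alice", "principalType": "User", "appRoleId": "role-reader"},
    {"principalId": "g-finance", "principalType": "Group", "appRoleId": "role-admin"},
]
# Direct memberships only: app assignment does not follow nested groups.
DIRECT_GROUPS = {"u-alice": [], "u-bob": ["g-finance"], "u-carol": ["g-sales"]}
SIGN_INS = [
    {"userId": "u-carol", "appId": "app-1", "status": {"errorCode": 50105}},
    {"userId": "u-alice", "appId": "app-1", "status": {"errorCode": 50105}},
    {"userId": "u-bob", "appId": "app-1", "status": {"errorCode": 0}},
    {"userId": "u-dave", "appId": "app-1", "status": {"errorCode": 50126}},
]

def effective_roles(user_id, assignments, groups):
    """App role ids the user holds directly or through a directly assigned group."""
    principals = {user_id, *groups.get(user_id, [])}
    return {a["appRoleId"] for a in assignments if a["principalId"] in principals}

def diagnose(user_id, sp, assignments, groups, expected_role=None):
    """Map one user to a likely cause; expected_role is a hypothetical input from the app's docs."""
    if not sp["appRoleAssignmentRequired"]:
        return "assignment-not-required"
    roles = effective_roles(user_id, assignments, groups)
    if not roles:
        return "not-assigned"
    names = {DEFAULT_ROLE: "Default Access", **{r["id"]: r["value"] for r in sp["appRoles"]}}
    held = sorted(names.get(r, r) for r in roles)
    if expected_role and expected_role not in held:
        return f"wrong-role: has {held}, app expects {expected_role}"
    return f"assigned: {held}"

def triage(sign_ins, sp, assignments, groups, expected_role=None):
    """Keep only AADSTS50105 failures for this app and diagnose each failing user."""
    return {
        s["userId"]: diagnose(s["userId"], sp, assignments, groups, expected_role)
        for s in sign_ins if s["status"]["errorCode"] == 50105 and s["appId"] == sp["appId"]
    }

if __name__ == "__main__":
    for user, verdict in triage(SIGN_INS, SERVICE_PRINCIPAL, ASSIGNED_TO, DIRECT_GROUPS, "Admin").items():
        print(user, "->", verdict)
```

A user who shows as `assigned` through a dynamic group in this model but still fails in the tenant points at the rule not having evaluated yet, so confirm on the group's Members tab.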
seen in
Entra ID interactive sign-in · Enterprise application launch · Microsoft Graph · OAuth 2.0 / OpenID Connect token requests