ERROR AADSTS

AADSTS50105

User not assigned to the app or role

in plain english

Sign-in worked, but this user account isn't assigned to the application (or its role). Microsoft Entra returns AADSTS50105 when an enterprise app has 'User assignment required' set to Yes and the signed-in user — or a group they're in — isn't on the Users and groups list for that app.

most likely causes

  • Enterprise application has 'Assignment required' = Yes and the user (or their group) is not assigned
  • App role exists but the user is assigned to a different role than the one the app is requesting
  • Group-based assignment relies on a dynamic group rule that hasn't evaluated the user yet
  • Conditional Access App Filter excluded the user from the assigned scope

fix path

  1. Entra portal → Identity → Applications → Enterprise applications → <app> → Users and groups → Add user/group
  2. If the app uses roles: assign the user to the specific role the app expects (check the app's documentation for which role to use)
  3. If group-based: confirm the user is a member, and that any dynamic group rule has evaluated (Members tab shows the user)
  4. Check Sign-in logs → Failure → AADSTS50105 to see the exact app and user that failed
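The causes and fix path above can be checked offline against exported data. The following is an added example, not part of the original page or any Microsoft tooling: it assumes records shaped like Microsoft Graph `signIn`, `servicePrincipal` and `appRoleAssignedTo` objects, all sample IDs are constructed placeholders, and the function names are hypothetical.

```python
from collections import Counter

# Constructed sample records shaped like Microsoft Graph signIn,
# servicePrincipal and appRoleAssignedTo objects. IDs are placeholders.
SIGNINS = [
    {"appId": "app-1", "userId": "user-a", "status": {"errorCode": 50105}},
    {"appId": "app-1", "userId": "user-a", "status": {"errorCode": 50105}},
    {"appId": "app-1", "userId": "user-b", "status": {"errorCode": 50105}},
    {"appId": "app-1", "userId": "user-c", "status": {"errorCode": 0}},
    {"appId": "app-2", "userId": "user-a", "status": {"errorCode": 50126}},
]
SP = {"appId": "app-1", "appRoleAssignmentRequired": True}
ASSIGNED_TO = [
    {"principalId": "user-c", "principalType": "User", "appRoleId": "role-admin"},
    {"principalId": "group-x", "principalType": "Group", "appRoleId": "role-reader"},
]
# Direct group memberships only (assumption: nested groups do not grant assignment).
DIRECT_GROUPS = {"user-a": [], "user-b": ["group-x"], "user-c": []}

def failures_50105(signins):
    """Count AADSTS50105 failures per (appId, userId), as in fix-path step 4."""
    return Counter(
        (s["appId"], s["userId"]) for s in signins
        if s.get("status", {}).get("errorCode") == 50105
    )

def diagnose(sp, assigned_to, user_id, direct_groups, expected_role=None):
    """Map one user to the page's causes using the app's assignment list."""
    if not sp.get("appRoleAssignmentRequired"):
        return "assignment-not-required"  # the page's precondition is not met
    principals = {user_id} | set(direct_groups)
    roles = {a["appRoleId"] for a in assigned_to if a["principalId"] in principals}
    if not roles:
        return "not-assigned"  # neither the user nor one of their groups is listed
    if expected_role and expected_role not in roles:
        return "assigned-to-different-role"
    return "assigned"

def triage(signins, sp, assigned_to, groups, expected_role=None):
    """Diagnose every user who hit AADSTS50105 on this app."""
    return {
        user: diagnose(sp, assigned_to, user, groups.get(user, []), expected_role)
        for (app, user) in failures_50105(signins) if app == sp["appId"]
    }

if __name__ == "__main__":
    print(triage(SIGNINS, SP, ASSIGNED_TO, DIRECT_GROUPS, "role-admin"))
```

A user who failed with AADSTS50105 but now reports `assigned` was most likely assigned, or picked up by a dynamic group rule, after the logged failure.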

seen in

Entra ID interactive sign-in · Enterprise application launch · Microsoft Graph · OAuth 2.0 / OpenID Connect token requests
