Understanding the AADSTS50105 User Not Assigned Role Error

If you're working with Microsoft 365 or Entra ID (formerly Azure AD), seeing the AADSTS50105 error probably means someone's hair is on fire about users not getting into an app. This error is all about access—specifically, when a user tries to sign in to an enterprise application and gets blocked because they haven’t been assigned the right role or access permissions in your identity system.

This error isn't just a random speed bump. It keeps unauthorized folks out of your tools and data, which is why understanding this error—and fixing it fast—matters for both security and business productivity. We’re diving headfirst into what this error means, why it pops up in Microsoft environments, and how to handle it like an old pro, not just to solve headaches but to prevent them, too.

What Does the AADSTS50105 Error Mean and What Causes It?

The AADSTS50105 error is the Microsoft way of saying, “Sorry, you’re not on the guest list.” Technically, it means the user is trying to access an application, but they haven’t been assigned to any of its roles or permissions within Microsoft Entra ID. The message usually looks like: “AADSTS50105: The signed-in user is not assigned a role for the application.”

This isn’t just a hiccup; it’s how Microsoft enforces access control. When your organization sets up an enterprise application in Entra ID, there’s an option to block all users from signing in unless they’re specifically granted access. If a user tries to get in without an assignment, the system shows them the door—in the form of this error.

The immediate cause is missing access assignments, but sometimes it’s more than that. This can happen if an administrator meant to limit who can use an app but forgot to finish the setup. It can also show up if a user’s role got removed, or if there’s a lag between making access changes and those changes taking effect—Entra ID doesn’t always update instantly.

Now, before you put all the blame on one side, know that sometimes bulk changes, expired assignments, or conditional access policies can cause issues that look exactly like this error, too. So, if someone’s yelling that they “should” have access, don’t ignore those edge cases—sometimes, it’s a system policy, not human error, causing the lockout.

Recognizing Symptoms and Detecting AADSTS50105 in Microsoft 365

You usually spot the AADSTS50105 error when a user tries to sign into an app—be it Teams, SharePoint, or a third-party SaaS added to Entra ID—only to get an error page instead of that sweet dashboard they were expecting. The most common symptom is a failed login with an explicit message about not being assigned a role for the application.

Users might say, “I’m signed in but can’t see the app,” or “my access was working last week, now I’m locked out.” Less direct complaints might be about missing buttons or grayed out services inside Microsoft 365, which really boils down to the same problem.

For IT admins and helpdesk folks, detecting the AADSTS50105 issue goes beyond just listening to users complain. Microsoft 365 and Entra ID audit logs are your best friends here. You can search for error code 50105 in Azure AD Sign-in Logs (or Entra ID Sign-in logs, depending on what you call it this week) to filter down to incidents of this exact problem.

The logs will show failed sign-in attempts, who tried them, from where, and to which app. This makes it much easier to confirm if the error is a legit missing assignment, or something more stubborn like a propagation delay after admin changes. Reading these logs helps you diagnose the root cause and keeps you from running in circles chasing permission ghosts.

How to Fix the AADSTS50105 User Not Assigned Role Issue

Let’s get straight to it: to fix AADSTS50105, you need to make sure the right users or groups are assigned the proper role for the application in Entra ID. This is usually handled in the “Enterprise Applications” section, using the “Users and Groups” blade. You find the app, pick “Users and groups,” and assign the user or group the necessary access role—simple if you know the path.

If you’re dealing with lots of users, manual assignment gets painful fast. That’s when tools like PowerShell come in handy for automating access (think: bulk adding users, even from HR lists). You can use a script to assign users to app roles or drive dynamic management via the Microsoft Graph API—perfect for shops with constant onboarding and offboarding. This proactive approach doesn’t just fix errors; it prevents them before they ruin your morning.

Keep in mind: changes might not take effect right away due to Entra ID’s backend replication and caching. If you just made the assignment and users are still locked out, expect some lag (a few minutes to an hour isn’t unusual). Review the token cache and consider revoking sessions if you suspect old permissions are hanging around.

Lastly, double-check for hidden blockers. Sometimes, conditional access policies or missing consent prevent access even when roles look right. Verifying both role assignments and policy overlays will stop those “I did everything right!” moments from turning into endless troubleshooting loops.

Summary and Additional Resources for AADSTS50105 Errors

AADSTS50105 is Microsoft’s way of telling you a user isn’t assigned to a role for a given app—no role, no access. This usually boils down to missing assignments in Entra ID, delayed propagation of changes, or sometimes conflicting policies like conditional access. The fix? Assign those users or groups directly, automate where possible, and be patient with sync times.

If you run into repeated headaches, check the logs for confirmation before making more changes. And if you want deeper insight on access governance, conditional access sprawl, or tools to enable scalable security, check out resources like this episode on identity as the control plane and this guide to Microsoft 365 data access governance. Microsoft’s official docs and support are always there if you find yourself truly stuck—just don’t let a single error keep your whole business on pause.