User assignment required off with common tenant gives error AADSTS50105

Question

User assignment required off with common tenant gives error AADSTS50105

Avery Scott 1

We have an Enterprise application configured in Azure Active Directory with "User assignment required" turned off (screenshot attached for reference).

We want Microsoft users to be able to authenticate with it using the 'common' tenant. But some users are getting the error code AADSTS50105 when they try to authenticate.

Is there something we need to adjust to allow for all users to authenticate with our app using the 'common' tenant? Or is there something users need to adjust within their own tenants to authenticate?

AmanpreetSingh-MSFT 56,871 Reputation points Moderator

2021-03-04T08:18:01.547+00:00

Hi @Avery Scott · When User assignment required is set to No, this error should not occur. Could you please share the Request ID and Timestamp that you get along with the error, I will try to track that in order to identify the issue in our backend logs.
Avery Scott 1 Reputation point

2021-03-04T19:08:35.423+00:00

Hi,

Here are the Trace and Correlation IDs as well as the time stamp:

Trace ID: e5783048-bf01-4232-bc81-a2eb38680d00
Correlation ID: b93c608c-e641-4e77-96bb-e63c33a7dd60
Timestamp: 2021-02-09 23:29:23
Avery Scott 1 Reputation point

2021-03-15T17:34:27.23+00:00

Hi,
I was just following up to see if there was anything else you might need from me to help diagnose the issue?
Or if you'd made any progress?

Thanks!
Avery Scott 1 Reputation point

2021-04-06T18:35:47.82+00:00

Hi,
I was just following up again to see if there was anything else you might need from me to help diagnose the issue?
Or if you'd made any progress?

Thanks!
AmanpreetSingh-MSFT 56,871 Reputation points Moderator

2021-04-07T06:36:25.327+00:00

Hi @Avery Scott · Sorry for delay in response. I missed your comments on this thread. Kindly use tagging functionality so that the person the comment is intended for, gets an email notification.
I tried to track the Request and Correlation ID but unfortunately the logs are retained only for 30 days as per GDPR guidelines. Could you please reproduce the issue once again and share the latest Request and Correlation ID along with timestamp.
Avery Scott 1 Reputation point

2021-04-07T18:25:34.77+00:00

Hi @AmanpreetSingh-MSFT

No worries. Thank you for getting back to me.

Here is the latest error response:

No HTTP resource was found that matches the request URI 'http://api.reliancenetwork.com:8001/Exchange/Code?error=interaction_required&error_description=AADSTS50105:+The+signed+in+user+'{EmailHidden}'+is+not+assigned+to+a+role+for+the+application+'a59a367e-c2ad-4073-b7bf-43efbf894592'(ExchangeSyncAuth).%0d%0aTrace+ID:+25ea4fd7-57a3-428c-b427-718c005a3401%0d%0aCorrelation+ID:+41c4569c-b6b8-4fae-9354-9dc638774cda%0d%0aTimestamp:+2021-04-07+18:00:23Z&error_uri=https:%2f%2flogin.microsoftonline.com%2ferror%3fcode%3d50105&state=230.125401'.

Trace ID: 25ea4fd7-57a3-428c-b427-718c005a3401
Correlation ID: 41c4569c-b6b8-4fae-9354-9dc638774cda
Timestamp: 2021-04-07 18:00:23Z

Let me know if you need anything else.

1 answer

Your answer

AmanpreetSingh-MSFT 56,871 Reputation points Moderator

2021-03-04T08:18:01.547+00:00

Hi @Avery Scott · When User assignment required is set to No, this error should not occur. Could you please share the Request ID and Timestamp that you get along with the error, I will try to track that in order to identify the issue in our backend logs.
Avery Scott 1 Reputation point

2021-03-04T19:08:35.423+00:00

Hi,

Here are the Trace and Correlation IDs as well as the time stamp:

Trace ID: e5783048-bf01-4232-bc81-a2eb38680d00
Correlation ID: b93c608c-e641-4e77-96bb-e63c33a7dd60
Timestamp: 2021-02-09 23:29:23
Avery Scott 1 Reputation point

2021-03-15T17:34:27.23+00:00

Hi,
I was just following up to see if there was anything else you might need from me to help diagnose the issue?
Or if you'd made any progress?

Thanks!
Avery Scott 1 Reputation point

2021-04-06T18:35:47.82+00:00

Hi,
I was just following up again to see if there was anything else you might need from me to help diagnose the issue?
Or if you'd made any progress?

Thanks!
AmanpreetSingh-MSFT 56,871 Reputation points Moderator

2021-04-07T06:36:25.327+00:00

Hi @Avery Scott · Sorry for delay in response. I missed your comments on this thread. Kindly use tagging functionality so that the person the comment is intended for, gets an email notification.
I tried to track the Request and Correlation ID but unfortunately the logs are retained only for 30 days as per GDPR guidelines. Could you please reproduce the issue once again and share the latest Request and Correlation ID along with timestamp.
Avery Scott 1 Reputation point

2021-04-07T18:25:34.77+00:00

Hi @AmanpreetSingh-MSFT

No worries. Thank you for getting back to me.

Here is the latest error response:

No HTTP resource was found that matches the request URI 'http://api.reliancenetwork.com:8001/Exchange/Code?error=interaction_required&error_description=AADSTS50105:+The+signed+in+user+'{EmailHidden}'+is+not+assigned+to+a+role+for+the+application+'a59a367e-c2ad-4073-b7bf-43efbf894592'(ExchangeSyncAuth).%0d%0aTrace+ID:+25ea4fd7-57a3-428c-b427-718c005a3401%0d%0aCorrelation+ID:+41c4569c-b6b8-4fae-9354-9dc638774cda%0d%0aTimestamp:+2021-04-07+18:00:23Z&error_uri=https:%2f%2flogin.microsoftonline.com%2ferror%3fcode%3d50105&state=230.125401'.

Trace ID: 25ea4fd7-57a3-428c-b427-718c005a3401
Correlation ID: 41c4569c-b6b8-4fae-9354-9dc638774cda
Timestamp: 2021-04-07 18:00:23Z

Let me know if you need anything else.

Answer 1

AmanpreetSingh-MSFT 56,871 Moderator

Hi @Avery Scott · Thank you for sharing required information.

I tracked the details in our backend database. Please find my findings below:

The application is a multi-tenant app published at reliancenetwork.
User Assignment Required is set to NO in the publisher tenant.
When this application was accessed and consented by a user of your tenant, a service principal corresponding to this application was registered in your tenant.
In the service principal properties, User Assignment Required is set to YES in your tenant. This is why when a user, who is not assigned a role to the application in your tenant, access the application, ends up with AADSTS50105 error.

Looking at the screenshot that you have provided, I suspect the portal is not reflecting correct settings. I would suggest you to use below PowerShell Cmdlets:

To see the setting:
Run Get-AzureADServicePrincipal -ObjectId object_id_of_service_principal | fl app* and make sure AppRoleAssignmentRequired is set False in the output.

If the value is true, run Set-AzureADServicePrincipal -ObjectId object_id_of_service_principal -AppRoleAssignmentRequired $false to set it to False.

Note: You need to use Global Admin or Application Admin account to run the above cmdlet.

-----------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Avery Scott 1 Reputation point

2021-04-08T20:57:59.787+00:00
Hi @AmanpreetSingh-MSFT

Our IT guy got this error:

PS C:\Windows\system32> Get-AzureADServicePrincipal -ObjectId 24298ad1-4fb5-4406-8b9b-72736edcf933 | fl app*
Get-AzureADServicePrincipal : Error occurred while executing GetServicePrincipal
Code: Request_ResourceNotFound
Message: Resource '24298ad1-4fb5-4406-8b9b-72736edcf933' does not exist or one of its queried reference-property objects are not present.
RequestId: 882cdcfb-7aec-4daa-be4e-e0ef0b0c8915
DateTimeStamp: Thu, 08 Apr 2021 20:01:10 GMT
HttpStatusCode: NotFound
HttpStatusDescription: Not Found
HttpResponseStatus: Completed
At line:1 char:1

Get-AzureADServicePrincipal -ObjectId 24298ad1-4fb5-4406-8b9b-72736ed ...

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

CategoryInfo : NotSpecified: (:) [Get-AzureADServicePrincipal], ApiException

FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.GetServicePrincipal
AmanpreetSingh-MSFT 56,871 Reputation points Moderator

2021-04-09T08:30:01.453+00:00

Hi @Avery Scott · The objectID 24298ad1-4fb5-4406-8b9b-72736edcf933 was from my lab tenant; I have updated my answer above. You need to find the "ExchangeSyncAuth" app under Azure AD > Enterprise Applications and use its object ID in the cmdlet.
Avery Scott 1 Reputation point

2021-04-09T19:58:45.95+00:00

Hi @AmanpreetSingh-MSFT

Our IT got this response from the cmdlet:

PS C:\Windows\system32> Get-AzureADServicePrincipal -ObjectId aa000428-9318-4408-9d8d-75ab5ecf9fed | fl app*

AppDisplayName : ExchangeSyncAuth
AppId : {Our App ID}
AppOwnerTenantId : {Our Tenant ID}
AppRoleAssignmentRequired : False
AppRoles : {}

Do you have any other suggestions or ideas about what could be happening?

Thanks!
AmanpreetSingh-MSFT 56,871 Reputation points Moderator

2021-04-12T18:12:29.343+00:00

Hi @Avery Scott · The Object ID you have used in the above command is not correct as it doesn't match with the one I can see in while tracking the request and correlation id. Make sure when connecting to AzureAD via powershell, use

Connect-AzureAD -TenantID floridaxxxxxxxxxxy.com

The object ID you need to use is: 1bbd42f5-xxxx-xxxx-xxxx-5c459862506a

I have masked few information to maintain confidentiality. If you need complete details, please send an email at AzCommunity[at]Microsoft[dot]Com with subject ATTN:Amanpreet and I will share complete details.
Avery Scott 1 Reputation point

2021-04-13T15:11:35.09+00:00

Hi @AmanpreetSingh-MSFT

Thanks for clarifying things for me.

My final comment/question on this subject:
Is there any way to allow for users outside of our tenant (Reliance Network)/application to authenticate against/access it without requiring both of our tenants to have "User Assignment Required" turned off?

Basically is there another way to get the common tenant to work without both tenants having that setting turned off?
Avery Scott 1 Reputation point

2021-04-22T19:19:43.97+00:00

Hi @AmanpreetSingh-MSFT

We had a client update their tenant and turn off "User Assignment Required", but that did not resolve the issue with using the "common" tenant ID.
AmanpreetSingh-MSFT 56,871 Reputation points Moderator

2021-04-23T07:59:53.55+00:00

Hi @Avery Scott · I checked in our backend and "User Assignment Required" still shows YES. I have sent an email regarding this as well. Feel free to reach out to me via email if you need any help.

Ruchita Chavda | HubBroker ApS 5

Hello @AmanpreetSingh-MSFT I have this same issue and I have also checked my app settings which seem correct as per your suggestion. Do you know what causing the issue here?

{
    "error": "invalid_grant",
    "error_description": "AADSTS50105: Your administrator has configured the application MSD365Finance_Operation_MultiTenant ('45b3ab8a-ac3a-4a11-9e5b-de863784d602') to block users unless they are specifically granted ('assigned') access to the application.  The signed in user '{EmailHidden}' is blocked because they are not a direct member of a group with access, nor had access directly assigned by an administrator. Please contact your administrator to assign access to this application. Trace ID: 7042b424-d1bf-4f65-a104-c60889527700 Correlation ID: 8afad8ac-11d7-428c-85f9-b0e8df5fed1f Timestamp: 2024-02-06 07:59:27Z",
    "error_codes": [
        50105
    ],
    "timestamp": "2024-02-06 07:59:27Z",
    "trace_id": "7042b424-d1bf-4f65-a104-c60889527700",
    "correlation_id": "8afad8ac-11d7-428c-85f9-b0e8df5fed1f",
    "error_uri": "https://login.microsoftonline.com/error?code=50105"
}

User's image

Diana Polyakova 0 Reputation points

2024-02-09T12:19:08.32+00:00

@AmanpreetSingh-MSFT Hello!

Unfortunately we also meet the issue, described in this conversation.

Currently we use our application, and we need to make it possible to all users to login, without assigning them to the application. I double-checked the Assignment required? setting in our application, it has option No

Also ran the command Get-AzureADServicePrincipal, where also see that AppRoleAssignmentRequired : False

What could be the reason? Currently this issue blocks our users to use SSO, which is the only option for them to authenticate in the system, means, that they cannot use it at all.

Thank you upfront for your support!

Share via

User assignment required off with common tenant gives error AADSTS50105

1 answer

Your answer