Microsoft Entra sign-in failed because the user is not assigned to the application
Your administrator has configured the application '{app name}' to block users unless they are specifically granted ('assigned') access to the application. The signed-in user '{email}' is blocked because they are not a direct member of a group with access, nor had access directly assigned by an administrator.
The enterprise application in Microsoft Entra ID has user assignment required enabled, meaning only explicitly assigned users or groups can sign in. The user attempting to sign in has not been assigned access, so Entra ID blocks the authentication even though their credentials are valid.
Why it happens
The enterprise application has 'Assignment required' set to Yes in its Properties, which restricts sign-in to only users and groups explicitly assigned to the application.
The user is not directly assigned to the application and is not a direct member of any group that has been assigned. Nested membership does not count: application assignments are not expanded through nested groups, so a user whose only link to an assigned group is via a child group is still blocked.
A group that was previously assigned to the application has been deleted or the user has been removed from the group.
The application was recently migrated or re-registered, and existing user assignments were not carried over to the new registration.
A self-service access request process is in place but the user has not yet submitted a request or had it approved.
How to fix it
To assign the user directly to the application: in the Microsoft Entra admin center, navigate to Enterprise applications > select the application > Users and groups > Add user/group > select the user (and, if the application defines app roles, the role to grant) > Assign.
To assign a group (preferred for scale and auditability): navigate to Enterprise applications > select the application > Users and groups > Add user/group > select a group that directly contains the affected users > Assign. Confirm the user is a direct member of that group, since nested membership is not honoured for application assignment.
If the application should be accessible to all users in the tenant without individual assignment: navigate to Enterprise applications > select the application > Properties > set 'Assignment required' to No. This opens sign-in to every user in the tenant, including guest accounts, and leaves authorization entirely to the application itself; only do this for applications that enforce their own access control, and prefer a group assignment otherwise.
Via Microsoft Graph API (to assign a user programmatically): send a `POST` request to `/servicePrincipals/{id}/appRoleAssignedTo` (or, equivalently, to `/users/{userId}/appRoleAssignments`) with a body containing `principalId` (the user's object ID), `resourceId` (the service principal's object ID) and `appRoleId` (the app role to grant, or `00000000-0000-0000-0000-000000000000` for the default role when the application defines none). The caller needs the `AppRoleAssignment.ReadWrite.All` permission. Note that `/servicePrincipals/{id}/appRoleAssignments` is a different collection (roles granted to the service principal as a principal) and will not assign the user.
Via PowerShell (Microsoft Graph PowerShell SDK, after `Connect-MgGraph -Scopes 'AppRoleAssignment.ReadWrite.All'`): `New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId '<SP ObjectId>' -PrincipalId '<User or Group ObjectId>' -ResourceId '<SP ObjectId>' -AppRoleId '<Role ID, or 00000000-0000-0000-0000-000000000000 for the default role>'`
If a self-service access flow is configured: direct the user to My Apps (https://myapps.microsoft.com) to request access to the application, and ensure an approver is configured to action the request.
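The following script is an added example, not part of the original article or of Microsoft's own tooling. It walks the diagnosis and the fix above in one pass with the Microsoft Graph PowerShell SDK: confirm that 'Assignment required' is the reason for the block, check whether the user already holds a direct assignment or one through a group they are a direct member of, and if not, assign the group (preferred) or the user. The application name 'Contoso Payroll', the user 'alice@contoso.com' and the group 'Payroll Users' are placeholders.

```powershell
# Added example (not from the original article): diagnose and remediate the
# "user is not assigned to the application" block for one user and one app.
# Placeholder names: 'Contoso Payroll', 'alice@contoso.com', 'Payroll Users'.
# Requires the Microsoft.Graph.Applications, .Users and .Groups modules.

param(
    [string]$AppDisplayName     = 'Contoso Payroll',
    [string]$UserPrincipalName  = 'alice@contoso.com',
    [string]$GroupDisplayName   = 'Payroll Users'   # preferred: assign the group, not the user
)

# Least-privilege scopes: read the service principal, users and group membership,
# write app role assignments. Nothing here needs Directory.ReadWrite.All.
Connect-MgGraph -Scopes 'Application.Read.All','User.Read.All','GroupMember.Read.All','AppRoleAssignment.ReadWrite.All' -NoWelcome

$sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'"
if (@($sp).Count -ne 1) { throw "Expected exactly one service principal named '$AppDisplayName'" }

# 1. Confirm the setting that produces this error ('Assignment required?' = Yes).
if (-not $sp.AppRoleAssignmentRequired) {
    Write-Host "Assignment is not required on '$AppDisplayName'; the sign-in block has another cause."
    return
}

$user = Get-MgUser -UserId $UserPrincipalName

# 2. Current assignments on the app. PrincipalType is 'User', 'Group' or 'ServicePrincipal'.
$assignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All

$direct = $assignments | Where-Object { $_.PrincipalType -eq 'User' -and $_.PrincipalId -eq $user.Id }

# Only DIRECT group membership counts: app assignments are not expanded through
# nested groups, so use the direct memberOf list, not the transitive variant.
$directGroupIds = @(Get-MgUserMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' } |
    ForEach-Object { $_.Id })
$viaGroup = $assignments | Where-Object { $_.PrincipalType -eq 'Group' -and $_.PrincipalId -in $directGroupIds }

if ($direct -or $viaGroup) {
    Write-Host "$UserPrincipalName already has access (direct: $([bool]$direct), via group: $([bool]$viaGroup)). Look for a disabled app role or a stale token instead."
    return
}

# 3. Pick the app role. Apps that declare no roles use the all-zero 'default access' role.
$userRoles = @($sp.AppRoles | Where-Object { $_.IsEnabled -and 'User' -in $_.AllowedMemberTypes })
$appRoleId = if ($userRoles.Count -gt 0) { $userRoles[0].Id } else { '00000000-0000-0000-0000-000000000000' }

# 4. Remediate. Assign the group when one is given (scales, keeps an auditable
# membership boundary); fall back to a direct user assignment otherwise.
$group = if ($GroupDisplayName) { Get-MgGroup -Filter "displayName eq '$GroupDisplayName'" } else { $null }
$principalId = if ($group) { $group.Id } else { $user.Id }

$new = New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id `
    -PrincipalId $principalId -ResourceId $sp.Id -AppRoleId $appRoleId

Write-Host "Assigned $($new.PrincipalDisplayName) ($($new.PrincipalType)) to '$AppDisplayName' with role $appRoleId."

# A group assignment only helps if the user is a direct member of that group.
if ($group -and ($group.Id -notin $directGroupIds)) {
    Write-Host "Note: $UserPrincipalName is not a direct member of '$GroupDisplayName'; add them with New-MgGroupMember or the block persists."
}
```

Run it as a signed-in administrator who holds a role permitted to consent to the listed scopes (Cloud Application Administrator or Application Administrator is sufficient). The script deliberately never flips `AppRoleAssignmentRequired` to `$false`; if that is the intended outcome, use `Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$false` as a separate, reviewed change, since it opens the application to every account in the tenant.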