I have Entra federated with Okta. One of my users is getting this error: AADSTS50105: The signed in user is blocked because they are not a direct member of a group with access. My problem is that they are a member of a group with access and assigned app.

Mary 20 Reputation points
2025-02-28T03:11:59.84+00:00

Hi, one of my users is getting this error when trying to log in to the other IDP using Entra federation:

Message: AADSTS50105: Your administrator has configured the application to block users unless they are specifically granted ('assigned') access to the application. The signed in user is blocked because they are not a direct member of a group with access, nor had access directly assigned by an administrator. Please contact your administrator to assign access to this application.

The issue is that she is a group member and has the app assigned to her. None of my other users in this group are having this error.

I've checked everything I can think of unless there is a policy that may be blocking it for her. Could that be? Has anyone else run into this?

I'm new to this. Please help.

Microsoft Entra External ID

Accepted answer
  1. Chaithra E 790 Reputation points Microsoft External Staff
    2025-03-03T13:34:01.58+00:00

    Hello @Mary,

    Thank you for reaching out on Microsoft Q&A.

    Based on your description, it looks like a user is encountering the error AADSTS50105: The signed-in user is blocked because they are not a direct member of a group with access. However, you mentioned that the user is already a member of the assigned group and has access to the application.

    This error typically occurs when signing in to an application configured to use Microsoft Entra ID for identity management via SAML-based Single Sign-On.
    To resolve this, please ensure that the user has been correctly assigned to the application by following the steps outlined in https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/add-application-portal-assign-users.

    Since the AADSTS50105 error is coming from Entra ID, it indicates that the authentication request is being blocked after Okta has verified the user, most likely due to Conditional Access policies.
    A Conditional Access policy might be restricting access based on the user’s group membership, location, or device state. I recommend checking Microsoft Entra ID to review any policies that might be affecting this user.
    You can also refer to the link below, which helps you identify which Conditional Access policy is causing the issue.
    https://learn.microsoft.com/en-us/entra/identity/conditional-access/troubleshoot-conditional-access

    Let me know if this helps or if you need further clarification.

    I hope this information is helpful. Please feel free to reach out if you have any further questions. If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Thanks,
    Chaithra.
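The two checks the answer recommends (confirm the assignment, then look at what Entra ID actually logged for the sign-in) can be run from one script. The following is an added example and is not part of Chaithra's answer or of Mary's post; it uses the Microsoft Graph PowerShell SDK, and the UPN and enterprise-app display name ('Okta') are placeholders to replace. Besides the direct user assignment it also distinguishes direct from nested (transitive) membership of each assigned group, because group-based app assignment does not follow nested groups, which is why the AADSTS50105 text says "direct member", and it pulls the recent 50105 sign-in failures so you can compare the account that actually signed in with the account that holds the assignment.

```powershell
# Added example (not from the original post or answer): why does a user get
# AADSTS50105 on an Entra enterprise app? Assumes the Microsoft Graph PowerShell
# SDK (Install-Module Microsoft.Graph) and an account with the read scopes below.
# $Upn and $AppDisplayName are placeholders for the affected user and the app.
param(
    [string]$Upn            = 'user@contoso.com',   # placeholder, assumption
    [string]$AppDisplayName = 'Okta'                # placeholder, assumption
)

Connect-MgGraph -Scopes 'User.Read.All','Group.Read.All','Application.Read.All','AuditLog.Read.All' -NoWelcome

$user = Get-MgUser -UserId $Upn -Property Id,UserPrincipalName,AccountEnabled,UserType
$sp   = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'" | Select-Object -First 1
if (-not $sp) { throw "No enterprise app named '$AppDisplayName' found" }

"App '$($sp.DisplayName)' ($($sp.Id)) requires assignment: $($sp.AppRoleAssignmentRequired)"
"User $($user.UserPrincipalName) id=$($user.Id) enabled=$($user.AccountEnabled) type=$($user.UserType)"

# 1. Every principal (user or group) assigned to the app.
$assignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All

# 2. Is the user assigned directly?
$directUser = $assignments | Where-Object { $_.PrincipalType -eq 'User' -and $_.PrincipalId -eq $user.Id }
"Directly assigned to the app: $([bool]$directUser)"

# 3. For each assigned group, is the user a DIRECT member or only a nested one?
#    Only direct membership satisfies group-based app assignment; a user who is
#    a member via a nested group still gets AADSTS50105.
$isGroup = { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }
$directGroupIds     = (Get-MgUserMemberOf           -UserId $user.Id -All | Where-Object $isGroup).Id
$transitiveGroupIds = (Get-MgUserTransitiveMemberOf -UserId $user.Id -All | Where-Object $isGroup).Id

foreach ($a in ($assignments | Where-Object { $_.PrincipalType -eq 'Group' })) {
    $how = if     ($directGroupIds     -contains $a.PrincipalId) { 'DIRECT member (satisfies assignment)' }
           elseif ($transitiveGroupIds -contains $a.PrincipalId) { 'NESTED member only (not honored by app assignment)' }
           else                                                   { 'not a member' }
    "Assigned group '$($a.PrincipalDisplayName)' ($($a.PrincipalId)): $how"
}

# 4. Recent 50105 failures for this UPN: confirm which account object and which
#    application the failure was logged against (a second account with the same
#    display name, or a different target app, shows up here).
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$fails = Get-MgAuditLogSignIn -Top 20 -Filter "userPrincipalName eq '$Upn' and status/errorCode eq 50105 and createdDateTime ge $since"
foreach ($f in $fails) {
    $same = ($f.UserId -eq $user.Id)
    "$($f.CreatedDateTime)  app='$($f.AppDisplayName)' appId=$($f.AppId)  signedInUserId=$($f.UserId)  matchesAssignedUser=$same  ca=$($f.ConditionalAccessStatus)"
}
```

Read the output bottom-up: if the sign-in entries show `matchesAssignedUser=False` or a different `app`, the assignment is on the wrong object; if the assigned group reports `NESTED member only`, add the user (or the nested group's members) directly to the assigned group or assign the user to the app; if everything is direct and `ca=failure`, move on to the Conditional Access troubleshooting link in the answer.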

