0
votes

I am new to Azure, so sorry if this is an obvious problem.

I have set up an Enterprise Application inside Azure, and then added a Group with a few users under the Users and Groups section. However, when I try to login with a user that's in this group I get this error:

AADSTS50105: The signed in user is not assigned to a role for the application 'app guid'.

After I invite them individually (or add them directly as a User "Object Type") then they can login and everything works. So, it seems like the Group Assignment is not working for me.

When I look at the Users and Groups section of the app, I can see that the group has a "Role Assigned" of "Default Access" (same as that of a user that can actually login).

What am I doing wrong here?

Any advice would be of a huge help.

More info: The Membership type of the Group is defined as Dynamic User and Self-Service is enabled for this App.

1
Are these users nested members of the groups? Note that group assignment only applies to direct members of the group, and not to indirect [nested] group members. - Zachafer

It is not a nested group (I also found this info when googling), it's a top-level Dynamic Membership group. I actually tested with an Assigned Membership type group, and it worked. The problem is specific to top-level (non-nested) Dynamic type membership groups. - SSH This

Now that I re-read your comment @Zachafer I wonder if Dynamic-based membership is technically considered "nested" since they are not directly assigned? - SSH This

I should also add that Self Service is enabled for this app (I'm not sure if this matters). - SSH This

1 Answer

-1
votes

If Self-Service is enabled for an Enterprise Application, then Dynamic-membership Groups do not work. I had to make a static-membership group, and add all our employees to that. Then add this group to the Enterprise Application. It works with this, but I have to maintain this group, as new people join the company.

This isn't mentioned in the documentation anywhere (the only documented restriction on adding groups to apps is that you cannot nest groups within groups). So I think this is probably an Azure AD defect and not intended behavior.
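The following diagnostic is an added example and is not part of the question or answer above. It uses the Microsoft Graph PowerShell SDK to show, for one app and one user, exactly what the sign-in check sees: whether user assignment is required, which principals hold a role on the app, whether each assigned group is dynamic, and whether the user is a direct (not nested) member of any assigned group. The app name and user principal name are placeholders.

```powershell
# Added diagnostic, not from the original post. Assumes the Microsoft Graph
# PowerShell SDK (Install-Module Microsoft.Graph) and read permissions on
# applications, groups and users. Both values below are placeholders.
$AppDisplayName    = 'My Enterprise App'       # assumption: the app's display name
$UserPrincipalName = 'jane@contoso.example'    # assumption: the user who gets AADSTS50105

Connect-MgGraph -Scopes 'Application.Read.All','Group.Read.All','User.Read.All' | Out-Null

# The enterprise application is the service principal, not the app registration.
$sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'" | Select-Object -First 1
if (-not $sp) { throw "No service principal named '$AppDisplayName'" }

# 'User assignment required' is the setting that makes unassigned sign-ins fail.
"Assignment required: $($sp.AppRoleAssignmentRequired)"

$user = Get-MgUser -UserId $UserPrincipalName
# Direct memberships only: transitive (nested) membership does not grant app access.
$directGroupIds = (Get-MgUserMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }).Id

$assignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All
$covered = $false
foreach ($a in $assignments) {
    # The all-zero AppRoleId is the 'Default Access' role shown in the portal.
    $role = if ($a.AppRoleId -eq '00000000-0000-0000-0000-000000000000') { 'Default Access' } else { $a.AppRoleId }
    switch ($a.PrincipalType) {
        'User' {
            $hit = ($a.PrincipalId -eq $user.Id)
            if ($hit) { $covered = $true }
            "[User ] $($a.PrincipalDisplayName) -> $role; matches user=$hit"
        }
        'Group' {
            $g = Get-MgGroup -GroupId $a.PrincipalId -Property Id,DisplayName,GroupTypes,MembershipRule
            $dynamic = ($g.GroupTypes -contains 'DynamicMembership')
            $hit = ($directGroupIds -contains $g.Id)
            if ($hit) { $covered = $true }
            "[Group] $($g.DisplayName) -> $role; dynamic=$dynamic; user is direct member=$hit"
            if ($dynamic) { "        membership rule: $($g.MembershipRule)" }
        }
    }
}
if (-not $covered) {
    "$UserPrincipalName has no direct or group assignment on '$AppDisplayName'; expect AADSTS50105."
}
```

If a dynamic group is listed, the user shows as a direct member, and sign-in still fails, the output documents the state worth attaching to a support case; if the user is missing from every row, the fix is an assignment, not the group type.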