Summary: SSO providers have provider-specific settings that can cause errors at login or during initial setup. This article describes one such misconfiguration encountered with Azure Active Directory (AAD).


Problem/Symptoms: After the initial setup (configuring the Aqua enterprise application in AAD and sending the XML to Aqua Support), the user encountered this error at login:

AADSTS50105: Your administrator has configured the application <Aqua Application> to block users unless they are specifically granted ('assigned') access to the application. The signed in user 'user@domain.com' is blocked because they are not a direct member of a group with access, nor had access directly assigned by an administrator. Please contact your administrator to assign access to this application.


Solution: This error is caused by the "Assignment required?" setting on the Aqua enterprise application in AAD (Enterprise applications > <Aqua Application> > Properties):

When this option is set to Yes, AAD rejects sign-ins from anyone who is not assigned to the application, so an administrator must assign the user, or a group the user belongs to, under the enterprise application's "Users and groups" section. This is required even if JIT provisioning is enabled in Aqua: AAD performs the assignment check before it issues the SSO response, so Aqua never gets the chance to create the user. Note the wording "direct member" in the error text: nested group membership does not satisfy the assignment, so assign a group the user is a direct member of. Setting "Assignment required?" to No also clears the error, but it lets every user in the tenant sign in to Aqua, so assigning an explicit group is the preferred fix.
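The same check and fix can be scripted with the Microsoft Graph PowerShell SDK. This is an added example, not part of the original article or Aqua's own tooling; it assumes the enterprise application's display name is "Aqua", the group to assign is named "aqua-users", and the signed-in admin can consent to the listed Graph scopes.

```powershell
# Added example (not from the Aqua KB article). Inspect the "Assignment required?" setting on the
# Aqua enterprise application and assign a group to it, so the AADSTS50105 error goes away.
# Assumptions: enterprise app display name "Aqua", group display name "aqua-users".
Connect-MgGraph -Scopes "Application.Read.All","Group.Read.All","AppRoleAssignment.ReadWrite.All"

# The enterprise application is the service principal, not the app registration.
$sp = Get-MgServicePrincipal -Filter "displayName eq 'Aqua'"
if (-not $sp) { throw "Enterprise application 'Aqua' not found" }

# $true here is the setting that produces AADSTS50105 for unassigned users.
"Assignment required: $($sp.AppRoleAssignmentRequired)"

# Group whose direct members should be able to sign in to Aqua (nested membership does not count).
$group = Get-MgGroup -Filter "displayName eq 'aqua-users'"
if (-not $group) { throw "Group 'aqua-users' not found" }

# An app that declares no app roles uses the all-zeros GUID as its default access role.
$defaultRole = "00000000-0000-0000-0000-000000000000"
$roleId = if ($sp.AppRoles.Count -gt 0) { $sp.AppRoles[0].Id } else { $defaultRole }

# Assign the group to the application; this is the scripted equivalent of
# Enterprise applications > Aqua > Users and groups > Add user/group.
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id `
    -PrincipalId $group.Id -ResourceId $sp.Id -AppRoleId $roleId | Out-Null

# Verify who is now assigned.
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id |
    Select-Object PrincipalDisplayName, PrincipalType

# Alternative (less restrictive): let every tenant user sign in by disabling the requirement.
# Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$false
```

The group assignment is the safer of the two options because it keeps AAD enforcing who may reach Aqua; disabling the requirement moves that decision entirely to whatever Aqua does after JIT creates the user.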


Related Information: https://support.aquasec.com/a/tickets/20819