FAQ / Troubleshooting

This page lists common problems and solutions when authenticating with Azure AD.

Missing Application Access Policy

Your application (named A in the examples below) attempts to consume another application (named B).

When requesting a token from Azure AD, your application may receive a 400 Bad Request with an invalid_grant error response and the following message:

AADSTS501051:

Application '<client ID>' (<cluster>:<namespace>:<A>) is not assigned to a role for the application 'api://<cluster>.<namespace>.<B>' (<cluster>:<namespace>:<B>)

Or the other variant:

AADSTS65001:

The user or administrator has not consented to use the application with ID '<client ID>' named '<cluster>:<namespace>:<A>'.

Send an interactive authorization request for this user and resource.

Solution / Answer
  • Ensure that the scope value in your application's token request follows the correct format exactly (note the trailing /.default):

    api://<cluster>.<namespace>.<application>/.default

  • Ensure that application B's access policy includes application A.

  • If all else fails, request assistance in the #nais channel on Slack.

Missing User Access Policy

When attempting to sign in or perform the on-behalf-of flow, an application may receive a 400 Bad Request with an invalid_grant error response and the following message:

AADSTS50105:

Your administrator has configured the application <cluster>:<namespace>:<A> ('<client id>') to block users unless they are specifically granted ('assigned') access to the application.

The signed in user '{EmailHidden}' is blocked because they are not a direct member of a group with access, nor had access directly assigned by an administrator.

Please contact your administrator to assign access to this application

Solution / Answer
  • Ensure that application A has configured user access.
  • Ensure that the given user is a direct member of at least one of the configured groups; as the error message states, membership through a nested group does not count.
  • If all else fails, request assistance in the #nais channel on Slack.
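The following Python script is an added example, not code from the NAIS platform or its libraries. It serves both the "Missing Application Access Policy" and "Missing User Access Policy" entries above: it builds and validates a scope in the required api://<cluster>.<namespace>.<application>/.default format, assembles the client credentials request body application A sends to obtain a token for application B, and extracts the AADSTS code from a token endpoint error response so it can be mapped back to the FAQ entry that explains it. The cluster, namespace and application names, the client ID and the sample error body are constructed for the example, and the label pattern assumes lowercase DNS-style names.

```python
"""Added example (not part of the NAIS platform or its libraries): build the
scope format this FAQ prescribes, assemble a client credentials request body
for application A calling application B, and classify the AADSTS codes quoted
in the "Missing Application Access Policy" and "Missing User Access Policy"
entries from a token endpoint error response."""
import json
import re
from urllib.parse import urlencode

# Scope format required for a NAIS application:
# api://<cluster>.<namespace>.<application>/.default
# cluster, namespace and application are assumed to be lowercase DNS-style labels.
SCOPE_RE = re.compile(
    r"^api://(?P<cluster>[a-z0-9-]+)\.(?P<namespace>[a-z0-9-]+)"
    r"\.(?P<application>[a-z0-9-]+)/\.default$"
)

# AADSTS codes quoted in this FAQ, mapped to the cause each entry describes.
KNOWN_CODES = {
    "AADSTS501051": "missing application access policy: B's access policy does not include A",
    "AADSTS65001": "missing application access policy: A is not consented/assigned for B",
    "AADSTS50105": "missing user access policy: user is not a direct member of a configured group",
}

# Azure AD places the AADSTS code at the start of error_description.
AADSTS_RE = re.compile(r"\b(AADSTS\d+)\b")


def build_scope(cluster: str, namespace: str, application: str) -> str:
    """Return the scope for calling `application`, validated against SCOPE_RE."""
    scope = f"api://{cluster}.{namespace}.{application}/.default"
    if not SCOPE_RE.match(scope):
        raise ValueError(f"malformed scope: {scope!r}")
    return scope


def is_valid_scope(scope: str) -> bool:
    """True if `scope` is well formed; rejects a stray '>' or a missing '/.default'."""
    return SCOPE_RE.match(scope) is not None


def client_credentials_body(client_id: str, client_secret: str, scope: str) -> str:
    """Form-encoded body for A's client credentials request to the token endpoint."""
    if not is_valid_scope(scope):
        raise ValueError(f"refusing to send malformed scope: {scope!r}")
    return urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    })


def classify_token_error(status: int, body: str) -> dict:
    """Map a token endpoint error response to the FAQ entry it corresponds to.

    Pulls the AADSTS code out of error_description and looks up the cause
    this FAQ gives for it; unknown codes fall through to the Slack advice."""
    if status != 400:
        return {"code": None, "error": None, "cause": f"unexpected HTTP status {status}"}
    payload = json.loads(body)
    match = AADSTS_RE.search(payload.get("error_description", ""))
    code = match.group(1) if match else None
    return {
        "code": code,
        "error": payload.get("error"),
        "cause": KNOWN_CODES.get(code, "not covered by this FAQ; ask in #nais on Slack"),
    }


# Constructed sample of the 400 response body for the first FAQ entry. The client ID,
# cluster, namespace and application names are made up for this example.
SAMPLE_ERROR_BODY = json.dumps({
    "error": "invalid_grant",
    "error_description": (
        "AADSTS501051: Application '00000000-0000-0000-0000-000000000001' "
        "(dev-gcp:myteam:app-a) is not assigned to a role for the application "
        "'api://dev-gcp.myteam.app-b' (dev-gcp:myteam:app-b)"
    ),
})

if __name__ == "__main__":
    scope = build_scope("dev-gcp", "myteam", "app-b")
    print("scope:", scope)
    print("request body:", client_credentials_body(
        "00000000-0000-0000-0000-000000000001", "<secret>", scope))
    print("error classification:", classify_token_error(400, SAMPLE_ERROR_BODY))
```

The client credentials flow (A calling B) and the on-behalf-of flow (a signed-in user's token exchanged for B) return errors in the same shape, so the same parser applies to the AADSTS50105 case; what differs is only which FAQ entry the extracted code points to. Validating the scope before sending the request catches the malformed values that produce the AADSTS501051 response in the first place.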

Tenant Mismatch for Signed-in User

While attempting to log in, you may receive the following error message from Azure AD:

Selected user account does not exist in tenant 'some-tenant' and cannot access the application '<client-id>' in that tenant.

The account needs to be added as an external user in the tenant first.

Please use a different account.

Solution / Answer
  • Ensure that the user signs in with an account that belongs to your application's tenant, rather than a personal account or an account in another tenant.
  • If all else fails, request assistance in the #nais channel on Slack.