The Archive Manager Exchange Store Manager (ESM) service or a related scheduled task fails to authenticate. When reviewing the service logs or the OAuth sign-in logs, the following error is observed:
Error AADSTS50105: The signed in user is not assigned to a role for the application.
This occurs in environments configured to use Microsoft Entra ID (formerly Azure AD) for identity management via SAML/OAuth.
The Archive Manager Proxy account (the service account running the ESM service) has not been granted access to the Archive Manager Enterprise Application in Microsoft Entra ID.
By default, the Enterprise Application may be configured to require explicit user assignment, and the service account is missing from the allowed list.
To resolve the error, assign the service account to the application. This method maintains higher security by restricting access to specific accounts only.
Log in to the Microsoft Entra Admin Center (https://entra.microsoft.com/).
Navigate to Identity > Applications > Enterprise applications.
Search for and select the Archive Manager OAuth application.
Under the Manage menu on the left, select Users and groups.
Click + Add user/group.
Search for the Archive Manager Proxy account (or the specific service account running the ESM service).
Select the account and click Assign.
Alternatively, disable the assignment requirement on the application. This method allows all users in your tenant to authenticate against the application without individual assignment.
Log in to the Microsoft Entra Admin Center.
Navigate to Identity > Applications > Enterprise applications.
Search for and select the Archive Manager OAuth application.
Under the Manage menu on the left, select Properties.
Locate the setting Assignment required? and toggle it to No.
Click Save.
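The same check and the per-account assignment from the first method can be scripted with the Microsoft Graph PowerShell SDK. This is an added example, not part of the original article or the vendor's tooling. The application display name and the service account UPN are placeholders to replace with your tenant's values, and the script assumes the Microsoft.Graph.Applications and Microsoft.Graph.Users modules are installed.

```powershell
#Requires -Modules Microsoft.Graph.Applications, Microsoft.Graph.Users
param(
    # Placeholders (assumptions): substitute the values from your tenant.
    [string]$AppDisplayName    = 'Archive Manager OAuth',
    [string]$ServiceAccountUpn = 'am-proxy@contoso.example',
    [switch]$Assign            # without this switch the script only reports
)

# Request the write scope only when an assignment will actually be made.
$scopes = @('Application.Read.All', 'User.Read.All')
if ($Assign) { $scopes += 'AppRoleAssignment.ReadWrite.All' }
Connect-MgGraph -Scopes $scopes

# Locate the enterprise application (service principal) by display name.
$name = $AppDisplayName.Replace("'", "''")
$sp = @(Get-MgServicePrincipal -Filter "displayName eq '$name'")
if ($sp.Count -ne 1) { throw "Expected one application named '$AppDisplayName', found $($sp.Count)." }
$sp   = $sp[0]
$user = Get-MgUser -UserId $ServiceAccountUpn

# Direct assignments only: membership in an assigned group is not expanded here.
$assigned = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
    Where-Object PrincipalId -eq $user.Id

[pscustomobject]@{
    Application        = $sp.DisplayName
    AssignmentRequired = [bool]$sp.AppRoleAssignmentRequired
    DirectlyAssigned   = [bool]$assigned
    # True means the sign-in is expected to fail with AADSTS50105.
    LikelyAADSTS50105  = [bool]$sp.AppRoleAssignmentRequired -and -not $assigned
}

if ($Assign -and -not $assigned) {
    # Use the application's single user role if it defines one; otherwise the
    # all-zero GUID, which is the default access role.
    $roles = @($sp.AppRoles | Where-Object { $_.IsEnabled -and $_.AllowedMemberTypes -contains 'User' })
    if ($roles.Count -gt 1) { throw 'Application defines several user roles; assign one explicitly.' }
    $roleId = if ($roles.Count -eq 1) { $roles[0].Id } else { [guid]::Empty.ToString() }

    New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -BodyParameter @{
        principalId = $user.Id      # the service account
        resourceId  = $sp.Id        # the enterprise application
        appRoleId   = $roleId
    } | Select-Object PrincipalDisplayName, AppRoleId
}
```

Run it without `-Assign` first to confirm the cause; the report also shows whether "Assignment required?" is still enabled, which is the setting the second method turns off.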