If you’re trying to log in to Azure or an enterprise app and see the error AADSTS5000225, it can be frustrating—especially if you haven’t used your account in a while. This error means your account is not assigned to any role for the application or subscription you’re trying to access.
“AADSTS5000225: The signed in user is not assigned to a role for the application.”
Common Causes of AADSTS5000225
- Your account was inactive or disabled by an admin.
- You’re signed in to the wrong tenant/directory.
- You’re missing role assignments (Reader, Contributor, Owner, etc.).
- The Azure subscription linked to your account is expired.
- Azure Policy requires conditions like MFA, device compliance, or license assignment that your account doesn’t meet.
Fix Guide for Users and Admins

1. Verify Account Access
- Go to Azure Portal.
- Try signing in with your account.
- If you cannot sign in, your account may be disabled or unlicensed. Contact your admin to confirm.
2. Check Tenant Selection
- In the Azure Portal, click your profile icon (top-right).
- Make sure you’re in the correct directory/tenant.
- If you see multiple tenants, switch to the one with your subscription.
3. Confirm Role Assignment
Only admins can perform this step.
- Navigate to:
Azure Active Directory > Users > [Your Account] > Assigned roles
- If no roles are assigned, add one:
- Reader – view only.
- Contributor – make changes but cannot assign roles.
- Owner – full control.
- For enterprise apps:
Azure AD > Enterprise Applications > [App Name] > Users and groups > Add user.
4. Reactivate Inactive Accounts
- If the account was disabled due to inactivity, admins must re-enable it.
- For personal subscriptions, log into the Azure Account Portal and check if the subscription is still active.
5. Review Azure Policy Requirements
Your organization may enforce policies. Common ones include:
- Multi-Factor Authentication (MFA).
- Only compliant devices can log in.
- Users must have a license (Office 365, Azure AD Premium, etc.).
Check with your admin to confirm if you need to complete MFA setup or assign a missing license.
PowerShell / CLI Fix for Admins
For administrators who prefer scripting:
Check role assignments
Get-AzRoleAssignment -SignInName "user@example.com"
Assign a Reader role
New-AzRoleAssignment -SignInName "user@example.com" -RoleDefinitionName "Reader" -Scope "/subscriptions/{subscriptionId}"
This ensures the user has at least read access to the subscription. Here user@example.com is a placeholder for the affected user's sign-in name, and {subscriptionId} stands for the ID of the subscription.
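The two commands above can be combined into one check-then-assign routine that also covers the tenant check from step 2. This is an added example, not code from the original article; it assumes the Az.Accounts and Az.Resources modules and an existing Connect-AzAccount session, and the function name Repair-ReaderAccess and the sample values are hypothetical.

```powershell
# Added example, not from the original article. Assumes Az.Accounts + Az.Resources
# and an existing Connect-AzAccount session. Repair-ReaderAccess is a hypothetical name.
function Repair-ReaderAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SignInName,
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [switch] $Apply   # without this switch the function only reports
    )

    $ctx = Get-AzContext
    if (-not $ctx) { throw 'No Azure session found. Run Connect-AzAccount first.' }

    # Step 2 of the guide: confirm the session is in the tenant that owns the subscription.
    $sub = Get-AzSubscription -SubscriptionId $SubscriptionId -ErrorAction Stop
    if ($sub.TenantId -ne $ctx.Tenant.Id) {
        throw "Subscription is in tenant $($sub.TenantId), but the session is in $($ctx.Tenant.Id)."
    }
    # Step 4 of the guide: a role assignment does not fix an inactive subscription.
    if ($sub.State -ne 'Enabled') {
        Write-Warning "Subscription state is '$($sub.State)'."
    }

    $scope    = "/subscriptions/$SubscriptionId"
    $existing = @(Get-AzRoleAssignment -SignInName $SignInName -Scope $scope)

    if ($existing.Count -gt 0) {
        # The user already holds a role here: report it and grant nothing more.
        return $existing | Select-Object SignInName, RoleDefinitionName, Scope
    }
    if (-not $Apply) {
        Write-Host "No assignment for $SignInName at $scope. Re-run with -Apply to grant Reader."
        return
    }
    # Least privilege: grant Reader only, at the subscription scope named above.
    New-AzRoleAssignment -SignInName $SignInName -RoleDefinitionName 'Reader' -Scope $scope
}

# Placeholder values (constructed): replace with a real sign-in name and subscription ID.
# Repair-ReaderAccess -SignInName 'user@example.com' -SubscriptionId '00000000-0000-0000-0000-000000000000'
```

Run it once without -Apply to see what the user already holds, and add -Apply only when the report shows no assignment.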
Troubleshoot – When Nothing Works
If you’re still blocked after trying the above:
- Ask your Global Admin to verify directory and license status.
- If you are the subscription owner, open a Microsoft Support ticket here:
Azure Support Request
FAQs: AADSTS5000225 error
Q. Does resetting the password fix AADSTS5000225?
No. This error is permission-based, not authentication-based.
Q. Can I fix this without an admin?
If you’re part of an organization, only your admin can reassign roles. If it’s your personal subscription, you can fix it yourself.
Q. Is this related to MFA?
Sometimes. If your company enforces MFA via Azure Policy, missing MFA setup can cause blocked access.
The AADSTS5000225 error in Azure AD is almost always tied to missing roles or disabled accounts. While end-users can check their login and tenant, the actual fix usually requires an admin to assign roles or re-enable the account. With the steps above, you’ll know exactly what to check and how to get your Azure access back quickly.