Unable to Show Custom Mendix Page When Azure AD Returns AADSTS50105 Error (User Not Assigned)- Using SAML module

Hi all,

I am integrating Azure AD SSO with my Mendix application. I am trying to show a custom access-request page inside Mendix when a user tries to sign in but is not part of the required Azure AD group.

When a user without access tries to log in, Azure AD shows this error:

AADSTS50105: Your administrator has configured the application to block users unless they are specifically granted access. The signed-in user is blocked because they are not a direct member of a group with access.

My goal: 👉 When this happens, redirect the user to a Mendix anonymous-access page (/p/request-access)
asked
2 answers

You can’t redirect to a Mendix page when you get AADSTS50105, because that error is raised by Entra ID (Azure AD) before it redirects back to your app. Your Mendix app (and the OIDC callback) is never reached, so Mendix cannot intercept it and send the user to /p/request-access.

Use the OIDC SSO module’s custom Access Token processing to check group/role claims and decide what Mendix user roles to grant (or deny).

answered

Hi,

This requirement cannot be implemented from the Mendix side when the error AADSTS50105 (User Not Assigned) occurs.

The reason is that this error is generated by Azure Active Directory before the authentication process is completed. When Azure AD is configured with User assignment required = Yes, Azure validates whether the user is assigned to the Enterprise Application before sending any SAML response back to Mendix.

If the user is not assigned, Azure AD blocks the authentication and displays the error page directly.

At this stage:

  • The SAML response is not returned to Mendix
  • No Mendix session is created
  • SAML microflows are not executed
  • Mendix runtime is never reached

Therefore, Mendix cannot redirect the user to a custom page such as /p/request-access.

Recommended Solution

The handling must be moved either to Azure AD configuration or to post-login authorization inside Mendix.

Option 1 – Recommended Approach

Allow users to authenticate first and control access within Mendix.

In Azure Portal:

  1. Go to Azure Active Directory
  2. Open Enterprise Applications
  3. Select the Mendix application
  4. Open Properties
  5. Set:

User assignment required = No

This allows Azure AD to complete authentication for all users.

After successful login, authorization can be handled inside Mendix.

Option 2 – Redirect Users After Login in Mendix

Use the After Sign-In microflow configured in the Mendix SAML module.

In this microflow:

  1. Check the user's Azure AD group or role.
  2. If the user does not belong to the required group:
    • Do not grant application roles
    • Redirect the user to a custom anonymous page such as /p/request-access.

This approach follows the standard enterprise SSO pattern where:

Authentication → handled by Azure AD

Authorization → handled by Mendix

Important Limitation

It is not possible to:

  • Capture AADSTS50105 inside Mendix
  • Override the Azure AD error page from Mendix
  • Redirect users before authentication completes

Because the request never reaches the Mendix application.

Conclusion

The behavior is expected and by design in Azure AD SAML authentication.

To display a custom Mendix access-request page, users must first be allowed to authenticate successfully, after which access control should be implemented within Mendix using the SAML After Sign-In logic.



answered
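Both answers arrive at the same design: let Azure AD finish authentication, then decide inside Mendix from the group claims (the OIDC "Access Token processing" step in the first answer, the SAML "After Sign-In" microflow in the second). The block below is an added example of that post-login decision, written in Python for illustration; it is not code from the original posts, nor from the Mendix SAML or OIDC modules. It reads the group attribute out of a SAML assertion, maps Azure AD group object IDs to Mendix user roles, and denies by default, sending anyone without a mapped group to /p/request-access. The group object IDs, the role mapping, the assertion XML and the page path are constructed sample values. Two points worth keeping in mind when moving this into a microflow or Java action: once "User assignment required" is set to No, any user in the tenant can complete authentication, so this check becomes the only gate and must fail closed; and Azure AD does not always put the group list in the token. When a user belongs to more groups than fit in the token, the groups attribute is replaced by a groups.link overage claim, which this example treats as a deny rather than as "no groups". Signature, issuer, audience and validity-window checks are assumed to have been done by the SAML module before this logic runs.

```python
"""Post-login authorization on Azure AD (Entra ID) group claims.

Added illustration of the decision an After Sign-In microflow (SAML) or a
custom access-token processing step (OIDC) has to make after Azure AD has
let the user authenticate. All IDs, the role mapping and the assertion
XML are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute name Azure AD uses for group claims in SAML tokens (values are
# group object IDs by default).
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
# Emitted instead of the group list when the user is in too many groups
# (group overage); the groups then have to be fetched from Microsoft Graph.
GROUPS_OVERAGE_CLAIM = "http://schemas.microsoft.com/claims/groups.link"

REQUEST_ACCESS_PAGE = "/p/request-access"  # anonymous Mendix page, per the question

# Constructed mapping: Azure AD group object ID -> Mendix user role.
GROUP_TO_ROLE = {
    "11111111-1111-1111-1111-111111111111": "Administrator",
    "22222222-2222-2222-2222-222222222222": "User",
}


@dataclass
class AccessDecision:
    allowed: bool
    roles: List[str] = field(default_factory=list)
    redirect: Optional[str] = None
    reason: str = ""


def extract_attributes(assertion_xml: str) -> Dict[str, List[str]]:
    """Return {attribute name: [values]} from a SAML 2.0 AttributeStatement.

    Assumes the SAML module has already verified signature, issuer, audience
    and validity window; this only reads the attributes.
    """
    root = ET.fromstring(assertion_xml)
    attrs: Dict[str, List[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS) if v.text]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    return attrs


def decide_access(attrs: Dict[str, List[str]]) -> AccessDecision:
    """Map group claims to Mendix roles; deny by default."""
    if GROUPS_OVERAGE_CLAIM in attrs and GROUPS_CLAIM not in attrs:
        # Fail closed: the token carries no group list, only a Graph link.
        return AccessDecision(False, redirect=REQUEST_ACCESS_PAGE,
                              reason="group overage claim; groups not in token")
    groups = set(attrs.get(GROUPS_CLAIM, []))
    roles = sorted({GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE})
    if not roles:
        return AccessDecision(False, redirect=REQUEST_ACCESS_PAGE,
                              reason="user is not in any mapped group")
    return AccessDecision(True, roles=roles, reason="mapped group present")


def authorize(assertion_xml: str) -> AccessDecision:
    return decide_access(extract_attributes(assertion_xml))


def sample_assertion(attribute_xml: str) -> str:
    """Constructed, unsigned assertion skeleton wrapping the given attributes."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_x" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/tenant-id/</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>{attribute_xml}</saml:AttributeStatement>
</saml:Assertion>"""


MEMBER_ASSERTION = sample_assertion(f"""
    <saml:Attribute Name="{GROUPS_CLAIM}">
      <saml:AttributeValue>22222222-2222-2222-2222-222222222222</saml:AttributeValue>
      <saml:AttributeValue>99999999-9999-9999-9999-999999999999</saml:AttributeValue>
    </saml:Attribute>""")

NON_MEMBER_ASSERTION = sample_assertion(f"""
    <saml:Attribute Name="{GROUPS_CLAIM}">
      <saml:AttributeValue>99999999-9999-9999-9999-999999999999</saml:AttributeValue>
    </saml:Attribute>""")

OVERAGE_ASSERTION = sample_assertion(f"""
    <saml:Attribute Name="{GROUPS_OVERAGE_CLAIM}">
      <saml:AttributeValue>https://graph.windows.net/tenant-id/users/oid/getMemberObjects</saml:AttributeValue>
    </saml:Attribute>""")

if __name__ == "__main__":
    for label, doc in [("member", MEMBER_ASSERTION), ("non-member", NON_MEMBER_ASSERTION),
                       ("overage", OVERAGE_ASSERTION)]:
        d = authorize(doc)
        print(f"{label}: allowed={d.allowed} roles={d.roles} redirect={d.redirect} ({d.reason})")
```

In a Mendix After Sign-In microflow the same decision is expressed as: read the group attribute from the SAML response, grant only the roles that the mapping produces, and if the result is empty, create no authorized session and show /p/request-access. The redirect itself happens only because the user has already authenticated and reached the Mendix runtime, which is exactly the condition AADSTS50105 prevents.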