When using federated authentication with Azure AD to sign in to Bentley IMS, users may see an error with the following text:
AADSTS50105: Your administrator has configured the application <name in your portal> ('application guid') to block users unless they are specifically granted ('assigned') access to the application. The signed in user 'username@domain.com' is blocked because they are not a direct member of a group with access, nor had access directly assigned by an administrator. Please contact your administrator to assign access to this application.
When users encounter this issue, they must contact their own organization's help desk rather than Bentley's to have the appropriate permissions applied. This is because during federated authentication the user authenticates with their employer's authentication portal, not with Bentley. After the user authenticates at that portal, Bentley receives information about the user which satisfies the authentication with Bentley. During this process Bentley cannot see the user performing the authentication, nor does Bentley ever know the user's password. These portals are typically services such as Azure AD, ADFS, Ping ID, Okta, etc.
Administrators can refer to this Microsoft KB for guidance on assigning these permissions, and to this Microsoft KB to learn more about this error.
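The assignment the customer's administrator needs to make can be checked and applied from their own tenant with the Microsoft Graph PowerShell SDK; the script below is an added example, not part of the original article or a Bentley tool, and the application display name and user principal name are assumptions taken from the wording above.

```powershell
# Added example: check whether a user is directly assigned to the "Bentley IMS" enterprise
# application in the customer's own Azure AD tenant and, if not, assign them.
# Requires the Microsoft.Graph PowerShell module and an admin able to consent to these scopes.
Connect-MgGraph -Scopes 'Application.Read.All','User.Read.All','AppRoleAssignment.ReadWrite.All'

$appName = 'Bentley IMS'          # assumed display name of the enterprise app in the tenant
$upn     = 'username@domain.com'  # the blocked user named in the AADSTS50105 message

$sp   = Get-MgServicePrincipal -Filter "displayName eq '$appName'"
$user = Get-MgUser -UserId $upn

if (-not $sp)   { throw "Enterprise application '$appName' was not found in this tenant." }
if (-not $user) { throw "User '$upn' was not found in this tenant." }

# AADSTS50105 is only raised when this flag is enabled on the service principal.
"Assignment required on '$appName': $($sp.AppRoleAssignmentRequired)"

# Direct assignments for this user on this app. Group-based assignments are not listed
# here, so an empty result does not by itself prove the user is blocked.
$existing = Get-MgUserAppRoleAssignment -UserId $user.Id |
            Where-Object { $_.ResourceId -eq $sp.Id }

if ($existing) {
    "User '$upn' is already directly assigned to '$appName'."
} else {
    # Apps that declare no app roles accept the all-zero GUID as the default role.
    # If $sp.AppRoles is not empty, choose the appropriate role ID from that list instead.
    $roleId = '00000000-0000-0000-0000-000000000000'
    if ($sp.AppRoles.Count -gt 0) {
        "App declares roles; pick the correct one for this user:"
        $sp.AppRoles | Select-Object Id, DisplayName
        throw "Set `$roleId to the chosen role ID and re-run."
    }
    New-MgUserAppRoleAssignment -UserId $user.Id -PrincipalId $user.Id `
        -ResourceId $sp.Id -AppRoleId $roleId
    "Assigned '$upn' directly to '$appName'."
}
```

Assigning a group rather than individual users keeps this manageable at scale and is the option the Microsoft guidance describes.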
Here is a sample of the error message as displayed to users, with the application ID and the blocked user's name both removed from the image; the application name shown is Bentley IMS: