How to Fix Copilot AADSTS50105 User Not Assigned Error

When you try to sign in to Copilot in Microsoft 365, you may see error AADSTS50105. This error means the user account is not assigned to the required license or application role. The error prevents access to Copilot features in apps like Word, Excel, and Teams. This article explains the root cause and provides step-by-step fixes for administrators and users.

Key Takeaways: Fixing AADSTS50105 for Copilot Access

  • Microsoft 365 admin center > Users > Active users: Assign the Copilot for Microsoft 365 license to the affected user account.
  • Azure AD > Enterprise applications > Copilot service: Verify the user is assigned to the Copilot application role in Azure Active Directory.
  • PowerShell command Set-MsolUserLicense: Use this cmdlet to bulk-assign Copilot licenses to multiple users at once.

Why the AADSTS50105 Error Occurs for Copilot

Error AADSTS50105 is an Azure Active Directory authentication failure. The exact message reads: “The user assigned to the application is not assigned to the required role for this application.” This happens when a user account does not have the Copilot for Microsoft 365 license or the Copilot service principal role in Azure AD. The root cause is a missing license assignment at the user level, not a problem with the Copilot software itself. Microsoft Entra ID checks two conditions during sign-in: the user must hold a valid Copilot license, and the user must be assigned to the Copilot enterprise application in the tenant. If either condition is false, Azure AD blocks access and returns AADSTS50105.

License vs. Role Assignment: What Each Controls

The Copilot for Microsoft 365 license grants the right to use the service. Without the license, the user cannot authenticate. The role assignment in the Copilot enterprise application controls which users can access the Copilot service endpoint. Both are required. A user can have the license but not the role assignment, or the role assignment but not the license. Either scenario triggers the error.
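The two conditions described above can be checked for one user without changing anything. This is an added example using the Microsoft Graph PowerShell SDK, not a script from the original article; the application display name and the SKU pattern are the ones this article uses and are assumptions to confirm in your own tenant.

```powershell
# Added example, read-only. Requires the Microsoft.Graph PowerShell SDK.
# Assumptions: $AppDisplayName and $SkuPattern are the values this article
# uses; confirm both in your tenant before relying on the result.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [string] $AppDisplayName = 'Microsoft Copilot Service',
    [string] $SkuPattern     = '*COPILOT*'
)

Connect-MgGraph -Scopes 'User.Read.All', 'Application.Read.All', 'GroupMember.Read.All'

$user = Get-MgUser -UserId $UserPrincipalName `
    -Property Id, UserPrincipalName, UserType -ErrorAction Stop

# Condition 1: a license whose SKU part number matches the pattern.
$skus = @(Get-MgUserLicenseDetail -UserId $user.Id |
    Where-Object { $_.SkuPartNumber -like $SkuPattern })

# Condition 2: assignment to the enterprise application (service principal).
$sp = @(Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'")
if ($sp.Count -ne 1) {
    throw "Expected one service principal named '$AppDisplayName', found $($sp.Count)."
}
$sp = $sp[0]

# All principals (users and groups) assigned to the app, and the user's
# direct group memberships. Nested groups do not inherit app assignments.
$assigned = @(Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All)
$groupIds = @(Get-MgUserMemberOf -UserId $user.Id -All | Select-Object -ExpandProperty Id)

$direct   = @($assigned | Where-Object { $_.PrincipalId -eq $user.Id })
$viaGroup = @($assigned | Where-Object {
    $_.PrincipalType -eq 'Group' -and $groupIds -contains $_.PrincipalId })

# AADSTS50105 is only returned when the app has "Assignment required" enabled.
$isAssigned = ($direct.Count -gt 0) -or ($viaGroup.Count -gt 0)

[pscustomobject]@{
    User               = $user.UserPrincipalName
    UserType           = $user.UserType
    MatchingLicenses   = $skus.SkuPartNumber -join ', '
    HasLicense         = $skus.Count -gt 0
    AssignmentRequired = $sp.AppRoleAssignmentRequired
    DirectAssignment   = $direct.Count -gt 0
    GroupAssignment    = $viaGroup.Count -gt 0
    PassesAssignment   = (-not $sp.AppRoleAssignmentRequired) -or $isAssigned
}
```

A row with HasLicense true and PassesAssignment false corresponds to the "license but not the role assignment" case; the reverse corresponds to the missing-license case.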

Steps to Assign the Copilot License and Role

Follow these steps in order. The first step resolves most cases. If the error persists, proceed to the second and third steps.

Method 1: Assign the Copilot License in the Microsoft 365 Admin Center

  1. Sign in to the Microsoft 365 admin center
    Go to admin.microsoft.com and sign in with a Global Administrator or Billing Administrator account.
  2. Navigate to Users > Active users
    In the left navigation pane, select Users, then select Active users.
  3. Select the affected user account
    Click the name of the user who receives the AADSTS50105 error.
  4. Open the Licenses and apps tab
    In the user details panel, select the Licenses and apps tab.
  5. Assign the Copilot for Microsoft 365 license
    Under Licenses, check the box for Copilot for Microsoft 365. If the license is not listed, purchase it first through Billing > Purchase services.
  6. Save the changes
    Click Save changes at the bottom of the panel. Wait 5–10 minutes for the assignment to propagate.

Method 2: Assign the User to the Copilot Enterprise Application in Azure AD

  1. Sign in to the Azure portal
    Go to portal.azure.com and sign in with a Global Administrator or Application Administrator account.
  2. Navigate to Enterprise applications
    In the search bar, type Enterprise applications and select it.
  3. Search for the Copilot service application
    In the All applications list, search for “Copilot” or “Microsoft Copilot Service”. Select the application named Microsoft Copilot Service.
  4. Open Users and groups
    In the left menu of the application, select Users and groups.
  5. Add a user assignment
    Click Add user/group. Under Users, select the affected user. Under Select role, choose the default role (usually User). Click Assign.
  6. Verify the assignment
    The user now appears in the Users and groups list. Wait 5–10 minutes and test the Copilot sign-in again.

Method 3: Use PowerShell to Assign Licenses in Bulk

  1. Install and connect to the MSOnline module
    Open Windows PowerShell as Administrator. Run Install-Module -Name MSOnline and then Connect-MsolService. Sign in with a Global Administrator account.
  2. Get the Copilot license SKU
    Run Get-MsolAccountSku | Where-Object {$_.AccountSkuId -like "*COPILOT*"}. The wildcards are required because -like without them matches only the exact string. Note the AccountSkuId value, for example contoso:COPILOT_MICROSOFT365.
  3. Assign the license to a single user
    Run Set-MsolUserLicense -UserPrincipalName "user@contoso.com" -AddLicenses "contoso:COPILOT_MICROSOFT365". Replace the email and SKU with your values.
  4. Assign licenses to multiple users from a CSV
    Create a CSV file with a column named UserPrincipalName. Run Import-Csv "users.csv" | ForEach-Object {Set-MsolUserLicense -UserPrincipalName $_.UserPrincipalName -AddLicenses "contoso:COPILOT_MICROSOFT365"}.
  5. Confirm the assignments
    Run Get-MsolUser -UserPrincipalName "user@contoso.com" | Select-Object Licenses to verify the Copilot license is present.
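Microsoft has deprecated the MSOnline module, so the same bulk procedure is shown here with the Microsoft Graph PowerShell SDK. This is an added example, not the article's code; the CSV layout follows step 4, and the SKU pattern is an assumption to confirm in your tenant. It skips users who are already licensed or have no UsageLocation set, and stops assigning when no free units remain.

```powershell
# Added example: bulk license assignment with Microsoft Graph PowerShell.
# Assumptions: users.csv has a UserPrincipalName column (as in step 4) and
# exactly one subscribed SKU matches $SkuPattern.
param(
    [string] $CsvPath    = 'users.csv',
    [string] $SkuPattern = '*COPILOT*'
)

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Organization.Read.All'

$sku = @(Get-MgSubscribedSku -All | Where-Object { $_.SkuPartNumber -like $SkuPattern })
if ($sku.Count -ne 1) {
    throw "Expected exactly one SKU matching '$SkuPattern', found $($sku.Count)."
}
$sku  = $sku[0]
$free = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits   # unassigned seats

$results = foreach ($row in Import-Csv -Path $CsvPath) {
    $upn = $row.UserPrincipalName
    try {
        $user = Get-MgUser -UserId $upn `
            -Property Id, UsageLocation, AssignedLicenses -ErrorAction Stop

        if ($user.AssignedLicenses.SkuId -contains $sku.SkuId) {
            $status = 'AlreadyLicensed'
        }
        elseif (-not $user.UsageLocation) {
            # License assignment fails for users without a usage location.
            $status = 'Skipped: UsageLocation not set'
        }
        elseif ($free -le 0) {
            $status = 'Skipped: no free units'
        }
        else {
            Set-MgUserLicense -UserId $user.Id `
                -AddLicenses @(@{ SkuId = $sku.SkuId }) `
                -RemoveLicenses @() -ErrorAction Stop | Out-Null
            $free--
            $status = 'Assigned'
        }
    }
    catch {
        $status = "Failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{ UserPrincipalName = $upn; Status = $status }
}

$results | Format-Table -AutoSize
```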

If Copilot Still Shows the Error After the Main Fix

Error persists immediately after license assignment

Azure AD and Microsoft 365 license changes can take up to 30 minutes to propagate. Wait 30 minutes, clear the browser cache, and sign in again. Do not attempt multiple consecutive sign-ins, as this can trigger additional Azure AD throttling.

User has the license but still sees AADSTS50105

The user may not be assigned to the Copilot enterprise application role. Follow Method 2 to add the user to the Microsoft Copilot Service application in Azure AD. After adding the user, have them sign out of all Microsoft 365 apps and sign back in.

Copilot role assignment is missing for guest users

Guest users from other tenants require explicit role assignment in the Copilot enterprise application. In the Azure portal, go to Enterprise applications > Microsoft Copilot Service > Users and groups. Add the guest user by typing their full email address. Guest users also need a Copilot license assigned in the B2B collaboration tenant.

Conditional Access policy blocks Copilot sign-in

A Conditional Access policy may block the Copilot application even after license and role assignment. In the Azure portal, go to Security > Conditional Access > Policies. Look for any policy that targets the Microsoft Copilot Service application. Ensure the affected user is either included with the correct grant controls or excluded from the policy. After changing a policy, wait 10 minutes and retry.

Copilot License Assignment vs. Azure AD Role Assignment: Key Differences

| Item | License Assignment | Azure AD Role Assignment |
| --- | --- | --- |
| Where to configure | Microsoft 365 admin center > Users > Active users > Licenses and apps | Azure portal > Enterprise applications > Microsoft Copilot Service > Users and groups |
| What it grants | Right to use the Copilot service | Permission to authenticate against the Copilot service endpoint |
| Effect if missing | Error AADSTS50105 with no license | Error AADSTS50105 with missing role |
| Bulk assignment method | PowerShell Set-MsolUserLicense or Microsoft 365 admin center | Azure portal group-based assignment or PowerShell Add-AzureADGroupMember |
| Propagation time | Up to 30 minutes | Up to 10 minutes |

Error AADSTS50105 is a license or role assignment issue in Azure Active Directory. You can resolve it by assigning the Copilot for Microsoft 365 license in the admin center and by adding the user to the Microsoft Copilot Service enterprise application. For administrators managing many users, use PowerShell to assign licenses in bulk. After completing both assignments, clear your browser cache and sign in again. If the error persists, check Conditional Access policies that target the Copilot application.