Entra sign-in logs show success but app still says unauthorized

Minimal guidance for messy support realities.

Scenario

The identity platform records a successful sign-in, but the target app immediately returns an authorization error.

Recommended Resolution Path

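  1. Separate authentication success from application authorization logic: a successful sign-in entry means Entra authenticated the user and issued a token, not that the app accepted the claims in that token.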
  2. Review group membership, app role assignment, and claims mapping for the affected user.
  3. Test with another known-good user against the same app.
  4. If the app registration was changed recently, compare token claims from before and after the change.
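
One way to do the claim comparison in steps 2 to 4, as an added example that is not part of the original guidance: decode the token of a known-good user and of the affected user (or a token from before and after the change) and list the authorization-relevant claims that differ. The claim list, function names, and sample tokens are assumptions constructed for illustration; decoding here is for diagnosis only and does not verify the signature.

```python
import base64
import json

# Claims that commonly drive app-side authorization in Entra ID tokens.
# "_claim_names" appears when the groups claim is replaced by an overage reference.
AUTHZ_CLAIMS = ("aud", "roles", "groups", "scp", "_claim_names")

def decode_claims(token):
    """Return the JWT payload as a dict. Diagnostic only: signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def _normalize(value):
    # Order of roles/groups is not significant, so compare lists sorted.
    return sorted(value) if isinstance(value, list) else value

def diff_authz_claims(good_token, bad_token):
    """Map claim name -> (known_good_value, affected_value) for claims that differ."""
    good, bad = decode_claims(good_token), decode_claims(bad_token)
    diff = {}
    for name in AUTHZ_CLAIMS:
        g, b = _normalize(good.get(name)), _normalize(bad.get(name))
        if g != b:
            diff[name] = (g, b)
    return diff

def _constructed_token(claims):
    # Builds an unsigned sample token for this demo only.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

# Constructed sample data (not real tenant values).
KNOWN_GOOD = _constructed_token({"aud": "api://example-app",
                                 "roles": ["Orders.Read", "Orders.Write"],
                                 "groups": ["g-1", "g-2"]})
AFFECTED = _constructed_token({"aud": "api://example-app",
                               "groups": ["g-2", "g-1"]})

if __name__ == "__main__":
    for claim, (g, b) in diff_authz_claims(KNOWN_GOOD, AFFECTED).items():
        print(f"{claim}: known-good={g!r} affected={b!r}")
```

In the constructed sample the only difference is a missing roles claim on the affected user, which points at app role assignment rather than at sign-in.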

Technician Notes

Confirm the result, document the root cause, and record any preventative action worth standardizing.