Adding userGrants in Post Creation trigger (external auth flow) fails for Entra
Hi, I'm evaluating Zitadel for SSO and identity brokering. I'm following this guide to set up role authorizations based on information in claims from Entra ID.
I want to achieve something similar to what is described in https://discord.com/channels/927474939156643850/1259811021325864981 or https://discord.com/channels/927474939156643850/1255453819286851645 but for the Post Creation trigger.
In a nutshell, I would like to assign roles to users created by logging in through SSO via MS Entra. After setting up SSO with Entra and verifying that it works, I followed the guide linked above but got "Errors.UserGrant.NoPermissionForProject (EVENT-Shu7e)" in the UI and the following log:
time="2025-08-19T11:01:46Z" level=info auth_req_id=334043235674488835 caller="/home/runner/work/zitadel/zitadel/internal/api/ui/login/renderer.go:353" error="ID=EVENT-Shu7e Message=Errors.UserGrant.NoPermissionForProject"
This message doesn't make sense to me, as setting up authorization for this project is exactly what I'm trying to do in the action. Could you point me to some specific troubleshooting steps for this error? The user gets created but is not assigned to the project with any role. I'm running self-hosted v4.0.2.
Thanks in advance!
ZITADEL Docs
In this guide, you will create a ZITADEL action.
1 Reply
Hey @Tim_, for your use case, automatically assigning a role to a user created through SSO with Entra, this is currently only possible before post creation, not as part of post-authentication in the login UI.
https://zitadel.com/docs/guides/integrate/actions/migrate-from-v1