We use OIDC connections across all Panoramas, in both our production and staging environments, backed by our identity management system (IDM), Azure AD.
When a customer attempts to access a Panorama in TI without the required permissions for the associated IDM application, the IDM sends the error message to TI, then TI presents the error to the customer in an unfriendly and unhelpful format.
The "access denied, user not assigned to application" error in Azure AD with OpenID Connect (OIDC) indicates that the user attempting to access the application is not properly authorized within the Azure AD tenant. This means the user either hasn't been assigned to the application directly or is not a member of a group that has been assigned to the application.
The request: We believe that it's important to handle this error in a way that enhances the user experience. Instead of the default message, we could use a custom message that is more user-friendly and informative. For example: "Access Denied: It seems you don't have the necessary permissions to access this resource. Please contact support for assistance."
Additionally, we should ensure that the error message on the TI page is visually consistent with the rest of the application, using clear and concise language.
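One way TI's OIDC callback could implement the requested handling, as an added example (not TI's or Panorama's own code): it validates the `state` parameter, maps the IdP's `error` code to the friendly message proposed above, and keeps the raw `error_description` in server-side logs rather than rendering it to the customer. The callback path, the `expected_state` lookup and the sample redirect URL are assumptions.

```python
from urllib.parse import urlparse, parse_qs
import logging

log = logging.getLogger("oidc-callback")

# Friendly messages shown to the customer. The wording proposed in the request
# is used for access_denied; every other IdP error gets a generic fallback so
# that raw IdP text is never rendered in the UI.
FRIENDLY_MESSAGES = {
    "access_denied": (
        "Access Denied: It seems you don't have the necessary permissions to "
        "access this resource. Please contact support for assistance."
    ),
}
GENERIC_MESSAGE = "Sign-in could not be completed. Please contact support for assistance."


def handle_oidc_callback(redirect_url: str, expected_state: str) -> dict:
    """Classify an OIDC authorization response (success or RFC 6749 error form).

    Returns {'ok': True, 'code': ...} on success, otherwise
    {'ok': False, 'error': <idp error code>, 'message': <friendly text>}.
    The raw error_description is logged for operators but never returned.
    """
    params = parse_qs(urlparse(redirect_url).query)
    state = params.get("state", [None])[0]
    # state must equal the value stored in the session when login started;
    # a mismatch means the response cannot be tied to this user's login flow
    if state != expected_state:
        log.warning("OIDC callback with unexpected state; discarding")
        return {"ok": False, "error": "invalid_state", "message": GENERIC_MESSAGE}
    error = params.get("error", [None])[0]
    if error is None:
        return {"ok": True, "code": params.get("code", [None])[0]}
    # keep the IdP's detail server-side: it may name the tenant or the application
    description = params.get("error_description", [""])[0]
    log.info("IdP returned error=%s description=%r", error, description)
    return {"ok": False, "error": error, "message": FRIENDLY_MESSAGES.get(error, GENERIC_MESSAGE)}


# Constructed sample of the IdP redirect for a user who is not assigned to the
# application (wording modelled on the request above, not a real capture).
SAMPLE_DENIED = (
    "https://ti.example.com/oidc/callback?error=access_denied"
    "&error_description=User+is+not+assigned+to+the+application&state=abc123"
)
```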