Microsoft Office 365 Provisioning Error: "Instantiating an implicit user role is not supported."
Okta Integration Network
Okta Classic Engine
Okta Identity Engine
Overview

This article discusses an issue with Microsoft Office 365 Provisioning tasks failing with the following error:

 

Automatic provisioning of user XXX to app Microsoft Office 365 failed: Could not push profile for Office 365 user XXX@domain.com, received error: Received response with HTTP status code 400. httpStatusCode=400 errorCode=Request_BadRequest errorMessage="Instantiating an implicit user role is not supported." client-request-id=XYZ request-id=YYY timestamp='MMDDYYYY HH:MM:SS' method=POST url=https://graph.microsoft.com/v1.0/directoryRoles



Applies To
  • Microsoft Office 365 with provisioning enabled
  • Okta Integration Network (OIN)
  • The problematic Microsoft Office 365 app assignment was created with one or more of the MS implicit user directory roles selected: User, Guest User, Restricted Guest User.
Cause

The Office 365 provisioning 400 Bad Request error "Instantiating an implicit user role is not supported." is thrown by the Microsoft Graph API when an Okta Admin attempts to assign a user one or more of the Microsoft implicit user directory roles (User, Guest, or Restricted Guest User), as described in Microsoft Documentation.

This is an MS Graph call limitation, not an Okta product issue. For more details about this MS Graph call limitation with implicit user directory roles, contact the Microsoft Support Team directly for further assistance.

Solution

To solve the failed O365 app provisioning error on the Okta end, please follow the steps below: 

  1. Navigate to Okta Admin Console > Dashboard > Tasks page and locate the failed O365 app assignment or provisioning task.
  2. Click the Edit Assignment button, review the current role assignment selection for each app assignment, and deselect/uncheck all of the MS implicit user directory roles, including the User, Guest, and Restricted Guest roles, from the current Office 365 app assignment.
  3. Scroll to the bottom of the page and click the Save Assignment and Retry button.
  4. The app assignment should auto-retry and complete successfully without the previous provisioning error this time.
  5. Repeat steps 2-4 until all the failed tasks with the same error are resolved.
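When many tasks have failed, it helps to know which ones are this specific error before editing assignments. The following is an added example, not code from Okta or the original article: it parses task messages in the format quoted in the Overview and lists the affected users. The sample messages, user names and request IDs are constructed.

```python
import re
from collections import defaultdict

# Error text and Graph endpoint exactly as quoted in this article.
IMPLICIT_ROLE_ERROR = "Instantiating an implicit user role is not supported."
DIRECTORY_ROLES_URL = "https://graph.microsoft.com/v1.0/directoryRoles"
# Fields are key=value; a value may be "double-quoted", 'single-quoted' or bare.
FIELD_RE = re.compile(r"""([\w-]+)=(?:"([^"]*)"|'([^']*)'|(\S+))""")
USER_RE = re.compile(r"for Office 365 user (\S+?),")


def parse_fields(message):
    """Return the key=value fields of one provisioning error message as a dict."""
    return {k: dq or sq or bare for k, dq, sq, bare in FIELD_RE.findall(message)}


def is_implicit_role_failure(message):
    """True only for the HTTP 400 this article covers, not other provisioning errors."""
    f = parse_fields(message)
    return (f.get("httpStatusCode") == "400"
            and f.get("errorCode") == "Request_BadRequest"
            and f.get("errorMessage") == IMPLICIT_ROLE_ERROR
            and f.get("method") == "POST"
            and f.get("url") == DIRECTORY_ROLES_URL)


def affected_users(messages):
    """Map each affected Office 365 user to the request-ids of its failed calls."""
    hits = defaultdict(list)
    for msg in messages:
        user = USER_RE.search(msg)
        if user and is_implicit_role_failure(msg):
            hits[user.group(1)].append(parse_fields(msg).get("request-id"))
    return dict(hits)


# Constructed sample task messages in the format quoted above (not real tenant data).
_TEMPLATE = ('Automatic provisioning of user {u} to app Microsoft Office 365 failed: '
             'Could not push profile for Office 365 user {u}, received error: '
             'Received response with HTTP status code 400. httpStatusCode=400 '
             'errorCode=Request_BadRequest errorMessage="{m}" '
             'client-request-id={r}-c request-id={r} '
             "timestamp='01152024 10:00:00' method=POST url=") + DIRECTORY_ROLES_URL
SAMPLE = [
    _TEMPLATE.format(u="alice@example.com", m=IMPLICIT_ROLE_ERROR, r="req-1"),
    _TEMPLATE.format(u="bob@example.com", m="constructed unrelated error", r="req-2"),
    _TEMPLATE.format(u="alice@example.com", m=IMPLICIT_ROLE_ERROR, r="req-3"),
]

if __name__ == "__main__":
    print(affected_users(SAMPLE))
```

The request-id values it collects are the ones Microsoft Support would ask for when investigating the Graph-side limitation.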


 
