Azure AD exception - AADSTS50105 - "The signed in user is not assigned to a role for the application"

I'm setting up authentication with Azure AD for an ASP.NET Web API 2 REST API. I'd like all clients to be able to use a username & password to authenticate with the REST API. I've setup Azure AD (full steps below, but essentially - created a directory, added a user, added an application, added roles to application in manifest, assigned user to application). However, when I try to test via a Console Application (full code at bottom), I get the exception:

An unhandled exception of type 'Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException' occurred in Microsoft.IdentityModel.Clients.ActiveDirectory.dll

Additional information: AADSTS50105: The signed in user '[email protected]' is not assigned to a role for the application '8ed6bbe9-dce7-4bed-83af-aa5472ac4eef'.

I'm guessing something needs to be tweaked in the Manifest, but I don't know.

Here is the code:

using Microsoft.IdentityModel.Clients.ActiveDirectory;
using System;

namespace WebApiClientTest
{
    class Program
    {
        static void Main(string[] args)
        {
            const string authorityUri = "https://login.microsoftonline.com/azureadwebapitest.onmicrosoft.com/";
            const string resource = "https://azureadwebapitest.onmicrosoft.com/test";
            const string clientId = "8ed6bbe9-dce7-4bed-83af-aa5472ac4eef";
            const string userId = "[email protected]";
            const string password = "[REMOVED for StackOverflow post]";

            UserCredential credentials = new UserCredential(userId, password);
            AuthenticationContext context = new AuthenticationContext(authorityUri);
            var authresult = context.AcquireToken(resource, clientId, credentials);
            Console.WriteLine("Access token: {0}", authresult.AccessToken);
            Console.ReadLine();
        }
    }
}

Full repro steps below:

1. Create new Azure AD Directory:

2. Add new Application:

3. Set "User assignment required to access app" to "YES". Set "Read directory data" application permissions. Copy client ID. Save:

4. Download manifest. Edit manifest and add two roles. Upload manifest:

5. Go back to directory from step 1 and Add User

6. Open new browser to https://account.activedirectory.windowsazure.com/ and sign in as user. Change password. Notice no applications available:

7. Go back to Classic Portal. Assign the user to the generalclient role in Application. Notice the user is now assigned to the application

8. Go back to user account portal and refresh. You might have to refresh a few times or click around. Notice the application is now shown

9. It seems at this point, setup should be complete.

10. Create a new console application.

11. Install the Nuget package "Microsoft.IdentityModel.Clients.ActiveDirectory"

12. Copy the code into the console application (top of post), insert your password into the "password" string, and Start Debugging:

Result:

An unhandled exception of type 'Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException' occurred in Microsoft.IdentityModel.Clients.ActiveDirectory.dll

Additional information: AADSTS50105: The signed in user '[email protected]' is not assigned to a role for the application '8ed6bbe9-dce7-4bed-83af-aa5472ac4eef'.

Expected Result:

The access token is written to the console output.

It would be worthwhile to mention that this allows anyone in the directory to use this application. In that case it does not make any sense in assigning users or groups to the application.