diff --git a/internal/services/applications/validate/tokens.go b/internal/services/applications/validate/tokens.go
index 0dfad9741a..1c66712a0c 100644
--- a/internal/services/applications/validate/tokens.go
+++ b/internal/services/applications/validate/tokens.go
@@ -1,7 +1,9 @@
 package validate
 
 import (
+ "fmt"
 "regexp"
+ "strings"
 
 "github.com/hashicorp/go-cty/cty"
 "github.com/hashicorp/terraform-plugin-sdk/v2/diag"
@@ -44,5 +46,14 @@ func RoleScopeClaimValue(i interface{}, path cty.Path) (ret diag.Diagnostics) {
 })
 }
 
+ // See https://github.com/hashicorp/terraform-provider-azuread/issues/721
+ if strings.EqualFold(v, "User") {
+ ret = append(ret, diag.Diagnostic{
+ Severity: diag.Error,
+ Summary: fmt.Sprintf("Value cannot have the string value %q", "User"),
+ AttributePath: path,
+ })
+ }
+
 return // nolint:nakedret
 }
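Review bot: The diagnostic built in the new `strings.EqualFold(v, "User")` branch always quotes `"User"`, but the comparison is case-insensitive, so a configuration containing `user` or `USER` is rejected with a message naming a value it never supplied. Echoing the offending value makes the error self-explanatory: `Summary: fmt.Sprintf("Value %q is not allowed: it matches the disallowed value %q case-insensitively", v, "User"),`. The comment above the check is only a link, so the rule cannot be understood without following it; a short statement would help, e.g. `// Reject "User" in any letter case; see https://github.com/hashicorp/terraform-provider-azuread/issues/721`. RoleScopeClaimValue starts outside this hunk, so how `v` is derived from `i` is not visible here.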