diff --git a/src/Umbraco.Web/Security/BackOfficeSignInManager.cs b/src/Umbraco.Web/Security/BackOfficeSignInManager.cs
index b33487bc8d..8e5e532731 100644
--- a/src/Umbraco.Web/Security/BackOfficeSignInManager.cs
+++ b/src/Umbraco.Web/Security/BackOfficeSignInManager.cs
@@ -112,6 +112,19 @@ namespace Umbraco.Web.Security
 return SignInStatus.LockedOut;
 }
 
+ // We need to verify that the user belongs to one or more groups that define content and media start nodes.
+ // To do so we have to create the user claims identity and validate the calculated start nodes.
+ var userIdentity = await CreateUserIdentityAsync(user);
+ if (userIdentity is UmbracoBackOfficeIdentity backOfficeIdentity)
+ {
+ if (backOfficeIdentity.StartContentNodes.Length == 0 || backOfficeIdentity.StartMediaNodes.Length == 0)
+ {
+ _logger.WriteCore(TraceEventType.Information, 0,
+ $"Login attempt failed for username {userName} from IP address {_request.RemoteIpAddress}, no content and/or media start nodes could be found for any of the user's groups", null, null);
+ return SignInStatus.Failure;
+ }
+ }
+
 await UserManager.ResetAccessFailedCountAsync(user.Id);
 return await SignInOrTwoFactor(user, isPersistent);
 }
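Review bot: The start-node check fails open: when `CreateUserIdentityAsync` returns anything other than an `UmbracoBackOfficeIdentity` (including null), the outer `if` is skipped and execution continues to `ResetAccessFailedCountAsync` and `SignInOrTwoFactor` with no validation and no log entry. If that case cannot occur, a comment should say so; otherwise reject it explicitly, e.g. `if (!(userIdentity is UmbracoBackOfficeIdentity backOfficeIdentity)) return SignInStatus.Failure;` followed by the length check. The new log message also interpolates the caller-supplied `userName` verbatim, so line breaks should be stripped before it is written unless the logger already encodes them. The enclosing method starts and ends outside this hunk, so whether the password has already been verified at this point is not visible here.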