Low severity | authentication
Power BI Error: AADSTS16003
What does this error mean?
SSO sign-in failed because the user account is not a member or guest of the resource tenant being accessed.
Common causes
1. User is signing in to a multi-tenant app or cross-tenant resource (e.g. a shared Power BI workspace, Fabric capacity, or ADF instance) in a tenant where their account doesn't exist
2. User has not been invited as a B2B guest (External Identity) in the resource tenant's Azure AD / Microsoft Entra ID directory
3. Cross-tenant access settings or External Collaboration settings block automatic guest provisioning for the user's home tenant
4. User is hitting a tenant-specific endpoint (e.g. login.microsoftonline.com/<resource-tenant-id>) with a home-tenant account that was never added there
5. Guest invitation was created but the user never redeemed it, or the guest object was deleted/soft-deleted from the resource tenant
How to fix it
1. Confirm in which tenant the resource lives (Power BI workspace, Fabric capacity, ADF, Databricks workspace) and which account the user is signing in with — the mismatch is the root cause
2. In the resource tenant, open Microsoft Entra ID → Users → New user → Invite external user, and invite the user's UPN as a B2B guest; have them redeem the invitation email
3. Verify Microsoft Entra ID → External Identities → Cross-tenant access settings allows inbound B2B collaboration from the user's home tenant (and that the user/group isn't blocked)
4. If using a multi-tenant app, ensure the app is consented in the resource tenant (admin consent URL with the resource tenant ID) so the user object can be created on first sign-in
5. For Power BI / Fabric specifically: re-share the workspace or item to the guest's UPN after the invitation is redeemed, since sharing before redemption can leave a stale principal
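
A triage helper for fix step 1 and the tenant-specific endpoint cause above, added here as an example and not Microsoft's or this page's own code. It assumes you have a token the user obtained in their home tenant and the authority URL of the failing sign-in; the function names, tenant IDs and UPN are constructed, and the token is decoded without signature verification, which is acceptable only for diagnosis.

```python
import base64, json, uuid
from urllib.parse import urlparse

GENERIC = {"common", "organizations", "consumers"}  # not tenant-specific

def jwt_claims(token):
    """Decode the payload WITHOUT verifying the signature (triage only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def authority_tenant(url):
    """First path segment of a login.microsoftonline.com URL, else None."""
    parts = urlparse(url)
    if parts.hostname != "login.microsoftonline.com":
        return None
    segments = [s for s in parts.path.split("/") if s]
    return segments[0].lower() if segments else None

def is_guid(value):
    try:
        return bool(uuid.UUID(value))
    except ValueError:
        return False

def diagnose(home_token, failing_url):
    """Return (verdict, detail) for a sign-in that ended in AADSTS16003."""
    claims = jwt_claims(home_token)
    home = claims["tid"].lower()  # tenant that issued the token
    account = claims.get("preferred_username", "<unknown>")
    target = authority_tenant(failing_url)
    if target is None:
        return "not-entra", "URL is not a login.microsoftonline.com authority"
    if target in GENERIC:
        return "generic", "endpoint is not tenant-specific; find the resource tenant ID first"
    if not is_guid(target):  # e.g. a verified domain name instead of a GUID
        return "resolve-domain", f"resolve {target} to a tenant ID before comparing"
    if target == home:
        return "same-tenant", f"{account} is already in {target}; tenant mismatch is not the cause"
    return "cross-tenant", f"{account} (home {home}) needs a redeemed guest object in {target}"

def _b64(obj):  # builds the constructed sample token below
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample: unsigned token with made-up tenant IDs and UPN.
HOME, RESOURCE = "11111111-1111-1111-1111-111111111111", "22222222-2222-2222-2222-222222222222"
SAMPLE_TOKEN = ".".join([_b64({"alg": "none"}), _b64({"tid": HOME, "preferred_username": "ana@home.example"}), ""])
SAMPLE_URL = f"https://login.microsoftonline.com/{RESOURCE}/oauth2/v2.0/authorize"
print(diagnose(SAMPLE_TOKEN, SAMPLE_URL))
```

A `cross-tenant` verdict points to fix steps 2 and 3; `generic` or `resolve-domain` means the resource tenant ID still has to be identified before the comparison is meaningful.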