
Power BI Error:
AADSTS20033, Federation Metadata Tenant Mismatch

What does this error mean?

The federation metadata returned by your external Identity Provider contains a tenant name that doesn't match the configured Entra ID (Azure AD) federated domain.

Common causes

  • The IssuerUri / EntityID in the IdP's federation metadata XML was changed and no longer matches the value stored in Entra ID for the federated domain
  • Federation was set up against the wrong Entra ID tenant (e.g. metadata points to a different customer tenant or a stale dev tenant)
  • ADFS farm was rebuilt or migrated and a new issuer name was generated without updating the federated domain in Entra ID via Update-MgDomainFederationConfiguration / Set-MsolDomainFederationSettings
  • Third-party IdP (Okta, Ping, OneLogin) configuration drift: the SAML metadata endpoint now serves a different tenant identifier than when the domain was originally federated
  • The federated domain in Entra ID is mapped to the wrong IdP entry, so metadata from IdP-A is being validated against the tenant name expected from IdP-B

How to fix it

  1. Fetch the current federation metadata from your IdP (e.g. https://adfs.contoso.com/federationmetadata/2007-06/federationmetadata.xml) and note the EntityID / IssuerUri value
  2. In Entra ID, run Get-MgDomainFederationConfiguration -DomainId <federated-domain> (or Get-MsolDomainFederationSettings) and compare IssuerUri with the value from your IdP metadata; they must match exactly
  3. If they differ, update the federation settings with Update-MgDomainFederationConfiguration using the correct IssuerUri, PassiveLogOnUri, ActiveLogOnUri, LogOffUri and signing certificate from the current metadata
  4. If the IdP itself has the wrong issuer (e.g. ADFS farm rebuild), correct the Federation Service Identifier on the IdP and re-export metadata before updating Entra ID
  5. Test sign-in with a federated user via login.microsoftonline.com in an in-private session; if AADSTS20033 persists, verify the domain is federated against the intended Entra ID tenant (not a sibling/dev tenant)
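The comparison in steps 1, 2 and 5 above (and the issuer-drift causes listed under "Common causes") can be scripted so the mismatch is visible before anyone touches the federation settings. The following PowerShell is an added example and is not code from the original page or from Microsoft; it assumes the Microsoft.Graph.Identity.DirectoryManagement module, a session opened with Connect-MgGraph -Scopes 'Domain.ReadWrite.All', and placeholder values for the domain (contoso.com) and the metadata URL. Note that the Graph cmdlet names the endpoint parameters PassiveSignInUri, ActiveSignInUri and SignOutUri; PassiveLogOnUri, ActiveLogOnUri and LogOffUri are the older MSOnline (Set-MsolDomainFederationSettings) names.

```powershell
# Added example (not from the original page): compare the IdP's federation metadata
# with the Entra ID federated-domain settings that AADSTS20033 checks.
# Assumptions (placeholders): domain 'contoso.com' and the metadata URL in the usage
# section. Requires Microsoft.Graph.Identity.DirectoryManagement and an existing
# Connect-MgGraph session with Domain.ReadWrite.All.

function Get-IdpFederationMetadata {
    param([Parameter(Mandatory)][string]$MetadataUrl)

    [xml]$md = (Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing).Content

    # The issuer Entra ID validates is the entityID attribute on the root EntityDescriptor.
    $entityId = $md.DocumentElement.GetAttribute('entityID')
    if ([string]::IsNullOrWhiteSpace($entityId)) {
        throw "Metadata at $MetadataUrl has no entityID attribute on its root element"
    }

    $ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    # Signing certificates the IdP currently advertises (base64 DER, whitespace removed)
    $signingCerts = @(
        $md.SelectNodes('//md:IDPSSODescriptor/md:KeyDescriptor[@use="signing"]//ds:X509Certificate', $ns) |
            ForEach-Object { $_.InnerText -replace '\s', '' }
    )

    [pscustomobject]@{ EntityId = $entityId; SigningCerts = $signingCerts }
}

function Test-FederationIssuerMatch {
    param(
        [Parameter(Mandatory)][string]$DomainId,
        [Parameter(Mandatory)][string]$MetadataUrl
    )

    $idp = Get-IdpFederationMetadata -MetadataUrl $MetadataUrl
    $fed = Get-MgDomainFederationConfiguration -DomainId $DomainId
    if (-not $fed) { throw "Domain $DomainId has no federation configuration in this tenant" }

    # Step 5: record which tenant we are actually connected to, so a sibling/dev tenant is obvious.
    $ctx = Get-MgContext

    # Case-sensitive, exact comparison: the issuer string is not normalised.
    $issuerMatches = $fed.IssuerUri -ceq $idp.EntityId
    $certMatches   = $idp.SigningCerts -ccontains $fed.SigningCertificate

    [pscustomobject]@{
        DomainId           = $DomainId
        TenantId           = $ctx.TenantId
        EntraIssuerUri     = $fed.IssuerUri
        IdpEntityId        = $idp.EntityId
        IssuerMatches      = $issuerMatches
        SigningCertMatches = $certMatches
        FederationId       = $fed.Id
    }
}

# Usage with placeholder values
$result = Test-FederationIssuerMatch -DomainId 'contoso.com' `
    -MetadataUrl 'https://adfs.contoso.com/federationmetadata/2007-06/federationmetadata.xml'
$result | Format-List

if (-not $result.IssuerMatches) {
    Write-Warning "IssuerUri mismatch: Entra ID expects '$($result.EntraIssuerUri)' but the IdP advertises '$($result.IdpEntityId)'."
    # Step 3: only if the IdP value is the intended one. -WhatIf previews the change; remove it to apply.
    Update-MgDomainFederationConfiguration -DomainId $result.DomainId `
        -InternalDomainFederationId $result.FederationId `
        -IssuerUri $result.IdpEntityId -WhatIf
}
```

The script reports both the issuer and the signing-certificate comparison because an ADFS rebuild or IdP migration usually changes both at once; a certificate mismatch alone points at a rollover rather than the tenant-name problem behind AADSTS20033. The update is left behind -WhatIf so that the decision in step 4 (is the IdP or Entra ID the side that is wrong?) is made before anything is written.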

Frequently asked questions

What does AADSTS20033 mean?

There's an issue with your federated Identity Provider. Contact your IDP to re

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes
