What causes AADSTS50002?

Tenant Restrictions v1/v2 policy on the network or proxy blocks authentication to non-allowed tenants. Cross-tenant access settings (External Identities) deny inbound or outbound access to the user's home tenant. Conditional Access or a location-based policy restricts sign-ins from the current network. B2B guest user's home tenant is not in the resource tenant's allowed partner list. Corporate proxy injects Restrict-Access-To-Tenants header that excludes the target tenant

How do I fix AADSTS50002?

Identify the user's home tenant ID and the resource tenant ID from the sign-in log in Entra ID > Sign-in logs (filter on Correlation ID). In Entra ID > External Identities > Cross-tenant access settings, add the user's home tenant to Organizational settings and allow inbound B2B collaboration. If a proxy enforces Tenant Restrictions, update the Restrict-Access-To-Tenants HTTP header (or TRv2 policy) to include the required tenant ID. Review Conditional Access policies for location/network conditions that exclude the sign-in's IP and grant an exception or trusted-location entry. For Power BI / Fabric scheduled refresh or ADF linked services, ensure the service principal or gateway account belongs to a tenant that is allowed by both sides

Low severityauthentication

Power BI Error:
AADSTS50002, Restricted Tenant Policy Blocks Sign-In

What does this error mean?

Sign-in is blocked because the user's tenant is not on the resource tenant's allowed (cross-tenant access) list.

Common causes

1Tenant Restrictions v1/v2 policy on the network or proxy blocks authentication to non-allowed tenants
2Cross-tenant access settings (External Identities) deny inbound or outbound access to the user's home tenant
3Conditional Access or a location-based policy restricts sign-ins from the current network
4B2B guest user's home tenant is not in the resource tenant's allowed partner list
5Corporate proxy injects Restrict-Access-To-Tenants header that excludes the target tenant

How to fix it

1Identify the user's home tenant ID and the resource tenant ID from the sign-in log in Entra ID > Sign-in logs (filter on Correlation ID)
2In Entra ID > External Identities > Cross-tenant access settings, add the user's home tenant to Organizational settings and allow inbound B2B collaboration
3If a proxy enforces Tenant Restrictions, update the Restrict-Access-To-Tenants HTTP header (or TRv2 policy) to include the required tenant ID
4Review Conditional Access policies for location/network conditions that exclude the sign-in's IP and grant an exception or trusted-location entry
5For Power BI / Fabric scheduled refresh or ADF linked services, ensure the service principal or gateway account belongs to a tenant that is allowed by both sides

Frequently asked questions

What does AADSTS50002 mean?

Sign-in failed because of a restricted proxy access on the tenant. If it's your own tenant policy, you can chan

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes