High severity | authentication
Power BI Error: AADSTS500021
What does this error mean?
Tenant restrictions or cross-tenant access policy blocks sign-in to the target Microsoft Entra ID (Azure AD) tenant.
Common causes
1. Tenant Restrictions v1/v2 on a corporate proxy or firewall sets a Restrict-Access-To-Tenants header that excludes the target tenant
2. Microsoft Entra ID (Azure AD) Cross-tenant access settings deny inbound or outbound access for the user's home tenant
3. A Power BI / Fabric gateway or ADF integration runtime authenticates against a guest or partner tenant that is not on the allow-list
4. Global Secure Access (Entra Internet Access) or Conditional Access enforces a tenant allow-list that blocks the tenant
5. The user account belongs to a tenant that the resource tenant has not invited as a B2B guest
How to fix it
1. Copy the {tenant} GUID from the error and identify whether it is your home tenant, a customer tenant, or a partner tenant the user legitimately needs to reach
2. On the corporate proxy/firewall, add that tenant ID to the Restrict-Access-To-Tenants header (Tenant Restrictions v1) or to the Tenant Restrictions v2 policy in Entra ID > External Identities > Cross-tenant access settings > Tenant restrictions
3. In Entra ID > External Identities > Cross-tenant access settings, open the Organizational settings for that tenant and allow inbound (or outbound) access for the required users and applications
4. For Power BI / ADF / Fabric service principals, verify the SPN's home tenant is allowed in the resource tenant and that admin consent has been granted for the required Graph / Power BI scopes
5. If the failure is network-bound, retry the sign-in from a network without the tenant-restrictions proxy (e.g. mobile hotspot) to confirm the proxy is the enforcer before changing identity policy
6. If guest access is intended, (re)invite the user as a B2B guest in the target tenant via External Identities > All users > New guest user and have them redeem the invitation before retrying
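Steps 1 and 2 as a triage check (an added example, not Microsoft tooling): it pulls the tenant GUID out of the error text, compares it with the proxy's Restrict-Access-To-Tenants value, and builds the amended value. The function names, the error wording and the header value are constructed assumptions; replace them with the text of your own error and the value your proxy injects.

```python
import re

GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
GUID_RE = re.compile(GUID, re.I)
# Trace/correlation IDs are GUIDs too and must not be mistaken for the tenant.
LABELLED_RE = re.compile(r"(?:trace|correlation) id:\s*" + GUID, re.I)

def tenant_from_error(message):
    """Return the tenant GUID quoted in the error text, or None."""
    m = GUID_RE.search(LABELLED_RE.sub("", message))
    return m.group(0).lower() if m else None

def parse_allow_list(header_value):
    """Split a Restrict-Access-To-Tenants value into GUID and domain entries."""
    guids, domains = set(), set()
    for entry in header_value.split(","):
        entry = entry.strip().lower()
        if entry:
            (guids if GUID_RE.fullmatch(entry) else domains).add(entry)
    return guids, domains

def check_tenant(message, header_value):
    """Return 'allowed', 'blocked', 'unresolved' or 'no-tenant-id'."""
    tenant = tenant_from_error(message)
    if tenant is None:
        return "no-tenant-id"
    guids, domains = parse_allow_list(header_value)
    if tenant in guids:
        return "allowed"      # proxy permits it: look at cross-tenant access settings
    if domains:
        return "unresolved"   # a domain entry may belong to this tenant: resolve it first
    return "blocked"          # tenant is absent from the proxy allow-list

def amended_header(message, header_value):
    """Header value with the blocked tenant appended (unchanged if already listed)."""
    tenant = tenant_from_error(message)
    guids, _ = parse_allow_list(header_value)
    if tenant is None or tenant in guids:
        return header_value
    return f"{header_value.rstrip(', ')},{tenant}"

# Constructed sample data (not taken from a real tenant or proxy).
SAMPLE_ERROR = ("AADSTS500021: Access to '11111111-2222-3333-4444-555555555555' "
                "tenant is denied. Trace ID: 99999999-8888-7777-6666-555555555555")
SAMPLE_HEADER = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

if __name__ == "__main__":
    print(check_tenant(SAMPLE_ERROR, SAMPLE_HEADER))
    print(amended_header(SAMPLE_ERROR, SAMPLE_HEADER))
```

An "allowed" result means the proxy header is not the enforcer, which points to the cross-tenant access settings or guest invitation steps instead.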