High severity | authentication
Power BI Error: AADSTS500022
What does this error mean?
Sign-in blocked because the target Microsoft Entra ID (Azure AD) tenant is not in the allowed-tenants list enforced by tenant restrictions.
Common causes
1. Tenant restrictions v1/v2 policy on the corporate proxy or firewall injects a Restrict-Access-To-Tenants header that excludes the target tenant
2. User is signing in to a guest/partner tenant (e.g. a customer's Power BI workspace) that isn't on the allow-list
3. Tenant Restriction policy in Microsoft Entra (External Identities → Cross-tenant access settings) blocks outbound access to the tenant
4. Service principal or Power BI Gateway running on a network where tenant restrictions strip access to the home tenant
5. Conditional Access / Global Secure Access tenant restriction profile applied to the user or device
How to fix it
1. Identify the blocked tenant ID from the error (the {tenant} GUID) and confirm with the user whether sign-in should be allowed to that tenant
2. Ask the network/security team to add the tenant ID to the Restrict-Access-To-Tenants header on the proxy, or to the allow-list in Entra ID → Cross-tenant access settings → Tenant restrictions
3. For Power BI / Fabric / ADF: verify the gateway or runtime VM is not behind a proxy that injects tenant restriction headers; if it is, exempt *.login.microsoftonline.com or whitelist the tenant
4. If the user is a guest, ensure the home tenant's outbound and the resource tenant's inbound cross-tenant access settings both allow the collaboration
5. Test sign-in from a network without tenant restrictions (e.g. mobile hotspot) to confirm the policy is the cause before requesting a permanent allow-list change
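
A triage helper for steps 1 and 2 of the fix list, added here as an example and not part of the original page: it pulls the blocked tenant GUID out of the error text and compares it with the value the proxy sends in Restrict-Access-To-Tenants. The sample error text, GUIDs and domain are constructed, the function names are hypothetical, and the header value is assumed to be a comma-separated list of tenant IDs and domains.

```python
import re
import uuid

GUID = r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"
GUID_RE = re.compile(GUID, re.I)
# Diagnostic GUIDs that are not the tenant (trace/correlation/request IDs).
LABELLED_RE = re.compile(r"(?:trace|correlation|request)\s*id:\s*" + GUID, re.I)

# Constructed sample, placeholder GUIDs only.
SAMPLE_ERROR = (
    "AADSTS500022: Access to '11111111-2222-3333-4444-555555555555' tenant is denied. "
    "Trace ID: aaaaaaaa-0000-0000-0000-000000000001 "
    "Correlation ID: aaaaaaaa-0000-0000-0000-000000000002"
)

def blocked_tenant(error_text):
    """Return the tenant GUID named in an AADSTS500022 message, or None."""
    if "AADSTS500022" not in error_text:
        return None
    match = GUID_RE.search(LABELLED_RE.sub("", error_text))
    return str(uuid.UUID(match.group(0))) if match else None  # canonical lowercase

def parse_allow_list(header_value):
    """Split a Restrict-Access-To-Tenants value into GUID and domain entries."""
    guids, domains = set(), set()
    for entry in header_value.split(","):
        entry = entry.strip().lower()
        if GUID_RE.fullmatch(entry):
            guids.add(entry)
        elif entry:
            domains.add(entry)
    return guids, domains

def triage(error_text, header_value):
    """Classify the block: 'listed', 'check-domains', 'missing' or 'not-aadsts500022'."""
    tenant = blocked_tenant(error_text)
    if tenant is None:
        return "not-aadsts500022"
    guids, domains = parse_allow_list(header_value)
    if tenant in guids:
        return "listed"         # header already permits it; check the other causes
    if domains:
        return "check-domains"  # a domain entry may belong to this tenant; confirm by hand
    return "missing"            # tenant ID must be added to the allow-list (step 2)

if __name__ == "__main__":
    print(blocked_tenant(SAMPLE_ERROR), triage(SAMPLE_ERROR, "contoso.onmicrosoft.com"))
```

A "listed" result means the proxy header is not what blocked the sign-in, which points at the Entra or Conditional Access causes instead.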