What causes AADSTS50003?

The application object in Microsoft Entra ID (Azure AD) is corrupted and the configured certificate is no longer recognized. No active SAML signing certificate is configured under the Enterprise Application's SAML-based SSO settings. The previously active signing certificate has expired or was deleted without a valid replacement. Recent changes to the SAML SSO configuration left the app without a usable signing key. Token signing certificate in the App Registration manifest is missing or malformed (keyCredentials empty)

How do I fix AADSTS50003?

Open the affected app in Microsoft Entra admin center → Enterprise Applications → [App] → Single sign-on, and locate the 'SAML Signing Certificate' section. Click 'Create new certificate', set an expiration date, and Save the new certificate. Check 'Make new certificate active' to override the existing active certificate, Save, and confirm the rollover when prompted. Under 'SAML Signing Certificate', click Remove next to the old/unused certificate so only the freshly issued one remains. If the app uses an App Registration, verify under Manage → Certificates & secrets that a valid signing certificate exists, then have the user retry sign-in (clear browser SSO cache if needed)

Medium severityauthentication

Power BI Error:
AADSTS50003, No signing key configured

What does this error mean?

SAML SSO sign-in fails because the application object in Microsoft Entra ID (Azure AD) has a corrupted or unrecognized signing certificate.

Common causes

1The application object in Microsoft Entra ID (Azure AD) is corrupted and the configured certificate is no longer recognized
2No active SAML signing certificate is configured under the Enterprise Application's SAML-based SSO settings
3The previously active signing certificate has expired or was deleted without a valid replacement
4Recent changes to the SAML SSO configuration left the app without a usable signing key
5Token signing certificate in the App Registration manifest is missing or malformed (keyCredentials empty)

How to fix it

1Open the affected app in Microsoft Entra admin center → Enterprise Applications → [App] → Single sign-on, and locate the 'SAML Signing Certificate' section
2Click 'Create new certificate', set an expiration date, and Save the new certificate
3Check 'Make new certificate active' to override the existing active certificate, Save, and confirm the rollover when prompted
4Under 'SAML Signing Certificate', click Remove next to the old/unused certificate so only the freshly issued one remains
5If the app uses an App Registration, verify under Manage → Certificates & secrets that a valid signing certificate exists, then have the user retry sign-in (clear browser SSO cache if needed)

Frequently asked questions

What does AADSTS50003 mean?

Sign-in failed because of a missing signing key or certificate. This might be because there was no signing key configured in the app. To learn more, see the troubleshooting article for error AADSTS500

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/troubleshoot/azure/active-directory/error-code-aadsts50003-cert-or-key-not-configured