What causes AADSTS50010?

App registration in Microsoft Entra ID (Azure AD) has no Application ID URI / identifierUris set. The audience (resource) requested by the client does not match any configured App ID URI on the target app. SAML app's Identifier (Entity ID) is empty or differs from the Audience URI sent in the SAML request. Multi-tenant app accessed from a tenant where the service principal lacks identifierUris consent. Recently renamed App ID URI while clients/connections still request the old audience value

How do I fix AADSTS50010?

Open Microsoft Entra admin center → App registrations → your app → Expose an API, and confirm an Application ID URI is set (e.g. `api:// ` or `https:// / `). For SAML SSO apps, go to Enterprise applications → your app → Single sign-on, and verify the Identifier (Entity ID) matches the Audience URI the relying party sends. Compare the `aud` / `resource` value the client requests with the configured identifierUris — they must match exactly, including scheme and trailing slash. If you just changed the App ID URI, update every client (Power BI data source credentials, ADF linked service, Databricks secret, dbt profile) to request the new audience and re-authenticate. Decode the failing token at jwt.ms and confirm the `aud` claim resolves to one of the app's identifierUris; if not, correct the resource parameter in the auth request

Low severityauthentication

Power BI Error:
AADSTS50010, Token audience not configured

What does this error mean?

The application's token audience (App ID URI) is missing or doesn't match the audience claim in the issued token.

Common causes

1App registration in Microsoft Entra ID (Azure AD) has no Application ID URI / identifierUris set
2The audience (resource) requested by the client does not match any configured App ID URI on the target app
3SAML app's Identifier (Entity ID) is empty or differs from the Audience URI sent in the SAML request
4Multi-tenant app accessed from a tenant where the service principal lacks identifierUris consent
5Recently renamed App ID URI while clients/connections still request the old audience value

How to fix it

1Open Microsoft Entra admin center → App registrations → your app → Expose an API, and confirm an Application ID URI is set (e.g. `api://<client-id>` or `https://<tenant>/<app>`)
2For SAML SSO apps, go to Enterprise applications → your app → Single sign-on, and verify the Identifier (Entity ID) matches the Audience URI the relying party sends
3Compare the `aud` / `resource` value the client requests with the configured identifierUris — they must match exactly, including scheme and trailing slash
4If you just changed the App ID URI, update every client (Power BI data source credentials, ADF linked service, Databricks secret, dbt profile) to request the new audience and re-authenticate
5Decode the failing token at jwt.ms and confirm the `aud` claim resolves to one of the app's identifierUris; if not, correct the resource parameter in the auth request

Frequently asked questions

What does AADSTS50010 mean?

Audience URI validation for the app failed since no token audiences were configured.

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes