Low severityauthentication
Power BI Error:
AADSTS500141
What does this error mean?
B2B guest redemption succeeded, but the sign-in request didn't originate from the resource application that owns the invitation.
Common causes
- 1Sign-in initiated against the /common or /consumers endpoint instead of the resource tenant ID (/{tenantId}) where the guest was invited
- 2User clicked an old invitation/redemption link after redemption was already completed, instead of accessing the application directly
- 3App registration's signInAudience is misconfigured (single-tenant) for a multi-tenant or B2B guest scenario
- 4Cross-tenant access settings or external collaboration policy in Entra ID (Azure AD) blocks the inbound request from the home tenant
- 5Power BI / Fabric workspace shared with a guest, but the guest opens the link via the wrong tenant switcher (wrong ?ctid= parameter)
How to fix it
- 1Sign in directly via the resource tenant URL — e.g. https://app.powerbi.com/?ctid={resourceTenantId} or https://login.microsoftonline.com/{tenantId} — instead of /common or a stale invite link
- 2In Entra ID admin center → External Identities → Cross-tenant access settings, verify the home tenant is allowed for inbound B2B collaboration to the resource tenant
- 3Open the app registration manifest and confirm signInAudience is AzureADMultipleOrgs (or AzureADandPersonalMicrosoftAccount) for B2B/multi-tenant scenarios; recreate the registration if it's single-tenant
- 4Have the resource-tenant admin re-issue a fresh invitation via Users → New guest user, and have the guest open the new redemption link in a clean browser session
- 5If using Power BI embedded or a custom app, ensure the authority URL passed to MSAL is https://login.microsoftonline.com/{resourceTenantId}, not /common