High severity · authentication

Power BI Error: AADSTS50020

What does this error mean?

Entra ID rejects an OAuth token request because the identity (user account, service principal, or managed identity) authenticating belongs to a different tenant or is a personal Microsoft account (MSA) that has not been invited as a B2B guest in the resource tenant. In a data-pipeline context this typically surfaces during Power BI dataset refresh, ADF linked-service authentication, or Fabric notebook execution — anywhere a credential is exchanged for an access token against login.microsoftonline.com. The symptom is an immediate 401 with error code AADSTS50020 in the refresh history or activity-run output; no retry will help because the identity simply does not exist in the target directory.

Common causes

  • Service principal used for Power BI dataset refresh was registered in Tenant A but the dataset's data source lives in Tenant B — cross-tenant SPN authentication is not supported for dataset refresh
  • User signs in with a personal Microsoft Account (outlook.com, hotmail.com, live.com) on an app registration whose signInAudience is set to AzureADMyOrg (single-tenant)
  • A colleague from a partner organization accesses your Power BI workspace but was never invited as a B2B guest in your Entra ID tenant, or the invitation was sent but never redeemed
  • The MSAL authority URL in the app or script points to a specific /{tenantId} or /organizations endpoint, but the authenticating account is a personal MSA that requires /consumers or /common
  • An on-premises data gateway was configured with credentials from a different Azure AD tenant than the one owning the Power BI workspace, causing token issuance to fail
  • The guest user object existed but was soft-deleted (e.g., via a cleanup script or lifecycle policy) and has not been re-invited — Entra ID returns AADSTS50020 instead of a 'deleted user' error
  • ADF self-hosted integration runtime uses a service account whose UPN suffix was changed during a domain migration, making it unrecognizable in the resource tenant

How to fix it

  1. Identify the failing identity: in Power BI Service go to Settings → Datasets → your dataset → Scheduled refresh → Refresh history, expand the failed entry and look for the 'User account …from identity provider…' line — note the exact UPN and identity provider URL
  2. Verify the account exists in the resource tenant: open Entra ID portal → Users → search for the UPN. If not found, the account needs to be invited. For service principals: Entra ID → Enterprise applications → search by Application ID from the error message
  3. Invite the external user as a B2B guest: Entra ID → Users → New user → Invite external user, enter their email, click Invite. The user must open the invitation email and accept before retrying. Verify with: Get-MgUser -Filter "mail eq 'user@partner.com'" -ConsistencyLevel eventual
  4. For service principal cross-tenant issues: create a new app registration in the resource tenant, grant it the required API permissions (Power BI Service: Dataset.ReadWrite.All), add it to the workspace as Admin or Member via Power BI Admin portal → Workspaces → Access, and update the dataset credentials to use this SPN
  5. Fix the MSAL authority endpoint: for multi-tenant work accounts use https://login.microsoftonline.com/organizations, for personal accounts use /consumers, for mixed use /common. In Python MSAL: authority='https://login.microsoftonline.com/common'
  6. If the app registration must support multiple tenants, update it: az ad app update --id <app-id> --sign-in-audience AzureADMultipleOrgs. Note: widening from single-tenant to include personal accounts requires re-creating the app registration — the manifest update alone is blocked by Entra ID
  7. After fixing, force a manual refresh in Power BI Service (dataset → Refresh now) or trigger the ADF pipeline and confirm the refresh history shows 'Completed' without AADSTS errors
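As an added example (not code from this page's source or from Microsoft), a small Python helper that parses the AADSTS50020 message format shown in the example log output, pulls the issuing tenant out of the identity-provider URL, and classifies the mismatch so the right fix from the steps above (B2B invite, SPN in the resource tenant, or MSAL authority change) can be picked. The resource tenant GUID passed to diagnose() is assumed to be known by the operator; the sample message and tenant ids are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample modelled on the log line shown on this page (tenant ids are not real).
SAMPLE_ERROR = (
    "AADSTS50020: User account 'svc-powerbi@partner.onmicrosoft.com' from identity "
    "provider 'https://sts.windows.net/a1b2c3d4-e5f6-7890-abcd-ef1234567890/' does not "
    "exist in tenant 'Contoso-Prod' and cannot access the application "
    "'00000009-0000-0000-c000-000000000000'(Power BI Service) in that tenant."
)
MSA_DOMAINS = {"outlook.com", "hotmail.com", "live.com"}  # personal accounts need /consumers
_MSG = re.compile(
    r"AADSTS50020: User account '(?P<upn>[^']+)' from identity provider '(?P<idp>[^']+)' "
    r"does not exist in tenant '(?P<tenant>[^']+)' and cannot access the application "
    r"'(?P<app_id>[^']+)'\((?P<app_name>[^)]*)\) in that tenant"
)
_IDP_TENANT = re.compile(r"sts\.windows\.net/(?P<tid>[0-9a-fA-F-]{36})/")

@dataclass
class Aadsts50020:
    upn: str
    idp_tenant_id: Optional[str]  # tenant that actually issued the identity
    resource_tenant: str          # tenant that owns the dataset / workspace
    app_id: str
    app_name: str

def parse_aadsts50020(message: str) -> Optional[Aadsts50020]:
    """Extract identity, issuing tenant and target app from the error text; None if not 50020."""
    m = _MSG.search(message)
    if not m:
        return None
    idp = _IDP_TENANT.search(m["idp"])
    return Aadsts50020(m["upn"], idp["tid"].lower() if idp else None,
                       m["tenant"], m["app_id"], m["app_name"])

def diagnose(err: Aadsts50020, resource_tenant_id: str) -> dict:
    """Classify the mismatch; resource_tenant_id is the GUID of the tenant owning the resource."""
    domain = err.upn.rsplit("@", 1)[-1].lower()
    base = "https://login.microsoftonline.com/"
    if domain in MSA_DOMAINS:
        return {"kind": "msa", "authority": base + "consumers",
                "action": "invite the MSA as a B2B guest, or use /consumers (/common if mixed)"}
    if err.idp_tenant_id and err.idp_tenant_id != resource_tenant_id.lower():
        return {"kind": "cross-tenant", "authority": base + resource_tenant_id,
                "action": f"identity issued by tenant {err.idp_tenant_id}: invite it as a "
                          "B2B guest, or register the SPN in the resource tenant"}
    return {"kind": "missing-in-home-tenant", "authority": base + resource_tenant_id,
            "action": "same tenant issued it: check for a soft-deleted guest or a changed UPN suffix"}
```

Run diagnose() on the parsed refresh-history message before touching credentials; the "kind" field tells you which of steps 3, 4 and 5 applies.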

Example log output

AADSTS50020: User account 'svc-powerbi@partner.onmicrosoft.com' from identity provider 'https://sts.windows.net/a1b2c3d4-e5f6-7890-abcd-ef1234567890/' does not exist in tenant 'Contoso-Prod' and cannot access the application '00000009-0000-0000-c000-000000000000'(Power BI Service) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
Correlation ID: 8f3a1b2c-4d5e-6f7a-8b9c-0d1e2f3a4b5c
Timestamp: 2026-05-11 08:15:32Z

Frequently asked questions

What does AADSTS50020 mean?

Entra ID could not find the authenticating account in the target tenant's directory. The full error reads: 'User account {email} from identity provider {idp} does not exist in tenant {tenant} and cannot access the application {appId}({appName}) in that tenant.' It means the identity exists somewhere, but not in the tenant that owns the resource you are trying to reach.

How do I fix AADSTS50020 for Power BI dataset refresh?

Go to Power BI Service → Settings → Datasets → your dataset → Data source credentials. Check which account or service principal is configured. If it belongs to a different tenant, either invite it as a B2B guest in the resource tenant (Entra ID → Users → Invite external user) or replace it with a service principal registered in the resource tenant. After updating credentials, trigger a manual refresh to verify.

Will retrying fix AADSTS50020?

No. AADSTS50020 is a hard authentication rejection, not a transient failure. The identity does not exist in the target tenant, so every retry returns the same error. You must fix the underlying identity mismatch — invite the user, create the SPN in the correct tenant, or update the authority URL — before the next attempt will succeed.

What is the difference between AADSTS50020 and AADSTS90072?

Both involve cross-tenant or external identity issues. AADSTS50020 fires when the account is recognized but not authorized for the resource tenant — the identity provider is known but the account is not a member or guest. AADSTS90072 fires when the external tenant itself is not recognized or MFA requirements cannot be satisfied across the tenant boundary. In practice, 50020 is an 'account not found in this tenant' problem; 90072 is a 'tenant relationship or MFA policy' problem.

Source · learn.microsoft.com/en-us/troubleshoot/azure/active-directory/error-code-aadsts50020-user-account-identity-provider-does-not-exist
