Low severity, authentication
Power BI Error: AADSTS500207
What does this error mean?
Sign-in blocked because the account type (personal, guest, or external tenant) isn't permitted for the target resource.
Common causes
1. App registration's 'Supported account types' is set to single-tenant, but the user belongs to a different tenant or is a personal MSA
2. Resource requires a work/school account but the user signed in with a personal Microsoft account (outlook.com, hotmail.com, live.com)
3. Guest (B2B) user trying to access a resource that excludes guest accounts via Conditional Access or app configuration
4. Power BI/Fabric tenant settings restrict external users from accessing the workspace or dataset
5. Authority endpoint mismatch: the app uses /organizations or /consumers while the user belongs to the other category
How to fix it
1. Confirm which account the user signed in with (personal MSA vs work/school vs guest). This determines whether it's an app config issue or a wrong-account issue
2. In Entra ID (Azure AD) → App registrations → your app → Authentication, check 'Supported account types' and widen it if legitimate users are being blocked (e.g. from single-tenant to multi-tenant + personal accounts)
3. Verify the authority URL in your auth code: use /common for any account, /organizations for work/school only, /consumers for personal only, or /{tenant-id} for single tenant
4. For Power BI/Fabric: check Admin portal → Tenant settings → 'Allow Azure Active Directory guest users to access Power BI' and workspace-level access for B2B guests
5. If the user has the wrong account type, have them sign out completely (login.microsoftonline.com/logout) and sign in with an account that matches the resource's allowed types
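The authority and 'Supported account types' checks from steps 2 and 3 can be run locally before changing anything in the portal. The following is an added example, not code from Microsoft or from this page; the function names are hypothetical, the sample tenant IDs are constructed, and it assumes tenant-specific authorities use a GUID tenant ID and does not model B2B guests.

```python
from urllib.parse import urlparse

# Well-known tenant ID Microsoft assigns to personal (MSA) accounts.
MSA_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad"

# App manifest signInAudience value -> account kinds it admits.
AUDIENCE_ALLOWS = {
    "AzureADMyOrg": {"home"},
    "AzureADMultipleOrgs": {"home", "other_org"},
    "AzureADandPersonalMicrosoftAccount": {"home", "other_org", "personal"},
    "PersonalMicrosoftAccount": {"personal"},
}

def account_kind(account_tid, app_tenant_id):
    """Classify the signing-in account relative to the app's home tenant."""
    tid = account_tid.lower()
    if tid == MSA_TENANT_ID:
        return "personal"
    return "home" if tid == app_tenant_id.lower() else "other_org"

def authority_allows(authority, account_tid):
    """Apply the /common, /organizations, /consumers, /{tenant-id} rules."""
    segment = urlparse(authority).path.strip("/").split("/")[0].lower()
    personal = account_tid.lower() == MSA_TENANT_ID
    if segment == "common":
        return True
    if segment == "organizations":
        return not personal
    if segment == "consumers":
        return personal
    return segment == account_tid.lower()  # tenant-specific authority

def diagnose(authority, sign_in_audience, app_tenant_id, account_tid):
    """Return which setting(s) exclude this account; empty list if none."""
    findings = []
    if not authority_allows(authority, account_tid):
        findings.append("authority")
    kind = account_kind(account_tid, app_tenant_id)
    if kind not in AUDIENCE_ALLOWS[sign_in_audience]:
        findings.append("supported_account_types")
    return findings

# Constructed tenant IDs, for illustration only.
APP_TID = "11111111-1111-1111-1111-111111111111"
OTHER_TID = "22222222-2222-2222-2222-222222222222"
if __name__ == "__main__":
    base = "https://login.microsoftonline.com/"
    print(diagnose(base + "organizations", "AzureADMultipleOrgs", APP_TID, MSA_TENANT_ID))
    print(diagnose(base + "common", "AzureADMyOrg", APP_TID, OTHER_TID))
```

The account's tenant ID is the `tid` claim of a token issued to that user; the `signInAudience` value is in the app registration's manifest.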