What causes AADSTS500208?

App registration's 'Supported account types' is set to 'Accounts in this organizational directory only' (single-tenant), but a personal or guest account is signing in. User signs in with a personal Microsoft account (outlook.com, hotmail.com, live.com) against an app that only allows work or school accounts. Authority URL is set to a specific tenant ID or /organizations endpoint while the user belongs to a different account type (e.g. /consumers). Guest (B2B) user from another tenant signing in before being invited to the resource tenant. Custom domain is not yet verified in the target Entra ID tenant, so the domain is not recognized as a valid login domain

How do I fix AADSTS500208?

In Entra ID > App registrations > your app > Authentication, verify 'Supported account types' matches the audience you actually need (single-tenant, multi-tenant, or multi-tenant + personal accounts). Change the authority in your auth code from `/ ` or `/organizations` to `/common` if you must accept both work/school and personal accounts — and vice versa to restrict. Have the user sign in with the correct account: a work/school account from the tenant, not a personal @outlook.com / @hotmail.com identity. If it concerns a guest user, invite them via Entra ID > External Identities > Users before they attempt sign-in, and confirm the custom domain is verified under Entra ID > Custom domain names. For Power BI / Fabric embedded scenarios, confirm the service principal or master user is a member of the target tenant — cross-tenant sign-in needs explicit B2B onboarding

Low severityauthentication

Power BI Error:
AADSTS500208

What does this error mean?

The signed-in account type (personal vs work/school) does not match what the Entra ID tenant accepts.

Common causes

1App registration's 'Supported account types' is set to 'Accounts in this organizational directory only' (single-tenant), but a personal or guest account is signing in
2User signs in with a personal Microsoft account (outlook.com, hotmail.com, live.com) against an app that only allows work or school accounts
3Authority URL is set to a specific tenant ID or /organizations endpoint while the user belongs to a different account type (e.g. /consumers)
4Guest (B2B) user from another tenant signing in before being invited to the resource tenant
5Custom domain is not yet verified in the target Entra ID tenant, so the domain is not recognized as a valid login domain

How to fix it

1In Entra ID > App registrations > your app > Authentication, verify 'Supported account types' matches the audience you actually need (single-tenant, multi-tenant, or multi-tenant + personal accounts)
2Change the authority in your auth code from `/<tenant-id>` or `/organizations` to `/common` if you must accept both work/school and personal accounts — and vice versa to restrict
3Have the user sign in with the correct account: a work/school account from the tenant, not a personal @outlook.com / @hotmail.com identity
4If it concerns a guest user, invite them via Entra ID > External Identities > Users before they attempt sign-in, and confirm the custom domain is verified under Entra ID > Custom domain names
5For Power BI / Fabric embedded scenarios, confirm the service principal or master user is a member of the target tenant — cross-tenant sign-in needs explicit B2B onboarding

Frequently asked questions

What does AADSTS500208 mean?

This situation occurs when the user's account does not match the expected account type for the given tenant. For instance, if the tenant is configured to allow only work or school accounts, and the us

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes