Low severity | authentication
Power BI Error:
AADSTS500213, Cross-tenant access blocked
What does this error mean?
The resource tenant's inbound cross-tenant access policy blocks this user from the home tenant.
Common causes
1. Inbound Cross-Tenant Access Settings on the resource tenant block all external users by default and no allow-rule exists for the user's home tenant
2. The home tenant is listed under Organizational settings with B2B collaboration set to 'Block access' for the targeted users or applications
3. The user is not in the allowed users/groups scope of the inbound B2B collaboration policy (e.g. only specific groups are allowed)
4. The application (e.g. Power BI Service, Fabric, Azure Data Factory) is excluded from the inbound applications scope of the cross-tenant policy
5. Microsoft Entra External ID / Cross-tenant synchronization is configured to deny inbound from this partner tenant
How to fix it
1. Identify the resource tenant ID from the failing sign-in (Entra ID → Sign-in logs → failed entry → Resource tenant) and the user's home tenant ID
2. In the resource tenant: open Microsoft Entra admin center → External Identities → Cross-tenant access settings → Organizational settings, then add (or edit) the home tenant
3. Under Inbound access → B2B collaboration, set Users and groups and Applications to Allow access for the required scope (e.g. all users + Power BI Service / Fabric)
4. If using Cross-tenant synchronization or Direct Connect (Teams Shared Channels / Fabric trusted workspaces), enable the matching inbound tab as well
5. Have the user sign out completely and retry; if it still fails, check Entra Sign-in logs → Additional Details on the new attempt to confirm the policy now evaluates as Allowed
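To see which scope is denying a sign-in before changing settings, the inbound B2B collaboration policy can be evaluated offline. The following is an added example, not part of the original page or Microsoft's code: it assumes the default and partner settings were exported as JSON in the Microsoft Graph crossTenantAccessPolicy shape, uses simplified allow/block semantics, and the function names and all GUIDs are constructed for illustration.

```python
# Added example: offline check of exported inbound B2B collaboration settings.
# Dict shape follows Microsoft Graph crossTenantAccessPolicy; GUIDs are constructed.

def scope_allows(scope, ids, wildcard):
    """Evaluate one scope (usersAndGroups or applications) for the candidate IDs."""
    targets = {t["target"].lower() for t in scope.get("targets", [])}
    listed = wildcard.lower() in targets or any(i.lower() in targets for i in ids)
    # Assumed semantics: 'allowed' admits only listed targets, 'blocked' denies them.
    return listed if scope["accessType"] == "allowed" else not listed

def evaluate_inbound(default, partners, home_tenant, user_id, group_ids, app_id):
    """Return (allowed, reasons) for a B2B collaboration sign-in from home_tenant."""
    partner = next((p for p in partners if p["tenantId"].lower() == home_tenant.lower()), {})
    inbound = partner.get("b2bCollaborationInbound")
    source = "partner" if inbound else "default"
    # An unset (null) partner setting inherits the tenant-wide default.
    inbound = inbound or default["b2bCollaborationInbound"]
    reasons = []
    if not scope_allows(inbound["usersAndGroups"], [user_id, *group_ids], "AllUsers"):
        reasons.append(f"{source}: user not in allowed users/groups scope")
    if not scope_allows(inbound["applications"], [app_id], "AllApplications"):
        reasons.append(f"{source}: application not in allowed applications scope")
    return (not reasons, reasons)

def target(value, kind):
    return {"target": value, "targetType": kind}

# Constructed sample data (placeholders, not real tenants, groups or apps)
HOME_TENANT = "11111111-1111-1111-1111-111111111111"
BI_GROUP = "22222222-2222-2222-2222-222222222222"
BI_APP = "33333333-3333-3333-3333-333333333333"
USER = "44444444-4444-4444-4444-444444444444"
DEFAULT = {"b2bCollaborationInbound": {
    "usersAndGroups": {"accessType": "blocked", "targets": [target("AllUsers", "user")]},
    "applications": {"accessType": "blocked",
                     "targets": [target("AllApplications", "application")]}}}
PARTNERS = [{"tenantId": HOME_TENANT, "b2bCollaborationInbound": {
    "usersAndGroups": {"accessType": "allowed", "targets": [target(BI_GROUP, "group")]},
    "applications": {"accessType": "allowed", "targets": [target(BI_APP, "application")]}}}]

if __name__ == "__main__":
    print(evaluate_inbound(DEFAULT, PARTNERS, HOME_TENANT, USER, [BI_GROUP], BI_APP))
    print(evaluate_inbound(DEFAULT, PARTNERS, HOME_TENANT, USER, [], BI_APP))
```

The reasons list names whether the partner entry or the tenant default produced the block and which scope (users/groups or applications) failed, which corresponds to common causes 1, 3 and 4.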