Low severityauthentication
Power BI Error:
AADSTS50042
What does this error mean?
Entra ID (Azure AD) cannot issue a token because the tenant-level salt for pairwise (PPID) subject identifiers is missing.
Common causes
- 1Tenant salt for PPID generation was never provisioned or is missing in the directory
- 2App registration is configured to use pairwise (PPID) subject identifier instead of public 'sub'
- 3Recently migrated or restored tenant where identity provisioning state is incomplete
- 4Federated/B2B scenario where the home tenant did not issue the salt for the resource app
- 5Custom token configuration or claims policy that forces PPID without the underlying salt
How to fix it
- 1Sign in as a Global Administrator and reproduce the error to capture the correlation ID and timestamp from the sign-in logs (Entra ID > Sign-in logs)
- 2In the affected app registration (Entra ID > App registrations > Manifest), check the subject identifier / 'sub' claim configuration and switch from pairwise (PPID) to public if PPID is not strictly required
- 3If PPID must remain, open a Microsoft support case referencing AADSTS50042 so Microsoft can re-provision the tenant salt — this cannot be fixed from the portal by the customer
- 4For B2B/federated logins, ask the user's home tenant admin to validate their directory state, since the salt lives in the home tenant
- 5After the change, clear browser cookies / token cache and retest; verify a new sign-in succeeds in the Entra ID sign-in logs