What causes AADSTS50059?

Authority URL uses `/common` or `/organizations` while the client credential flow (e.g. service principal) provides no user context to infer a tenant. Client credentials flow called without a tenant ID in the token endpoint — `/common/oauth2/v2.0/token` instead of `/{tenant-id}/oauth2/v2.0/token`. On-behalf-of or app-only token request from a daemon/Power BI Gateway where the connection string omits the tenant. SAML/WS-Federation request without `whr=` parameter or `login_hint`, so Entra ID can't perform home realm discovery. Custom embedded Power BI scenario where the MSAL config falls back to `common` for a confidential client app

How do I fix AADSTS50059?

Replace `/common` or `/organizations` in the authority URL with the explicit tenant ID or verified domain (e.g. `https://login.microsoftonline.com/{tenant-id}/v2.0`) — required for all client-credential and app-only flows. For Power BI service principal refresh: verify the dataset's data source credentials specify the tenant; in Fabric/Power BI admin portal check that the service principal is added to the workspace with the correct tenant binding. For interactive flows that must stay on `/common`: pass a `login_hint` (UPN) or `domain_hint` query parameter so Entra ID can resolve the home realm. In ADF/Synapse linked services using AAD auth, open the linked service JSON and confirm `tenant` is set on the credential — empty tenant falls back to `/common` and fails for app-only. If using MSAL.NET/MSAL.js, set `TenantId` (or `authority` with the tenant GUID) on the `ConfidentialClientApplication` builder rather than relying on the default

Low severityauthentication

Power BI Error:
AADSTS50059

What does this error mean?

The sign-in request lacks tenant context — no tenant ID/domain in the URL and no credentials that imply one.

Common causes

1Authority URL uses `/common` or `/organizations` while the client credential flow (e.g. service principal) provides no user context to infer a tenant
2Client credentials flow called without a tenant ID in the token endpoint — `/common/oauth2/v2.0/token` instead of `/{tenant-id}/oauth2/v2.0/token`
3On-behalf-of or app-only token request from a daemon/Power BI Gateway where the connection string omits the tenant
4SAML/WS-Federation request without `whr=` parameter or `login_hint`, so Entra ID can't perform home realm discovery
5Custom embedded Power BI scenario where the MSAL config falls back to `common` for a confidential client app

How to fix it

1Replace `/common` or `/organizations` in the authority URL with the explicit tenant ID or verified domain (e.g. `https://login.microsoftonline.com/{tenant-id}/v2.0`) — required for all client-credential and app-only flows
2For Power BI service principal refresh: verify the dataset's data source credentials specify the tenant; in Fabric/Power BI admin portal check that the service principal is added to the workspace with the correct tenant binding
3For interactive flows that must stay on `/common`: pass a `login_hint` (UPN) or `domain_hint` query parameter so Entra ID can resolve the home realm
4In ADF/Synapse linked services using AAD auth, open the linked service JSON and confirm `tenant` is set on the credential — empty tenant falls back to `/common` and fails for app-only
5If using MSAL.NET/MSAL.js, set `TenantId` (or `authority` with the tenant GUID) on the `ConfidentialClientApplication` builder rather than relying on the default

Frequently asked questions

What does AADSTS50059 mean?

Tenant-identifying information wasn't found in either the request or implied by any provided credentials. The user can contact the tenant admin to help resolve the issue.

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes