Severity: Low | Category: authentication
Power BI Error: AADSTS50100
What does this error mean?
Microsoft Entra ID (Azure AD) failed to transform a claim while issuing the token, usually due to a broken claims-mapping policy or unresolved source attribute.
Common causes
1. Claims-mapping policy on the service principal references a source attribute (e.g. extensionAttribute, employeeId) that is null or missing on the signing-in user
2. Invalid transformation expression (RegexReplace, Join, ToLowercase) in the policy producing an empty or malformed claim
3. Custom claim configured as required but no fallback value defined when the source is empty
4. acceptMappedClaims=false on the application while a claims-mapping policy is assigned without a verified custom signing key
5. Optional claims configured in the app manifest reference a directory schema extension that has been deleted
How to fix it
1. Identify the affected app: in Entra ID > Enterprise applications > `<app>` > Sign-in logs, open the failed sign-in and capture the Application ID and Correlation ID
2. Inspect claims-mapping policies bound to the service principal with Graph PowerShell: `Get-MgServicePrincipalClaimMappingPolicy -ServicePrincipalId <id>` and review the JSON Definition for transformations that could fail on null input
3. Test sign-in with a user that has all referenced source attributes populated; if it succeeds, backfill the missing attributes (e.g. employeeId, extensionAttributes) on affected users or add a default value in the policy
4. If the app uses optional/custom claims, set `acceptMappedClaims: true` in the app manifest OR configure a custom signing key on the application as required by Entra ID
5. Temporarily detach the claims-mapping policy (`Remove-MgServicePrincipalClaimMappingPolicyByRef`) to confirm the policy is the cause, then re-add a corrected version
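The following Graph PowerShell script is an added example (not from this page or from Microsoft) that automates steps 2 to 4: it pulls every claims-mapping policy bound to the service principal, parses the policy Definition JSON, lists which user attributes feed each transformation, and then checks whether those attributes are empty on a chosen test user. It also reports the application's acceptMappedClaims setting and whether the service principal has a preferred signing-key thumbprint. It assumes the Microsoft.Graph SDK is installed, that `Connect-MgGraph` has already been run with Policy.Read.All, Application.Read.All and User.Read.All, and that the attribute-name-to-Graph-property table (`$map`) is a partial mapping you extend for your own policies; `<service-principal-object-id>` and `<test-user-upn>` are placeholders.

```powershell
# Added example: find claims-policy source attributes that are empty on a test user.
# Assumes Connect-MgGraph has been run. Placeholders: <service-principal-object-id>, <test-user-upn>.
param(
    [Parameter(Mandatory)] [string] $ServicePrincipalId,   # e.g. '<service-principal-object-id>'
    [Parameter(Mandatory)] [string] $TestUserUpn           # e.g. '<test-user-upn>'
)

# Partial mapping (assumption) from claims-policy source IDs to Graph user properties.
$map = @{
    'employeeid' = 'EmployeeId'; 'mail' = 'Mail'; 'givenname' = 'GivenName';
    'surname' = 'Surname'; 'displayname' = 'DisplayName'; 'userprincipalname' = 'UserPrincipalName';
    'jobtitle' = 'JobTitle'; 'department' = 'Department'; 'country' = 'Country'
}

function Get-UserAttributeValue {
    param([object] $User, [string] $ClaimSourceId)
    $id = $ClaimSourceId.ToLowerInvariant()
    if ($id -match '^extensionattribute(\d{1,2})$') {
        # extensionAttribute1..15 live under onPremisesExtensionAttributes in Graph
        return $User.OnPremisesExtensionAttributes."ExtensionAttribute$($Matches[1])"
    }
    if ($map.ContainsKey($id)) { return $User.($map[$id]) }
    return $User.$ClaimSourceId   # best effort: try the source ID as a property name
}

$user = Get-MgUser -UserId $TestUserUpn -Property 'id,userPrincipalName,displayName,givenName,surname,mail,employeeId,jobTitle,department,country,onPremisesExtensionAttributes'
$policies = @(Get-MgServicePrincipalClaimMappingPolicy -ServicePrincipalId $ServicePrincipalId)
if ($policies.Count -eq 0) {
    Write-Host "No claims-mapping policy is bound to $ServicePrincipalId; look at optional claims instead."
}

foreach ($policy in $policies) {
    # Definition is an array of JSON strings, normally one element
    $cmp = (($policy.Definition -join '') | ConvertFrom-Json).ClaimsMappingPolicy
    Write-Host "Policy: $($policy.DisplayName) ($($policy.Id))"

    # Attributes read directly from the user object (Source = user)
    $userAttrs = @($cmp.ClaimsSchema | Where-Object { $_.Source -eq 'user' } | ForEach-Object { $_.ID }) |
        Sort-Object -Unique
    $missing = @()
    foreach ($attr in $userAttrs) {
        $value = Get-UserAttributeValue -User $user -ClaimSourceId $attr
        if ([string]::IsNullOrEmpty([string]$value)) {
            $missing += $attr
            Write-Host "  EMPTY on ${TestUserUpn}: $attr"
        } else {
            Write-Host "  ok: $attr = $value"
        }
    }

    # Transformations whose inputs include an empty attribute are the likely AADSTS50100 trigger
    foreach ($t in @($cmp.ClaimsTransformations)) {
        $inputs = @($t.InputClaims | ForEach-Object { $_.ClaimTypeReferenceId })
        $bad = @($inputs | Where-Object { $missing -contains $_ })
        $flag = if ($bad.Count -gt 0) { 'SUSPECT' } else { 'ok' }
        Write-Host "  [$flag] Transformation $($t.ID): $($t.TransformationMethod) on [$($inputs -join ', ')]"
    }
}

# Step 4 check: acceptMappedClaims on the app object (absent for first-party apps) and SP signing key
$sp = Get-MgServicePrincipal -ServicePrincipalId $ServicePrincipalId
$app = Get-MgApplication -Filter "appId eq '$($sp.AppId)'"
if ($app) {
    Write-Host "acceptMappedClaims on $($app.DisplayName): $($app.Api.AcceptMappedClaims)"
} else {
    Write-Host "No application object in this tenant for appId $($sp.AppId) (first-party or multi-tenant app)."
}
Write-Host "Preferred token signing key thumbprint on SP: $($sp.PreferredTokenSigningKeyThumbprint)"
```

Run it as `.\Check-ClaimsPolicy.ps1 -ServicePrincipalId <service-principal-object-id> -TestUserUpn <test-user-upn>` once for a user that fails and once for a user that succeeds; a transformation marked SUSPECT only for the failing user points at the attribute to backfill or give a default value, and a policy with no SUSPECT lines but `acceptMappedClaims` unset and an empty signing-key thumbprint points at step 4.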