What causes AADSTS50102?

A claims-mapping policy assigned to the service principal references a CustomClaimsTransformer type that no longer exists or was renamed. The claims-mapping policy JSON contains a typo in the transformer's fully-qualified type name (namespace.class, assembly version). The custom transformer assembly was never (re)deployed to the tenant after a rebuild or migration. AcceptMappedClaims / custom signing key requirements aren't met, so Entra ID refuses to load the transformer. The policy is still attached to the service principal but the transformer was deprecated as part of an Entra ID schema cleanup

How do I fix AADSTS50102?

Run `Get-AzureADServicePrincipalPolicy -Id ` (or Graph `servicePrincipals/{id}/claimsMappingPolicies`) to find which claims-mapping policy is attached and producing the error. Inspect the policy's `ClaimsTransformation` definition and verify the `TransformationId` / type name matches an actually deployed CustomClaimsTransformer in the tenant. If the transformer is obsolete, detach the policy with `Remove-AzureADServicePrincipalPolicy` or update the JSON to remove the broken `ClaimsTransformation` entry. If the transformer should exist, redeploy the assembly and re-create the policy with `New-AzureADPolicy -Definition ... -Type ClaimsMappingPolicy`, then reassign it to the service principal. Confirm the app manifest has `acceptMappedClaims: true` (or a custom signing key configured) — without this, Entra ID blocks the transformer from loading. Test sign-in again and capture the correlation ID; if it still fails, open a Microsoft support case with that correlation ID — broken transformer assemblies often need backend assistance

Low severityauthentication

Power BI Error:
AADSTS50102

What does this error mean?

Microsoft Entra ID (Azure AD) cannot load the CustomClaimsTransformer assembly configured for the application's claims-mapping policy.

Common causes

1A claims-mapping policy assigned to the service principal references a CustomClaimsTransformer type that no longer exists or was renamed
2The claims-mapping policy JSON contains a typo in the transformer's fully-qualified type name (namespace.class, assembly version)
3The custom transformer assembly was never (re)deployed to the tenant after a rebuild or migration
4AcceptMappedClaims / custom signing key requirements aren't met, so Entra ID refuses to load the transformer
5The policy is still attached to the service principal but the transformer was deprecated as part of an Entra ID schema cleanup

How to fix it

1Run `Get-AzureADServicePrincipalPolicy -Id <servicePrincipalId>` (or Graph `servicePrincipals/{id}/claimsMappingPolicies`) to find which claims-mapping policy is attached and producing the error
2Inspect the policy's `ClaimsTransformation` definition and verify the `TransformationId` / type name matches an actually deployed CustomClaimsTransformer in the tenant
3If the transformer is obsolete, detach the policy with `Remove-AzureADServicePrincipalPolicy` or update the JSON to remove the broken `ClaimsTransformation` entry
4If the transformer should exist, redeploy the assembly and re-create the policy with `New-AzureADPolicy -Definition ... -Type ClaimsMappingPolicy`, then reassign it to the service principal
5Confirm the app manifest has `acceptMappedClaims: true` (or a custom signing key configured) — without this, Entra ID blocks the transformer from loading
6Test sign-in again and capture the correlation ID; if it still fails, open a Microsoft support case with that correlation ID — broken transformer assemblies often need backend assistance

Frequently asked questions

What does AADSTS50102 mean?

Unable to load CustomClaimsTransformer '{type}' was specified for principal '{principalId}'.

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes