Low severity | authentication
Power BI Error:
AADSTS50103
What does this error mean?
Microsoft Entra ID (Azure AD) failed to transform a claim while issuing the token, blocking sign-in or token acquisition.
Common causes
1. A custom claims-mapping policy attached to the service principal references a source attribute that is null, missing, or of the wrong type for the target user
2. Optional claims or SAML claim mappings reference a directory extension or schema attribute that doesn't exist on the user object
3. A transformation rule (Join, RegexReplace, ToLowercase, etc.) fails because the input value is empty or doesn't match the expected pattern
4. The app registration uses a claims-mapping policy without `acceptMappedClaims` enabled or without a custom signing key
5. Conflicting claim definitions between the app manifest (`optionalClaims`) and an assigned claims-mapping policy
How to fix it
1. Open the app registration in Entra ID → Token configuration and review every optional claim and SAML claim mapping; remove or correct any that point to attributes the signing-in user doesn't have populated
2. Run `Get-AzureADPolicy` (or Graph `policies/claimsMappingPolicies`) for the service principal and inspect each ClaimsMappingPolicy definition: validate that source attributes exist and transformations handle empty inputs
3. For SAML/WS-Fed apps, test sign-in for an affected user and confirm the user object actually has values for every mapped attribute (givenName, surname, employeeId, extension_*, etc.)
4. If using a custom claims-mapping policy, ensure the app manifest has `acceptMappedClaims: true` or a custom signing key is configured; otherwise transformations are rejected
5. Capture the correlation ID from the error and check Entra ID → Sign-in logs → the failed entry's 'Additional Details' for the exact {errorMessage} substring identifying which claim failed
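
The checks in steps 2 and 3 can be run offline once the policy definition and the affected user's object have been exported. The following is an added example, not code from this page or from Microsoft: it parses a ClaimsMappingPolicy definition and reports every user-sourced claim, and every transformation input, that is empty for that user. The function name, the sample policy and the sample user are constructed, and matching policy IDs to Graph property names case-insensitively is a simplifying assumption.

```python
import json

def unpopulated_claims(definition: str, user: dict) -> list:
    """List mapped claims and transformations whose source is empty for `user`."""
    policy = json.loads(definition)["ClaimsMappingPolicy"]
    # Assumption: policy IDs match Graph user property names case-insensitively.
    attrs = {k.lower(): v for k, v in user.items()}
    empty, findings = set(), []
    for entry in policy.get("ClaimsSchema", []):
        if entry.get("Source", "").lower() != "user":
            continue  # only directory-sourced claims are looked up on the user
        key = entry.get("ExtensionID") or entry["ID"]
        if attrs.get(key.lower()) in (None, "", []):
            empty.add(key.lower())
            findings.append(f"user attribute {key}: not populated")
    # A transformation fails when any claim it consumes was found empty above.
    for rule in policy.get("ClaimsTransformations", []):
        bad = [c["ClaimTypeReferenceId"] for c in rule.get("InputClaims", [])
               if c["ClaimTypeReferenceId"].lower() in empty]
        if bad:
            findings.append(f"transformation {rule['ID']} ({rule['TransformationMethod']}): "
                            f"empty input {', '.join(bad)}")
    return findings

# Constructed sample policy definition (the JSON string stored on the policy object).
SAMPLE_POLICY = json.dumps({"ClaimsMappingPolicy": {
    "Version": 1, "IncludeBasicClaimSet": "true",
    "ClaimsSchema": [
        {"Source": "user", "ID": "givenname", "JwtClaimType": "given_name"},
        {"Source": "user", "ID": "employeeid", "JwtClaimType": "employeeid"},
        {"Source": "user", "ExtensionID": "extension_0000_costCenter",
         "JwtClaimType": "cost_center"},
        {"Source": "transformation", "ID": "joined",
         "TransformationId": "JoinIds", "JwtClaimType": "joined"}],
    "ClaimsTransformations": [{
        "ID": "JoinIds", "TransformationMethod": "Join",
        "InputClaims": [
            {"ClaimTypeReferenceId": "givenname", "TransformationClaimType": "string1"},
            {"ClaimTypeReferenceId": "employeeid", "TransformationClaimType": "string2"}],
        "InputParameters": [{"ID": "separator", "Value": "."}],
        "OutputClaims": [
            {"ClaimTypeReferenceId": "joined", "TransformationClaimType": "outputClaim"}]}],
}})
# Constructed user object: employeeId is null and the extension attribute is absent.
SAMPLE_USER = {"givenName": "Ada", "employeeId": None}

if __name__ == "__main__":
    for finding in unpopulated_claims(SAMPLE_POLICY, SAMPLE_USER):
        print(finding)
```

Run it against each user who reports the error; an empty result means the mapped attributes are populated and the remaining causes in the list above should be checked instead.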