Low severity | authentication
Power BI Error: AADSTS50107
What does this error mean?
The sign-in request references a federated domain or realm that isn't configured in the Microsoft Entra ID (Azure AD) tenant.
Common causes
1. The federated domain was removed or converted back to managed authentication, but the application or data source still issues sign-in requests against the old realm
2. Misconfigured wreply, whr, or domain_hint parameter in the sign-in URL pointing to a non-existent federation realm
3. Federation trust between Microsoft Entra ID and an on-premises AD FS / third-party IdP (Okta, Ping) is broken or never finished provisioning
4. Power BI / Fabric data source uses a connection string with a UPN suffix whose domain isn't verified or federated in the target tenant
5. Cross-tenant or B2B guest sign-in where the home realm discovery resolves to a realm that doesn't exist in the resource tenant
How to fix it
1. In the Microsoft Entra admin center, open Settings → Domain names and verify the domain in the failing UPN is listed and shows the expected authentication type (Federated vs Managed)
2. If the domain should be federated, run Get-MsolDomainFederationSettings (or Get-EntraDomainFederationSettings) and confirm the IssuerUri, PassiveLogOnUri, and federation metadata match the IdP; re-run Update-MsolFederatedDomain if they drifted
3. Inspect the failing sign-in URL or Power BI / ADF connection and remove stale whr=, domain_hint=, or wtrealm= parameters that point to a decommissioned realm
4. For Power BI gateway / scheduled refresh failures, re-authenticate the data source with an account whose UPN suffix is a verified, currently federated domain in the tenant
5. Check the Microsoft Entra ID sign-in logs for the failing CorrelationId to see the exact realm string that was requested, then reconcile that value with Get-MsolDomain output
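
Steps 3 and 5 can be scripted as an offline check. The following is an added example, not part of the original page or any Microsoft tooling: it compares the whr and domain_hint values in a sign-in URL against a domain inventory and returns the URL with stale hints removed. The inventory, the sample URL, and the function names are constructed assumptions. wtrealm is left out because its value is a realm URI rather than a bare domain.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Hints whose value is normally a bare domain name.
DOMAIN_HINTS = ("whr", "domain_hint")
BARE_DOMAIN = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")

# Constructed inventory standing in for exported Get-MsolDomain output
# (Name -> Authentication). Replace with the tenant's real export.
TENANT_DOMAINS = {
    "contoso.example": "Federated",
    "contoso.onmicrosoft.com": "Managed",
}

# Constructed sign-in URL with a hint for a domain that is not in the inventory.
SAMPLE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000"
    "&domain_hint=oldcorp.example&response_type=code"
)


def audit_signin_url(url, domains=TENANT_DOMAINS):
    """Return (findings, cleaned_url); findings are (param, value, status) tuples."""
    parts = urlsplit(url)
    findings, kept = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() not in DOMAIN_HINTS:
            kept.append((name, value))
            continue
        domain = value.strip().lower()
        if not BARE_DOMAIN.match(domain):
            # Issuer URIs and other non-domain values need a manual look.
            findings.append((name, value, "review"))
            kept.append((name, value))
        elif domain in domains:
            findings.append((name, value, "ok: " + domains[domain]))
            kept.append((name, value))
        else:
            # Hint names a domain the tenant does not list: drop it.
            findings.append((name, value, "stale"))
    cleaned = urlunsplit(parts._replace(query=urlencode(kept)))
    return findings, cleaned


if __name__ == "__main__":
    for finding in audit_signin_url(SAMPLE_URL)[0]:
        print(finding)
    print(audit_signin_url(SAMPLE_URL)[1])
```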