MetricSign
Low severity · authentication

Power BI Error: AADSTS50108

What does this error mean?

Entra ID (Azure AD) couldn't load the custom claims transformation policy attached to the application during sign-in.

Common causes

  • The claims-mapping policy assigned to the service principal has been deleted or is no longer accessible in the tenant
  • Malformed or invalid JSON in the claims-mapping policy definition (syntax error, unknown SourceClaim, unsupported transformation)
  • The application's service principal lost its policy assignment after a tenant migration, app re-registration, or policy rotation
  • `acceptMappedClaims` is not enabled in the app manifest while custom claims mapping is in use, or the app is missing a custom signing key
  • Replication delay in Entra ID directly after creating or updating the claims-mapping policy

How to fix it

  1. List the claims-mapping policies on the service principal: `Get-AzureADServicePrincipalPolicy -Id <servicePrincipalObjectId>` (or `Get-MgServicePrincipalClaimMappingPolicy`). Confirm that a policy is actually assigned and that its ObjectId still exists with `Get-AzureADPolicy`.
  2. If the assigned policy is missing or returns null, re-create it with valid JSON and re-assign it to the service principal using `Add-AzureADServicePrincipalPolicy`.
  3. Validate the policy JSON: every ClaimsSchema entry needs a valid Source/ID, and ClaimsTransformations must reference existing input claims. Paste the Definition into a JSON validator before re-uploading.
  4. In the app manifest, set `acceptMappedClaims` to true or configure a custom signing key for the application; otherwise Entra ID rejects the mapped token.
  5. Wait 5–10 minutes after policy changes for directory replication, then retry the sign-in. If it still fails, capture the full correlation ID from the sign-in logs in Entra admin center → Monitoring → Sign-in logs.
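
A generic JSON validator only catches syntax errors, so the two structural rules from step 3 can be checked offline before re-uploading. The script below is an added example, not code from MetricSign or Microsoft: the function name `Test-ClaimsMappingDefinition` is hypothetical, the property names follow the documented claims-mapping policy format, and the sample definition is constructed.

```powershell
# Added example: offline lint of a claims-mapping policy Definition string.
# Checks only the two rules from step 3; passing does not guarantee Entra ID accepts the policy.
function Test-ClaimsMappingDefinition {
    param([Parameter(Mandatory)][string]$Definition)
    $problems = [System.Collections.Generic.List[string]]::new()
    try {
        $doc = $Definition | ConvertFrom-Json -ErrorAction Stop
    } catch {
        $problems.Add("Definition is not valid JSON: $($_.Exception.Message)")
        return $problems
    }
    $policy = $doc.ClaimsMappingPolicy
    if ($null -eq $policy) {
        $problems.Add('Missing top-level ClaimsMappingPolicy object')
        return $problems
    }
    # Rule 1: every ClaimsSchema entry carries a Source and an ID.
    $schemaIds = @()
    $i = 0
    foreach ($entry in $policy.ClaimsSchema) {
        if ([string]::IsNullOrWhiteSpace($entry.Source) -or [string]::IsNullOrWhiteSpace($entry.ID)) {
            $problems.Add("ClaimsSchema[$i] is missing Source or ID")
        } else { $schemaIds += $entry.ID }
        $i++
    }
    # Rule 2: every transformation input refers to an ID defined in ClaimsSchema.
    foreach ($t in $policy.ClaimsTransformations) {
        foreach ($in in $t.InputClaims) {
            if ($schemaIds -notcontains $in.ClaimTypeReferenceId) {
                $problems.Add("Transformation '$($t.ID)' reads claim '$($in.ClaimTypeReferenceId)', which ClaimsSchema does not define")
            }
        }
    }
    return $problems
}

# Constructed sample: the Join transformation reads 'department', which ClaimsSchema never defines.
$sample = @'
{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true",
 "ClaimsSchema":[
   {"Source":"user","ID":"employeeid","JwtClaimType":"employeeid"},
   {"Source":"transformation","ID":"joined","TransformationId":"JoinIds","JwtClaimType":"joined"}],
 "ClaimsTransformations":[{"ID":"JoinIds","TransformationMethod":"Join",
   "InputClaims":[{"ClaimTypeReferenceId":"employeeid","TransformationClaimType":"string1"},
                  {"ClaimTypeReferenceId":"department","TransformationClaimType":"string2"}],
   "InputParameters":[{"ID":"separator","Value":"."}],
   "OutputClaims":[{"ClaimTypeReferenceId":"joined","TransformationClaimType":"outputClaim"}]}]}}
'@
$found = @(Test-ClaimsMappingDefinition -Definition $sample)
if ($found.Count -eq 0) { 'Definition passed the structural checks' } else { $found }
```

To lint a live policy, pass the Definition string returned by `Get-AzureADPolicy` for the policy's ObjectId in place of `$sample`.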

Frequently asked questions

What does AADSTS50108 mean?

Claims transformation configuration could not be retrieved.

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes
