Low severity | authentication
Power BI Error: AADSTS50109
What does this error mean?
Microsoft Entra ID (Azure AD) cannot resolve a claim transformation referenced in the app's token configuration.
Common causes
1. A custom claims-mapping policy references a TransformationID that doesn't exist in the policy's ClaimsTransformations array
2. Mismatch between the claim's TransformationID and the actual transformation definition (typo, casing, or removed entry)
3. Enterprise Application SSO 'Attributes & Claims' has a transformation referencing a source attribute that was deleted or renamed in the directory schema
4. Stale claims-mapping policy still assigned to the service principal after a transformation was removed
5. Multi-step transformation chain where an intermediate step outputs to an ID that a later step does not recognize
How to fix it
1. Identify the affected app: in Microsoft Entra admin center → Enterprise Applications → open the app the user signed into when the error occurred (correlation ID from the login screen helps locate it in Sign-in logs)
2. Open 'Single sign-on' → 'Attributes & Claims' and review every transformation; remove or correct any claim whose transformation references a missing source attribute or undefined ID
3. If a custom claims-mapping policy is used, run Get-MgPolicyClaimsMappingPolicy (or Get-AzureADPolicy) and validate the JSON: each ClaimsSchema entry's TransformationID must match an ID defined in ClaimsTransformations
4. Re-assign the corrected policy to the service principal (Add-MgServicePrincipalClaimsMappingPolicyByRef) and remove the broken one, then have the user retry sign-in in a fresh InPrivate session
5. If the issue started after a directory schema change (custom security attribute or extension attribute removed), restore the attribute or update every claim referencing it
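
The JSON validation in step 3 can be scripted once the policy definition has been exported as a string. The following is an added example, not part of the original page or any Microsoft tooling: the function name `find_unresolved_transformations` is hypothetical, the sample definition is constructed, and exact-match comparison of IDs is assumed (case-only differences are reported separately).

```python
import json

# Constructed sample definition (not from a real tenant), trimmed to the fields
# the check reads: entry 2 differs only in casing, entry 3 points at nothing.
SAMPLE_DEFINITION = """
{"ClaimsMappingPolicy": {"Version": 1, "IncludeBasicClaimSet": "true",
  "ClaimsSchema": [
    {"Source": "user", "ID": "extensionattribute1"},
    {"Source": "transformation", "ID": "DataJoin",
     "TransformationId": "jointhedata", "JwtClaimType": "JoinedData"},
    {"Source": "transformation", "ID": "Region",
     "TransformationId": "ExtractRegion", "JwtClaimType": "Region"}],
  "ClaimsTransformations": [
    {"ID": "JoinTheData", "TransformationMethod": "Join"}]}}
"""


def _get(obj, name, default=None):
    """Case-insensitive key lookup (TransformationID vs TransformationId)."""
    for key, value in obj.items():
        if key.lower() == name.lower():
            return value
    return default


def find_unresolved_transformations(definition_json):
    """Return (claim_id, transformation_id, reason) for each ClaimsSchema
    entry whose transformation reference has no exact match."""
    doc = json.loads(definition_json)
    policy = _get(doc, "ClaimsMappingPolicy", doc)  # wrapped or bare
    defined = [_get(t, "ID") for t in _get(policy, "ClaimsTransformations") or []]
    by_lower = {d.lower(): d for d in defined if isinstance(d, str)}
    findings = []
    for entry in _get(policy, "ClaimsSchema") or []:
        ref = _get(entry, "TransformationId")
        if ref is None or ref in defined:
            continue  # direct attribute claim, or reference resolves
        near = by_lower.get(str(ref).lower())
        reason = f"casing differs from '{near}'" if near else "not defined"
        findings.append((_get(entry, "ID"), ref, reason))
    return findings


if __name__ == "__main__":
    for claim, ref, reason in find_unresolved_transformations(SAMPLE_DEFINITION):
        print(f"claim {claim}: TransformationId {ref} -> {reason}")
```

An empty result means every transformation reference in the definition resolves; any finding names the claim to correct before re-assigning the policy in step 4.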