What causes AADSTS50111?

Custom claim mapping policy in Entra ID references a transformation function name that does not exist or is misspelled (e.g. 'ToLowercase' instead of 'ToLowercase()'). Deprecated or preview-only claim transformation still referenced after Microsoft removed support. Invalid parameter or argument passed to a valid transformation (RegexReplace, Join, Substring) in the SAML token configuration. Manually edited claim mapping policy JSON via Microsoft Graph / PowerShell with a malformed TransformationMethod value. Third-party SaaS gallery app template was modified and a built-in transformation was overwritten with an unsupported one

How do I fix AADSTS50111?

Open Entra admin center → Enterprise applications → select the failing app → Single sign-on → Attributes & Claims, and review every custom claim that uses a Transformation. For each transformation, verify the function name against Microsoft's supported list (ToLowercase, ToUppercase, RegexReplace, Join, ExtractMailPrefix, Substring, etc.) — remove or replace any unknown function. If the policy was set via Graph/PowerShell, run `Get-MgPolicyClaimMappingPolicy` (or `Get-AzureADPolicy`) and inspect the Definition JSON for invalid TransformationMethod values; re-apply a corrected policy. Test the sign-in flow with the Entra 'Test single sign-on' button on the SSO page — it surfaces the bad transformation before a real user hits AADSTS50111. If the app comes from the gallery, delete the customized claim and re-add it using the default template, then layer transformations back on one at a time

Low severityauthentication

Power BI Error:
AADSTS50111

What does this error mean?

Entra ID (Azure AD) encountered an unrecognized claim transformation in the SAML/OIDC token configuration of an Enterprise Application.

Common causes

1Custom claim mapping policy in Entra ID references a transformation function name that does not exist or is misspelled (e.g. 'ToLowercase' instead of 'ToLowercase()')
2Deprecated or preview-only claim transformation still referenced after Microsoft removed support
3Invalid parameter or argument passed to a valid transformation (RegexReplace, Join, Substring) in the SAML token configuration
4Manually edited claim mapping policy JSON via Microsoft Graph / PowerShell with a malformed TransformationMethod value
5Third-party SaaS gallery app template was modified and a built-in transformation was overwritten with an unsupported one

How to fix it

1Open Entra admin center → Enterprise applications → select the failing app → Single sign-on → Attributes & Claims, and review every custom claim that uses a Transformation
2For each transformation, verify the function name against Microsoft's supported list (ToLowercase, ToUppercase, RegexReplace, Join, ExtractMailPrefix, Substring, etc.) — remove or replace any unknown function
3If the policy was set via Graph/PowerShell, run `Get-MgPolicyClaimMappingPolicy` (or `Get-AzureADPolicy`) and inspect the Definition JSON for invalid TransformationMethod values; re-apply a corrected policy
4Test the sign-in flow with the Entra 'Test single sign-on' button on the SSO page — it surfaces the bad transformation before a real user hits AADSTS50111
5If the app comes from the gallery, delete the customized claim and re-add it using the default template, then layer transformations back on one at a time

Frequently asked questions

What does AADSTS50111 mean?

Unknown claim transformation was asked to be

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes