What causes AADSTS50123?

Typo in the `TransformationMethod` value inside a custom claims-mapping policy (e.g. 'ExtractMailPrefix' misspelled). Policy references a transformation method that was deprecated or never existed in Entra ID's supported set (Join, ExtractMailPrefix, RegexReplace, etc.). Claims-mapping policy was copy-pasted from a third-party example with non-Microsoft method names. Policy applied to the wrong service principal where the referenced source claim/method combination is invalid. PowerShell/Graph script generated the policy with a variable that wasn't substituted, leaving a literal placeholder in the method field

How do I fix AADSTS50123?

Identify the affected service principal — the `{principalId}` in the error matches an objectId in Entra ID > Enterprise applications. Run `Get-AzureADServicePrincipal -ObjectId ` to confirm the app. List the claims-mapping policies bound to that principal: `Get-AzureADServicePrincipalPolicy -Id ` and inspect the `Definition` JSON. In the policy JSON, find every `TransformationMethod` entry and verify each value matches Microsoft's supported list: Constant, Join, ExtractMailPrefix, RegexReplace (case-sensitive). Update the policy with the correct method via `Set-AzureADPolicy -Id -Definition `, or detach and recreate it. Have the user retry sign-in; if the app uses token caching, clear the user's session or wait for cache expiry (typically up to 1 hour)

Low severityauthentication

Power BI Error:
AADSTS50123

What does this error mean?

Azure AD/Entra ID rejected the sign-in because the app manifest references a claims transformation method that doesn't exist.

Common causes

1Typo in the `TransformationMethod` value inside a custom claims-mapping policy (e.g. 'ExtractMailPrefix' misspelled)
2Policy references a transformation method that was deprecated or never existed in Entra ID's supported set (Join, ExtractMailPrefix, RegexReplace, etc.)
3Claims-mapping policy was copy-pasted from a third-party example with non-Microsoft method names
4Policy applied to the wrong service principal where the referenced source claim/method combination is invalid
5PowerShell/Graph script generated the policy with a variable that wasn't substituted, leaving a literal placeholder in the method field

How to fix it

1Identify the affected service principal — the `{principalId}` in the error matches an objectId in Entra ID > Enterprise applications. Run `Get-AzureADServicePrincipal -ObjectId <principalId>` to confirm the app
2List the claims-mapping policies bound to that principal: `Get-AzureADServicePrincipalPolicy -Id <principalId>` and inspect the `Definition` JSON
3In the policy JSON, find every `TransformationMethod` entry and verify each value matches Microsoft's supported list: Constant, Join, ExtractMailPrefix, RegexReplace (case-sensitive)
4Update the policy with the correct method via `Set-AzureADPolicy -Id <policyId> -Definition <fixedJson>`, or detach and recreate it
5Have the user retry sign-in; if the app uses token caching, clear the user's session or wait for cache expiry (typically up to 1 hour)

Frequently asked questions

What does AADSTS50123 mean?

Unknown claims transformation method '{method}' was specified for principal '{principalId}'.

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes