What causes AADSTS50124?

Invalid or unescaped regex pattern in a RegexReplacement claims transformation (e.g. unclosed group, bad character class). Regex syntax that exceeds Entra ID's supported subset — backreferences, lookaheads/lookbehinds, or named groups are not allowed. Source claim is empty or null, causing the regex to fail at evaluation time. Claims mapping policy assigned to the service principal references a non-existent or wrong input claim. Pattern exceeds the documented length limit (regex max 1024 chars, input max 1024 chars)

How do I fix AADSTS50124?

Identify the affected app's claims mapping policy: `Get-MgServicePrincipalClaimMappingPolicy -ServicePrincipalId ` in Microsoft Graph PowerShell. Inspect the policy definition and locate every `RegexReplacement` transformation — validate each `Regex` value against .NET regex syntax (regex101.com with .NET flavor). Remove unsupported constructs (lookarounds, backreferences, named captures) and re-escape special characters; keep the pattern under 1024 chars. Update the policy with `Update-MgPolicyClaimMappingPolicy` and re-test sign-in; if the policy is shared, check whether other apps depend on it before changing. If you don't own the app registration, send the app's Application (client) ID and the failing user's UPN to your Entra ID tenant admin so they can correct the claims mapping policy

High severityauthentication

Power BI Error:
AADSTS50124

What does this error mean?

A claims mapping policy on the app contains an invalid regex pattern, blocking SAML token issuance.

Common causes

1Invalid or unescaped regex pattern in a RegexReplacement claims transformation (e.g. unclosed group, bad character class)
2Regex syntax that exceeds Entra ID's supported subset — backreferences, lookaheads/lookbehinds, or named groups are not allowed
3Source claim is empty or null, causing the regex to fail at evaluation time
4Claims mapping policy assigned to the service principal references a non-existent or wrong input claim
5Pattern exceeds the documented length limit (regex max 1024 chars, input max 1024 chars)

How to fix it

1Identify the affected app's claims mapping policy: `Get-MgServicePrincipalClaimMappingPolicy -ServicePrincipalId <appSpId>` in Microsoft Graph PowerShell
2Inspect the policy definition and locate every `RegexReplacement` transformation — validate each `Regex` value against .NET regex syntax (regex101.com with .NET flavor)
3Remove unsupported constructs (lookarounds, backreferences, named captures) and re-escape special characters; keep the pattern under 1024 chars
4Update the policy with `Update-MgPolicyClaimMappingPolicy` and re-test sign-in; if the policy is shared, check whether other apps depend on it before changing
5If you don't own the app registration, send the app's Application (client) ID and the failing user's UPN to your Entra ID tenant admin so they can correct the claims mapping policy

Frequently asked questions

What does AADSTS50124 mean?

Invalid regular expression configured for claims transformation for this application. Contact your tenan

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes