What causes AADSTS501241?

The Unique User Identifier (Name ID) claim is missing or empty in the Enterprise App's SSO configuration. The source attribute mapped to NameID (e.g. user.userprincipalname or user.mail) is null on the signing-in user. A custom claim transformation references an input attribute that doesn't exist on the user object. The Enterprise App was provisioned from the gallery but SSO claims were never completed. Directory sync issue causing the mapped attribute (mail, employeeid, extensionAttributeX) to be unpopulated

How do I fix AADSTS501241?

Sign in to the Microsoft Entra admin center as at least Cloud Application Administrator and open Entra ID > Enterprise apps, then select the failing application. Go to Single sign-on > User Attributes & Claims and confirm the Unique User Identifier (Name ID) is set — if missing, add it and pick a populated source attribute (typically user.userprincipalname). If a custom claim transformation is used, verify every Mandatory Input referenced in the transformation exists and is populated on the test user. Run the affected user through Entra ID > Users > select user > check that the source attribute (mail, UPN, employeeID, etc.) actually has a value; backfill via AD Connect or manually if empty. Use the Test single sign-on button on the SSO blade to validate the SAML response before sending users back to the app

Medium severityauthentication

Power BI Error:
AADSTS501241

What does this error mean?

Microsoft Entra ID (Azure AD) cannot build the SAML response because the NameID claim has no source attribute mapped.

Common causes

1The Unique User Identifier (Name ID) claim is missing or empty in the Enterprise App's SSO configuration
2The source attribute mapped to NameID (e.g. user.userprincipalname or user.mail) is null on the signing-in user
3A custom claim transformation references an input attribute that doesn't exist on the user object
4The Enterprise App was provisioned from the gallery but SSO claims were never completed
5Directory sync issue causing the mapped attribute (mail, employeeid, extensionAttributeX) to be unpopulated

How to fix it

1Sign in to the Microsoft Entra admin center as at least Cloud Application Administrator and open Entra ID > Enterprise apps, then select the failing application
2Go to Single sign-on > User Attributes & Claims and confirm the Unique User Identifier (Name ID) is set — if missing, add it and pick a populated source attribute (typically user.userprincipalname)
3If a custom claim transformation is used, verify every Mandatory Input referenced in the transformation exists and is populated on the test user
4Run the affected user through Entra ID > Users > select user > check that the source attribute (mail, UPN, employeeID, etc.) actually has a value; backfill via AD Connect or manually if empty
5Use the Test single sign-on button on the SSO blade to validate the SAML response before sending users back to the app

Frequently asked questions

What does AADSTS501241 mean?

Mandatory Input '{paramName}' missing from t

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes