What causes AADSTS50128?

Authority URL uses `/common` or `/organizations` while the app expects a single-tenant flow, and no `login_hint` or username is provided. Username/UPN is passed without a domain part (e.g. `wienik` instead of `wienik@contoso.com`), so no tenant can be derived. The domain in the UPN is not a verified domain on any Entra ID tenant (typo, unfederated vanity domain, or recently removed). Service principal / daemon flow (`client_credentials`) called against `/common` instead of `/{tenantId}` — `/common` is not valid for app-only tokens. On-premises Power BI Gateway or ADF linked service configured with a stale or empty tenant ID after a tenant rename or migration

How do I fix AADSTS50128?

Replace `/common` or `/organizations` in the authority URL with the explicit tenant ID or verified domain: `https://login.microsoftonline.com/{tenantId-or-domain}/oauth2/v2.0/token`. For app-only / service principal flows (Power BI embedded, ADF, Fabric pipelines), always target `/{tenantId}` — `/common` is unsupported for `client_credentials`. When using interactive or ROPC flows, ensure the `username` / `login_hint` is a full UPN (`user@domain.com`) and that the domain is listed as Verified under Entra ID → Custom domain names. In Power BI / ADF / Fabric linked services, re-enter the credential and confirm the Tenant ID field matches the tenant shown in Entra ID → Overview (especially after a tenant rename). If the domain was recently added, wait for verification to complete or fall back to the `*.onmicrosoft.com` initial domain to confirm the flow works end-to-end

Low severityauthentication

Power BI Error:
AADSTS50128

What does this error mean?

Azure AD / Entra ID could not resolve a tenant from the sign-in request because no tenant hint was supplied.

Common causes

1Authority URL uses `/common` or `/organizations` while the app expects a single-tenant flow, and no `login_hint` or username is provided
2Username/UPN is passed without a domain part (e.g. `wienik` instead of `wienik@contoso.com`), so no tenant can be derived
3The domain in the UPN is not a verified domain on any Entra ID tenant (typo, unfederated vanity domain, or recently removed)
4Service principal / daemon flow (`client_credentials`) called against `/common` instead of `/{tenantId}` — `/common` is not valid for app-only tokens
5On-premises Power BI Gateway or ADF linked service configured with a stale or empty tenant ID after a tenant rename or migration

How to fix it

1Replace `/common` or `/organizations` in the authority URL with the explicit tenant ID or verified domain: `https://login.microsoftonline.com/{tenantId-or-domain}/oauth2/v2.0/token`
2For app-only / service principal flows (Power BI embedded, ADF, Fabric pipelines), always target `/{tenantId}` — `/common` is unsupported for `client_credentials`
3When using interactive or ROPC flows, ensure the `username` / `login_hint` is a full UPN (`user@domain.com`) and that the domain is listed as Verified under Entra ID → Custom domain names
4In Power BI / ADF / Fabric linked services, re-enter the credential and confirm the Tenant ID field matches the tenant shown in Entra ID → Overview (especially after a tenant rename)
5If the domain was recently added, wait for verification to complete or fall back to the `*.onmicrosoft.com` initial domain to confirm the flow works end-to-end

Frequently asked questions

What does AADSTS50128 mean?

No tenant-identifying information found in either the request or implied by any provided c

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes