Low severity | authentication
Power BI Error: AADSTS50130
What does this error mean?
Entra ID (Azure AD) cannot map the supplied authentication method claim to a recognized MFA/auth method.
Common causes
1. Custom claims-mapping policy on the service principal emitting an unsupported value for the auth method claim
2. Federated identity provider (ADFS, Okta, PingFederate) returning a non-standard `authnmethodsreferences` / `amr` value that Entra ID cannot translate
3. Conditional Access authentication context or authentication strength policy referencing a deprecated or renamed auth method
4. Incorrect MFA claim format passed by an upstream broker (e.g. Azure B2B/B2C trust) when chaining tokens
5. Application sending a custom `amr_values` / `acr_values` parameter with a value that is not in the allowed set
How to fix it
1. Open Entra ID → Sign-in logs, filter on error 50130, and inspect the 'Authentication Details' tab to see exactly which claim value was rejected
2. If the user signs in via a federated IdP, validate the SAML/JWT token (e.g. with SAML-tracer or jwt.ms) and confirm the `authnmethodsreferences` or `amr` claim contains only standard values like `pwd`, `mfa`, `otp`, `fido`, `wia`
3. Review any custom claims-mapping policy on the application's service principal (`Get-AzureADPolicy` / Graph `policies/claimsMappingPolicies`) and remove or correct entries that emit non-standard auth method values
4. Check Conditional Access → Authentication contexts and Authentication strengths for recently renamed or deprecated methods, and re-bind the policy to current method names
5. If the application sends `acr_values` or `amr_values` in the auth request, align them with Microsoft's documented set or remove them and let Entra ID negotiate
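
The `amr` check from the JWT validation step can be done offline instead of pasting a token into a web tool. This is an added example, not code from the original page or from Microsoft. The helper names, the sample tokens and the allow-list (only the five values the page names, not Entra ID's full accepted set) are assumptions.

```python
import base64
import json

# Only the values this page names as examples; extend from Microsoft's
# documentation before treating a finding as conclusive (assumption).
PAGE_LISTED_AMR = {"pwd", "mfa", "otp", "fido", "wia"}


def decode_jwt_payload(token: str) -> dict:
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    segment = parts[1]
    segment += "=" * (-len(segment) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def unexpected_amr(claims: dict, allowed=PAGE_LISTED_AMR) -> list:
    """Return amr values outside the allow-list; a missing claim yields []."""
    amr = claims.get("amr", [])
    if isinstance(amr, str):  # some issuers emit one string instead of an array
        amr = [amr]
    # Exact, case-sensitive match: "MFA" is reported, as is any non-string value.
    return [v for v in amr if not isinstance(v, str) or v not in allowed]


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed samples: one clean token, one carrying a non-standard value
# of the kind a federated IdP might emit.
GOOD = make_sample_token({"sub": "user@example.com", "amr": ["pwd", "mfa"]})
BAD = make_sample_token({"sub": "user@example.com", "amr": ["pwd", "SmartCardPIN"]})

if __name__ == "__main__":
    for name, tok in (("good", GOOD), ("bad", BAD)):
        print(name, unexpected_amr(decode_jwt_payload(tok)))
```

Run it against a token captured from the failing sign-in and compare the reported values with the one shown as rejected in the sign-in log.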