What causes AADSTS50136?

The user signed in with a personal Microsoft Account (MSA: outlook.com, hotmail.com, live.com) while the app registration is set to 'Accounts in this organizational directory only' (single-tenant). App registration's supported account types excludes personal Microsoft Accounts, but the authority used is /common or /consumers which routes MSA sessions. Power BI / Fabric tenant requires a work account but the browser has an active MSA session that gets picked up via SSO. Guest user signed in with their MSA identity instead of the invited work/school account in the host tenant. Stale MSA cookies in the browser causing Entra ID to short-circuit the work-account login flow

How do I fix AADSTS50136?

Sign out fully at https://login.microsoftonline.com and https://login.live.com, clear cookies for both domains, then retry with the correct work/school account (e.g. user@yourcompany.com). In the Entra ID portal → App registrations → your app → Authentication, change 'Supported account types' to 'Accounts in any organizational directory and personal Microsoft accounts' if MSA support is intended. If MSA is NOT intended, switch the OAuth authority from /common or /consumers to /organizations or your specific tenant ID (/{tenantId}) so personal sessions are rejected upfront. For Power BI Desktop / Gateway: sign out via File → Account → Sign out, restart the client, and sign in with the work account tied to the Power BI tenant. For embedded scenarios (Power BI Embedded, Fabric APIs), set `prompt=select_account` on the auth request so users are forced to pick the work account instead of inheriting the MSA session

Low severityauthentication

Power BI Error:
AADSTS50136, MSA session redirect required

What does this error mean?

Sign-in detected an active Microsoft Account (MSA) session that must be redirected to the app's MSA endpoint instead of the Entra ID (Azure AD) endpoint.

Common causes

1The user signed in with a personal Microsoft Account (MSA: outlook.com, hotmail.com, live.com) while the app registration is set to 'Accounts in this organizational directory only' (single-tenant)
2App registration's supported account types excludes personal Microsoft Accounts, but the authority used is /common or /consumers which routes MSA sessions
3Power BI / Fabric tenant requires a work account but the browser has an active MSA session that gets picked up via SSO
4Guest user signed in with their MSA identity instead of the invited work/school account in the host tenant
5Stale MSA cookies in the browser causing Entra ID to short-circuit the work-account login flow

How to fix it

1Sign out fully at https://login.microsoftonline.com and https://login.live.com, clear cookies for both domains, then retry with the correct work/school account (e.g. user@yourcompany.com)
2In the Entra ID portal → App registrations → your app → Authentication, change 'Supported account types' to 'Accounts in any organizational directory and personal Microsoft accounts' if MSA support is intended
3If MSA is NOT intended, switch the OAuth authority from /common or /consumers to /organizations or your specific tenant ID (/{tenantId}) so personal sessions are rejected upfront
4For Power BI Desktop / Gateway: sign out via File → Account → Sign out, restart the client, and sign in with the work account tied to the Power BI tenant
5For embedded scenarios (Power BI Embedded, Fabric APIs), set `prompt=select_account` on the auth request so users are forced to pick the work account instead of inheriting the MSA session

Frequently asked questions

What does AADSTS50136 mean?

RedirectMsaSessionToAp

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes