High severity · authentication

Power BI Error:
AADSTS50143, tenant doesn't match domain hint

What does this error mean?

The signed-in session belongs to a different tenant than the domain_hint passed in the authorization request.

Common causes

  • The user is signed in to tenant A in the browser, but the application requests a token for tenant B via a domain_hint or tenant-specific authority
  • A multi-tenant app passes a hard-coded domain_hint that doesn't match the user's home tenant or the resource tenant
  • Cross-tenant scenario (B2B guest, multi-org Power BI) where the cached session is from a different home realm than the targeted resource
  • Stale SSO cookie from a previous tenant after switching accounts in the same browser profile
  • A Power BI / Fabric embed token or on-behalf-of flow targets a resource in a tenant the current session isn't authorized for

How to fix it

  1. Sign out completely at https://login.microsoftonline.com/common/oauth2/logout and clear cookies for login.microsoftonline.com, then sign in fresh with the account that belongs to the resource's tenant
  2. If you control the app: remove the hard-coded domain_hint, or set it dynamically to the user's actual tenant; use the /common or /organizations authority instead of a tenant-specific one for multi-tenant apps
  3. For Power BI / Fabric: open the workspace in an incognito/private window to bypass a cached session from the wrong tenant, or use a separate browser profile per tenant
  4. For B2B guest users: ensure the user accesses the resource via the resource tenant's URL (e.g. app.powerbi.com/?ctid=<resourceTenantId>) so the domain_hint matches
  5. Capture the Correlation ID and Request ID from the error page and check Microsoft Entra ID → Sign-in logs in the resource tenant to confirm which tenant/domain_hint mismatch occurred
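
For fix 2, a sketch of building the authorization request so domain_hint is never hard-coded. This is an added example, not code from the source page or from Microsoft; the function names, the client ID placeholder and the redirect URI are hypothetical, and taking the hint from the domain suffix of the sign-in name is an assumption that only holds when that suffix is a domain of the user's home tenant.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORITY_HOST = "https://login.microsoftonline.com"


def domain_from_login_hint(login_hint):
    """Return the lower-cased domain part of a sign-in name, or None."""
    if not login_hint or login_hint.count("@") != 1:
        return None
    domain = login_hint.rsplit("@", 1)[1].strip().lower()
    return domain or None


def build_authorize_url(client_id, redirect_uri, scopes, login_hint=None,
                        tenant="organizations"):
    """Build a v2.0 authorize URL for a multi-tenant app.

    Uses the /organizations authority by default and sets domain_hint only
    when it can be derived from the account being signed in (assumption:
    the UPN suffix identifies the home tenant). With no usable hint the
    parameter is omitted so home-realm discovery is left to the sign-in page.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": secrets.token_urlsafe(16),  # per-request anti-CSRF value
    }
    domain = domain_from_login_hint(login_hint)
    if domain:
        params["login_hint"] = login_hint
        params["domain_hint"] = domain
    return f"{AUTHORITY_HOST}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def hint_conflicts(url, login_hint):
    """True when the URL's domain_hint disagrees with the account's domain."""
    query = parse_qs(urlparse(url).query)
    hint = query.get("domain_hint", [None])[0]
    domain = domain_from_login_hint(login_hint)
    return bool(hint and domain and hint.lower() != domain)
```

hint_conflicts can be run over an app's existing sign-in links to find requests whose fixed domain_hint disagrees with the account a user is expected to sign in with.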

Frequently asked questions

What does AADSTS50143 mean?

Session is invalid because user tenant doesn't match the domain hint due to different resource. Open a support ticket with Correlation ID, Request ID, and Error code to get more details.

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes
