Low severity · authentication
Power BI Error: AADSTS501461
What does this error mean?
Token audience does not match the application GUID or a verified tenant domain, so acceptMappedClaims cannot be honored.
Common causes
1. App manifest has acceptMappedClaims=true but the Application ID URI uses an unverified domain (e.g. api://contoso.com while contoso.com is not verified on the tenant)
2. Resource/audience requested in the token is a third-party or non-verified URI rather than the app GUID (api://{appId}) or a verified-domain URI
3. Claims-mapping policy is assigned to the service principal without an application-specific signing key (custom signing key)
4. Multi-tenant app relying on acceptMappedClaims, which Entra ID does not allow without a custom signing key
5. Custom domain was added but never verified in Entra ID, so audiences under that domain are rejected for mapped claims
How to fix it
1. Open the app registration in the Entra admin center → Expose an API and set the Application ID URI to api://{appId-GUID} or to a URI under a domain that is verified on the tenant (Custom domain names → Verified)
2. If you need a custom audience on an unverified domain, configure a custom signing key: upload a certificate to the app registration and assign a claims-mapping policy with AcceptMappedClaims via PowerShell (New-AzureADPolicy / Add-AzureADServicePrincipalPolicy) instead of relying on the manifest flag
3. Verify the requested resource/scope in your client matches the audience configured on the app: request tokens for api://{appId} or the verified-domain URI, not an arbitrary identifier
4. If the manifest flag is no longer needed (claims mapping handled elsewhere), set acceptMappedClaims back to null/false in the manifest to remove the constraint
5. Verify the custom domain under Entra ID → Custom domain names; an unverified domain will keep failing even with the signing key configured
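
An offline pre-flight check for the audience and multi-tenant causes listed above, as an added example that is not part of the original page and not Entra ID's own validation logic. It assumes you have exported the app manifest as JSON and obtained the tenant's verified domain list separately; the function names, finding strings and sample values are constructed for illustration, and the signing-key cause is not modelled.

```python
from urllib.parse import urlparse

def audience_ok(uri, app_id, verified_domains):
    """True when uri is api://{appId} or its host is under a verified domain."""
    if uri.lower().rstrip("/") == f"api://{app_id}".lower():
        return True
    host = (urlparse(uri).hostname or "").lower()
    # Assumption: "under a verified domain" means the domain itself or a
    # subdomain, never a mere suffix (notcontoso.com must not pass).
    return any(host == d or host.endswith("." + d) for d in verified_domains)

def check_manifest(manifest, verified_domains):
    """Return findings for the audience and multi-tenant causes listed above."""
    # The flag is top-level in the older manifest format and under "api"
    # in the Microsoft Graph format.
    flag = (manifest.get("acceptMappedClaims")
            or (manifest.get("api") or {}).get("acceptMappedClaims"))
    if not flag:
        return []  # flag unset: the constraint on this page does not apply
    domains = {d.lower() for d in verified_domains}
    findings = [f"unverified-audience:{u}"
                for u in manifest.get("identifierUris", [])
                if not audience_ok(u, manifest["appId"], domains)]
    # A missing signInAudience is treated as single-tenant (assumption).
    if manifest.get("signInAudience", "AzureADMyOrg") != "AzureADMyOrg":
        findings.append("multi-tenant-with-acceptMappedClaims")
    return findings

# Constructed sample data (not from a real tenant).
APP_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE = {"appId": APP_ID, "signInAudience": "AzureADMyOrg",
          "acceptMappedClaims": True, "identifierUris": ["api://contoso.com"]}

if __name__ == "__main__":
    for finding in check_manifest(SAMPLE, ["fabrikam.com"]):
        print(finding)
```

An empty result means none of the modelled causes apply; any finding names the identifier URI or setting to correct before requesting tokens.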