What causes AADSTS50157?

User signs in with a federated domain (AD FS or third-party IdP) and the app/library suppresses the redirect. B2B guest user authenticating against the resource tenant instead of their home tenant. Home Realm Discovery (HRD) policy or domain hint forcing routing to a different authority. Conditional Access or cross-tenant access settings rerouting the sign-in mid-flow. Non-interactive / embedded auth flow (ROPC, device code in headless context) that cannot follow an interactive redirect

How do I fix AADSTS50157?

Use an interactive sign-in flow (MSAL `AcquireTokenInteractive` or browser-based auth) so the client can follow the routing redirect — non-interactive flows will keep failing on this error. Verify the user's UPN domain in Entra admin center → Domains: confirm whether it's federated (AD FS / external IdP) and that the federation endpoint is reachable. For B2B guests: pass the correct `tenant` / authority (the resource tenant) and ensure the guest user has been invited and accepted in that tenant. Check Cross-tenant access settings (Entra ID → External Identities) and Conditional Access policies for routing rules that may be rejecting the current client. If using a domain_hint or login_hint, remove it temporarily to let Entra ID perform standard Home Realm Discovery and confirm routing works

Medium severityauthentication

Power BI Error:
AADSTS50157

What does this error mean?

Microsoft Entra ID (Azure AD) needs to redirect the sign-in to another identity provider or tenant to complete authentication.

Common causes

1User signs in with a federated domain (AD FS or third-party IdP) and the app/library suppresses the redirect
2B2B guest user authenticating against the resource tenant instead of their home tenant
3Home Realm Discovery (HRD) policy or domain hint forcing routing to a different authority
4Conditional Access or cross-tenant access settings rerouting the sign-in mid-flow
5Non-interactive / embedded auth flow (ROPC, device code in headless context) that cannot follow an interactive redirect

How to fix it

1Use an interactive sign-in flow (MSAL `AcquireTokenInteractive` or browser-based auth) so the client can follow the routing redirect — non-interactive flows will keep failing on this error
2Verify the user's UPN domain in Entra admin center → Domains: confirm whether it's federated (AD FS / external IdP) and that the federation endpoint is reachable
3For B2B guests: pass the correct `tenant` / authority (the resource tenant) and ensure the guest user has been invited and accepted in that tenant
4Check Cross-tenant access settings (Entra ID → External Identities) and Conditional Access policies for routing rules that may be rejecting the current client
5If using a domain_hint or login_hint, remove it temporarily to let Entra ID perform standard Home Realm Discovery and confirm routing works

Frequently asked questions

What does AADSTS50157 mean?

User redirection required for routing.

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes