Low severity | authentication
Power BI Error: AADSTS50159
What does this error mean?
Microsoft Entra ID (formerly Azure AD) rejected a federated sign-in to Power BI because the token returned by the external identity provider (IdP) did not carry the claims Entra ID needs to match the user to a cloud account. Read the failure reason text logged next to the code rather than relying on the number alone: Microsoft's published error-code reference describes AADSTS50159 as ExternalClaimsProviderThrottled (the request to the external claims provider could not be sent) and lists an insufficient or missing claim set under the neighbouring code AADSTS50161, so confirm which condition the sign-in log actually reports before working through the steps below.
Common causes
1. The federated IdP (AD FS, Okta, PingFederate or another SAML/WS-Fed provider) is not issuing the claims Entra ID matches the user on: for WS-Fed the UPN claim (http://schemas.xmlsoap.org/claims/UPN) and the ImmutableID claim (http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID); for SAML 2.0 a persistent NameID whose value is the ImmutableID plus an IDPEmail attribute carrying the UPN
2. The issuer in the IdP's response does not match the IssuerUri stored on the federated domain in Entra ID (for AD FS, the farm's federation service identifier)
3. Claim rules or attribute mappings on the IdP were changed, broken or removed, for example after an AD FS upgrade or after the urn:federation:MicrosoftOnline relying party trust was rebuilt
4. The IdP's token-signing certificate rolled over but the new certificate was never published to Entra ID, leaving the federation trust out of sync
5. The IdP derives ImmutableID from a different attribute than Microsoft Entra Connect (Azure AD Connect) uses as sourceAnchor (objectGUID on one side, mS-DS-ConsistencyGuid on the other), or mS-DS-ConsistencyGuid is empty on the user object, so the IdP emits no ImmutableID or one that matches no cloud user
How to fix it
1. Capture the failing sign-in: in the Microsoft Entra admin center open Sign-in logs, filter on error code 50159 and note the failure reason and the federated domain. Entra ID does not log the contents of the IdP's token, so take the claims from the IdP side: on AD FS enable auditing (Set-AdfsProperties -AuditLevel Verbose) and read events 500/501 in the Security log, or capture the token the IdP posts back to login.microsoftonline.com with a SAML tracer or Fiddler
2. On the IdP (AD FS Management → Relying Party Trusts → Microsoft Office 365 Identity Platform, identifier urn:federation:MicrosoftOnline, or the Okta/Ping equivalent) verify the issuance rules emit the UPN and ImmutableID claims (WS-Fed) or a persistent NameID carrying the ImmutableID plus the IDPEmail attribute (SAML 2.0), and that the ImmutableID is read from the same attribute Entra Connect uses as sourceAnchor
3. Compare the IssuerUri and token-signing certificate on the IdP (Get-AdfsProperties, Get-AdfsCertificate -CertificateType Token-Signing) with what Entra ID holds: Get-MgDomainFederationConfiguration -DomainId <domain> (the legacy MSOnline cmdlet Get-MsolDomainFederationSettings is being retired). If they drift, push the current values with Update-MgDomainFederationConfiguration, or re-establish the trust from an AD FS server with Convert-MsolDomainToFederated / Update-MsolFederatedDomain
4. If you use Microsoft Entra Connect, run a full sync (Start-ADSyncSyncCycle -PolicyType Initial) and confirm the affected user's OnPremisesImmutableId in Entra ID equals the Base64 encoding of the on-prem sourceAnchor attribute; populate mS-DS-ConsistencyGuid if it is empty (objectGUID is always present, so an empty anchor can only be the ConsistencyGuid)
5. Sign in to Power BI (app.powerbi.com) with a known-good account, capture the response the IdP posts back to login.microsoftonline.com with the SAML tracer or Fiddler, and confirm the corrected claim set (issuer, ImmutableID / NameID, UPN / IDPEmail) is present before retesting the failing user
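Putting the checks above into one script, as an added example (not code from the original page or from Microsoft): it compares the IssuerUri and token-signing certificate Entra ID holds for the domain with what the AD FS farm presents, inspects the claim rules on the urn:federation:MicrosoftOnline trust, compares one user's cloud ImmutableId with the on-prem sourceAnchor, and, if you saved a decoded token from the SAML tracer, lists the issuer and claims it carries. It assumes it runs on an AD FS server with the ADFS and ActiveDirectory modules, that the Microsoft.Graph module is installed, and that $Domain, $Upn, $SourceAnchorAttr and $CapturedTokenPath are placeholders for your environment; the SAML 2.0 path (NameID / IDPEmail) is included for third-party IdPs even though the AD FS steps above use WS-Fed.

```powershell
# Added example, not code from the original page or from Microsoft.
# Cross-checks the pieces of the federation trust that the steps above touch:
#   (a) IssuerUri and token-signing certificate held by Entra ID vs. what this AD FS farm presents
#   (b) the claim rules on the urn:federation:MicrosoftOnline relying party trust
#   (c) one user's cloud OnPremisesImmutableId vs. the on-prem sourceAnchor attribute
#   (d) issuer and claims inside a token captured with a SAML tracer / Fiddler (decoded XML)
# Assumes: run on an AD FS server (ADFS module) with the ActiveDirectory RSAT module and
# Microsoft.Graph installed. The four values below are placeholders for your environment.
$Domain            = 'contoso.com'
$Upn               = 'alice@contoso.com'
$SourceAnchorAttr  = 'mS-DS-ConsistencyGuid'        # 'objectGUID' on older Entra Connect installs
$CapturedTokenPath = 'C:\temp\saml-response.xml'     # optional: decoded token XML saved from the tracer

$ImmutableIdType = 'http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID'
$UpnType         = 'http://schemas.xmlsoap.org/claims/UPN'

Connect-MgGraph -Scopes 'Domain.Read.All','User.Read.All' -NoWelcome

# (a) trust settings: what Entra ID stores for the domain vs. what AD FS presents
$fed        = Get-MgDomainFederationConfiguration -DomainId $Domain
$cloudCert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                  [Convert]::FromBase64String($fed.SigningCertificate))
$adfsIssuer = (Get-AdfsProperties).Identifier.AbsoluteUri
$adfsCert   = (Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary).Certificate

[pscustomobject]@{ Check = 'IssuerUri'; EntraID = $fed.IssuerUri; ADFS = $adfsIssuer
                   Match = $fed.IssuerUri.TrimEnd('/') -eq $adfsIssuer.TrimEnd('/') }
[pscustomobject]@{ Check = 'TokenSigningThumbprint'; EntraID = $cloudCert.Thumbprint; ADFS = $adfsCert.Thumbprint
                   Match = $cloudCert.Thumbprint -eq $adfsCert.Thumbprint }

# (b) the relying party trust must issue ImmutableID and UPN; report which AD attributes feed them
$rpt = Get-AdfsRelyingPartyTrust -Identifier 'urn:federation:MicrosoftOnline'
foreach ($type in $ImmutableIdType, $UpnType) {
    if ($rpt.IssuanceTransformRules -notmatch [regex]::Escape($type)) {
        Write-Warning "Relying party trust does not issue claim type $type"
    }
}
# default rule: query = "samAccountName={0};userPrincipalName,<anchor attribute>;{1}"
if ($rpt.IssuanceTransformRules -match 'query\s*=\s*"([^"]+)"') {
    "Claim rule reads AD attributes: $(($Matches[1] -split ';')[1])"
}

# (c) user: cloud ImmutableId must equal the Base64 of the on-prem sourceAnchor attribute
$cloudUser = Get-MgUser -UserId $Upn -Property 'UserPrincipalName','OnPremisesImmutableId'
$adUser    = Get-ADUser -Filter "userPrincipalName -eq '$Upn'" -Properties $SourceAnchorAttr
$raw       = $adUser.$SourceAnchorAttr
$bytes     = if ($raw -is [guid]) { $raw.ToByteArray() } else { [byte[]]$raw }   # objectGUID comes back as [guid]
$onPremId  = if ($bytes) { [Convert]::ToBase64String($bytes) } else { '<empty>' }
[pscustomobject]@{ Check = "ImmutableId ($SourceAnchorAttr)"; EntraID = $cloudUser.OnPremisesImmutableId
                   OnPrem = $onPremId; Match = $cloudUser.OnPremisesImmutableId -eq $onPremId }

# (d) claims actually present in a captured token (SAML 1.1 inside WS-Fed, or a SAML 2.0 assertion)
if (Test-Path $CapturedTokenPath) {
    $xml    = [xml](Get-Content -Raw -Path $CapturedTokenPath)
    $issuer = $xml.SelectSingleNode('//*[local-name()="Assertion"]/@Issuer | //*[local-name()="Issuer"]')
    $nameId = $xml.SelectSingleNode('//*[local-name()="NameID" or local-name()="NameIdentifier"]')
    $claims = @{}
    foreach ($a in $xml.SelectNodes('//*[local-name()="Attribute"]')) {
        # SAML 1.1 carries AttributeNamespace + AttributeName; SAML 2.0 carries a single Name
        $ns   = $a.GetAttribute('AttributeNamespace')
        $name = if ($ns) { "$ns/$($a.GetAttribute('AttributeName'))" } else { $a.GetAttribute('Name') }
        $claims[$name] = $a.InnerText
    }
    $issuerText = if ($issuer) { $issuer.InnerText.TrimEnd('/') } else { '' }
    [pscustomobject]@{
        Issuer             = $issuerText
        IssuerMatchesEntra = $issuerText -eq $fed.IssuerUri.TrimEnd('/')
        NameID             = $nameId.InnerText
        ImmutableID        = $claims[$ImmutableIdType]
        UPN                = $claims[$UpnType]
        IDPEmail           = $claims['IDPEmail']
    }
    if (-not $claims[$ImmutableIdType] -and -not $nameId) {
        Write-Warning 'Token carries neither an ImmutableID claim nor a NameID: Entra ID cannot match the user'
    }
}
```

Every row with Match = False maps to one of the causes listed above (issuer drift, certificate rollover never published, or an ImmutableId mismatch), and a captured token whose ImmutableID and NameID fields come back empty reproduces the missing-claim condition directly, which is the point to fix the claim rule or attribute mapping before retesting.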