MetricSign
Low severity · authentication

Power BI Error:
AADSTS50161

What does this error mean?

Microsoft Entra ID (Azure AD) could not validate the authorization endpoint URL configured for an external/federated claims provider.

Common causes

  • The federated domain or external claims provider in Microsoft Entra ID points to an authorization URL that is malformed, has a typo, or uses an incorrect protocol (http vs https)
  • The external IdP (AD FS, third-party SAML/OIDC provider) is offline, its certificate is expired, or its metadata endpoint is no longer reachable from Entra ID
  • The federation metadata in Entra ID is stale: the IdP's authorization endpoint changed but `Set-MsolDomainFederationSettings` / `Update-MgDomainFederationConfiguration` was never re-run
  • A custom claims provider or External Identities (B2B/B2C) federation is registered with an authorization URL that doesn't match the issuer/discovery document of the IdP
  • DNS or network egress from Entra ID to the IdP's authorization endpoint is failing (firewall, expired domain, broken load balancer in front of AD FS)

How to fix it

  1. Identify which federated domain or external claims provider was used in the failing sign-in (check the UPN suffix of the user and cross-reference with `Get-MgDomainFederationConfiguration` or the External Identities blade in the Entra admin center)
  2. Open the IdP's federation/discovery metadata in a browser from outside your network (e.g. `https://<idp>/adfs/ls/` or the OIDC `.well-known/openid-configuration`) and confirm the authorization endpoint actually loads with a valid TLS certificate
  3. Compare the `PassiveLogOnUri` / authorization URL stored in Entra ID against the live metadata from the IdP — if they differ, refresh the federation settings with `Update-MgDomainFederationConfiguration` (or re-run AAD Connect federation setup for AD FS)
  4. If this is a custom external claims provider or B2C/B2B federation, re-register the IdP in the Entra admin center with the correct authorization URL from its current OIDC/SAML metadata
  5. If everything looks correct, validate network reachability from Microsoft's IP ranges to the IdP (firewall, WAF, DNS) — AADSTS50161 also fires when Entra ID can reach the URL syntactically but the TLS handshake or HTTP response is invalid
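Steps 2 and 3 above amount to a small validation routine: confirm the stored authorization URL is well formed and https, fetch the IdP's live OIDC discovery document with normal certificate verification, and compare the two after normalising cosmetic differences. The script below is an added example, not code from MetricSign or from Microsoft's tooling. It assumes you paste in the value returned by `Get-MgDomainFederationConfiguration` (for an OIDC provider; for WS-Fed/SAML federation the comparison target is the IdP's federation metadata XML rather than the discovery JSON, which this example does not parse). The `idp.example.com` discovery document is constructed for the example.

```python
"""Validate an external claims provider's authorization URL before
refreshing Entra ID federation settings (added example, hypothetical IdP)."""
import json
import ssl
import urllib.request
from urllib.parse import urlsplit, urlunsplit

# Constructed sample discovery document; not fetched from any real IdP.
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.com/adfs",
    "authorization_endpoint": "https://idp.example.com/adfs/oauth2/authorize/",
    "token_endpoint": "https://idp.example.com/adfs/oauth2/token/",
}


def normalize_url(url):
    """Lowercase scheme and host, drop a default port and trailing slash, and
    drop any fragment, so cosmetic differences do not count as a mismatch."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    try:
        port = parts.port
    except ValueError:          # non-numeric port: leave netloc as written
        port = None
        host = parts.netloc.lower()
    default = (parts.scheme == "https" and port == 443) or (parts.scheme == "http" and port == 80)
    if port and not default:
        host = f"{host}:{port}"
    path = parts.path.rstrip("/") or "/"
    return urlunsplit((parts.scheme.lower(), host, path, parts.query, ""))


def check_authorization_url(url):
    """Syntactic checks matching the common causes: wrong protocol, typo'd or
    missing host. Returns a list of findings; an empty list means well formed."""
    findings = []
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        findings.append(f"scheme must be https, got {parts.scheme or 'none'!r}")
    if not parts.hostname:
        findings.append("missing host")
    elif " " in parts.netloc or ".." in parts.hostname:
        findings.append("host looks malformed")
    if parts.fragment:
        findings.append("fragment is not valid in an authorization endpoint")
    return findings


def compare_with_discovery(stored_url, discovery_doc):
    """Compare the URL stored in Entra ID with the IdP's live discovery document.
    Returns a list of findings; empty means the stored value is current."""
    findings = check_authorization_url(stored_url)
    live = discovery_doc.get("authorization_endpoint")
    if not live:
        findings.append("discovery document has no authorization_endpoint")
        return findings
    if normalize_url(stored_url) != normalize_url(live):
        findings.append(f"stored {stored_url} differs from live {live}: refresh federation settings")
    issuer_host = urlsplit(discovery_doc.get("issuer", "")).hostname
    if issuer_host and issuer_host != urlsplit(live).hostname:
        findings.append("authorization_endpoint host differs from issuer host: re-check the IdP registration")
    return findings


def fetch_discovery(issuer, timeout=10):
    """Fetch <issuer>/.well-known/openid-configuration with full certificate
    verification. An expired or untrusted IdP certificate raises ssl.SSLError,
    which is itself the finding that explains AADSTS50161."""
    url = issuer.rstrip("/") + "/.well-known/openid-configuration"
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Hypothetical value copied from Get-MgDomainFederationConfiguration.
    stored = "https://idp.example.com/adfs/oauth2/authorize"
    print("current stored URL:", compare_with_discovery(stored, SAMPLE_DISCOVERY))
    print("http typo:", compare_with_discovery("http://idp.example.com/adfs/oauth2/authorize", SAMPLE_DISCOVERY))
    print("stale path:", compare_with_discovery("https://idp.example.com/adfs/oauth2/authorise", SAMPLE_DISCOVERY))
```

Run it against the live IdP by replacing `SAMPLE_DISCOVERY` with `fetch_discovery("https://<idp>/adfs")` from a host outside your network; a TLS failure at that point is the answer to step 2, and a non-empty findings list is the answer to step 3.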

Frequently asked questions

What does AADSTS50161 mean?

Failed to validate authorization url of external claims provider.

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes
