Low severity · authentication
Power BI Error: AADSTS501621
What does this error mean?
A regular expression used in the app's claims transformation rule took too long to evaluate and timed out during sign-in.
Common causes
1. A claims transformation policy on the Enterprise Application uses a regex with catastrophic backtracking (nested quantifiers such as (a+)+ or (.*)*, or ambiguous alternations)
2. The input claim value (e.g. UPN, email, group name) is unusually long, pushing an otherwise-acceptable regex over the timeout
3. A custom claims mapping policy or SAML claims transformation rule was recently changed and not tested against real-world claim values
4. Multiple chained regex transformations on the same claim compound the evaluation time
5. Transient load on the Entra ID token issuance service causes borderline-complex regex evaluations to exceed the time budget
How to fix it
1. Retry the sign-in once. If the regex is borderline rather than broken, the request may succeed, which points to a transient timeout rather than a hard configuration bug
2. In the Microsoft Entra admin center, open Enterprise Applications → the affected app → Single sign-on → Attributes & Claims, and review every claim with a Transformation (especially RegexReplace) rule
3. Test each regex against representative claim values using a regex tester with a backtracking analyzer (e.g. regex101 with the .NET flavor), and look for nested quantifiers like (.+)+, (a|a)*, or unbounded lookarounds
4. Rewrite problematic patterns to be linear: anchor with ^ and $, replace .* with more specific character classes, and avoid overlapping alternations
5. If the app uses a custom claims mapping policy via Microsoft Graph / PowerShell, export the policy (Get-MgPolicyClaimsMappingPolicy) and audit the ClaimsTransformation entries the same way
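Steps 3 and 4 can also be run offline in PowerShell, which uses the .NET regex engine and lets each match run under a time limit. This is an added example, not code from Microsoft or from the original page. The function name Test-ClaimRegex, the contoso/fabrikam patterns and claim values, and the 200 ms budget are assumptions made for illustration, and the local engine only approximates how the sign-in service evaluates a rule.

```powershell
# Constructed sample data: rules and claim values are illustrations only,
# not taken from any real claims transformation policy.
$patterns = [ordered]@{
    'nested quantifier' = '^(.+)+@contoso\.com$'      # (.+)+ can split the input in exponentially many ways
    'linear rewrite'    = '^[^@\s]+@contoso\.com$'    # one specific character class, no nesting
}
$claimValues = @(
    'alice@contoso.com'                  # typical UPN, matches
    'bob@fabrikam.com'                   # short value, does not match
    ('a' * 64) + '@fabrikam.com'         # unusually long value, does not match
)
# Assumed local budget; the service's real limit is not stated on this page.
$budget = [TimeSpan]::FromMilliseconds(200)

function Test-ClaimRegex {   # hypothetical helper name
    param(
        [string]   $Name,
        [string]   $Pattern,
        [string[]] $Values,
        [TimeSpan] $Timeout
    )
    # The three-argument constructor makes .NET abort any match that runs past $Timeout.
    $regex = [regex]::new($Pattern, [System.Text.RegularExpressions.RegexOptions]::None, $Timeout)
    foreach ($value in $Values) {
        $timer = [System.Diagnostics.Stopwatch]::StartNew()
        try {
            $result = if ($regex.IsMatch($value)) { 'match' } else { 'no match' }
        }
        catch [System.Text.RegularExpressions.RegexMatchTimeoutException] {
            $result = 'TIMEOUT'
        }
        [pscustomobject]@{
            Rule        = $Name
            ValueLength = $value.Length
            Result      = $result
            ElapsedMs   = $timer.ElapsedMilliseconds
        }
    }
}

# Run every rule against every sample value and show one row per combination.
$report = foreach ($entry in $patterns.GetEnumerator()) {
    Test-ClaimRegex -Name $entry.Key -Pattern $entry.Value -Values $claimValues -Timeout $budget
}
$report | Format-Table -AutoSize
# A TIMEOUT row marks a rule to rewrite before it is deployed.
```

Include the longest claim values your tenant actually issues, and at least one value that fails to match, since backtracking cost is highest when the regex has to exhaust every alternative before giving up.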