Low severity, authentication
Power BI Error: AADSTS50163
What does this error mean?
A regex-based claims transformation in the Microsoft Entra ID (Azure AD) app produces a claim value that exceeds the allowed size.
Common causes
1. A RegexReplace claims transformation in the claims-mapping policy produces an output value larger than the per-claim size limit
2. The source attribute (e.g. groups, extensionAttribute, onPremisesSamAccountName) used in the regex contains far more data than expected for some users
3. The regex pattern is too greedy, or the replacement string concatenates multiple captured groups, inflating the claim
4. The custom claims-mapping policy is assigned to the service principal but was tested only against accounts with small attribute values
5. Combined with group or role claims emission, the total claim payload exceeds Entra ID's allowed token claim size
How to fix it
1. Identify the affected app: in the Entra admin center, open Enterprise applications → the app shown in the sign-in error → Single sign-on, and note any custom claims or claims-mapping policy assigned to its service principal
2. Retrieve the policy with Microsoft Graph or Graph PowerShell (Get-MgPolicyClaimsMappingPolicy) and locate the ClaimsSchema entry that uses a RegexReplace transformation
3. Test the regex against a real user's source attribute value (e.g. with a sign-in for the failing user) and shorten the output: tighten the pattern, drop unused capture groups, or truncate via a Substring transformation before RegexReplace
4. Update the claims-mapping policy (Update-MgPolicyClaimsMappingPolicy) and re-assign it to the service principal; ask the user to sign in again in a fresh session
5. If the bloat comes from group claims combined with the transformed claim, switch to emitting only groups assigned to the application or use group filtering to reduce token size
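The following Graph PowerShell script is an added example for steps 2 and 3 above; it is not Microsoft's code and not part of this page's original content. It pulls a claims-mapping policy by display name, parses the JSON in its Definition property, finds every ClaimsTransformations entry whose TransformationMethod is RegexReplace (the ClaimsSchema entry that emits the claim references it by TransformationId), and replays each regex locally against a sample attribute value to estimate how large the emitted claim would be. Assumptions: the Microsoft.Graph.Identity.SignIns module is installed and the signed-in account can read policies; the `{groupname}` replacement syntax used in Entra claim transformations is approximated by rewriting it to .NET's `${groupname}` before calling the local regex engine; the WarnAboveChars threshold is a placeholder, because the exact per-claim limit is not stated on this page. When no policy name is given, the script runs offline against a constructed policy definition and a constructed oversized attribute value so the logic can be seen without tenant access.

```powershell
# Added example (not Microsoft's code): estimate the output size of RegexReplace
# claim transformations in a claims-mapping policy for a given attribute value.
param(
    [string]$PolicyDisplayName,      # claims-mapping policy to inspect; empty = offline demo
    [string]$SampleValue,            # representative source attribute value for the failing user
    [int]$WarnAboveChars = 1000      # placeholder threshold; the real per-claim limit is not on this page
)

# Constructed policy shaped like a real claims-mapping policy definition (offline demo only).
# The replacement "{v}|{v}" emits the captured group twice, doubling the claim size.
$constructedDefinition = @'
{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true",
 "ClaimsSchema":[
   {"Source":"user","ID":"extensionattribute1"},
   {"ID":"deptCode","TransformationId":"DoubleIt","SamlClaimType":"http://schemas.contoso.example/deptcode"}],
 "ClaimsTransformations":[
   {"ID":"DoubleIt","TransformationMethod":"RegexReplace",
    "InputClaims":[{"ClaimTypeReferenceId":"extensionattribute1","TransformationClaimType":"sourceValue"}],
    "InputParameters":[{"ID":"regex","Value":"(?<v>.*)"},{"ID":"replacement","Value":"{v}|{v}"}],
    "OutputClaims":[{"ClaimTypeReferenceId":"deptCode","TransformationClaimType":"outputClaim"}]}]}}
'@

function Get-PolicyDefinitionJson {
    param([string]$DisplayName)
    if ([string]::IsNullOrEmpty($DisplayName)) { return $constructedDefinition }
    # Policy.Read.All is sufficient to read claims-mapping policies (assumption: you hold that scope).
    Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome
    $policy = Get-MgPolicyClaimsMappingPolicy -All | Where-Object { $_.DisplayName -eq $DisplayName }
    if (-not $policy) { throw "No claims-mapping policy named '$DisplayName' found." }
    # Definition is a string[] holding one JSON document.
    return $policy.Definition[0]
}

function Test-RegexReplaceTransformations {
    param([string]$DefinitionJson, [string]$Value, [int]$Threshold)
    $cmp = ($DefinitionJson | ConvertFrom-Json).ClaimsMappingPolicy
    $regexTransforms = @($cmp.ClaimsTransformations | Where-Object { $_.TransformationMethod -eq 'RegexReplace' })
    foreach ($t in $regexTransforms) {
        $regex       = ($t.InputParameters | Where-Object { $_.ID -eq 'regex' }).Value
        $replacement = ($t.InputParameters | Where-Object { $_.ID -eq 'replacement' }).Value
        # Entra's replacement syntax references named groups as {name}; .NET uses ${name}.
        # '$$' in a .NET substitution is a literal '$', so '$${$1}' yields '${<name>}'.
        $netReplacement = $replacement -replace '\{(\w+)\}', '$${$1}'
        $output = [regex]::Replace($Value, $regex, $netReplacement)
        # Which schema entries emit this transformation's output (by TransformationId)?
        $emitting = @($cmp.ClaimsSchema | Where-Object { $_.TransformationId -eq $t.ID } |
                      ForEach-Object { if ($_.SamlClaimType) { $_.SamlClaimType } else { $_.JwtClaimType } })
        [pscustomobject]@{
            TransformationId = $t.ID
            EmittedClaims    = ($emitting -join ', ')
            Regex            = $regex
            Replacement      = $replacement
            InputLength      = $Value.Length
            OutputLength     = $output.Length
            OverThreshold    = ($output.Length -gt $Threshold)
        }
    }
}

if ([string]::IsNullOrEmpty($SampleValue)) {
    # Constructed oversized attribute: 200 semicolon-separated tokens, ~1.4k characters.
    $SampleValue = (1..200 | ForEach-Object { 'grp{0:d3}' -f $_ }) -join ';'
}

$json = Get-PolicyDefinitionJson -DisplayName $PolicyDisplayName
Test-RegexReplaceTransformations -DefinitionJson $json -Value $SampleValue -Threshold $WarnAboveChars |
    Format-Table -AutoSize
```

Run it as `.\Test-ClaimRegex.ps1` for the offline demo, or `.\Test-ClaimRegex.ps1 -PolicyDisplayName 'MyPolicy' -SampleValue (value copied from the failing user's attribute)` against a tenant. Rows with OverThreshold set to True point at the transformation to tighten (narrower pattern, fewer captured groups in the replacement, or a Substring step in front of it); the local regex engine is only an approximation of Entra's, so confirm the fix with a fresh sign-in for the affected user after updating the policy.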