Low severity | authentication
Power BI Error:
AADSTS501631, Claims Transformation Regex Too Many Matches
What does this error mean?
The regex in a claims transformation rule (typically a RegexReplace transformation) matched more than one substring of the source claim value. The transformation expects a single match to substitute into the output claim, so Entra ID cannot compute the claim and refuses to issue the token for that user.
Common causes
1. A claims mapping policy or custom claims transformation uses a regex that is too loose (unanchored, or built from broad classes such as `.*` or `\w+`) and therefore matches several segments of the source claim instead of one
2. The source claim value (such as UPN, email, or a directory extension attribute) contains repeated delimiters or repeated character runs that the regex was not designed to handle
3. A recent change to the enterprise application's SSO claims configuration introduced a faulty RegexReplace transformation
4. Directory data drift: user attribute values changed shape (e.g. extra domain segments, multiple '@' characters, guest `#EXT#` UPNs) so a pattern that used to match once now matches repeatedly
5. Copy-paste of a regex template from another tenant or app without the anchors (`^`/`$`) or the specific character classes (e.g. `[^@]+`) that limited it to one match there
How to fix it
1. Open the affected enterprise application in the Microsoft Entra admin center → Single sign-on → Attributes & Claims, and identify the claim whose transformation is RegexReplace
2. Inspect the regex pattern: anchor it with `^` and `$` and replace broad wildcards such as `.*` with specific classes such as `[^@]+`, so that the pattern can match the source value at most once. Note that switching `.*` to the non-greedy `.*?` does not reduce the number of matches (an unanchored non-greedy pattern can match even more often); anchoring and specificity are what bound the match count
3. Test the regex against the affected user's actual source claim value (UPN/email/extension attribute) with a .NET-compatible regex tester and confirm it yields exactly one match, not several
4. If the claim is defined in a claims mapping policy rather than in the portal, update the policy definition JSON and reassign it to the service principal: via Microsoft Graph (`PATCH /policies/claimsMappingPolicies/{id}`, then the `claimsMappingPolicies/$ref` assignment on the service principal) or Microsoft Graph PowerShell (`Update-MgPolicyClaimMappingPolicy`, `New-MgServicePrincipalClaimMappingPolicyByRef`). The older `New-AzureADPolicy`/`Set-AzureADPolicy` cmdlets belong to the retired AzureAD module and should not be used for new work
5. Have the user re-attempt sign-in; if the error persists, capture the correlation ID from the error page and look up the sign-in in Entra ID sign-in logs. The log identifies the application, the error code and the failure reason, but it does not record claim values, so read the user's actual attribute value from the user object (admin center or `Get-MgUser`) to see what the regex was run against
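The following PowerShell is an added example, not code from the original page or from Microsoft: it performs the test in steps 2 and 3 locally, counting how many times a candidate pattern matches each sample source value with the .NET regex engine (assumed here to behave like the engine Entra applies for RegexReplace, since the admin center accepts .NET named-group syntax). The sample values, the loose and anchored patterns and the group names `user`/`domain` are all constructed for the example; for a real user substitute the attribute read with `Get-MgUser` after `Connect-MgGraph`.

```powershell
# Added example (not from the original page): count regex matches per source value
# the way an AADSTS501631 investigation needs, before saving the pattern in Entra.
function Test-ClaimRegex {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Pattern,
        [Parameter(Mandatory)] [string[]] $Values
    )
    $rx = [regex]::new($Pattern)
    # Named groups are what the Entra replacement pattern references as {name}
    $groupNames = $rx.GetGroupNames() | Where-Object { $_ -notmatch '^\d+$' }

    foreach ($value in $Values) {
        $found = $rx.Matches($value)
        $verdict = switch ($found.Count) {
            0       { 'NO MATCH' }
            1       { 'OK' }
            default { 'TOO MANY MATCHES' }   # the condition behind AADSTS501631
        }
        # For the single-match case, show what each {group} would expand to
        $groups = ''
        if ($found.Count -eq 1) {
            $groups = ($groupNames | ForEach-Object { "$_=$($found[0].Groups[$_].Value)" }) -join '; '
        }
        [pscustomobject]@{
            Value   = $value
            Matches = $found.Count
            Verdict = $verdict
            Groups  = $groups
        }
    }
}

# Constructed sample source-claim values covering the shapes that trip loose patterns:
# a plain UPN, a guest UPN with #EXT#, a nested domain, and an attribute holding two addresses.
$samples = @(
    'alice@contoso.com',
    'bob_fabrikam.com#EXT#@contoso.onmicrosoft.com',
    'carol@sales.emea.contoso.com',
    'dept-sales@contoso.com;dept-emea@contoso.com'
)

# Loose template pattern (assumed): unanchored, matches every "word.word" run,
# so the nested-domain and guest values produce two matches each.
$loose = '(?<domain>\w+\.\w+)'
Test-ClaimRegex -Pattern $loose -Values $samples | Format-Table -AutoSize

# Anchored, specific pattern (assumed): at most one match per value; the value
# with two '@' characters yields NO MATCH instead of an over-match, which is
# the safer failure to investigate.
$anchored = '^(?<user>[^@]+)@(?<domain>[^@]+)$'
Test-ClaimRegex -Pattern $anchored -Values $samples | Format-Table -AutoSize

# To test the real value instead of the samples (requires Connect-MgGraph -Scopes 'User.Read.All'):
# $upn = (Get-MgUser -UserId 'alice@contoso.com' -Property UserPrincipalName).UserPrincipalName
# Test-ClaimRegex -Pattern $anchored -Values @($upn)
```

Run it once with the pattern currently configured on the app and once with the corrected pattern; the claim can only be saved safely when every realistic input reports `Matches` of 0 or 1, and the `Groups` column tells you what the replacement template will actually emit for the single-match case.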