Low severity | authentication
Power BI Error: AADSTS501632
What does this error mean?
The Azure AD / Entra ID claims-mapping policy applied to the application contains a RegexReplace transformation whose replacement string uses more $n placeholders than the regex pattern has capturing groups, so the token service cannot build the claim.
Common causes
1. A custom claims-mapping policy on the enterprise application uses a RegexReplace transformation where the replacement string contains $n tokens that exceed the number of capturing groups in the regex pattern
2. A recent edit to the SAML/OIDC token configuration ('Edit claims' → Transformation = RegexReplace) introduced an extra $2/$3 placeholder
3. A claims-mapping policy applied via Microsoft Graph or PowerShell (New-AzureADPolicy) with a malformed RegexReplace definition
4. A regex copy-pasted from documentation where the capture groups were stripped but the replacement template was kept intact
5. A claim transformation chained on a source attribute whose regex was simplified, leaving orphan $n references in the replacement
How to fix it
1. Open Entra admin center → Enterprise applications → your app → Single sign-on → Attributes & Claims, and locate any claim with a Transformation of type RegexReplace
2. Compare the regex pattern's number of capture groups (parentheses) against the $n tokens in the Replacement value, and reduce the replacement so it only references groups that actually exist (e.g. pattern `^([^@]+)@.*$` supports only $1)
3. If the claims-mapping policy was deployed via Graph/PowerShell, run `Get-AzureADPolicy` (or `Get-MgPolicyClaimsMappingPolicy`) and inspect the JSON definition; fix the RegexReplace InputParameters and re-assign with `Set-AzureADPolicy`
4. Test the corrected mapping with the app's sign-in test feature, then have the affected user retry; tokens issued after the fix will succeed
5. If you don't own the app registration, send the AADSTS501632 correlation ID and timestamp to your Entra ID administrator so they can locate the offending policy in sign-in logs
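The group-count check from step 2, as an added Python example (not Microsoft's code and not from this page): it counts capturing groups in a .NET-style pattern, including named groups and skipping escapes and character classes, and flags $n placeholders in the replacement that have no matching group, run over a constructed ClaimsMappingPolicy definition whose parameter names `regex` and `replacement` are an assumption.

```python
import json
import re

# Constructed sample policy (not from any real tenant). Its ClaimsMappingPolicy JSON
# layout, with RegexReplace parameters "regex" and "replacement", is an assumption.
SAMPLE_POLICY = json.dumps({"ClaimsMappingPolicy": {
    "Version": 1, "IncludeBasicClaimSet": "true",
    "ClaimsTransformations": [{
        "ID": "StripDomain", "TransformationMethod": "RegexReplace",
        "InputParameters": [{"ID": "regex", "Value": "^([^@]+)@.*$"},
                            {"ID": "replacement", "Value": "$1-$2"}]}]}})  # $2 has no group

def count_capture_groups(pattern):
    """Count capturing groups in a .NET-style regex: escapes and character classes are
    skipped, and (?...) constructs count only as named groups (?<name>..) / (?'name'..)."""
    count, i, in_class = 0, 0, False
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":  # escaped character: skip it along with the backslash
            i += 1
        elif in_class:
            in_class = ch != "]"
        elif ch == "[":
            in_class = True
        elif ch == "(":
            rest = pattern[i + 1:i + 4]
            if not rest.startswith("?") or re.match(r"\?(<[^=!]|')", rest):
                count += 1
        i += 1
    return count

def orphan_placeholders(regex, replacement):
    """Return the $n tokens in the replacement that refer to groups the regex lacks."""
    groups = count_capture_groups(regex)
    tokens = re.findall(r"\$(\d+)", replacement.replace("$$", ""))  # $$ is a literal $
    return sorted({int(n) for n in tokens if int(n) > groups})

def audit_policy(policy_json):
    """Map each RegexReplace transformation that has orphan $n tokens to those tokens."""
    policy = json.loads(policy_json)["ClaimsMappingPolicy"]
    findings = {}
    for t in policy.get("ClaimsTransformations", []):
        if t.get("TransformationMethod") != "RegexReplace":
            continue
        params = {p["ID"].lower(): p["Value"] for p in t.get("InputParameters", [])}
        orphans = orphan_placeholders(params.get("regex", ""), params.get("replacement", ""))
        if orphans:
            findings[t["ID"]] = orphans
    return findings
```

The same `audit_policy` call can be run on a definition exported with `Get-MgPolicyClaimsMappingPolicy` before re-assigning the corrected policy.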