Low severity · authentication

Power BI Error:
AADSTS50166, External OIDC endpoint failed

What does this error mean?

Microsoft Entra ID (Azure AD) could not complete federation because the external OIDC identity provider's endpoint did not respond successfully.

Common causes

  • The federated external OIDC identity provider (e.g. Okta, Auth0, Google, ADFS, custom IdP) was unreachable, returned a 5xx, or timed out
  • Incorrect OIDC configuration in Entra ID: wrong issuer URL, authorization/token endpoint, or stale OpenID metadata (`.well-known/openid-configuration`)
  • Expired or rotated client secret / signing certificate on the external IdP that Entra ID still trusts
  • TLS/certificate problem on the external IdP (untrusted CA, expired cert, SNI mismatch) blocking the back-channel call
  • The external IdP returned an OIDC error (invalid_client, invalid_scope, consent missing) which Entra ID surfaces as AADSTS50166

How to fix it

  1. Identify which external IdP is federated for the user's domain (Entra admin center → External Identities / Identity Providers, or `Get-MgDomainFederationConfiguration`) — AADSTS50166 only happens on federated sign-ins
  2. Test the external IdP's OIDC endpoints directly: fetch `https://<idp>/.well-known/openid-configuration` and the authorization/token URLs from the same network, check for HTTP 200, valid JSON, and a non-expired TLS certificate
  3. Check the IdP's own sign-in / audit logs for the same timestamp — if the IdP logged an error (invalid client, expired secret, blocked user), fix it there; AADSTS50166 is the downstream symptom
  4. In Entra ID, refresh or re-create the OIDC federation: update the client ID/secret, re-import metadata, and verify the issuer matches what the IdP actually returns in `iss`
  5. If the failure is intermittent and only some users are affected, have the user clear cached tokens / sign out of Power BI Desktop and the browser, then retry; persistent failures across users point to IdP-side outage or misconfiguration
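
The checks in steps 2 and 4 can be scripted. The following is an added example, not code from Microsoft or from this page: it validates a discovery document against the issuer configured for the federation and reports the days left on the IdP's TLS certificate. The `idp.example.com` values are constructed sample data, and the function names are hypothetical.

```python
import json, socket, ssl, time, urllib.request
from urllib.parse import urlsplit

REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample: issuer has a trailing slash the configured value lacks.
SAMPLE_BODY = json.dumps({
    "issuer": "https://idp.example.com/",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "http://idp.example.com/token",
    "jwks_uri": "https://idp.example.com/keys",
})
SAMPLE_CONFIGURED_ISSUER = "https://idp.example.com"

def validate_metadata(body, configured_issuer):
    """Return a list of problems in a discovery document (empty list = OK)."""
    try:
        doc = json.loads(body)
    except ValueError:
        return ["response is not valid JSON"]
    if not isinstance(doc, dict):
        return ["discovery document is not a JSON object"]
    problems = [f"missing {k}" for k in REQUIRED if not doc.get(k)]
    # OIDC Discovery requires an exact string match, so a trailing slash counts.
    if doc.get("issuer") and doc["issuer"] != configured_issuer:
        problems.append("issuer mismatch")
    for k in REQUIRED[1:]:
        if doc.get(k) and urlsplit(str(doc[k])).scheme != "https":
            problems.append(f"{k} is not https")
    return problems

def cert_days_left(not_after, now=None):
    """Whole days until notAfter, in the format ssl.getpeercert() returns."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)

def probe(issuer, timeout=10):
    """Live check against a real IdP: verified TLS handshake, then metadata."""
    parts = urlsplit(issuer)
    ctx = ssl.create_default_context()  # validates chain and hostname
    with socket.create_connection((parts.hostname, parts.port or 443), timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=parts.hostname) as tls:
            days = cert_days_left(tls.getpeercert()["notAfter"])
    url = issuer.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=timeout) as resp:  # raises on 4xx/5xx
        return days, validate_metadata(resp.read().decode("utf-8", "replace"), issuer)

if __name__ == "__main__":
    print(validate_metadata(SAMPLE_BODY, SAMPLE_CONFIGURED_ISSUER))
```

`probe()` raises on an untrusted or expired certificate, a timeout, or a non-2xx response, which separates the TLS and reachability causes from the metadata problems that `validate_metadata()` lists.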

Frequently asked questions

What does AADSTS50166 mean?

Request to External OIDC endpoint failed.

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes
