Medium severity · authentication

Power BI Error: AADSTS50170

What does this error mean?

Microsoft Entra ID (Azure AD) sign-in fails because the external claims provider mapping for federated authentication is missing or misconfigured.

Common causes

  • Federated identity provider (external IdP, B2B direct federation, or SAML/WS-Fed app) is missing a required claim mapping in the Entra ID claims-mapping policy
  • Custom claims-mapping policy assigned to the service principal references a source claim that the external IdP does not emit
  • Cross-tenant access / B2B direct federation configuration was added but the external claims provider was never fully mapped to a user attribute (e.g. mail, UPN)
  • Token issuance policy on the enterprise application is incomplete after migrating an app from another IdP to Entra ID
  • An app expects optional claims or external attributes that are not configured in the app registration's Token configuration blade

How to fix it

  1. Open the affected enterprise application in the Microsoft Entra admin center → Enterprise applications → your app → Single sign-on, and verify that all required Attributes & Claims are mapped to a valid source (user.mail, user.userprincipalname, etc.)
  2. If the app uses a custom claims-mapping policy, run `Get-MgPolicyClaimMappingPolicy` (Microsoft Graph PowerShell) and confirm every ClaimsSchema entry has a valid Source; replace any reference to an external claim that the IdP does not emit
  3. For B2B direct federation / external identity providers, go to External Identities → All identity providers, open the federation configuration and ensure the IdP's metadata and claim mappings (issuer URI, signing cert, claim → user attribute) are complete
  4. In the app's App registration → Token configuration, add the missing optional/group/directory claims the application expects, then have the user clear cached tokens and sign in again
  5. If the issue started after a configuration change, capture the full sign-in error from Entra ID → Sign-in logs (Correlation ID + Request ID) and share it with the application owner so they can correct the specific missing mapping
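Step 2 tells you to inspect the policy returned by `Get-MgPolicyClaimMappingPolicy`, but reading the raw JSON by eye is error-prone. The following PowerShell is an added example, not code from the original page, from MetricSign or from Microsoft: it parses the JSON held in a policy's Definition property and flags ClaimsSchema entries whose Source is not one of the values the claims-mapping policy schema accepts (user, application, company, transformation), entries that lack the source attribute ID, and transformation-backed claims whose TransformationId the policy never declares. The function name `Test-ClaimsMappingDefinition` and the embedded sample definition are constructed for illustration; the `externalIdp` source in the sample is deliberately invalid to show what a finding looks like.

```powershell
# Added example (not from the original page): audit an Entra ID claims-mapping
# policy definition for ClaimsSchema entries the token service cannot resolve.
# $Definition is the JSON string found in the Definition property of the objects
# returned by Get-MgPolicyClaimMappingPolicy.
function Test-ClaimsMappingDefinition {
    param(
        [Parameter(Mandatory)] [string] $Definition
    )

    # Source values accepted by the claims-mapping policy schema.
    $validSources = @('user', 'application', 'company', 'transformation')

    $policy   = ($Definition | ConvertFrom-Json).ClaimsMappingPolicy
    $findings = @()

    # IDs of declared transformations, so Source=transformation entries can be cross-checked.
    $transformationIds = @()
    if ($policy.ClaimsTransformation) {
        $transformationIds = @($policy.ClaimsTransformation | ForEach-Object { $_.ID })
    }

    foreach ($entry in @($policy.ClaimsSchema)) {
        # Name the emitted claim for the report (JWT or SAML name, whichever is set).
        $target = if ($entry.JwtClaimType) { $entry.JwtClaimType }
                  elseif ($entry.SamlClaimType) { $entry.SamlClaimType }
                  else { '<unnamed>' }

        if (-not $entry.Source) {
            $findings += "claim '$target': Source is missing"
            continue
        }
        if ($validSources -notcontains $entry.Source) {
            $findings += "claim '$target': Source '$($entry.Source)' is not one of user/application/company/transformation"
            continue
        }
        if ($entry.Source -eq 'transformation') {
            if (-not $entry.TransformationId) {
                $findings += "claim '$target': Source is transformation but TransformationId is missing"
            }
            elseif ($transformationIds -notcontains $entry.TransformationId) {
                $findings += "claim '$target': TransformationId '$($entry.TransformationId)' is not declared in ClaimsTransformation"
            }
        }
        elseif (-not $entry.ID) {
            $findings += "claim '$target': ID (source attribute) is missing"
        }
    }

    return $findings
}

# Constructed sample definition (not a real tenant's policy). The second entry uses a
# Source the token service does not know, and the third references a transformation
# that is never declared; both are the kind of defect behind AADSTS50170.
$sampleDefinition = @'
{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true","ClaimsSchema":[
 {"Source":"user","ID":"mail","JwtClaimType":"email"},
 {"Source":"externalIdp","ID":"employeeNumber","SamlClaimType":"employeeId"},
 {"Source":"transformation","ID":"DataJoin","TransformationId":"JoinTheData","JwtClaimType":"JoinedData"}
]}}
'@

Test-ClaimsMappingDefinition -Definition $sampleDefinition

# Against a live tenant, after Connect-MgGraph with a scope that can read policies
# (for example Policy.Read.All), the same check runs over every policy:
# Get-MgPolicyClaimMappingPolicy | ForEach-Object {
#     "== $($_.DisplayName) ($($_.Id))"
#     Test-ClaimsMappingDefinition -Definition ($_.Definition -join '')
# }
```

Run offline, the sample produces two findings: one for the `employeeId` claim with the unknown source and one for `JoinedData`, whose TransformationId is not declared. A policy that yields no findings can still be wrong for the reason in step 2 (the external IdP simply does not emit the attribute named in ID), so use this as a first filter before comparing the remaining `user`-sourced IDs against the attributes the federated IdP actually sends.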

Frequently asked questions

What does AADSTS50170 mean?

The external controls mapping is missing.

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes
