Low severity | authentication
Power BI Error: AADSTS50172
What does this error mean?
Microsoft Entra ID (Azure AD) rejects sign-in because the federated external claims provider is not approved for this tenant.
Common causes
1. The federated identity provider (e.g. an external SAML/OIDC IdP or partner tenant) is not registered as an approved claims provider in Entra ID
2. The external claims provider was previously configured but has been removed, disabled, or its trust was revoked by an admin
3. Cross-tenant access settings or B2B/External Identities policy block claims from this provider
4. The claims provider's metadata, certificate, or issuer URI changed and no longer matches the approved configuration
5. User is signing in via a guest/federation flow that points to an IdP not whitelisted for the resource tenant
How to fix it
1. Capture the {provider} value from the error and the user's UPN, then identify which external IdP / partner tenant issued the token
2. In the Entra admin center, go to External Identities → All identity providers (or Cross-tenant access settings) and verify the provider is listed and enabled for this tenant
3. If missing, add or re-approve the claims provider: register the IdP, upload current federation metadata/signing certificate, and confirm the issuer URI matches what Entra received
4. Review Conditional Access and Cross-tenant access policies to ensure inbound claims from this provider aren't being blocked for the target application (e.g. Power BI Service)
5. Have the user clear cached credentials and retry; if it still fails, collect the correlation ID from login.microsoftonline.com/error and open a ticket with the IdP owner or Microsoft support
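For cause 4 and fix step 3, the check below compares an IdP's current SAML federation metadata against the issuer URI and signing certificate recorded as approved. It is an added example, not code from this page or from Microsoft. The `APPROVED` record layout, the SHA-256 thumbprint choice, the `idp.example.test` host and the sample metadata are assumptions constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def parse_idp_metadata(xml_text):
    """Return (entityID, SHA-256 thumbprints of the IdP's signing certificates)."""
    root = ET.fromstring(xml_text)
    # Metadata may be a bare EntityDescriptor or wrapped in EntitiesDescriptor.
    entity = (root if root.tag == "{%s}EntityDescriptor" % NS["md"]
              else root.find("md:EntityDescriptor", NS))
    if entity is None:
        raise ValueError("no EntityDescriptor in metadata")
    thumbprints = set()
    for kd in entity.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' applies to signing as well as encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            thumbprints.add(hashlib.sha256(der).hexdigest())
    return entity.get("entityID"), thumbprints

def find_drift(approved, xml_text):
    """List mismatches between the approved record and the IdP's current metadata."""
    issuer, thumbprints = parse_idp_metadata(xml_text)
    findings = []
    if issuer != approved["issuer_uri"]:  # exact string match: a trailing slash counts
        findings.append("issuer: approved %r, metadata %r" % (approved["issuer_uri"], issuer))
    if approved["cert_sha256"] not in thumbprints:
        findings.append("signing certificate: approved thumbprint not in metadata")
    return findings

# Constructed sample: placeholder bytes stand in for DER certificates.
OLD_CERT, NEW_CERT = b"constructed-old-cert", b"constructed-new-cert"
APPROVED = {"issuer_uri": "https://idp.example.test/saml",
            "cert_sha256": hashlib.sha256(OLD_CERT).hexdigest()}
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s"
    entityID="https://idp.example.test/saml/"><md:IDPSSODescriptor
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>%s</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
</md:IDPSSODescriptor></md:EntityDescriptor>""" % (
    NS["md"], NS["ds"], base64.b64encode(NEW_CERT).decode())
```

Calling `find_drift(APPROVED, SAMPLE_METADATA)` on the constructed sample reports both an issuer mismatch (trailing slash) and a rotated signing certificate.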