Medium severity, authentication
Power BI Error:
AADSTS50176, Missing external control definition
What does this error mean?
Conditional Access requested an external authentication control that isn't defined in the Entra ID (Azure AD) tenant.
Common causes
1. A Conditional Access policy references a custom/external control (controlId) that has been deleted or was never fully provisioned in the tenant
2. The third-party authentication provider (Duo, RSA SecurID, Ping, Silverfort, etc.) was uninstalled or its service principal removed while a CA policy still requires it
3. Tenant migration or directory restore left CA policies pointing to controlIds that don't exist in the new tenant
4. The external control is in the process of being created/published but hasn't propagated yet, or the publisher revoked it
5. A Power BI / Fabric service principal or user is hitting a CA policy scoped to apps that still mandates the missing custom control
How to fix it
1. In the Entra admin center → Protection → Conditional Access → Custom controls (preview), check whether the controlId from the error message still exists; if missing, this is the root cause
2. Identify which CA policy references the missing control: open each policy under Conditional Access → Policies and inspect Grant → Require custom controls
3. Either re-create/re-publish the external control via the third-party provider's onboarding JSON, or edit the CA policy to remove the reference and (if needed) replace it with a built-in grant such as Require MFA
4. If the external MFA vendor was decommissioned, coordinate with the vendor admin to re-register the service principal and re-publish the custom control definition before re-enabling the policy
5. After the fix, have the affected user (or Power BI gateway / service principal) re-attempt sign-in and verify via Entra ID Sign-in logs that AADSTS50176 no longer appears
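When the tenant has many policies, step 2 can be done over an export instead of opening each policy by hand. The script below is an added example, not part of the original page: it reads policies in the shape Microsoft Graph returns from `/identity/conditionalAccess/policies` and lists those whose `grantControls.customAuthenticationFactors` name a control that is not defined. The policy data, the control IDs and the function name are constructed for illustration, and the set of defined control IDs is assumed to be copied by hand from the Custom controls blade.

```python
import json

# Constructed sample in the shape Microsoft Graph returns for
# GET /identity/conditionalAccess/policies; every ID and name is made up.
SAMPLE_EXPORT = json.loads("""
{"value": [
 {"id": "pol-1", "displayName": "Power BI: legacy vendor MFA", "state": "enabled",
  "grantControls": {"operator": "OR", "builtInControls": [],
                    "customAuthenticationFactors": ["RequireLegacyVendorMfa"]}},
 {"id": "pol-2", "displayName": "All apps: current vendor MFA", "state": "enabled",
  "grantControls": {"operator": "OR", "builtInControls": [],
                    "customAuthenticationFactors": ["RequireVendorMfa"]}},
 {"id": "pol-3", "displayName": "Pilot: legacy vendor MFA",
  "state": "enabledForReportingButNotEnforced",
  "grantControls": {"operator": "AND", "builtInControls": ["mfa"],
                    "customAuthenticationFactors": ["RequireLegacyVendorMfa"]}},
 {"id": "pol-4", "displayName": "Session lifetime only", "state": "enabled",
  "grantControls": null}
]}
""")

# Assumption: control IDs the admin copied from the Custom controls blade.
DEFINED_CONTROL_IDS = {"RequireVendorMfa"}


def find_missing_control_refs(policies, defined_ids):
    """Return policies whose grant controls name a custom control that is not defined."""
    findings = []
    for policy in policies:
        grant = policy.get("grantControls") or {}  # null when only session controls are set
        required = grant.get("customAuthenticationFactors") or []
        missing = [cid for cid in required if cid not in defined_ids]
        if missing:
            findings.append({
                "id": policy.get("id"),
                "name": policy.get("displayName"),
                "missing": missing,
                # Only state "enabled" is enforced; report-only and disabled do not block sign-in.
                "enforced": policy.get("state") == "enabled",
            })
    # Enforced policies first: those are the ones to repair or edit before anything else.
    return sorted(findings, key=lambda f: not f["enforced"])


if __name__ == "__main__":
    for f in find_missing_control_refs(SAMPLE_EXPORT["value"], DEFINED_CONTROL_IDS):
        status = "ENFORCED" if f["enforced"] else "not enforced"
        print(f'{f["id"]}  {status:12}  {f["name"]}  missing={f["missing"]}')
```

Report-only and disabled policies that reference the missing control are listed as well, so they can be corrected before anyone switches them on.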