Low severity | authentication
Power BI Error:
AADSTS51001
What does this error mean?
Sign-in failed because the request used an on-premises SID or UPN without a required domain_hint parameter.
Common causes
1. IdP-initiated sign-in (e.g. AD FS or third-party federation) where the SAML request carries an on-prem UPN/SID but no domain_hint is appended to the Azure AD/Entra ID authorize URL
2. Custom Power BI embedded or Fabric app sending an on-premises immutableId/SID in the login_hint without a matching domain_hint
3. Federated tenant with multiple verified domains where Entra ID cannot determine the home realm from the user identifier alone
4. Bookmark or stale deep-link to login.microsoftonline.com that omits the domain_hint parameter after a recent federation/SSO change
5. Misconfigured Azure Data Factory / Databricks linked service using a service principal flow that injects on-prem identity claims without tenant routing
How to fix it
1. Append &domain_hint=yourdomain.com (the verified federated domain in Entra ID) to the authorize URL or the SSO link the user clicked — this is the direct fix in 90% of cases
2. If this is an AD FS or third-party IdP-initiated flow, update the relying party / SP-initiated SAML configuration to set the domain_hint when redirecting to login.microsoftonline.com
3. For embedded Power BI or custom apps using MSAL, set the extraQueryParameters / domainHint property on the auth request instead of relying solely on login_hint
4. Verify in Entra ID > Custom domain names that the domain in the user's UPN is verified and federated; an unverified domain causes Entra ID to refuse home-realm discovery
5. Have the user sign in by typing their full UPN at https://login.microsoftonline.com directly (not via the failing deep link) to confirm the account itself works, isolating the issue to the calling app's URL
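As an added example (not code from this page or from Microsoft), the function below applies fix 1 in the calling app: it sets domain_hint on an authorize URL only when the value is on an allowlist of the tenant's verified federated domains, so a user-supplied identifier is never reflected into the parameter unchecked. The function name `withDomainHint`, the `fallbackDomain` argument, the domain `contoso.com`, the all-zero client_id and the sample login_hint values are assumptions made for illustration.

```javascript
// Added example: names, domains and URLs below are constructed placeholders.
const AUTH_HOST = "login.microsoftonline.com";

// Returns the authorize URL with domain_hint set, or throws if no safe value exists.
// verifiedDomains: federated domains verified in the tenant (assumed known to the caller).
function withDomainHint(authorizeUrl, verifiedDomains, fallbackDomain) {
  const url = new URL(authorizeUrl);
  if (url.hostname !== AUTH_HOST) {
    throw new Error(`refusing to edit non-Entra URL: ${url.hostname}`);
  }
  const allowed = new Set(verifiedDomains.map((d) => d.toLowerCase()));

  // An existing hint is kept only if it names a verified domain.
  const existing = url.searchParams.get("domain_hint");
  if (existing !== null) {
    if (!allowed.has(existing.toLowerCase())) {
      throw new Error(`domain_hint "${existing}" is not a verified domain`);
    }
    return url.toString();
  }

  // Derive the domain from a UPN-style login_hint (user@domain).
  const loginHint = url.searchParams.get("login_hint") || "";
  const at = loginHint.lastIndexOf("@");
  let domain = at > 0 ? loginHint.slice(at + 1).toLowerCase() : "";

  // A SID or other non-UPN identifier carries no domain: use the explicit fallback.
  if (domain === "" && fallbackDomain) domain = fallbackDomain.toLowerCase();

  if (!allowed.has(domain)) {
    throw new Error(`cannot choose domain_hint for login_hint "${loginHint}"`);
  }
  url.searchParams.set("domain_hint", domain);
  return url.toString();
}

// Constructed sample inputs: one UPN login_hint, one on-premises SID login_hint.
const base = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize" +
  "?client_id=00000000-0000-0000-0000-000000000000&response_type=code";
const fixedUpn = withDomainHint(base + "&login_hint=alice%40contoso.com", ["contoso.com"]);
const fixedSid = withDomainHint(base + "&login_hint=S-1-5-21-1-2-3-1001", ["contoso.com"], "contoso.com");
console.log(fixedUpn);
console.log(fixedSid);
```

A UPN whose suffix is not in the verified list makes the function throw rather than guess, which matches the check in fix 4.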