MetricSign
Low severity · authentication

Power BI Error:
AADSTS51004, User Account Not in Directory: Causes & Fix

What does this error mean?

The signing-in user does not exist in the Microsoft Entra ID (Azure AD) tenant the application is authenticating against.

Common causes

  • Application is registered as single-tenant (authority login.microsoftonline.com/<tenant-id>) while the user belongs to a different Entra ID tenant
  • External user was expected to access the tenant but was never invited as a B2B guest, or never accepted the invitation
  • User signs in with a personal Microsoft account (MSA) on a tenant that only accepts work/school accounts (signInAudience mismatch)
  • User was recently deleted, soft-deleted, or migrated between tenants and no longer exists in the target directory
  • Power BI / Fabric / ADF data source or service principal is configured against the wrong tenant in a cross-tenant sharing scenario

How to fix it

  1. Verify in the Entra admin center → Users that the UPN actually exists in the target tenant — if it isn't there, that is the root cause and no app-side fix will help
  2. Check the authority URL in the app registration: if the app must accept users from multiple tenants, change it to /organizations or /common and set signInAudience to AzureADMultipleOrgs
  3. If the user is external, invite them via Entra ID → External Identities → Invite user as a B2B guest and have them accept the invitation email before retrying sign-in
  4. For Power BI / Fabric cross-tenant data sharing, open Entra ID → External Identities → Cross-tenant access settings and confirm inbound access from the user's home tenant is allowed for the relevant apps
  5. If the user signed in with a personal Microsoft account, have them sign out completely and re-authenticate with the work/school account that belongs to the target tenant

Beyond the docs

Common practitioner solutions not covered in the official documentation.

  1. PowerShell: Check if the user exists in the tenant — Get-MgUser -Filter "userPrincipalName eq 'user@domain.com'" -Property Id,DisplayName,UserType,AccountEnabled | Select-Object Id, DisplayName, UserType, AccountEnabled (Get-MgUser returns only a default property set, so UserType and AccountEnabled come back empty unless they are requested with -Property)
  2. PowerShell: Check B2B guest invitation status for an external user — Get-MgUser -Filter "mail eq 'external@otherdomain.com'" -Property UserPrincipalName,UserType,ExternalUserState | Select-Object UserPrincipalName, UserType, ExternalUserState
  3. Multi-tenant app: If your app is registered as single-tenant (authority contains a specific tenant ID), users from other tenants get AADSTS51004. Change Supported account types to 'Accounts in any organizational directory' in App registrations → Authentication
  4. Tenant mismatch: Confirm the user is authenticating against the correct tenant. In the Entra sign-in log, compare the 'Home tenant ID' field with the tenant where the app is registered — a mismatch means the user is in the wrong directory
  5. Guest invitation: If the user is external, they must be invited as a B2B guest first. Entra ID → Users → Invite external user — then the user must redeem the invitation before sign-in is possible

Example log output

# MSAL / Azure SDK error:
AADSTS51004: The user account <user@domain.com> does not exist in the tenant '<tenant-id>'.
To sign into this application, the account must be added to the tenant.

# Power BI embed token request failure (REST API):
{
  "error": "invalid_grant",
  "error_description": "AADSTS51004: The user account does not exist in the tenant."
}
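
An added example, not MetricSign's or Microsoft's code: a small triage helper that combines the REST error body above, the app's authority URL and the result of the Get-MgUser lookup to pick which of the fixes applies. The function names and the tenant GUID are hypothetical placeholders, and `directory_user` is assumed to be the selected Get-MgUser fields passed in as a dict (None when the lookup returns nothing).

```python
import json
import re
from urllib.parse import urlparse

AADSTS_RE = re.compile(r"AADSTS(\d+)")
SHARED_ENDPOINTS = {"common", "organizations", "consumers"}

# Constructed inputs: the error body mirrors the REST failure shown above;
# the tenant GUID is a placeholder, not a real tenant.
SAMPLE_ERROR = json.dumps({
    "error": "invalid_grant",
    "error_description": "AADSTS51004: The user account does not exist in the tenant.",
})
SAMPLE_AUTHORITY = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000"


def aadsts_code(error_body):
    """Return the numeric AADSTS code from an OAuth error body, or None."""
    description = json.loads(error_body).get("error_description", "")
    match = AADSTS_RE.search(description)
    return int(match.group(1)) if match else None


def authority_scope(authority):
    """Classify the first path segment of the authority URL."""
    segment = urlparse(authority).path.strip("/").split("/")[0].lower()
    if not segment:
        return "unknown"  # the URL carries no tenant segment
    # Anything other than a shared endpoint (a tenant GUID or domain) pins one directory.
    return segment if segment in SHARED_ENDPOINTS else "single-tenant"


def triage(error_body, authority, directory_user):
    """directory_user: dict of selected Get-MgUser fields, or None if no match."""
    if aadsts_code(error_body) != 51004:
        return "not AADSTS51004"
    if directory_user is None:
        if authority_scope(authority) == "single-tenant":
            return "invite as B2B guest, or move authority to /organizations"
        return "no such user in target tenant: check which account signed in"
    if (directory_user.get("UserType") == "Guest"
            and directory_user.get("ExternalUserState") == "PendingAcceptance"):
        return "guest invited but invitation not redeemed"
    return "user exists: compare Home tenant ID with the app's tenant"


if __name__ == "__main__":
    print(triage(SAMPLE_ERROR, SAMPLE_AUTHORITY, None))
```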

Frequently asked questions

What does AADSTS51004 mean?

AADSTS51004 (UserAccountNotInDirectory) means the user account trying to sign in does not exist in the Entra ID tenant the application is authenticating against. This happens when an app is registered as single-tenant but users from a different tenant try to sign in, when an external user has never been invited as a B2B guest, or when a personal Microsoft account is used against a tenant that only accepts work/school accounts.

How do I fix AADSTS51004?

First, open Entra admin center → Users and verify the user’s UPN actually exists in the target tenant. If not, you need to either (1) invite them as a B2B guest via Entra ID → External Identities → Invite user, or (2) change the app registration’s authority from /{tenantId} to /organizations or /common and set signInAudience to AzureADMultipleOrgs to accept multi-tenant logins. Have the user clear their browser session and retry after making the change.

Why does AADSTS51004 happen in Power BI or Fabric?

In Power BI, AADSTS51004 commonly appears when a user from an external organization tries to access a shared workspace or report in a tenant where they haven’t been added as a B2B guest. It also surfaces in cross-tenant data sharing scenarios where the service principal or linked service is configured against the wrong tenant ID. Check the Power BI admin portal for external sharing settings and confirm in Entra ID → External Identities → Cross-tenant access settings that inbound access from the user’s home tenant is allowed.

What is the difference between AADSTS51004 and AADSTS50020?

Both errors indicate a tenant mismatch but at different layers. AADSTS50020 means the user exists in Entra ID but doesn’t belong to the specific tenant the app is targeting — it often appears with personal MSA accounts hitting a work tenant. AADSTS51004 is more absolute: the account does not exist in the target directory at all. For AADSTS50020 switching the authority to /common may be enough; for AADSTS51004 the user must actually be added to the tenant first.

How do I invite an external user to my Entra ID tenant to fix AADSTS51004?

Go to Entra admin center (entra.microsoft.com) → Identity → Users → All users → Invite external user. Enter the user’s email address and send the invitation. The user must accept the email invitation before they can sign in. For bulk invitations you can use the Azure portal’s bulk invite CSV upload or the Microsoft Graph API. After the user accepts, they appear in your tenant as a Guest account and can sign in to applications that have been shared with them.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes
