What causes AADSTS650056?

The Issuer/AppID sent in the SAML or OAuth request does not match the Identifier (Entity ID) configured on the Enterprise Application. The Reply URL (redirect URI) used by the client is not listed on the app registration. The client requested Microsoft Graph or Power BI Service permissions that are not granted (no admin consent) on the service principal. The application is registered in a different tenant than the one the user is signing in to (wrong tenant ID / multi-tenant flag missing). Stale or duplicate service principal after re-registration — old AppID still cached by the client

How do I fix AADSTS650056?

Open the exact error message and copy the application identifier (GUID or URI) it mentions — that is the value the client is sending. In the Microsoft Entra admin center → Enterprise Applications, open the app and verify the Identifier (Entity ID) and Reply URL match the value from step 1 exactly, including any trailing slash. Under App registrations → API permissions, confirm all requested scopes (e.g. Power BI Service, Dataset.ReadWrite.All) are listed and have admin consent granted for the tenant. If this is a Power BI gateway, ADF Linked Service, or Fabric pipeline using a service principal, re-enter the Application (client) ID and secret in the connection — a recreated app registration changes the AppID. Run Test SSO in Entra admin center (or capture the SAML/OIDC request via Fiddler) and paste the error into 'Resolving Errors' to see the exact Issuer vs. Identifier diff

Low severityauthentication

Power BI Error:
AADSTS650056

What does this error mean?

The application is misconfigured in Microsoft Entra ID (Azure AD) — usually a mismatch between the app identifier sent and the one registered.

Common causes

1The Issuer/AppID sent in the SAML or OAuth request does not match the Identifier (Entity ID) configured on the Enterprise Application
2The Reply URL (redirect URI) used by the client is not listed on the app registration
3The client requested Microsoft Graph or Power BI Service permissions that are not granted (no admin consent) on the service principal
4The application is registered in a different tenant than the one the user is signing in to (wrong tenant ID / multi-tenant flag missing)
5Stale or duplicate service principal after re-registration — old AppID still cached by the client

How to fix it

1Open the exact error message and copy the application identifier (GUID or URI) it mentions — that is the value the client is sending
2In the Microsoft Entra admin center → Enterprise Applications, open the app and verify the Identifier (Entity ID) and Reply URL match the value from step 1 exactly, including any trailing slash
3Under App registrations → API permissions, confirm all requested scopes (e.g. Power BI Service, Dataset.ReadWrite.All) are listed and have admin consent granted for the tenant
4If this is a Power BI gateway, ADF Linked Service, or Fabric pipeline using a service principal, re-enter the Application (client) ID and secret in the connection — a recreated app registration changes the AppID
5Run Test SSO in Entra admin center (or capture the SAML/OIDC request via Fiddler) and paste the error into 'Resolving Errors' to see the exact Issuer vs. Identifier diff

Frequently asked questions

What does AADSTS650056 mean?

Misconfigured application. This could be due to one of the following: the client has not listed any permissions for '{name}' in the requested permi

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/troubleshoot/azure/active-directory/error-code-aadsts650056-misconfigured-app