What causes AADSTS650059?

App registration's signInAudience manifest property is set to AzureADMyOrg (single-tenant) while a user from a different tenant tries to sign in. Cross-tenant scenario where the app was never registered or provisioned in the user's home tenant. Multi-tenant app was reverted to single-tenant in the Entra ID portal (Authentication > Supported account types). Power BI / Fabric / ADF service principal authenticating against the wrong tenant ID in the authority URL. Guest (B2B) user attempting to use an app that has not enabled multi-tenant access

How do I fix AADSTS650059?

Open the app registration in Entra ID (Azure AD) portal > Authentication and confirm 'Supported account types'. If cross-tenant access is needed, switch to 'Accounts in any organizational directory' (this sets signInAudience to AzureADMultipleOrgs). If the app must stay single-tenant, ensure users sign in via the home tenant's authority (https://login.microsoftonline.com/{home-tenant-id}) instead of /common or /organizations. For Power BI / ADF / Fabric service principals: verify the tenant ID in your connection string or linked service matches the tenant where the app registration lives. After changing signInAudience, have an admin of the consuming tenant grant admin consent at https://login.microsoftonline.com/{tenant}/adminconsent?client_id={app-id}. If using a Microsoft-published or third-party app, contact the publisher — only the app owner can change signInAudience in the home tenant

Low severityauthentication

Power BI Error:
AADSTS650059

What does this error mean?

The app's signInAudience is set to AzureADMyOrg, restricting sign-in to its home tenant only.

Common causes

1App registration's signInAudience manifest property is set to AzureADMyOrg (single-tenant) while a user from a different tenant tries to sign in
2Cross-tenant scenario where the app was never registered or provisioned in the user's home tenant
3Multi-tenant app was reverted to single-tenant in the Entra ID portal (Authentication > Supported account types)
4Power BI / Fabric / ADF service principal authenticating against the wrong tenant ID in the authority URL
5Guest (B2B) user attempting to use an app that has not enabled multi-tenant access

How to fix it

1Open the app registration in Entra ID (Azure AD) portal > Authentication and confirm 'Supported account types'. If cross-tenant access is needed, switch to 'Accounts in any organizational directory' (this sets signInAudience to AzureADMultipleOrgs)
2If the app must stay single-tenant, ensure users sign in via the home tenant's authority (https://login.microsoftonline.com/{home-tenant-id}) instead of /common or /organizations
3For Power BI / ADF / Fabric service principals: verify the tenant ID in your connection string or linked service matches the tenant where the app registration lives
4After changing signInAudience, have an admin of the consuming tenant grant admin consent at https://login.microsoftonline.com/{tenant}/adminconsent?client_id={app-id}
5If using a Microsoft-published or third-party app, contact the publisher — only the app owner can change signInAudience in the home tenant

Frequently asked questions

What does AADSTS650059 mean?

The application is not configured for use in the tenant. The value AzureADMyOrg set for application property signInAudience is limiting its use in the tenant.

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes