MetricSign
Low severity · authentication

Power BI Refresh Error: AADSTS90019

What does this error mean?

Microsoft Entra ID (Azure AD) can't resolve which tenant to authenticate against from the incoming request.

Common causes

  • Authority URL set to `https://login.microsoftonline.com/common` (or `/organizations`) while the flow requires a concrete tenant — most common in custom-coded Power BI Embedded and ADF integrations
  • Client credentials / service principal flow (daemon app, ADF SPN, Databricks SPN, Fabric capacity auth) calling `/common` — app-only tokens are never valid against `/common` or `/organizations`
  • User signs in with a personal Microsoft account (MSA) on an endpoint configured for work/school accounts only, so Entra ID has no tenant to bind the request to
  • User's UPN/email domain is not added or not verified in any Entra ID tenant (typo in domain, unverified custom domain, or guest invite never redeemed)
  • On-behalf-of or token-exchange flow where the upstream token's `tid` claim is missing or stripped by an API gateway / reverse proxy before it reaches Entra ID

How to fix it

  1. Replace `/common` or `/organizations` in your authority URL with the explicit tenant GUID or verified domain — e.g. `https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize`. This resolves the majority of AADSTS90019 cases.
  2. For Power BI Embedded, ADF linked services, Fabric capacity auth, or Databricks Unity Catalog connections: open the connection/linked-service config and set the Tenant ID field explicitly instead of leaving it blank
  3. For any client credentials / service principal flow: hardcode `/{tenant-id}` in the authority — `/common` and `/organizations` are unsupported for app-only tokens and will always fail with AADSTS90019
  4. In MSAL apps, set the authority via `WithTenantId()` (or `TenantId` in app config) rather than relying on `AzureCloudInstance.AzurePublic` defaults; in ADAL/legacy code, replace the authority string directly
  5. Verify the signing-in user's domain in the target tenant: Entra admin center → Custom domain names. If `user@contoso.com` is failing, `contoso.com` must be added and verified in that tenant, or the user must be invited as a guest
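
An added example, not from the source page or from Microsoft: a Python pre-deployment check that audits connection configs for the authority problems in steps 1 to 3 (a `/common` or `/organizations` authority on an app-only flow, a blank tenant, or an unexpanded `{tenant-id}` placeholder). The config field names (`name`, `flow`, `authority`) and all sample values are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

ALIASES = {"common", "organizations"}  # tenant-less aliases named on this page
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,}$", re.I)


def classify(authority):
    """Classify the tenant segment: guid, domain, alias, missing or invalid."""
    path = urlsplit(authority).path.strip("/")
    seg = path.split("/")[0] if path else ""
    if not seg:
        return "missing"            # Tenant ID field left blank
    if seg.lower() in ALIASES:
        return "alias"
    if GUID_RE.match(seg):
        return "guid"
    if DOMAIN_RE.match(seg):
        return "domain"
    return "invalid"                # e.g. a literal "{tenant-id}" placeholder


def audit(connections):
    """Return (name, finding) for configs that cannot bind to a tenant.

    An alias is only reported for app-only (client_credentials) flows;
    a missing or invalid tenant segment is reported for any flow.
    """
    findings = []
    for c in connections:
        kind = classify(c["authority"])
        if kind in ("missing", "invalid"):
            findings.append((c["name"], kind))
        elif kind == "alias" and c["flow"] == "client_credentials":
            findings.append((c["name"], "alias-in-app-only-flow"))
    return findings


BASE = "https://login.microsoftonline.com/"
# Constructed sample inventory: names, GUID and domain are made up.
SAMPLE = [
    {"name": "adf-linked-service", "flow": "client_credentials", "authority": BASE + "common"},
    {"name": "embedded-portal", "flow": "authorization_code", "authority": BASE + "common"},
    {"name": "databricks-spn", "flow": "client_credentials",
     "authority": BASE + "11111111-2222-3333-4444-555555555555"},
    {"name": "fabric-capacity", "flow": "client_credentials", "authority": BASE},
    {"name": "daemon-app", "flow": "client_credentials",
     "authority": BASE + "{tenant-id}/oauth2/v2.0/token"},
    {"name": "reporting-api", "flow": "client_credentials",
     "authority": BASE + "contoso.onmicrosoft.com"},
]
```

The check only inspects the shape of the authority string; whether a GUID or domain actually belongs to a verified tenant still has to be confirmed as in step 5.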

Frequently asked questions

What does AADSTS90019 mean?

Microsoft Entr

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes
