Low severity | authentication
Power BI Error: AADSTS90038
What does this error mean?
The tenant lives in a National Cloud (e.g. US Government, China) that doesn't federate with the cloud instance you're authenticating against.
Common causes
1. The target tenant is registered in a National Cloud (Azure Government, Azure China operated by 21Vianet, or Azure Germany) while the app authenticates via the public commercial cloud login.microsoftonline.com
2. App registration / MSAL / ADAL configuration uses the wrong authority host (e.g. login.microsoftonline.com instead of login.microsoftonline.us or login.partner.microsoftonline.cn)
3. Power BI Desktop or Service connecting cross-cloud to a Fabric/Power BI tenant hosted in GCC High or DoD without the matching Power BI Government client build
4. Service principal or OAuth flow in ADF / Databricks / dbt referencing a tenant ID that belongs to a sovereign cloud the connector cannot reach
5. B2B guest invitation pointing at a tenant in another national cloud; cross-cloud federation is not enabled for the source tenant
How to fix it
1. Identify which national cloud the target tenant belongs to: Azure Government (.us), Azure China 21Vianet (.cn), or Azure Germany. Ask the tenant admin or check the tenant's onmicrosoft domain suffix.
2. Switch the authentication authority to the matching sovereign endpoint (e.g. https://login.microsoftonline.us/{tenant} for Gov, https://login.partner.microsoftonline.cn/{tenant} for China) in your MSAL/ADAL config, connection string, or app registration.
3. For Power BI: install the correct sovereign client (Power BI Desktop for US Government / GCC High / DoD) and sign in via the Government Power BI service (app.powerbigov.us or app.high.powerbigov.us); the commercial client cannot reach a Gov tenant.
4. For ADF / Synapse / Databricks linked services and dbt profiles: register the application in the sovereign cloud's Entra ID (formerly Azure AD) tenant and update the OAuth endpoint, resource URL, and tenant ID accordingly.
5. If you only need cross-cloud B2B collaboration, have the resource tenant admin enable Microsoft cloud settings (External Identities → Cross-tenant access settings) for the partner cloud before re-inviting the user.
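Steps 1 and 2 can be run as a pre-flight check over stored connection configs, so a wrong authority host is caught before sign-in fails with AADSTS90038. The following is an added example, not code from this page or from Microsoft. It assumes the initial-domain suffixes `.onmicrosoft.us` (US Government) and `.partner.onmschina.cn` (China) as the sovereign markers and treats every other domain as undetermined; the function names, cloud labels and sample configs are made up for illustration.

```python
from urllib.parse import urlsplit

# Authority hosts named on this page, keyed by a local label for each cloud.
AUTHORITY_HOSTS = {
    "public": "login.microsoftonline.com",
    "usgov": "login.microsoftonline.us",
    "china": "login.partner.microsoftonline.cn",
}
# Assumption: initial-domain suffixes that mark a sovereign tenant. Any other
# domain (custom, or .onmicrosoft.com) proves nothing, so it is not mapped.
SOVEREIGN_SUFFIXES = {
    ".onmicrosoft.us": "usgov",
    ".partner.onmschina.cn": "china",
}

def cloud_of_domain(domain):
    """Cloud implied by the tenant's domain, or None when it cannot be inferred."""
    name = domain.strip().lower().rstrip(".")
    for suffix, cloud in SOVEREIGN_SUFFIXES.items():
        if name.endswith(suffix):
            return cloud
    return None

def cloud_of_authority(authority):
    """Cloud served by the authority URL's host, or None for an unknown host."""
    host = (urlsplit(authority).hostname or "").lower()
    return next((c for c, h in AUTHORITY_HOSTS.items() if h == host), None)

def check(tenant_domain, authority):
    """Return (status, authority to use); status is ok, mismatch or undetermined."""
    want = cloud_of_domain(tenant_domain)
    if want is None:
        return ("undetermined", None)  # ask the tenant admin, as step 1 says
    if cloud_of_authority(authority) == want:
        return ("ok", authority)
    return ("mismatch", f"https://{AUTHORITY_HOSTS[want]}/{tenant_domain.strip().lower()}")

# Constructed sample configs (names and tenants are made up for illustration).
SAMPLES = [
    ("adf-linked-service", "contoso.onmicrosoft.us",
     "https://login.microsoftonline.com/contoso.onmicrosoft.us"),
    ("dbt-profile", "fabrikam.partner.onmschina.cn",
     "https://login.partner.microsoftonline.cn/fabrikam.partner.onmschina.cn"),
    ("pbi-refresh", "example.com", "https://login.microsoftonline.com/example.com"),
]

def lint(samples=SAMPLES):
    """Map each config name to its (status, suggested authority) result."""
    return {name: check(domain, auth) for name, domain, auth in samples}
```

An `undetermined` result is not a pass: it means the domain alone cannot tell you the cloud, and the tenant admin has to confirm it.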