What causes AADSTS90043?

App registered in a national cloud (US Gov, China 21Vianet, Germany) but sign-in initiated against the global Azure AD/Entra ID endpoint. Hardcoded authority URL (login.microsoftonline.com) instead of the cloud-specific authority for the user's tenant. Power BI / Fabric client configured for Commercial cloud while the data source or tenant lives in GCC High or DoD. MSAL/ADAL library using default authority without setting AzureCloudInstance for sovereign clouds. Cross-cloud B2B guest scenario where redirection between clouds is not enabled by the home tenant

How do I fix AADSTS90043?

Identify which national/sovereign cloud the tenant belongs to (Commercial, US Gov GCC High, DoD, China 21Vianet, Germany) via the Microsoft 365 admin center or Entra ID overview. Replace the authority endpoint in your client/app config with the matching national cloud URL — e.g. login.microsoftonline.us for GCC High, login.partner.microsoftonline.cn for China, login.microsoftonline.de for Germany. In MSAL set `AzureCloudInstance` (or `cloud_instance_host_name`) to the correct sovereign cloud instead of relying on AzureCloudInstance.AzurePublic. For Power BI / Fabric: ensure users sign in via the sovereign portal (app.powerbigov.us, app.powerbi.cn) and that gateway/service principal auth uses the matching cloud authority. If a cross-cloud B2B scenario is required, have the resource tenant admin enable Microsoft cloud settings (External Identities → Cross-tenant access settings) for the partner cloud

Low severityauthentication

Power BI Error:
AADSTS90043

What does this error mean?

Sign-in failed because national cloud auth code redirection is disabled for this tenant or application.

Common causes

1App registered in a national cloud (US Gov, China 21Vianet, Germany) but sign-in initiated against the global Azure AD/Entra ID endpoint
2Hardcoded authority URL (login.microsoftonline.com) instead of the cloud-specific authority for the user's tenant
3Power BI / Fabric client configured for Commercial cloud while the data source or tenant lives in GCC High or DoD
4MSAL/ADAL library using default authority without setting AzureCloudInstance for sovereign clouds
5Cross-cloud B2B guest scenario where redirection between clouds is not enabled by the home tenant

How to fix it

1Identify which national/sovereign cloud the tenant belongs to (Commercial, US Gov GCC High, DoD, China 21Vianet, Germany) via the Microsoft 365 admin center or Entra ID overview
2Replace the authority endpoint in your client/app config with the matching national cloud URL — e.g. login.microsoftonline.us for GCC High, login.partner.microsoftonline.cn for China, login.microsoftonline.de for Germany
3In MSAL set `AzureCloudInstance` (or `cloud_instance_host_name`) to the correct sovereign cloud instead of relying on AzureCloudInstance.AzurePublic
4For Power BI / Fabric: ensure users sign in via the sovereign portal (app.powerbigov.us, app.powerbi.cn) and that gateway/service principal auth uses the matching cloud authority
5If a cross-cloud B2B scenario is required, have the resource tenant admin enable Microsoft cloud settings (External Identities → Cross-tenant access settings) for the partner cloud

Frequently asked questions

What does AADSTS90043 mean?

NationalCloudA

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes