Low severity | authentication
Power BI Error: AADSTS901011
What does this error mean?
External OIDC identity provider did not return an email claim, often because the user chose 'Hide my email' during sign-up.
Common causes
1. User selected 'Hide my email' during first sign-up via Apple ID or another privacy-preserving OIDC provider, so the IdP returns a relay address only on first consent and nothing afterwards
2. External OIDC identity provider (Apple, Google, Facebook, custom OIDC) is not configured to request or release the 'email' scope/claim
3. The federated IdP app registration in Microsoft Entra External ID is missing the email claim mapping in the OIDC claims configuration
4. User's account at the external IdP genuinely has no verified email address attached
5. Custom OIDC IdP returns the email under a non-standard claim name that Entra ID cannot map automatically
How to fix it
1. Have the user revoke the app's access at the external IdP (e.g. appleid.apple.com → Sign in with Apple → stop using) and sign in again, this time choosing 'Share My Email' instead of 'Hide My Email'
2. In the Microsoft Entra admin center → External Identities → All identity providers, open the OIDC/Apple/Google provider and verify that the 'email' scope is requested and that the email claim mapping points to the correct claim name returned by the IdP
3. At the external OIDC provider's app registration, confirm the application is approved to request the 'email' scope and that the user's account at that IdP has a verified email address
4. For custom OIDC providers, inspect the id_token returned by the IdP (jwt.ms) and confirm an 'email' claim is present; if it uses a different name, add a claim mapping policy in Entra ID
5. If the user must keep their email private, provision them as a guest with a known email via B2B invitation instead of relying on self-service federated sign-up
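
The id_token inspection in fix step 4 can also be done locally. The following is an added example, not part of the original page or any Microsoft tooling: it decodes an id_token payload without verifying the signature (diagnosis only) and reports whether `email` is present, is an Apple relay address, or appears under another claim name. The list of alternative claim names and the `make_token` helper are assumptions made for illustration.

```python
import base64
import json

# Claim names some IdPs use instead of the standard 'email' (assumed list for this example).
ALT_EMAIL_CLAIMS = ("mail", "emails", "upn", "preferred_username", "emailAddress")
APPLE_RELAY_SUFFIX = "@privaterelay.appleid.com"  # domain of Apple 'Hide My Email' addresses


def decode_payload(id_token: str) -> dict:
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose_email_claim(id_token: str) -> dict:
    """Report whether the token carries a usable email claim and what to fix if not."""
    claims = decode_payload(id_token)
    email = claims.get("email")
    if isinstance(email, str) and "@" in email:
        return {
            "status": "ok",
            "claim": "email",
            "relay_address": email.lower().endswith(APPLE_RELAY_SUFFIX),
            # email_verified may arrive as a boolean or as the string "true"
            "verified": str(claims.get("email_verified", "")).lower() == "true",
        }
    for name in ALT_EMAIL_CLAIMS:  # email released under a non-standard name
        value = claims.get(name)
        if isinstance(value, list) and value:
            value = value[0]
        if isinstance(value, str) and "@" in value:
            return {"status": "needs_mapping", "claim": name}
    return {"status": "missing", "claim": None}


def make_token(claims: dict) -> str:
    """Build an unsigned sample token (constructed test data, not from a real IdP)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    sample = make_token({"sub": "constructed-001", "emails": ["user@example.com"]})
    print(diagnose_email_claim(sample))
```

A `needs_mapping` result corresponds to the case where a claim mapping is required in Entra ID; `missing` points back to the scope, consent or verified-email causes listed above.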