Entra ID errors
Sign-in and authorization failures from Microsoft Entra ID (formerly Azure AD). AADSTS error codes, Conditional Access blocks, missing consent, and app registration problems.
Every Entra error you'll see comes with an AADSTS code. That code is the most specific information you have — Microsoft documents most of them at learn.microsoft.com, and the number tells you exactly which authentication step failed. The trick is mapping the code to the right place to fix it: app registration, Conditional Access policy, user object, or tenant configuration. The pages here cover the most common AADSTS codes and where to look for each.
20 errors in this category.
All Entra ID errors
- AADSTS500011: Resource principal named <name> was not found in the tenant
  Fix Entra ID error AADSTS500011 'resource principal not found in tenant'. Provision service principals correctly.
- AADSTS500113: No reply address registered for the application
  Fix Entra ID error AADSTS500113 'no reply address registered'. Add a redirect URI to your app registration.
- AADSTS50034: User does not exist
  Fix Entra ID error AADSTS50034 'user account does not exist in directory'. Verify UPN, restore from recycle bin if deleted.
- AADSTS50056: Invalid or null password
  Fix Entra ID error AADSTS50056 'invalid or null password'. Sync identity, check PHS/PTA/federation health.
- AADSTS50058: Session information is not sufficient for single-sign-on
  Fix Entra ID error AADSTS50058 'session information is not sufficient for single-sign-on'. Silent SSO and cookie issues.
- AADSTS50079: Due to a configuration change, the user is required to use multi-factor authentication
  Fix Entra ID error AADSTS50079 'user is required to use multi-factor authentication'. MFA registration and temporary access pass.
- AADSTS50105: The signed in user is not assigned to a role for the application
  Fix Entra ID error AADSTS50105 'user is not assigned to a role for the application'. Manage app assignment and roles.
- AADSTS53003: Access has been blocked by Conditional Access policies
  Fix Entra ID error AADSTS53003 'Access has been blocked by Conditional Access policies'. Diagnose the policy and required control.
- AADSTS65001: The user or administrator has not consented to use the application
  Fix Entra ID error AADSTS65001 'user or administrator has not consented to use the application'.
- AADSTS700016: Application not found in the directory
  Fix Entra ID error AADSTS700016 'Application not found in the directory'. Client IDs, tenants, and multi-tenant apps.
- AADSTS7000215: Invalid client secret provided
  Fix Entra ID error AADSTS7000215 'Invalid client secret provided'. Common mistakes and how to switch to certificates or managed identity.
- AADSTS90072: User account does not exist in tenant
  Fix Entra ID error AADSTS90072 'user account does not exist in tenant'. Guest invitations and multi-tenant app config.
- Admin consent required
  Fix 'Admin consent required' in Entra ID. How and when an admin needs to consent for an app's permissions.
- App role assignment failed
  Fix Entra ID 'App role assignment failed'. Correctly map AppRoleId, ResourceId, and PrincipalId.
- Conditional Access blocked because Multi-Factor Authentication is required
  Fix 'Conditional Access requires MFA' sign-in failures. Register MFA methods or issue a Temporary Access Pass.
- Conditional Access policy does not allow legacy authentication
  Fix Entra ID 'Conditional Access policy blocked legacy authentication'. Upgrade clients, scope exceptions narrowly.
- Entra Connect: Stopped-extension-dll-exception
  Fix Entra Connect 'stopped-extension-dll-exception'. Diagnose custom sync rules and update the engine.
- Entra ID directory sync error: Object not synced
  Fix Microsoft Entra Connect 'object not synced' export errors. Identify the failing attribute and correct on-prem.
- Entra ID sign-in error AADSTS50020
  Fix Entra ID error AADSTS50020 'user from identity provider does not exist in tenant'. B2B invitations and cross-tenant settings.
- User not found
  Fix 'User not found' in Microsoft Entra ID and Microsoft Graph. UPN, tenant, and guest user lookup tips.
Frequently asked questions
What does AADSTS stand for?
Azure Active Directory Secure Token Service. Every code starts with AADSTS followed by a number. The number is the specific failure reason; the message is descriptive but the number is what to search.
Where do I find Sign-in logs?
Microsoft Entra admin center → Users → select user → Sign-in logs (or for tenant-wide: Monitoring → Sign-in logs). They show every authentication attempt with the AADSTS code and the Conditional Access result.
Why does the same sign-in work in incognito?
Cached SSO tokens. Your normal browser may be reusing a stale account selection. Incognito forces a fresh sign-in, which often surfaces the real cause (or works because there's no stale state).