This post was most recently updated on September 1st, 2021.
Another day, another variant of AADSTS500011! With a lot of apps and web services using Azure Active Directory for authentication, you’re bound to run into issues, right?
Ah well, one would hope to avoid them. But at least this one is usually easy to fix!
Let’s first take a closer look at the different versions of the error you might face, and then see how we can fix or avoid them altogether!
I’ve encountered 2 different variants of this particular issue – the error message may or may not contain the name of the principal it’s looking for, and the guid of the tenant it’s looking for the principal in.
AADSTS500011 – The resource principal named was not found in the tenant.
AADSTS500011 – The resource principal named [URI] was not found in the tenant named [guid]. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.
Or, the worst of all, you might be greeted with an empty page or pop-up, with the URL being something like this:
But what gives?
Solutions & workarounds
There are a couple of possible reasons for this particular variant of the error. Let’s go through them together, shall we?
First of all, maybe it’s true. Maybe the application, website or service you’re logging in to is trying to log in to the wrong Azure AD instance, or it’s logging in to the right Azure AD, but it’s a multi-tenant application that hasn’t been consented to by the administrator at said tenant.
Let’s go through the steps below to verify the configuration is correct! Each step also comes with proposed workarounds or solutions.
Time needed: 30 minutes.
How to fix the AADSTS500011 “The resource principal named was not found in the tenant” error?
- Verify that the request really went to the right tenant!
You can see the tenant Id in the error message. Verify that it’s YOUR tenant (or the one you’re using for this scenario anyway).
Not sure how to find out the id of your Azure AD? This blog post should help:
How to find out the Directory ID of your Azure AD tenant?
If the tenant ids don’t match, the application is either misconfigured, in which case you need to change the configuration of your authentication provider, or…
- The application is trying to reuse your existing log-in or otherwise trying to dynamically figure out the right tenant to log in against, and failing
Wow, where to even begin with this one?
I suppose this one more or less falls under “misconfiguration” as well, but if the authentication parameters are being configured at runtime, it’s possible that the authentication request is sent to the wrong Azure AD instance because of your existing cookies.
Try clearing your cookies or opening an incognito/private browsing session, and see if the problem persists.
- It’s the right AAD, but the app isn’t there
In case it’s an enterprise application, verify that registering applications is allowed on the tenant.
In case it’s not an enterprise application, register your app on the tenant.
Microsoft has decent documentation on these scenarios!
- It’s the right AAD and the app is there, but hasn’t been consented to
If you’re trying to log in from an application that doesn’t support user consent flow or you’re unable to use it otherwise, you can use the same special login url crafting trick that I proposed in my article for resolving consent-related issues when getting error AADSTS650001, and create a url like this:
If the application requires admin consent, replace “consent” with “admin_consent”.
- Is this multi-tenant/enterprise application not present in your tenant?
The configuration for enterprise applications can be a bit confusing and there’s a lot of steps that could go wrong. While you’d typically get an AADSTS650001 error for this, it might still be worthwhile recruiting your local Global Administrator to try logging in instead.
- Using a URI as resource principal?
In case your application id is a URI and not a Guid, verify you’ve written it properly. It doesn’t need to be a valid domain – it just needs to match the URI configured for your application!
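As an added example (not part of the original post), here is a small Python helper that parses the two message variants quoted above and maps the result onto the steps in this list: wrong tenant first, then a mistyped resource URI, otherwise a registration or consent problem. The message text, tenant ids and identifier URIs in it are constructed samples.

```python
import re
from dataclasses import dataclass
from typing import Optional, Set

# Regex built from the long form of the message quoted above. The short
# form omits both the resource name and the tenant id, so both groups are
# optional; the tenant group takes whatever follows "named" up to the end
# of the sentence (a guid in the message shown in this post).
ERROR_RE = re.compile(
    r"AADSTS500011\b.*?resource principal named\s*(?P<resource>\S+)?\s*"
    r"was not found in the tenant(?: named\s*(?P<tenant>[^.]+?))?\.",
    re.IGNORECASE | re.DOTALL,
)


@dataclass
class Triage:
    resource: Optional[str]
    tenant: Optional[str]
    step: int          # the numbered step in this post to start with (0 = n/a)
    finding: str


def triage_aadsts500011(message: str, expected_tenant: str,
                        configured_uris: Set[str]) -> Triage:
    """Map an AADSTS500011 message onto the checks listed in this post."""
    m = ERROR_RE.search(message)
    if not m:
        return Triage(None, None, 0, "not an AADSTS500011 message")
    resource, tenant = m.group("resource"), m.group("tenant")
    # Step 1/2: the request went to a tenant other than the one you expect.
    if tenant and tenant.strip().lower() != expected_tenant.lower():
        return Triage(resource, tenant, 1,
                      f"request went to tenant {tenant}, expected "
                      f"{expected_tenant}: fix the authority in the auth "
                      "config, or clear cookies / retry in a private window")
    # Step 5: the resource URI must match a configured identifier exactly.
    if resource and resource not in configured_uris:
        lowered = {u.lower() for u in configured_uris}
        hint = ("differs only in letter case from a configured URI"
                if resource.lower() in lowered else
                "matches none of the configured identifier URIs")
        return Triage(resource, tenant, 5, f"resource {resource} {hint}")
    # Steps 3/4: right tenant and right name, so the app is missing or unconsented.
    return Triage(resource, tenant, 3,
                  "tenant and resource look right: the app is probably not "
                  "registered in, or not consented to in, this tenant")
```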
I think that’s all I had for today. Still having issues? Ping me in the comments section below!