AADSTS50059 - No Tenant-Identifying Information Found
Azure AADSTS50059 is a tenant-routing failure that occurs when a sign-in request reaches Microsoft Entra ID without sufficient information, such as a tenant ID or domain, to determine which directory should process the request.
Last reviewed: April 5, 2026 | Editorial standard: source-backed technical guidance
What Does No Tenant-Identifying Information Found Mean?
AADSTS50059 is a destination-missing error. Microsoft Entra ID is a multi-tenant service, which means it needs a specific path to know where to look for a user. If the request omits the tenant segment in the authority URL or provides an ambiguous identifier that Entra cannot resolve, the process halts before authentication even begins. It differs from AADSTS90002, where the tenant string exists but is invalid. In AADSTS50059, the platform has not found enough tenant information to validate at all.
Common Causes
- Empty Or Null Authority: The application is initialized with a blank or incomplete authority URL such as https://login.microsoftonline.com/.
- Stripped URL Segments: A proxy, load balancer, or custom middleware accidentally removes the /{tenant}/ portion of the OAuth2 authorize endpoint.
- Missing Environment Variables: AZURE_TENANT_ID or equivalent config is missing in one environment, producing an undefined or incomplete path.
- Ambiguous Login Hints: A login_hint or domain_hint conflicts with the authority or is too generic for Entra to resolve a directory cleanly.
- Inconsistent SDK Config: A single-tenant client library is mixed with multi-tenant authority settings, or vice versa.
How to Fix No Tenant-Identifying Information Found
1. Hardcode The Tenant Temporarily: Replace the dynamic authority with the actual tenant ID to confirm the error disappears.
2. Audit Authority URL Construction: Ensure your code is not accidentally producing //, trailing slashes, or undefined where the tenant ID should be.
3. Align With The App Model: If the app is single-tenant, use the specific tenant ID. If it is multi-tenant, use /organizations or /common consistently.
4. Check Proxy Logic: If a reverse proxy or custom auth gateway is involved, verify it is preserving the tenant path segment correctly.
Step-by-Step Diagnosis for No Tenant-Identifying Information Found
1. Open Browser DevTools and inspect the /authorize request. Confirm the URL path contains a valid GUID, verified domain, or a supported shared segment such as common or organizations.
2. Compare the request URL from a working environment against the failing one to see exactly what tenant-identifying information is missing.
3. Verify that environment variables such as TENANT_ID or AZURE_AUTHORITY are loaded correctly at runtime.
4. Check whether the error disappears when custom login_hint or domain_hint values are removed from the request.
Missing vs. Invalid Tenant
- AADSTS50059: "I do not know where you want to go." The URL is empty, ambiguous, or missing tenant context.
- AADSTS90002: "I know where you want to go, but that tenant does not exist." The tenant string is present but invalid.
Authority Patterns
- Specific: https://login.microsoftonline.com/{tenant-id-or-domain}
- Global: https://login.microsoftonline.com/common for work, school, and personal Microsoft account support where appropriate.
- Org-Only: https://login.microsoftonline.com/organizations for organizational accounts only.
Implementation Examples
// Incorrect: missing tenant segment
const msalConfig = { auth: { authority: "https://login.microsoftonline.com/" } };
// Correct: explicit tenant (single-tenant)
const msalConfigFixed = { auth: { authority: "https://login.microsoftonline.com/your-tenant-id" } };
// Correct: organizations (multi-tenant)
const msalConfigMulti = { auth: { authority: "https://login.microsoftonline.com/organizations" } };

# Use -v to inspect the full authorize URL and confirm the tenant path is present
curl -v "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=..."

How to Verify the Fix
- Confirm the /authorize URL in the network trace now includes the correct tenant identifier.
- Verify the Entra sign-in page displays the expected organization context or branding when applicable.
- Ensure the login flow completes and returns an authorization code or token to the application.
How to Prevent Recurrence
- Validate At Startup: Add an application startup check that fails fast if the authority URL or tenant ID is null or malformed.
- Use Standard SDK Patterns: Prefer MSAL or established OIDC library configuration patterns that enforce valid authority structures.
- Keep CI/CD Secrets Consistent: Ensure every target environment has the required tenant-related secrets and config values.
- Pro tip: When building custom OIDC wrappers, use a URL builder instead of string concatenation so you do not accidentally strip the tenant path segment.
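
One way to implement the startup check and the URL-builder advice above, and to automate the /authorize inspection from the diagnosis steps. This is an added example, not code from the original page or from MSAL; classifyTenant, buildAuthority and inspectUrl are hypothetical helper names, and the accepted tenant forms (GUID, domain, common, organizations) are the ones the page lists.

```javascript
// Added example, not from the original page or from MSAL. Helper names are hypothetical.
const SHARED = new Set(["common", "organizations"]);
const GUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
// Syntax check only: it cannot tell whether the domain is verified in a tenant.
const DOMAIN = /^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$/i;

// Returns "shared", "guid", "domain", or null when no tenant can be identified.
function classifyTenant(tenant) {
  if (typeof tenant !== "string") return null;
  const t = tenant.trim();
  // A missing env var concatenated into a string shows up as these literals.
  if (t === "" || t === "undefined" || t === "null") return null;
  if (SHARED.has(t)) return "shared";
  if (GUID.test(t)) return "guid";
  if (DOMAIN.test(t)) return "domain";
  return null;
}

// Build the authority with the URL API so the tenant segment cannot be dropped.
function buildAuthority(tenant, host = "https://login.microsoftonline.com") {
  if (classifyTenant(tenant) === null) {
    throw new Error(`Invalid tenant for authority: ${JSON.stringify(tenant)}`);
  }
  const url = new URL(host);
  url.pathname = `/${encodeURIComponent(tenant.trim())}`;
  return url.toString();
}

// Inspect an authority or /authorize URL (for example one copied from DevTools
// or logged behind a proxy) and report which tenant segment it carries.
function inspectUrl(rawUrl) {
  const first = new URL(rawUrl).pathname.split("/").filter(Boolean)[0];
  return { tenant: first ?? null, kind: classifyTenant(first) };
}

// Startup usage: throws before any sign-in is attempted if the value is unset.
// const authority = buildAuthority(process.env.AZURE_TENANT_ID);
```

A kind of null from inspectUrl on a captured request means the first path segment is not a tenant, which is the stripped-segment case described under Common Causes.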
Provider Context
This guidance is specific to Azure services. Always validate implementation details against official provider documentation before deploying to production.