Diagnosing and Fixing AADSTS500021

richard miller 0 Reputation points
2025-03-05T14:24:51.88+00:00

Hi

I have an Entra domain (A) for my organisation and have invited customers from their domain (B) so that they can use a SaaS (Azure App Service) provided by us. This works fine for most clients, but for one client, when some of their users try to access the SaaS they get an AADSTS500021 error indicating that Tenant Restrictions are in place. I can see the failed access attempts in (A)'s External Identities Troubleshooting ( https://entra.microsoft.com/#view/Microsoft_AAD_IAM/CompanyRelationshipsMenuBlade/~/Diagnose/menuId/Settings) -> All Sign in events.

(A)'s Cross-tenant access settings -> Inbound (and Outbound) access settings -> B2B collaboration are all set to Allow.

Which domain (A or B) do we have to change to allow access?


1 answer

  1. Deepanshu katara 14,490 Reputation points MVP
    2025-03-05T15:13:38.72+00:00

    Hello Miller, Welcome to MS Q&A

    As mentioned here, the error specifies that access to the '{tenant}' tenant is denied. AADSTS500021 indicates that the tenant restriction feature is configured and that the user is trying to access a tenant that is not in the list of allowed tenants specified in the header Restrict-Access-To-Tenants.

    This means that, on that one client's side, there is a tenant restriction setting in place and your tenant is not configured in their set of permitted tenants, as explained in the example above, and hence they are getting the error. This feature is configured in many tenants for security reasons, so the setting needs to be changed on the client's side to add your tenant to the Restrict-Access-To-Tenants list. You can refer to the above article for the settings to be made on their tenant side.

    Additionally, you can refer to this article, which specifies: For Restrict-Access-To-Tenants, use a value of <permitted tenant list>, which is a comma-separated list of tenants you want to allow users to access. Any domain that is registered with a tenant can be used to identify the tenant in this list, as well as the directory ID itself. For an example of all three ways of describing a tenant, the name/value pair to allow Contoso, Fabrikam, and Microsoft looks like: Restrict-Access-To-Tenants: contoso.com,fabrikam.onmicrosoft.com,72f988bf-86f1-41af-91ab-2d7cd011db47

    Please let us know if you have any further questions.

    Kindly accept if it helps.

    Thanks

    Deepanshu
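The answer above comes down to one check: is tenant A named, by any of its registered domains or by its directory ID, in the Restrict-Access-To-Tenants value that client B's proxy injects? The following script is an added example, not code from the thread or from Microsoft. It parses a header line in the format quoted in the answer (the sample value is the one from the answer), classifies each entry as a domain or a directory ID, reports whether tenant A is permitted, and builds the corrected header with tenant A added. The identifiers in TENANT_A_IDENTIFIERS are constructed placeholders, not real tenant values.

```python
"""Check a Restrict-Access-To-Tenants header for a given tenant (added example).

The header is set by the client organisation's (B) outbound proxy, so when the
SaaS provider's tenant (A) is missing from it, the change belongs on B's side,
not in A's cross-tenant access settings.
"""
import re
from typing import Iterable

# Constructed sample: the example header value quoted in the answer above.
SAMPLE_HEADER = (
    "Restrict-Access-To-Tenants: "
    "contoso.com,fabrikam.onmicrosoft.com,72f988bf-86f1-41af-91ab-2d7cd011db47"
)

# Constructed placeholder identifiers for tenant A: a custom domain, the
# onmicrosoft.com domain, and the directory ID. Any of them may appear in the header.
TENANT_A_IDENTIFIERS = [
    "saas-provider.example",
    "saasprovider.onmicrosoft.com",
    "00000000-0000-0000-0000-000000000001",
]

HEADER_NAME = "restrict-access-to-tenants"
GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")


def parse_permitted_tenants(header_line: str) -> set[str]:
    """Return the normalised set of permitted tenant entries.

    Accepts either the bare comma-separated value or a full 'Name: value' line.
    Entries are trimmed and lower-cased so that 'Contoso.com' matches 'contoso.com';
    empty entries (trailing commas, double commas) are dropped.
    """
    name, sep, value = header_line.partition(":")
    if sep and name.strip().lower() == HEADER_NAME:
        header_line = value
    entries = {e.strip().lower() for e in header_line.split(",")}
    entries.discard("")
    return entries


def classify_entry(entry: str) -> str:
    """A tenant may be listed by any registered domain or by its directory ID (GUID)."""
    return "directory-id" if GUID_RE.match(entry.lower()) else "domain"


def is_tenant_permitted(header_line: str, tenant_identifiers: Iterable[str]) -> bool:
    """True if any identifier of the target tenant appears in the permitted list."""
    permitted = parse_permitted_tenants(header_line)
    return any(ident.strip().lower() in permitted for ident in tenant_identifiers)


def add_tenant(header_line: str, identifier: str) -> str:
    """Build the corrected header line with one more permitted tenant entry."""
    permitted = parse_permitted_tenants(header_line)
    permitted.add(identifier.strip().lower())
    return "Restrict-Access-To-Tenants: " + ",".join(sorted(permitted))


def diagnose_aadsts500021(header_line: str, tenant_a_identifiers: list[str]) -> str:
    """State which side has to change for the AADSTS500021 case in the question."""
    if is_tenant_permitted(header_line, tenant_a_identifiers):
        return "tenant A is already in the permitted list; this header is not the cause"
    return (
        "tenant A is absent from Restrict-Access-To-Tenants; client B must add one of "
        + ", ".join(tenant_a_identifiers)
        + " to the list on its proxy (tenant A's cross-tenant settings cannot fix this)"
    )


if __name__ == "__main__":
    for entry in sorted(parse_permitted_tenants(SAMPLE_HEADER)):
        print(f"{entry:45} {classify_entry(entry)}")
    print(diagnose_aadsts500021(SAMPLE_HEADER, TENANT_A_IDENTIFIERS))
    print(add_tenant(SAMPLE_HEADER, TENANT_A_IDENTIFIERS[0]))
```

Run it as-is to see the sample header diagnosed, then substitute the header value the client's proxy actually sends (visible in the request headers on the client side) and tenant A's real domains and directory ID.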

