[AADSTS500021] error occurs when getting access token

조시언 책임 해운SCM팀 0 Reputation points

Hi, I'm developing an API at my company in South Korea.

But I faced an error when requesting an access token.

POST https://login.microsoftonline.com/{tenant_of_destination}/oauth2/v2.0/token

Error contents

    "error": "invalid_grant",
    "error_description": "AADSTS500021: Access to '****' tenant is denied.\r\nTrace ID: ****-97f7-d1044baeec00\r\nCorrelation ID: ****-9523-944761fc978c\r\nTimestamp: 2023-10-12 06:47:36Z",
    "error_codes": [
    "timestamp": "2023-10-12 06:47:36Z",
    "trace_id": "9513768e-ff17-44ba-97f7-d1044baeec00",
    "correlation_id": "67d477d0-d570-4983-9523-944761fc978c",
    "error_uri": "https://login.microsoftonline.com/error?code=500021"


  • We're using an intranet (our firewall policies block some domains and IPs). We may also have a proxy server.
  • We can get an access token when requesting from a public network with the same parameters (so tenant restriction doesn't matter).
  • It's a client_credentials grant, and the client_secret, client_id, and scope parameters are right.

Are there any domains we should open when we request an access token?

And please give me some possible causes of this problem.

Thank you!

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

1 answer

  1. 2023-10-20T23:41:29.5366667+00:00

    Hello @조시언 책임 해운SCM팀, the Microsoft Entra ID (formerly Azure AD) AADSTS500021 error is caused by the destination tenant not being included in the Restrict-Access-To-Tenants header. You need to ensure your intranet proxy is adding the destination tenant to the aforementioned header.

    Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.

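A diagnostic sketch for the cause given in the answer, added here as an example (it is not from the thread or from Microsoft): it reads a token-endpoint error body, confirms the AADSTS500021 code, and compares the destination tenant in the request URL with the value the proxy puts in `Restrict-Access-To-Tenants`. The tenant names, the header value and all function names are constructed assumptions.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample values (not from the thread).
SAMPLE_URL = "https://login.microsoftonline.com/partner.example.com/oauth2/v2.0/token"
SAMPLE_HEADER = "corp.example.com"  # what the proxy is assumed to inject today
SAMPLE_ERROR = json.dumps({
    "error": "invalid_grant",
    "error_description": "AADSTS500021: Access to 'partner.example.com' tenant is denied.",
})

def tenant_from_token_url(url):
    """Return the tenant segment (first path component) of a token endpoint URL."""
    return urlparse(url).path.strip("/").split("/")[0].lower()

def parse_allow_list(header_value):
    """Split a comma-separated Restrict-Access-To-Tenants value into a set."""
    return {t.strip().lower() for t in header_value.split(",") if t.strip()}

def aadsts_code(error_body):
    """Extract the numeric AADSTS code from a token error response, or None."""
    desc = json.loads(error_body).get("error_description", "")
    m = re.search(r"AADSTS(\d+)", desc)
    return int(m.group(1)) if m else None

def diagnose(token_url, error_body, proxy_header_value):
    """Report whether the failure is a tenant restriction and what to allow."""
    code = aadsts_code(error_body)
    if code != 500021:
        return {"tenant_restriction": False, "code": code}
    tenant = tenant_from_token_url(token_url)
    allowed = parse_allow_list(proxy_header_value)
    # Literal comparison: a tenant may be listed by domain or by directory ID,
    # so pass the same form the proxy uses.
    return {
        "tenant_restriction": True,
        "code": code,
        "tenant": tenant,
        "listed": tenant in allowed,
        "proposed_header": ",".join(sorted(allowed | {tenant})),
    }

if __name__ == "__main__":
    print(diagnose(SAMPLE_URL, SAMPLE_ERROR, SAMPLE_HEADER))
```

When `listed` is false, `proposed_header` is the value to hand to whoever manages the proxy's tenant-restriction policy.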