Azure Error: 'AADSTS90002: Tenant not found' — Cause, Fix, and Troubleshooting Guide
Fix Entra ID AADSTS90002: tenant not found. Verify the tenant id/domain in your authority URL and check the sovereign cloud endpoint.
- #azure
- #cloud
- #troubleshooting
- #errors
- #entra
Fixing errors like this? Get 500 free DevOps AI prompts
500 copy-paste AI prompts for the stack you actually run — one PDF, free.
Overview
Entra ID returns AADSTS90002 when the tenant named in the authority URL of a sign-in request does not exist (or is not reachable at the endpoint you called). The token request never gets as far as checking credentials — the directory itself could not be found. The literal error:
AADSTS90002: Tenant 'contoso-typo.onmicrosoft.com' not found. Check to make sure you have the
correct tenant ID and are signing into the correct cloud. Check with your subscription administrator,
this may happen if there are no active subscriptions for the tenant. Trace ID: ... Correlation ID: ...
The message lists the three real causes: a wrong tenant identifier, signing into the wrong cloud, or a tenant with no active subscriptions.
Symptoms
az login --tenant <value>, an SDK credential, or an OAuth authority URL fails withAADSTS90002.- The tenant value is a GUID or
*.onmicrosoft.comdomain that does not resolve. - A pipeline works against public Azure but fails with this error when pointed at Azure Government/China.
- A freshly created tenant with no subscription cannot be signed into by some flows.
Common Root Causes
- Wrong tenant id or domain — a typo, a stale GUID, or the wrong verified domain in the authority.
- Wrong cloud endpoint — using
login.microsoftonline.comfor a sovereign cloud (Government useslogin.microsoftonline.us, China useslogin.chinacloudapi.cn). - Tenant does not exist / was deleted — the directory was removed or never existed.
- Custom domain not yet verified — using a vanity domain that has not completed verification, so the tenant is not resolvable by that name.
- No active subscription — some flows fail to resolve a tenant that has never had an active subscription.
How to diagnose
Confirm the tenant id you should be using and the ones your identity can reach:
az account tenant list --query "[].{tenantId:tenantId, name:displayName, domains:domains}" -o table
Check the authority/endpoint your tooling is calling — for the CLI, confirm the active cloud:
az cloud show --query "{name:name, activeDirectory:endpoints.activeDirectory}" -o json
If the tenant value is a domain, verify it resolves via the OpenID configuration (a 200 confirms it exists at that cloud; a 404/error confirms AADSTS90002):
az rest --method get \
--url "https://login.microsoftonline.com/contoso.onmicrosoft.com/v2.0/.well-known/openid-configuration" \
--query "issuer" -o tsv
Swap the host for the sovereign cloud endpoint if you operate there before concluding the tenant is missing.
Fixes
Use the correct tenant identifier (prefer the GUID to avoid domain-verification issues):
az login --tenant 99998888-7777-6666-5555-444433332211
Target the correct cloud before logging in, so the authority host matches the directory:
az cloud set --name AzureUSGovernment
az login --tenant <gov-tenant-id>
In an SDK, build the authority from the right host and a valid tenant:
from azure.identity import ClientSecretCredential
cred = ClientSecretCredential(
tenant_id="99998888-7777-6666-5555-444433332211",
client_id="<appId>",
client_secret="<secret>",
authority="https://login.microsoftonline.com", # or .us / .chinacloudapi.cn
)
Verify a custom domain in the tenant before using it as the authority, or fall back to the *.onmicrosoft.com initial domain or the tenant GUID.
What to watch out for
- Prefer the GUID. Tenant GUIDs never suffer from unverified-domain resolution problems the way vanity domains can.
- Sovereign clouds have different hosts.
AADSTS90002against a Government tenant almost always means you called the commercialmicrosoftonline.comendpoint. AADSTS90002vsInvalidAuthenticationTokenTenant. This one is “tenant does not resolve at all”; the latter is “valid token, but for a different tenant than the resource.”- New tenants need a subscription for some sign-in paths; associate or activate a subscription if a brand-new directory will not resolve.
Related
- InvalidAuthenticationTokenTenant — a valid token issued for the wrong tenant.
- AADSTS700016 / AADSTS50076 — application-not-found and MFA-required errors.
- DefaultAzureCredential failed to retrieve a token — SDK credential-chain failures including bad authority/tenant.
Get 500 Battle-Tested DevOps AI Prompts — Free
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.