azure - Failed to authenticate due to error 'AADSTS500213: The resource tenant's cross-tenant access policy does

admin2025-04-18  0

I am trying to run terraform plan -var-file=C:\dev\terraform.tfvars. It's throwing the error Subnet (Subscription) was not found. Okay, I tried az login; a web browser opened automatically and showed: You have logged into Microsoft Azure!. However, in PowerShell I see:

Failed to authenticate d0df3d96-c065 'test' due to error 'AADSTS500213: The resource tenant's cross-tenant access policy does not allow this user to access this tenant. Trace ID: 65631f19-c4f6 Correlation ID: 536c20e9-1c50 Timestamp: 2025-03-06 14:06:27Z'
Failed to authenticate d4e6f657-4208 'now' due to error 'AADSTS500021: Access to 'now' tenant is denied. Trace ID: 8209bdc9-3736 Correlation ID: 8b715edb-3f5e Timestamp: 2025-03-06 14:06:30Z'

However, in the Azure Portal I can click and manually create e.g. an Azure Storage Account.


asked Mar 6 at 14:10 by Michu93
  • Try running az login --tenant <your-tenant-id> and az account set --subscription <your-subscription-id> to log in; this makes sure Terraform is authenticated to the correct tenant and subscription. @Michu93 – Vinay B, commented Mar 7 at 4:13
1 Answer

Failed to authenticate due to errors AADSTS500213 & AADSTS500021

As per the error descriptions, I can see two different authentication issues, which are related to permissions and cross-tenant access policy, while trying to authenticate with Azure via az login.

AADSTS500021 – Access to ‘{tenant}’ tenant is denied

This particular blocker occurs when a restriction is applied on access to the tenant.

This means an active Restrict-Access-To-Tenants policy was enabled, which is blocking users from accessing that particular tenant.

  • To overcome this issue, you can connect with the admin team of the tenant you are trying to access and ask them to add your tenant to the list of permitted tenants.

Refer:

https://learn.microsoft.com/en-us/answers/questions/2201407/diagnosing-and-fixing-aadsts500021

https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/tenant-restrictions

https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#:%7E:text=Access%20to%20%27%7Btenant%7D%27,%2DAccess%2DTo%2DTenant%20.

AADSTS500213 – The resource tenant’s cross-tenant access policy does not allow this user to access this tenant

These blockers happen when cross-tenant access policies prevent authentication for a user who belongs to one tenant and tries to access another.

One possible case for this is when you unintentionally try to access the wrong tenant.

If you previously had access and now don’t, the cross-tenant access settings might have been changed.

  • While doing az login, check which tenant you're logging into; this can be done by specifying the tenant ID within the command:

az login --tenant <your-tenant-id>

If you're using any SP, then specify it as mentioned below

az login --service-principal -u <app-id> -p <password> --tenant <tenant-id>

Refer:

https://learn.microsoft.com/en-us/answers/questions/1340306/unable-to-access-one-of-our-b2c-tenants-from-main
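
For triaging this kind of az login output, an added example (not part of the original answer and not Azure CLI code): it parses the 'Failed to authenticate' lines from the question, attaches the remediation the answer gives for each AADSTS code, and separates the tenant Terraform needs from the others. The function names and the `intended_tenant` argument are assumptions of this example, as is the premise that failures for tenants other than the one holding the subscription can be left alone.

```python
import re

# Sample input: the two failure lines from the question (IDs are truncated there).
SAMPLE = (
    "Failed to authenticate d0df3d96-c065 'test' due to error 'AADSTS500213: The resource "
    "tenant's cross-tenant access policy does not allow this user to access this tenant. "
    "Trace ID: 65631f19-c4f6 Correlation ID: 536c20e9-1c50 Timestamp: 2025-03-06 14:06:27Z'\n"
    "Failed to authenticate d4e6f657-4208 'now' due to error 'AADSTS500021: Access to 'now' "
    "tenant is denied. Trace ID: 8209bdc9-3736 Correlation ID: 8b715edb-3f5e "
    "Timestamp: 2025-03-06 14:06:30Z'\n"
)

# One failure per line; '.' does not cross newlines, so matches stay on one line.
LINE_RE = re.compile(
    r"Failed to authenticate (?P<tenant_id>\S+) '(?P<tenant_name>.*?)' "
    r"due to error '(?P<code>AADSTS\d+): (?P<message>.*?) "
    r"Trace ID: (?P<trace_id>\S+) Correlation ID: (?P<correlation_id>\S+) "
    r"Timestamp: (?P<timestamp>[^']+)'"
)

# Remediation per code, as given in the answer above.
GUIDANCE = {
    "AADSTS500021": "Tenant restrictions (Restrict-Access-To-Tenants) block this tenant; "
                    "ask its admin team to add your tenant to the permitted tenants.",
    "AADSTS500213": "Cross-tenant access policy rejects this user; check that this is the "
                    "tenant you meant, or whether its cross-tenant settings changed.",
}

def parse_failures(output):
    """Return one dict per 'Failed to authenticate' line in az login output."""
    return [m.groupdict() for m in LINE_RE.finditer(output)]

def triage(output, intended_tenant):
    """Split failures into the tenant you need ('blocking') and all others ('ignorable')."""
    report = {"blocking": [], "ignorable": []}
    for failure in parse_failures(output):
        failure["guidance"] = GUIDANCE.get(failure["code"], "See the Entra error code reference.")
        wanted = intended_tenant in (failure["tenant_id"], failure["tenant_name"])
        report["blocking" if wanted else "ignorable"].append(failure)
    return report

if __name__ == "__main__":
    # 'my-terraform-tenant' is a hypothetical name for the tenant that holds the subscription.
    result = triage(SAMPLE, "my-terraform-tenant")
    for bucket, failures in result.items():
        for f in failures:
            print(f"[{bucket}] {f['tenant_name']} {f['code']} "
                  f"correlation={f['correlation_id']}: {f['guidance']}")
```

If the blocking list is empty, logging in with az login --tenant for the intended tenant avoids the other tenants entirely; if it is not, the Trace ID and Correlation ID are what that tenant's administrators need to find the sign-in attempt in their logs.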
