What causes Fabric Copy Activity Error 20150?

FIPS (Federal Information Processing Standards) enforcement is enabled on the gateway machine, and the authentication library uses cryptographic algorithms that are non-FIPS compliant, blocking token acquisition. The gateway machine cannot reach the OAuth token endpoint (e.g., login.microsoftonline.com) due to firewall or proxy restrictions. Credentials stored in the linked service have expired or been revoked, causing the token request to be rejected by the identity provider. A service principal secret or certificate used for authentication has expired, resulting in a failed token exchange

How do I fix Fabric Copy Activity Error 20150?

Step 1: Check whether FIPS mode is enabled on the gateway machine by running 'Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' in PowerShell; if 'Enabled' is 1, FIPS is active.. Step 2: To disable FIPS enforcement for the gateway worker, navigate to the gateway installation folder at 'C:\Program Files\on-premises data gateway\FabricIntegrationRuntime\5.0\Shared', open 'fabricworker.exe.config', and add ' ' at the end of the section.. Step 3: Save the file and restart the gateway machine to apply the configuration change, then retry the pipeline.. Step 4: If FIPS is not the cause, verify that the gateway machine has outbound HTTPS access to login.microsoftonline.com and any other required OAuth endpoints by running a connectivity test from the gateway machine.. Step 5: Review the linked service credentials in Fabric Data Factory — if using a service principal, confirm the client secret or certificate has not expired and rotate it if necessary, then update the linked service.

Critical severityauthenticationMicrosoft Fabric →

Power BI Refresh Error:
Fabric Copy Activity Error 20150

What does this error mean?

The copy activity cannot obtain an access token from the target or source authentication provider, causing the connection to fail before any data transfer. This typically occurs on the on-premises data gateway when FIPS enforcement or token endpoint connectivity issues block authentication.

Common causes

1FIPS (Federal Information Processing Standards) enforcement is enabled on the gateway machine, and the authentication library uses cryptographic algorithms that are non-FIPS compliant, blocking token acquisition
2The gateway machine cannot reach the OAuth token endpoint (e.g., login.microsoftonline.com) due to firewall or proxy restrictions
3Credentials stored in the linked service have expired or been revoked, causing the token request to be rejected by the identity provider
4A service principal secret or certificate used for authentication has expired, resulting in a failed token exchange

How to fix it

1Step 1: Check whether FIPS mode is enabled on the gateway machine by running 'Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' in PowerShell; if 'Enabled' is 1, FIPS is active.
2Step 2: To disable FIPS enforcement for the gateway worker, navigate to the gateway installation folder at 'C:\Program Files\on-premises data gateway\FabricIntegrationRuntime\5.0\Shared', open 'fabricworker.exe.config', and add '<enforceFIPSPolicy enabled="false"/>' at the end of the <runtime> section.
3Step 3: Save the file and restart the gateway machine to apply the configuration change, then retry the pipeline.
4Step 4: If FIPS is not the cause, verify that the gateway machine has outbound HTTPS access to login.microsoftonline.com and any other required OAuth endpoints by running a connectivity test from the gateway machine.
5Step 5: Review the linked service credentials in Fabric Data Factory — if using a service principal, confirm the client secret or certificate has not expired and rotate it if necessary, then update the linked service.

Frequently asked questions

Will disabling FIPS in fabricworker.exe.config affect the overall security posture of the gateway machine?

Disabling FIPS only within the fabricworker.exe.config file limits the scope to the Fabric Integration Runtime worker process. The OS-level FIPS policy remains active for other applications. However, consult your security team before making this change in regulated environments, as FIPS compliance may be a policy requirement.

How do I check whether my service principal secret is expired?

Navigate to Microsoft Entra ID (Azure Active Directory) → App Registrations → select your app → Certificates & Secrets. Review the expiry dates of client secrets and certificates. If expired, create a new secret, update the linked service in Fabric Data Factory with the new value, and retest the connection.