What causes FailedToGetOAuth2AccessToken?

Failed to obtain OAuth2 access token. Integration runtime configuration is incorrect or outdated. Authentication credentials or permissions are insufficient. The feature or setting is not supported for the selected connector or copy mode

How do I fix FailedToGetOAuth2AccessToken?

Open the linked service and verify the token endpoint URL is correct and reachable — a wrong tenant ID in the token URL (e.g., https://login.microsoftonline.com/{tenantId}/oauth2/token) is a common cause.. Check whether the client secret in the linked service has expired — go to Azure AD > App registrations > the app > Certificates & secrets to verify the expiry.. Verify the IR can reach the OAuth2 token endpoint — if using a self-hosted IR, confirm the SHIR host machine has outbound HTTPS access to the authorization server (login.microsoftonline.com or the third-party OAuth endpoint).. If credentials were recently rotated, update the linked service secret in ADF and save — ADF does not automatically pick up Azure Key Vault secret rotation; you must re-save the linked service to refresh the cached value.. Test the linked service using 'Test connection' in ADF Studio after making changes — a successful test confirms the token acquisition works before the next pipeline run.

Medium severityauthentication

Power BI Refresh Error:
FailedToGetOAuth2AccessToken

What does this error mean?

ADF could not acquire an OAuth2 access token for the linked service. This may be due to invalid client credentials, an unreachable token endpoint, or expired secrets.

Common causes

1Failed to obtain OAuth2 access token
2Integration runtime configuration is incorrect or outdated
3Authentication credentials or permissions are insufficient
4The feature or setting is not supported for the selected connector or copy mode

How to fix it

1Open the linked service and verify the token endpoint URL is correct and reachable — a wrong tenant ID in the token URL (e.g., https://login.microsoftonline.com/{tenantId}/oauth2/token) is a common cause.
2Check whether the client secret in the linked service has expired — go to Azure AD > App registrations > the app > Certificates & secrets to verify the expiry.
3Verify the IR can reach the OAuth2 token endpoint — if using a self-hosted IR, confirm the SHIR host machine has outbound HTTPS access to the authorization server (login.microsoftonline.com or the third-party OAuth endpoint).
4If credentials were recently rotated, update the linked service secret in ADF and save — ADF does not automatically pick up Azure Key Vault secret rotation; you must re-save the linked service to refresh the cached value.
5Test the linked service using 'Test connection' in ADF Studio after making changes — a successful test confirms the token acquisition works before the next pipeline run.

Frequently asked questions

Who needs to take action to fix an authentication failure in ADF?

Typically the pipeline owner (to re-authorize OAuth or update credentials) or an Azure AD admin (to re-enable a disabled service principal or reset a Conditional Access block). The error message indicates which identity is failing.

Can a Conditional Access policy cause ADF authentication failures?

Yes — Conditional Access policies requiring MFA or blocking non-compliant devices can affect ADF service principals. Check Azure AD sign-in logs for the service principal to identify the blocking policy.

Does ADF support managed identities to avoid credential management?

Yes — ADF supports system-assigned and user-assigned managed identities for many connectors (Azure SQL, Blob Storage, Key Vault, etc.). Managed identities use token-based authentication with no credentials to rotate or expire.

How long does it take for a new service principal secret to take effect in ADF?

After updating the secret in the ADF linked service and saving, the next pipeline run immediately uses the new credential. There is no propagation delay.

Official documentation: https://learn.microsoft.com/en-us/azure/data-factory/connector-troubleshoot-guide