Low severity | authentication
Power BI Error: AADSTS100007
What does this error mean?
The Microsoft Entra regional STS endpoint rejected the request because it only accepts Managed Identity or MSAL SN+I authentication.
Common causes
1. Application is calling a regional Entra ID endpoint (e.g. westeurope.login.microsoft.com) while authenticating with a client secret or non-SN+I credential
2. MSAL configuration has 'azureRegion' / instance discovery set to a region for a third-party app that doesn't qualify for regional auth
3. Workload identity / federated credential flow misrouted to a regional STS instead of the global login endpoint
4. Custom on-behalf-of or client-credentials flow in a Power BI / ADF custom connector hardcodes a regional authority URL
5. First-party app expected to use SN+I certificate auth is falling back to a shared-secret credential against the regional endpoint
How to fix it
1. Change the authority URL in your auth config from the regional endpoint (e.g. https://westeurope.login.microsoft.com/{tenant}) to the global endpoint https://login.microsoftonline.com/{tenant} and retry. This resolves the vast majority of AADSTS100007 cases
2. If you're using MSAL (.NET/Java/Python/JS), remove the WithAzureRegion() / azureRegion setting unless the app is a Managed Identity or a first-party app with SN+I configured
3. For Managed Identity scenarios (Azure Functions, App Service, ADF, Synapse), verify the MSI is enabled on the resource and that the IDENTITY_ENDPOINT environment variable is being used; don't manually craft a regional token request
4. If the app must stay on the regional endpoint (1P / Microsoft infra tenant), switch the credential type to a certificate and configure Subject Name + Issuer (SN+I) trust on the app registration
5. Inspect the failing request's authority and client_id with Fiddler or a network trace; cross-check against the app registration in Entra ID portal → App registrations → Authentication
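The check below is an added example, not code from this page or from Microsoft: it audits auth configs for the combinations described above (regional authority or region setting paired with a credential the regional STS rejects) and produces the corrected global authority. The config keys (`credential_type`, `authority`, `azure_region`), the credential labels and the sample values are assumptions made for illustration.

```python
from urllib.parse import urlsplit

GLOBAL_HOST = "login.microsoftonline.com"    # global endpoint named above
REGIONAL_SUFFIX = ".login.microsoft.com"     # matches e.g. westeurope.login.microsoft.com
# Credential labels are assumptions of this example, not Entra ID or MSAL values.
REGIONAL_OK = {"managed_identity", "sni_certificate"}


def audit_auth_config(cfg):
    """Return (findings, corrected_cfg) for one auth config dict."""
    findings, fixed = [], dict(cfg)          # copy so the input is not mutated
    parts = urlsplit(cfg.get("authority", ""))
    host = (parts.hostname or "").lower()
    regional_host = host.endswith(REGIONAL_SUFFIX)
    cred = cfg.get("credential_type")

    if cred == "managed_identity" and regional_host:
        # Fix 3: the token should come from IDENTITY_ENDPOINT, not a crafted request.
        findings.append(f"managed identity with hand-built regional authority {host}")
    elif cred not in REGIONAL_OK:
        if regional_host:
            # Fix 1: keep the tenant path, swap in the global host.
            findings.append(f"regional authority {host} with {cred}")
            fixed["authority"] = f"https://{GLOBAL_HOST}{parts.path}"
        if cfg.get("azure_region"):
            # Fix 2: drop the region setting for apps that do not qualify.
            findings.append(f"azure_region={cfg['azure_region']} with {cred}")
            fixed.pop("azure_region")
    return findings, fixed


# Constructed sample configs; the tenant ID is a placeholder.
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLES = [
    {"name": "connector", "credential_type": "client_secret",
     "authority": f"https://westeurope.login.microsoft.com/{TENANT}"},
    {"name": "etl-job", "credential_type": "client_secret",
     "authority": f"https://login.microsoftonline.com/{TENANT}",
     "azure_region": "westeurope"},
    {"name": "first-party", "credential_type": "sni_certificate",
     "authority": f"https://westeurope.login.microsoft.com/{TENANT}"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        findings, fixed = audit_auth_config(sample)
        print(sample["name"], findings or "ok", fixed.get("authority"))
```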