Low severityauthentication
Power BI Error:
AADSTS120011
What does this error mean?
Azure AD/Entra ID could not infer the User Principal Name (UPN) during a password change request, so the operation was aborted.
Common causes
- 1User signed in with an alternate login ID (mail alias or proxyAddress) instead of the canonical userPrincipalName, so Entra ID cannot bind the password-change request to a single account
- 2The account is federated or synced from on-premises AD with HomeRealmDiscovery hints missing, causing UPN inference to fail
- 3Password change initiated from a context (e.g. embedded webview, legacy client, or SSPR flow) that does not pass the UPN claim to the token endpoint
- 4Multiple accounts in Entra ID share the same proxyAddress/mail attribute, making UPN resolution ambiguous
- 5Stale cached credentials or a broken SSO session sending an incomplete identity hint to login.microsoftonline.com
How to fix it
- 1Sign out completely (https://login.microsoftonline.com/logout) and sign back in using the full canonical UPN (user@tenantdomain.com), not an alias or alternate login ID, then retry the password change
- 2If the user is on-premises synced, have the AD administrator verify that userPrincipalName is unique and matches a routable verified domain in Entra ID (Azure AD Connect → Synchronization Service Manager)
- 3Check for duplicate proxyAddresses or mail attributes in Entra ID: `Get-MgUser -Filter "proxyAddresses/any(p:p eq 'smtp:user@domain.com')"` — resolve any duplicates
- 4If the password change was triggered from SSPR or a Power BI/Fabric embedded login, redirect the user to https://account.activedirectory.windowsazure.com/ChangePassword.aspx and complete the change there instead
- 5Review Entra ID sign-in logs (Entra admin center → Monitoring → Sign-in logs) for the failed correlation ID to confirm which identifier was sent and adjust the client to send the UPN claim explicitly