Critical severityauthentication
Power BI Error:
AADSTS130007
What does this error mean?
The Windows Hello for Business (NGC) device used for sign-in has been disabled in Microsoft Entra ID (Azure AD).
Common causes
- 1Device object was manually disabled by an admin in the Entra ID portal (Devices > All devices)
- 2Device was automatically disabled by a Conditional Access or device lifecycle/cleanup policy after inactivity
- 3Device was marked non-compliant or stale by Intune and subsequently disabled
- 4Windows Hello for Business (NGC) key on the device was invalidated after a TPM reset, OS reinstall, or profile corruption
- 5User account was migrated or the device registration was orphaned from the current tenant
How to fix it
- 1In the Entra admin center go to Devices > All devices, search for the affected device, and check the 'Enabled' state — if it is disabled, re-enable it (requires Cloud Device Administrator or Global Administrator role)
- 2Have the user sign in once with username + password instead of Windows Hello to confirm whether the account itself works and only the NGC/device path is blocked
- 3If the device should no longer exist (lost, reimaged, decommissioned), delete the stale device object and have the user re-register the device via Settings > Accounts > Access work or school > Connect, then re-enroll Windows Hello for Business
- 4Check Intune compliance status for the device and resolve any non-compliance (encryption, OS version, antivirus) that may have triggered automatic disablement
- 5Review Conditional Access and device lifecycle policies (Entra ID > Devices > Device settings) to confirm the inactivity threshold isn't disabling devices that are still in active use