Low severity | authentication
Power BI Error: AADSTS135010
What does this error mean?
Microsoft Entra ID (Azure AD) cannot find the signing or decryption key referenced by your app's token or SAML configuration.
Common causes
1. The signing certificate on the app registration was rotated or expired and the old key is still being referenced
2. The app manifest's keyCredentials or tokenEncryptionKeyId points to a key that no longer exists
3. A service principal used by Power BI / ADF / Fabric authenticates with a client certificate that was deleted from the app registration
4. SAML SSO configuration references a token signing certificate that has been removed from Entra ID
5. Cached/old JWKS metadata on the client side after a key rollover, causing it to send a stale kid
How to fix it
1. Open the app registration in the Microsoft Entra admin center → Certificates & secrets, and verify which certificates/keys are currently active and not expired
2. Inspect the app manifest (Manifest blade) and confirm that keyCredentials and tokenEncryptionKeyId reference an existing, non-expired key — remove or update stale entries
3. If a certificate was rotated, upload the new public certificate and update the calling service (Power BI service principal, ADF linked service, Databricks secret scope) with the matching private key
4. For SAML/SSO apps, go to Enterprise applications → SSO → SAML signing certificate, and ensure the active certificate matches what the relying party expects; re-download metadata if needed
5. Force a refresh of OIDC/JWKS metadata on the client (restart the app or clear the discovery cache) so it picks up the current key set
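
The manifest check in steps 1 and 2 can be scripted against an exported manifest. The following is an added example, not part of the original page or any Microsoft tooling; it assumes the Microsoft Graph manifest field names (keyId, startDateTime, endDateTime), and the sample manifest and its key IDs are constructed.

```python
import json
from datetime import datetime, timezone

# Constructed sample manifest: one expired key, one active key, and a
# tokenEncryptionKeyId that points at a key that is not in keyCredentials.
SAMPLE_MANIFEST = json.loads("""
{"keyCredentials": [
   {"keyId": "11111111-1111-1111-1111-111111111111", "displayName": "CN=old-cert",
    "startDateTime": "2022-01-01T00:00:00Z", "endDateTime": "2023-01-01T00:00:00Z"},
   {"keyId": "22222222-2222-2222-2222-222222222222", "displayName": "CN=new-cert",
    "startDateTime": "2024-01-01T00:00:00Z", "endDateTime": "2026-01-01T00:00:00Z"}],
 "tokenEncryptionKeyId": "33333333-3333-3333-3333-333333333333"}
""")

def _parse(ts):
    # Map a trailing "Z" to an explicit UTC offset so older Pythons accept it.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def audit_manifest(manifest, now=None):
    """Return (keyId, problem) findings for expired or dangling key references."""
    now = now or datetime.now(timezone.utc)
    findings, known, active = [], set(), set()
    for cred in manifest.get("keyCredentials") or []:
        key_id = cred["keyId"].lower()
        known.add(key_id)
        if _parse(cred["endDateTime"]) <= now:
            findings.append((key_id, "expired"))
        elif _parse(cred["startDateTime"]) > now:
            findings.append((key_id, "not yet valid"))
        else:
            active.add(key_id)
    enc_id = (manifest.get("tokenEncryptionKeyId") or "").lower()
    if enc_id and enc_id not in known:
        # The key reference is dangling: the condition this error reports.
        findings.append((enc_id, "tokenEncryptionKeyId references a missing key"))
    elif enc_id and enc_id not in active:
        findings.append((enc_id, "tokenEncryptionKeyId references an inactive key"))
    return findings

if __name__ == "__main__":
    for key_id, problem in audit_manifest(SAMPLE_MANIFEST):
        print(f"{key_id}: {problem}")
```

An empty result means every listed key is inside its validity window and tokenEncryptionKeyId, if set, resolves to one of them.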