Low severityauthentication
Power BI Error:
AADSTS135011
What does this error mean?
The device attempting Microsoft Entra ID (Azure AD) sign-in has been disabled in the directory and cannot authenticate.
Common causes
- 1Device object disabled in Microsoft Entra ID (Azure AD) by an administrator, often via Conditional Access cleanup or a security incident response
- 2Stale or expired device registration that was automatically disabled by an Intune / Entra ID lifecycle policy
- 3Device removed from the trusted/compliant pool after failing a compliance check (e.g. encryption, OS version, jailbreak detection)
- 4User signing in from a non-Azure AD-joined or non-registered device while a Conditional Access policy requires a managed device
- 5Hybrid Azure AD join sync failure — on-prem AD device object exists but the corresponding Entra ID object is disabled or out of sync
How to fix it
- 1Step 1: Identify the device — check Entra admin center → Devices → All devices, search by the user's machine name or device ID from the sign-in log (Sign-in logs → filter on AADSTS135011)
- 2Step 2: Re-enable the device object in Entra ID (Devices → select device → Enable), or delete and re-register if it was intentionally retired
- 3Step 3: If the device was disabled by a compliance policy, fix the underlying compliance issue in Intune (encryption, OS patch level, antivirus) and let it re-evaluate before retrying sign-in
- 4Step 4: For hybrid setups, run a Microsoft Entra Connect delta sync (`Start-ADSyncSyncCycle -PolicyType Delta`) to push the on-prem device state to Entra ID
- 5Step 5: If the user must access Power BI / Fabric urgently, have them sign in from another enabled, registered device, or temporarily scope them out of the device-restricting Conditional Access policy