What causes AADSTS140001?

Session was revoked server-side (admin sign-out, password reset, or risky-sign-in policy triggered in Entra ID). Refresh token outlived its session lifetime or Conditional Access session controls (sign-in frequency) forced re-authentication. Cached session key on the client references a signing key that has since been rotated in the tenant. Token was issued in a different tenant or for a different application than the one now validating it. MSAL/ADAL token cache corruption or stale cookies in the browser/Power BI Desktop session

How do I fix AADSTS140001?

Sign the user out completely and clear the token cache: in Power BI Desktop use File → Sign out, then sign back in; for browser-based tools clear cookies for login.microsoftonline.com. For service principals or embedded scenarios, drop the cached refresh token in MSAL/ADAL and request a new token via interactive or client-credentials flow — do not retry with the same session key. Check Entra ID Sign-in logs (entra.microsoft.com → Monitoring → Sign-in logs) for the user/app and look at 'Conditional Access' and 'Session lifetime' columns to see if a policy revoked the session. If a Power BI gateway or scheduled refresh hits this, re-enter credentials on the dataset (Settings → Data source credentials → Edit credentials) so the gateway acquires a fresh session key. If it persists across users, verify the app registration's signing keys haven't been manually rotated or removed in Entra ID → App registrations → Certificates & secrets

Low severityauthentication

Power BI Error:
AADSTS140001

What does this error mean?

Microsoft Entra ID (Azure AD) rejected the session key during token exchange because it could not be validated.

Common causes

1Session was revoked server-side (admin sign-out, password reset, or risky-sign-in policy triggered in Entra ID)
2Refresh token outlived its session lifetime or Conditional Access session controls (sign-in frequency) forced re-authentication
3Cached session key on the client references a signing key that has since been rotated in the tenant
4Token was issued in a different tenant or for a different application than the one now validating it
5MSAL/ADAL token cache corruption or stale cookies in the browser/Power BI Desktop session

How to fix it

1Sign the user out completely and clear the token cache: in Power BI Desktop use File → Sign out, then sign back in; for browser-based tools clear cookies for login.microsoftonline.com
2For service principals or embedded scenarios, drop the cached refresh token in MSAL/ADAL and request a new token via interactive or client-credentials flow — do not retry with the same session key
3Check Entra ID Sign-in logs (entra.microsoft.com → Monitoring → Sign-in logs) for the user/app and look at 'Conditional Access' and 'Session lifetime' columns to see if a policy revoked the session
4If a Power BI gateway or scheduled refresh hits this, re-enter credentials on the dataset (Settings → Data source credentials → Edit credentials) so the gateway acquires a fresh session key
5If it persists across users, verify the app registration's signing keys haven't been manually rotated or removed in Entra ID → App registrations → Certificates & secrets

Frequently asked questions

What does AADSTS140001 mean?

The session

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes