MetricSign
Low severity · authentication

Power BI Error:
AADSTS17003, Entra ID Cannot Provision User Key

What does this error mean?

Microsoft Entra ID (Azure AD) failed to provision the user's credential key, typically during passkey or Windows Hello for Business registration.

Common causes

  • Passkey (FIDO2) or Windows Hello for Business is not enabled in the Entra ID Authentication Methods policy
  • User is excluded from the Authentication Method policy scope, or the targeted group does not include them
  • Tenant-level key provisioning is blocked by Conditional Access or device compliance requirements
  • The device attempting registration is not Entra-joined or Hybrid-joined as required by policy
  • Key registration service is temporarily unavailable or the user has reached the maximum number of registered keys

How to fix it

  1. Open the Microsoft Entra admin center → Protection → Authentication methods → Policies, and confirm that the relevant method (Passkey/FIDO2 or Windows Hello for Business) is Enabled and that the affected user is in the included scope
  2. Verify the user is not blocked by a Conditional Access policy requiring compliant or hybrid-joined devices for registration; temporarily test with a known-compliant device
  3. Have the user remove any stale or excess registered security keys via aka.ms/mysecurityinfo, then retry provisioning
  4. For Windows Hello for Business, confirm the device is properly Entra-joined (`dsregcmd /status`) and that the WHfB Group Policy / Intune configuration profile is applied
  5. If the issue persists tenant-wide, check the Entra ID service health dashboard and open a Microsoft support case referencing the correlation ID and timestamp
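
For the join-state check in step 4, the following added example (not from the original page or from Microsoft) parses `dsregcmd /status` output and reports whether the device is Entra-joined or Hybrid-joined, whether a Primary Refresh Token is present, and whether a Windows Hello for Business key is already set. The function name `Get-JoinState` and its output property names are hypothetical, and `$sample` is a constructed excerpt of the command's output.

```powershell
# Added example. $sample is a constructed excerpt of `dsregcmd /status` output;
# on a real device call: Get-JoinState -Lines (dsregcmd.exe /status)
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : NO
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
'@ -split "`r?`n"

function Get-JoinState {          # hypothetical helper name
    param([string[]]$Lines)
    $f = @{}
    foreach ($line in $Lines) {
        # Field lines have the form "   Name : Value"; banner lines do not match.
        if ($line -match '^\s*(\w+)\s*:\s*(.*?)\s*$') { $f[$Matches[1]] = $Matches[2] }
    }
    $aad = $f['AzureAdJoined'] -eq 'YES'
    $dom = $f['DomainJoined'] -eq 'YES'
    $join = if ($aad -and $dom) { 'Hybrid-joined'
        } elseif ($aad) { 'Entra-joined'
        } elseif ($dom) { 'Domain-joined only'
        } else { 'Not joined' }
    [pscustomobject]@{
        JoinType             = $join
        MeetsJoinRequirement = $aad                          # Entra-joined or Hybrid-joined
        HasPrt               = $f['AzureAdPrt'] -eq 'YES'    # Primary Refresh Token present
        WhfbKeySet           = $f['NgcSet'] -eq 'YES'        # WHfB key exists for this user
    }
}

Get-JoinState -Lines $sample
```

Run it in the affected user's session, because `NgcSet` and `AzureAdPrt` are reported per signed-in user.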

Frequently asked questions

What does AADSTS17003 mean?

Microsoft Entra ID can't provision the user key.

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes
