High severity | authentication
Power BI Error: AADSTS220501
What does this error mean?
Azure AD (now Microsoft Entra ID) could not download the Certificate Revocation List (CRL) it needs to check a client certificate for revocation during authentication, so the sign-in fails even if the certificate itself is valid.
Common causes
1. The CRL Distribution Point (CDP) URL inside the client certificate is unreachable, returns HTTP errors, or points to a CRL that has expired
2. A network or firewall rule blocks outbound access from the Entra ID validation path to the CA's CRL endpoint
3. The Certificate Authority (CA) has published an outdated or malformed CRL file
4. Certificate-Based Authentication (CBA) is configured with a CA whose CRL is not properly hosted or is not reachable from the public internet
5. DNS resolution fails for the CRL host, or the CRL endpoint has TLS problems
How to fix it
1. Open the client certificate and locate the 'CRL Distribution Points' extension. Copy the URL and download the CRL from a public network with curl or a browser to confirm that the endpoint returns a valid CRL file rather than an error page.
2. If the CRL URL is unreachable or the CRL is stale, contact the Certificate Authority owner to republish the CRL and ensure the CDP endpoint is publicly reachable over HTTP (port 80). Entra ID validates CRLs over HTTP, not HTTPS.
3. In the Microsoft Entra admin center, go to Protection → Certificate authorities, verify the uploaded CA certificate, and confirm that the CRL URL field matches a working endpoint.
4. Check the CRL's 'Next Update' timestamp. If it has passed, the CA must publish a fresh CRL before authentication will succeed.
5. If you use a private or internal CA for Entra CBA, expose its CRL through a publicly reachable HTTP endpoint (Azure Blob Storage with anonymous read access is a common pattern).
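The checks in steps 1, 2 and 4 above, scripted end to end as an added example (this is not code from the page or from Microsoft tooling). It assumes the third-party `cryptography` package is installed; the CA, the CDP URL `http://crl.example.test/ca.crl` and the CRL it builds in `make_sample_ca_and_crl()` are constructed fixtures so the checks can be exercised offline, and `check_cert_crls()` runs the same checks against a real certificate file when you pass one on the command line.

```python
"""Added example: reproduce the CRL checks from the AADSTS220501 fix steps.

Assumptions: the third-party 'cryptography' package is installed; the CA and
CDP URL built by make_sample_ca_and_crl() are constructed fixtures, not real."""
from __future__ import annotations

import datetime as dt
import urllib.request
from dataclasses import dataclass, field

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID

SAMPLE_CDP = "http://crl.example.test/ca.crl"  # constructed, not a real endpoint


@dataclass
class CrlStatus:
    url: str
    ok: bool                                   # True only when no problem was found
    this_update: dt.datetime | None = None
    next_update: dt.datetime | None = None
    signature_ok: bool | None = None           # None when no issuer cert was supplied
    problems: list[str] = field(default_factory=list)


def cdp_urls(cert_pem: bytes) -> list[str]:
    """Step 1: read the URI entries of the CRL Distribution Points extension."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    try:
        ext = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS)
    except x509.ExtensionNotFound:
        return []
    return [name.value for point in ext.value for name in (point.full_name or [])
            if isinstance(name, x509.UniformResourceIdentifier)]


def _utc(crl: x509.CertificateRevocationList, attr: str) -> dt.datetime | None:
    """thisUpdate/nextUpdate as aware UTC datetimes, across cryptography versions."""
    val = getattr(crl, attr + "_utc", None)
    if val is None:
        val = getattr(crl, attr)
        if val is not None and val.tzinfo is None:
            val = val.replace(tzinfo=dt.timezone.utc)
    return val


def crl_status(url: str, crl_bytes: bytes, issuer_cert_pem: bytes | None = None,
               now: dt.datetime | None = None) -> CrlStatus:
    """Steps 2 and 4: is the CRL parseable, signed by the uploaded CA and unexpired?"""
    now = now or dt.datetime.now(dt.timezone.utc)
    st = CrlStatus(url=url, ok=False)
    if not url.lower().startswith("http://"):
        st.problems.append("CDP is not plain HTTP; Entra ID fetches CRLs over HTTP (port 80)")
    try:  # CDPs normally serve DER; accept PEM as well
        try:
            crl = x509.load_der_x509_crl(crl_bytes)
        except ValueError:
            crl = x509.load_pem_x509_crl(crl_bytes)
    except (ValueError, TypeError):
        st.problems.append("response is not a parseable CRL (HTML error page or truncated file?)")
        return st
    st.this_update, st.next_update = _utc(crl, "last_update"), _utc(crl, "next_update")
    if st.this_update > now:
        st.problems.append("thisUpdate is in the future: clock skew or a bad CRL")
    if st.next_update is not None and now >= st.next_update:
        st.problems.append(f"CRL is stale: nextUpdate {st.next_update.isoformat()} has passed; "
                           "the CA must republish")
    if issuer_cert_pem is not None:  # the CA certificate uploaded in the Entra admin center
        issuer = x509.load_pem_x509_certificate(issuer_cert_pem)
        st.signature_ok = crl.is_signature_valid(issuer.public_key())
        if not st.signature_ok:
            st.problems.append("CRL signature does not verify with the uploaded CA certificate")
        if crl.issuer != issuer.subject:
            st.problems.append("CRL issuer name does not match the CA certificate subject")
    st.ok = not st.problems
    return st


def fetch_crl(url: str, timeout: float = 10) -> bytes:
    """Step 1 continued: plain GET of the CDP, as a validator would do it."""
    req = urllib.request.Request(url, headers={"User-Agent": "crl-check/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def check_cert_crls(cert_pem: bytes, issuer_cert_pem: bytes | None = None) -> list[CrlStatus]:
    """Whole procedure for one client certificate (needs network access to the CDP)."""
    results = []
    for url in cdp_urls(cert_pem):
        try:
            results.append(crl_status(url, fetch_crl(url), issuer_cert_pem))
        except OSError as exc:  # DNS failure, refused connection, HTTP error, timeout
            results.append(CrlStatus(url=url, ok=False, problems=[f"CRL download failed: {exc}"]))
    return results


def make_sample_ca_and_crl(now: dt.datetime | None = None) -> dict:
    """Constructed fixture: a self-signed CA that carries a CDP, plus a 7-day CRL."""
    now = now or dt.datetime(2024, 1, 1, tzinfo=dt.timezone.utc)
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Sample CBA Root CA")])
    cdp = x509.CRLDistributionPoints([x509.DistributionPoint(
        full_name=[x509.UniformResourceIdentifier(SAMPLE_CDP)],
        relative_name=None, reasons=None, crl_issuer=None)])
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(1)
            .not_valid_before(now).not_valid_after(now + dt.timedelta(days=365))
            .add_extension(cdp, critical=False).sign(key, hashes.SHA256()))
    crl = (x509.CertificateRevocationListBuilder().issuer_name(name)
           .last_update(now).next_update(now + dt.timedelta(days=7))
           .sign(key, hashes.SHA256()))
    return {"now": now, "cert_pem": cert.public_bytes(serialization.Encoding.PEM),
            "crl_der": crl.public_bytes(serialization.Encoding.DER)}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # usage: python crl_check.py client.pem [uploaded-ca.pem]
        ca = open(sys.argv[2], "rb").read() if len(sys.argv) > 2 else None
        for st in check_cert_crls(open(sys.argv[1], "rb").read(), ca):
            print(st)
    else:  # offline demo: same CRL seen one day and thirty days after publication
        s = make_sample_ca_and_crl()
        for days in (1, 30):
            print(crl_status(SAMPLE_CDP, s["crl_der"], s["cert_pem"],
                             now=s["now"] + dt.timedelta(days=days)))
```

Run it with a real client certificate and the CA certificate you uploaded in the Entra admin center, and the `problems` list maps directly onto the fix steps: a download failure or unparseable response is step 2, a non-HTTP CDP is the port-80 requirement in step 2, a failed signature or issuer mismatch is step 3, and a passed nextUpdate is step 4.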