Low severity | authentication
Power BI Error:
AADSTS221000
What does this error mean?
The target resource (e.g. Power BI, Fabric) rejects the access token because it was issued for a device, not a user.
Common causes
1. Sign-in performed with `device code` or device-context flow without a user signing in, producing a token with only a device claim
2. Service or daemon code reusing a device token to call a user-context API like the Power BI REST API or Fabric API
3. Conditional Access or device compliance flow that returned a device-only token instead of escalating to user authentication
4. Calling a resource (Power BI, Fabric, Dataverse) that explicitly requires `upn`/`oid` user claims with a token missing those claims
5. MSAL/ADAL client configured with a device-identity scope (e.g. `Device.Read`) instead of a delegated user scope for the target resource
How to fix it
1. Inspect the failing token at jwt.ms — confirm it has no `upn`/`oid` user claim, only a `deviceid`. That confirms it's a device-only token.
2. Switch the auth flow from device-only to a delegated user flow: use `acquireTokenInteractive` or `acquireTokenByDeviceCode` (with user sign-in) in MSAL, requesting the resource's delegated scope (e.g. `https://analysis.windows.net/powerbi/api/.default`).
3. If running headless (ADF, Databricks job, automation), use a service principal with the correct application permissions on the target resource and request an app-only token via client credentials — not a device token.
4. In Power BI / Fabric: ensure the workspace and dataset grant access to the user or service principal you're authenticating as, and that the tenant setting 'Service principals can use Fabric APIs' is enabled if relevant.
5. Review Conditional Access policies in Entra ID for 'Require compliant device' rules that may be downgrading the token — exclude the workload or require user MFA so a full user+device token is issued.
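The first fix step is a claim check you can script instead of pasting tokens into jwt.ms. The following is an added example (not from this page or from Microsoft) that decodes a token's payload without verifying it and classifies it by the claims named above; the sample tokens are constructed and unsigned, the GUIDs are placeholders, and treating "`oid` without `upn`" as app-only is an assumption for the demo.

```python
import base64
import json

# Delegated scope named on this page for the Power BI REST API
POWER_BI_SCOPE = "https://analysis.windows.net/powerbi/api/.default"


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload of a compact JWT WITHOUT verifying its signature.
    Diagnostic use only, like jwt.ms: never authorize on unverified claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def classify_token(claims: dict) -> str:
    """Classify by the claims the error page names: upn/oid = user,
    deviceid = device. AADSTS221000 is the 'device-only' case."""
    if "upn" in claims:
        return "user"        # delegated user token: what Power BI/Fabric wants
    if "oid" in claims:
        return "app-only"    # assumption: service principal token (oid, no upn)
    if "deviceid" in claims:
        return "device-only"  # rejected with AADSTS221000
    return "unknown"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token for offline testing."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


# Constructed samples (placeholder ids, not real tokens)
AUD = "https://analysis.windows.net/powerbi/api"
DEVICE_ONLY_TOKEN = make_unsigned_token({"aud": AUD, "deviceid": "00000000-0000-0000-0000-000000000001"})
USER_TOKEN = make_unsigned_token({"aud": AUD, "oid": "00000000-0000-0000-0000-000000000002",
                                  "upn": "analyst@example.com", "deviceid": "00000000-0000-0000-0000-000000000001"})
APP_ONLY_TOKEN = make_unsigned_token({"aud": AUD, "oid": "00000000-0000-0000-0000-000000000003"})

if __name__ == "__main__":
    for name, tok in [("device", DEVICE_ONLY_TOKEN), ("user", USER_TOKEN), ("app", APP_ONLY_TOKEN)]:
        kind = classify_token(decode_jwt_payload(tok))
        hint = f" -> request a delegated token for {POWER_BI_SCOPE}" if kind == "device-only" else ""
        print(f"{name}: {kind}{hint}")
```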