What causes AADSTS230109?

Client or middleware is calling a Backup Auth Service endpoint directly instead of login.microsoftonline.com (the Entra Gateway). Custom corporate proxy, firewall, or SSL inspection rewriting the Entra authentication URL to a backend host. Hardcoded or cached STS/authority URL pointing to a non-gateway hostname in an older SDK or on-prem connector. Transient Microsoft Entra ID routing issue where requests are misrouted to the backup service (retry usually resolves). Power BI on-premises data gateway or ADF self-hosted IR using an outdated authentication library that resolves to a deprecated endpoint

How do I fix AADSTS230109?

Verify the authority URL used by your client/connector is exactly https://login.microsoftonline.com/{tenant} — not a regional, backup, or internal-proxy variant. Inspect any corporate proxy, ZScaler/Netskope, or firewall rules for URL rewriting on *.login.microsoftonline.com and whitelist the official Entra endpoints unmodified. Update MSAL / ADAL / Power BI on-prem data gateway / ADF self-hosted Integration Runtime to the latest version so deprecated STS hostnames are no longer used. Retry the operation after a few minutes — if the error disappears it was a transient Microsoft-side routing event; check the Microsoft 365 / Azure status page for an active incident. If the error persists from a single network only, capture a Fiddler/HAR trace of the auth call and open a Microsoft support ticket with the correlation ID and timestamp

Low severityauthentication

Power BI Error:
AADSTS230109

What does this error mean?

Authentication request hit the Microsoft Entra Backup Auth Service directly instead of via the Entra Gateway reverse proxy.

Common causes

1Client or middleware is calling a Backup Auth Service endpoint directly instead of login.microsoftonline.com (the Entra Gateway)
2Custom corporate proxy, firewall, or SSL inspection rewriting the Entra authentication URL to a backend host
3Hardcoded or cached STS/authority URL pointing to a non-gateway hostname in an older SDK or on-prem connector
4Transient Microsoft Entra ID routing issue where requests are misrouted to the backup service (retry usually resolves)
5Power BI on-premises data gateway or ADF self-hosted IR using an outdated authentication library that resolves to a deprecated endpoint

How to fix it

1Verify the authority URL used by your client/connector is exactly https://login.microsoftonline.com/{tenant} — not a regional, backup, or internal-proxy variant
2Inspect any corporate proxy, ZScaler/Netskope, or firewall rules for URL rewriting on *.login.microsoftonline.com and whitelist the official Entra endpoints unmodified
3Update MSAL / ADAL / Power BI on-prem data gateway / ADF self-hosted Integration Runtime to the latest version so deprecated STS hostnames are no longer used
4Retry the operation after a few minutes — if the error disappears it was a transient Microsoft-side routing event; check the Microsoft 365 / Azure status page for an active incident
5If the error persists from a single network only, capture a Fiddler/HAR trace of the auth call and open a Microsoft support ticket with the correlation ID and timestamp

Frequently asked questions

What does AADSTS230109 mean?

Backup Auth Service only allows AuthN req

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes