What causes AADSTS240002?

Sending an id_token instead of an access_token as the assertion in the urn:ietf:params:oauth:grant-type:jwt-bearer (OBO) request. The token's aud claim does not match the API/resource being called (e.g. Power BI Service vs. Microsoft Graph). Required claims (sub, aud, iss, exp) are missing because the token came from a different tenant or a non-standard identity provider. The client app requesting OBO is not pre-authorized or lacks delegated permissions on the target API. Token was issued for a public client/SPA flow that doesn't produce an OBO-eligible assertion

How do I fix AADSTS240002?

Verify you are passing an access_token (not an id_token) as the 'assertion' parameter in the /oauth2/v2.0/token call with grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer. Decode the assertion on jwt.ms and confirm aud matches the downstream resource (e.g. https://analysis.windows.net/powerbi/api for Power BI, https://graph.microsoft.com for Graph). In Entra ID > App registrations > Expose an API, add the calling client app to 'Authorized client applications' and grant the required delegated scopes; admin-consent if needed. Ensure the client requesting OBO uses a confidential client (client secret or certificate) — public clients cannot perform OBO. If the upstream token comes from a federated/B2B identity, request a fresh token in the resource tenant before exchanging it

Medium severityauthentication

Power BI Error:
AADSTS240002, id_token cannot be used for jwt-bearer grant

What does this error mean?

The id_token presented in an OAuth 2.0 On-Behalf-Of (OBO) flow is missing a required claim and is rejected by Entra ID.

Common causes

1Sending an id_token instead of an access_token as the assertion in the urn:ietf:params:oauth:grant-type:jwt-bearer (OBO) request
2The token's aud claim does not match the API/resource being called (e.g. Power BI Service vs. Microsoft Graph)
3Required claims (sub, aud, iss, exp) are missing because the token came from a different tenant or a non-standard identity provider
4The client app requesting OBO is not pre-authorized or lacks delegated permissions on the target API
5Token was issued for a public client/SPA flow that doesn't produce an OBO-eligible assertion

How to fix it

1Verify you are passing an access_token (not an id_token) as the 'assertion' parameter in the /oauth2/v2.0/token call with grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
2Decode the assertion on jwt.ms and confirm aud matches the downstream resource (e.g. https://analysis.windows.net/powerbi/api for Power BI, https://graph.microsoft.com for Graph)
3In Entra ID > App registrations > Expose an API, add the calling client app to 'Authorized client applications' and grant the required delegated scopes; admin-consent if needed
4Ensure the client requesting OBO uses a confidential client (client secret or certificate) — public clients cannot perform OBO
5If the upstream token comes from a federated/B2B identity, request a fresh token in the resource tenant before exchanging it

Frequently asked questions

What does AADSTS240002 mean?

RequiredClaimIsM

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes