What causes AADSTS28002?

Scope contains a typo or unsupported value (e.g. 'https://analysis.windows.net/powerbi/api/Dataset.Read' instead of '.../.default'). Client credentials flow used without the required '/.default' suffix on the resource scope. Scope references a resource URI that doesn't exist or the API isn't registered in the tenant. Mixing v1.0 resource identifiers with v2.0 scope syntax in the same request. Permission name in the scope is not exposed by the target app registration (API permissions not configured or admin consent missing)

How do I fix AADSTS28002?

Verify the exact scope string sent in the token request — for client credentials flows it must be ' /.default' (e.g. 'https://analysis.windows.net/powerbi/api/.default'). Confirm the resource URI matches the target API: Power BI = https://analysis.windows.net/powerbi/api, Fabric = https://api.fabric.microsoft.com, ADF/Databricks each have their own resource ID. Check the app registration in Entra ID → API permissions: every delegated/application permission referenced in the scope must be added and admin-consented. If using v2.0 endpoint, use scope names like 'Dataset.Read.All'; if using v1.0 endpoint, use 'resource' parameter instead of 'scope'. Decode the failing token request (Fiddler / network trace) and compare the scope value character-by-character with Microsoft's documented scopes for that API

Low severityauthentication

Power BI Error:
AADSTS28002

What does this error mean?

The scope value sent to Azure AD / Entra ID is malformed or references a resource/permission that doesn't exist.

Common causes

1Scope contains a typo or unsupported value (e.g. 'https://analysis.windows.net/powerbi/api/Dataset.Read' instead of '.../.default')
2Client credentials flow used without the required '/.default' suffix on the resource scope
3Scope references a resource URI that doesn't exist or the API isn't registered in the tenant
4Mixing v1.0 resource identifiers with v2.0 scope syntax in the same request
5Permission name in the scope is not exposed by the target app registration (API permissions not configured or admin consent missing)

How to fix it

1Verify the exact scope string sent in the token request — for client credentials flows it must be '<resource>/.default' (e.g. 'https://analysis.windows.net/powerbi/api/.default')
2Confirm the resource URI matches the target API: Power BI = https://analysis.windows.net/powerbi/api, Fabric = https://api.fabric.microsoft.com, ADF/Databricks each have their own resource ID
3Check the app registration in Entra ID → API permissions: every delegated/application permission referenced in the scope must be added and admin-consented
4If using v2.0 endpoint, use scope names like 'Dataset.Read.All'; if using v1.0 endpoint, use 'resource' parameter instead of 'scope'
5Decode the failing token request (Fiddler / network trace) and compare the scope value character-by-character with Microsoft's documented scopes for that API

Frequently asked questions

What does AADSTS28002 mean?

Provided value for the input parameter scope '{scope}' isn't va

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes