Low severity | authentication
Power BI Error: AADSTS28003
What does this error mean?
OAuth token request to Microsoft Entra ID (Azure AD) failed because the scope parameter was empty or missing.
Common causes
1. The scope parameter is omitted entirely in the POST to /oauth2/v2.0/token
2. The scope parameter is sent but as an empty string (scope=)
3. Mismatch between v1.0 and v2.0 endpoints: v2.0 requires scope while v1.0 uses resource
4. Custom OAuth client / connector code that builds the token request manually and forgets to forward the scope from the authorize step
5. Embedded BI scenarios or third-party Power BI connectors where the scope was stripped during URL encoding or redirect handling
How to fix it
1. Inspect the exact POST body sent to https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token and confirm the scope parameter is present and non-empty (e.g. scope=https://analysis.windows.net/powerbi/api/.default openid offline_access)
2. Ensure the scope passed at the /token step matches (or is a subset of) the scope used in the original /authorize request; Entra ID rejects empty or downgraded scopes
3. If you are on the v1.0 endpoint, either move to v2.0 and use scope, or stay on v1.0 and use the resource parameter instead; don't mix the two
4. For Power BI / Fabric service principals using client credentials, set scope=https://analysis.windows.net/powerbi/api/.default; for ADF or Databricks, use the relevant resource's /.default scope
5. If you use MSAL or a Microsoft SDK, upgrade to the latest version and let the library construct the token request; manual cURL/Postman flows are the most common source of this bug
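For connectors that do build the request by hand, the checks in steps 1 to 3 can be automated before the request leaves the client. The following is an added example, not code from this page or from any Microsoft SDK: `check_token_request` and its finding codes are hypothetical names, and the tenant, client ID and secret in the sample requests are constructed placeholders.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

def check_token_request(url, body, authorized_scope=None):
    """Lint a form-encoded token request; returns finding codes ([] = OK).
    Hypothetical helper for illustration, not part of MSAL or any SDK."""
    path = urlsplit(url).path.lower()
    # keep_blank_values=True so "scope=" is reported as empty, not missing
    form = parse_qs(body, keep_blank_values=True)
    scopes = " ".join(form.get("scope", [])).split()
    findings = []
    if path.endswith("/oauth2/v2.0/token"):
        if "scope" not in form:
            findings.append("scope-missing")
        elif not scopes:
            findings.append("scope-empty")
        if "resource" in form:
            findings.append("v1-resource-param-on-v2")
        # Fix step 2: token-step scope must stay within the /authorize scope
        if authorized_scope and not set(scopes) <= set(authorized_scope.split()):
            findings.append("scope-not-subset-of-authorize")
    elif path.endswith("/oauth2/token"):
        if "scope" in form:
            findings.append("v2-scope-param-on-v1")
        if not "".join(form.get("resource", [])).strip():
            findings.append("resource-missing-on-v1")
    else:
        findings.append("not-a-token-endpoint")
    return findings

# Constructed sample requests: tenant, client_id and secret are placeholders.
HOST = "https://login.microsoftonline.com/contoso.onmicrosoft.com"
V2, V1 = HOST + "/oauth2/v2.0/token", HOST + "/oauth2/token"
PBI = "https://analysis.windows.net/powerbi/api"
BASE = {"grant_type": "client_credentials",
        "client_id": "00000000-0000-0000-0000-000000000000",
        "client_secret": "PLACEHOLDER"}
SAMPLES = {
    "good v2": (V2, urlencode({**BASE, "scope": PBI + "/.default"})),
    "scope omitted": (V2, urlencode(BASE)),
    "scope empty": (V2, urlencode({**BASE, "scope": ""})),
    "resource on v2": (V2, urlencode({**BASE, "resource": PBI})),
    "good v1": (V1, urlencode({**BASE, "resource": PBI})),
}

def run_samples():
    return {n: check_token_request(u, b) for n, (u, b) in SAMPLES.items()}

if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(f"{name:15} {findings or 'ok'}")
```

Run it against the captured POST body rather than the variables that were meant to produce it, since causes 4 and 5 lose the scope between those two points.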