Low severity · authentication
Power BI Error:
AADSTS50001, Resource Disabled or Doesn't Exist
What does this error mean?
The application is requesting a token for a resource (API) that isn't registered, is disabled, or has the wrong identifier URI.
Common causes
1. The resource (API) has no service principal in the tenant — the app was never consented to or the enterprise application was deleted
2. The `resource` parameter or `scope` value doesn't match the target API's Application ID URI exactly (e.g. `https://analysis.windows.net/powerbi/api` vs `https://analysis.windows.net/powerbi/api/.default`)
3. Calling a v1.0 endpoint with a v2.0-style scope (or vice versa) — v1 expects `resource=`, v2 expects `scope=`
4. The target service principal is disabled in Enterprise Applications (Properties → Enabled for users to sign in = No)
5. Wrong tenant: requesting a resource that exists in a different tenant from the `/{tenant}/oauth2/token` endpoint you're hitting (common with multi-tenant Power BI / Fabric setups)
How to fix it
1. Decode the failing token request and confirm the exact `resource` or `scope` value being sent — copy it verbatim before changing anything
2. In the Entra admin center → Enterprise applications, search for that resource URI/GUID. If it's missing, run an admin consent (e.g. `https://login.microsoftonline.com/{tenant}/adminconsent?client_id={resourceAppId}`) to provision the service principal
3. If the service principal exists, open Properties and confirm 'Enabled for users to sign in' is Yes; re-enable if it was disabled
4. Match the resource format to the endpoint: for Power BI on v1.0 use `resource=https://analysis.windows.net/powerbi/api`; on v2.0 use `scope=https://analysis.windows.net/powerbi/api/.default`. For Fabric/ADF/Databricks, use that service's published Application ID URI
5. Verify the tenant in the token URL is the tenant where the resource lives — for cross-tenant Power BI Embedded or Fabric scenarios, switch to the resource's home tenant or use `/organizations/`
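Steps 1 and 4 can be checked mechanically against a captured token request. The following is an added example, not code from the original page or from Microsoft: `check_token_request` is a hypothetical helper, the sample request is constructed, and the check covers only the Power BI URI given above.

```python
from urllib.parse import urlsplit, parse_qs

# Power BI Application ID URI as given on this page.
PBI_URI = "https://analysis.windows.net/powerbi/api"


def check_token_request(token_url, form_body):
    """Flag resource/scope mismatches in a captured token request.

    token_url is the POST URL, form_body the urlencoded request body.
    Returns the endpoint version, the tenant segment and any findings.
    """
    parts = [p for p in urlsplit(token_url).path.split("/") if p]
    tenant = parts[0] if parts else None  # compare with the resource's home tenant
    if parts[-3:] == ["oauth2", "v2.0", "token"]:
        version = "v2.0"
    elif parts[-2:] == ["oauth2", "token"]:
        version = "v1.0"
    else:
        version = "unknown"

    params = parse_qs(form_body)
    resource = params.get("resource", [None])[0]
    scopes = params.get("scope", [""])[0].split()
    findings = []

    if version == "v1.0":
        if resource is None:
            findings.append("v1.0 endpoint expects resource=, none sent")
        elif resource.startswith(PBI_URI) and resource != PBI_URI:
            findings.append("resource must be exactly " + PBI_URI)
    elif version == "v2.0":
        if resource is not None:
            findings.append("v2.0 endpoint expects scope=, not resource=")
        if not scopes:
            findings.append("v2.0 endpoint expects scope=, none sent")
        for s in scopes:
            if s.rstrip("/") == PBI_URI:  # bare URI is the v1.0 form
                findings.append("scope needs a suffix, e.g. " + PBI_URI + "/.default")
    return {"version": version, "tenant": tenant, "findings": findings}


if __name__ == "__main__":
    # Constructed sample: v2.0-style value sent to a v1.0 endpoint.
    url = "https://login.microsoftonline.com/contoso.example/oauth2/token"
    body = "grant_type=client_credentials&resource=" + PBI_URI + "/.default"
    print(check_token_request(url, body))
```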