Low severity · authentication
Power BI Error: AADSTS50007
What does this error mean?
Microsoft Entra ID (Azure AD) cannot find the partner encryption certificate registered for this application.
Common causes
1. The token encryption certificate on the application's service principal has been removed or has expired without a replacement
2. A federated/partner app (e.g. third-party SaaS connected via SAML SSO) lost its encryption certificate during a tenant migration or directory change
3. Manual edits or scripted updates to the service principal removed the keyCredentials entry holding the encryption cert
4. The app is configured to require encrypted tokens/assertions but no valid certificate is currently bound on the Microsoft side
5. An internal Microsoft Entra ID provisioning issue left the partner certificate in an inconsistent state
How to fix it
1. Open a Microsoft support ticket via https://learn.microsoft.com/entra/fundamentals/how-to-get-support (this error explicitly requires Microsoft to restore the partner encryption certificate; you cannot fix it from the Azure portal alone)
2. While preparing the ticket, capture the correlation ID, timestamp, tenant ID and the affected Application (client) ID from the sign-in error screen; Microsoft support will ask for these
3. In the Microsoft Entra admin center, open the affected Enterprise Application → Single sign-on → SAML Signing/Encryption Certificate, and check whether an encryption certificate is listed and not expired; export the current state for the support engineer
4. If you control the app registration, review Manifest → keyCredentials and verify whether an entry with usage 'Encrypt' / 'Verify' is present; do not delete remaining entries before Microsoft support investigates
5. As a temporary workaround, if the application allows it, disable token/assertion encryption on both sides so users can sign in until Microsoft restores the partner certificate
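
The check in steps 3 and 4, as an added example that is not part of the original page or any Microsoft tooling: it reads an exported application manifest (JSON) and reports missing or expired 'Encrypt' entries in keyCredentials without modifying anything. The sample manifest, its IDs and dates are constructed; the endDateTime/endDate field names and the tokenEncryptionKeyId property are assumed to follow the Microsoft Graph application schema.

```python
import json
from datetime import datetime, timezone

# Constructed sample manifest; every ID and date below is made up.
SAMPLE_MANIFEST = json.dumps({
    "appId": "00000000-0000-0000-0000-000000000001",
    "tokenEncryptionKeyId": "aaaaaaaa-0000-0000-0000-000000000002",
    "keyCredentials": [
        {"keyId": "aaaaaaaa-0000-0000-0000-000000000001", "usage": "Verify",
         "endDateTime": "2031-01-01T00:00:00Z"},
        {"keyId": "aaaaaaaa-0000-0000-0000-000000000002", "usage": "Encrypt",
         "endDateTime": "2024-03-01T00:00:00Z"},
    ],
})

def _parse_end(cred):
    # Assumption: Graph-style exports use endDateTime, older manifests endDate.
    raw = cred.get("endDateTime") or cred.get("endDate")
    if not raw:
        return None
    dt = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def audit_encryption_certs(manifest_json, now=None):
    """Return findings about the token encryption certificate entries."""
    now = now or datetime.now(timezone.utc)
    app = json.loads(manifest_json)
    creds = app.get("keyCredentials") or []
    enc = [c for c in creds if str(c.get("usage", "")).lower() == "encrypt"]
    findings = []
    if not enc:
        findings.append("no keyCredentials entry with usage 'Encrypt'")
    for c in enc:
        end = _parse_end(c)
        if end is None:
            findings.append(f"{c.get('keyId')}: no end date recorded")
        elif end <= now:
            findings.append(f"{c.get('keyId')}: expired {end.date()}")
    # Assumption: tokenEncryptionKeyId names the keyId used for encryption.
    active = app.get("tokenEncryptionKeyId")
    if active and active not in {c.get("keyId") for c in enc}:
        findings.append(f"tokenEncryptionKeyId {active} matches no 'Encrypt' entry")
    return findings

if __name__ == "__main__":
    for line in audit_encryption_certs(SAMPLE_MANIFEST) or ["no findings"]:
        print(line)
```

The findings list can be attached to the support ticket alongside the correlation ID and tenant ID from step 2.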