High severity · authentication

Power BI Error:
AADSTS50013, Token Assertion Rejected

What does this error mean?

Microsoft Entra ID (Azure AD) rejected the token assertion because it's expired, malformed, or issued by the wrong authority.

Common causes

  • Token expired or outside its valid time window (nbf/exp), often caused by clock skew between the client and Entra ID
  • Issuer (iss) in the assertion doesn't match the tenant authority the API expects (e.g. /common vs. /{tenantId}, or v1.0 vs. v2.0 endpoint mismatch)
  • Malformed JWT: wrong signing certificate, invalid signature, or a client assertion signed with a rotated/expired certificate
  • A non-primary refresh token (e.g. an app-only or delegated RT) was used in an On-Behalf-Of flow that requires a primary refresh token
  • Federated credential or service principal certificate has been rotated in Entra ID but the calling app/gateway still uses the old one

How to fix it

  1. Decode the failing JWT on jwt.ms and verify iss, aud, nbf and exp; this immediately tells you whether it's an issuer/audience mismatch or an expiry/clock issue
  2. Force a fresh token: clear the MSAL/ADAL token cache (or restart the On-premises Data Gateway) and re-authenticate so a new assertion is minted from the correct tenant authority
  3. Check NTP sync on the calling host: Entra ID allows only ~5 minutes of clock skew, and a drifted gateway or VM is a frequent root cause
  4. In the App registration (Entra ID portal → App registrations → Certificates & secrets), confirm the client certificate/secret is current and matches the one the app uses to sign the assertion; rotate if needed
  5. If the call is an OBO (on-behalf-of) flow, ensure you're exchanging a user-delegated access token (not an app-only or non-primary refresh token) and that the upstream API issued it for the same tenant
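
A local version of the step 1 check, as an added example (not MetricSign's or Microsoft's code): it decodes the assertion without verifying its signature and reports iss, aud, nbf and exp problems, applying the ~5 minute skew from step 3. The function names are hypothetical, and the tenant ID, audience and sample token are constructed placeholders.

```python
import base64, json, time

SKEW = 300  # seconds; the ~5 minutes of clock skew tolerance from step 3

def _seg(s):
    """Base64url-decode one JWT segment into a dict (signature is NOT verified)."""
    obj = json.loads(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)))
    if not isinstance(obj, dict):
        raise ValueError("segment is not a JSON object")
    return obj

def triage(token, tenant_id, expected_aud, now=None):
    """Return findings explaining why an assertion may fail with AADSTS50013."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed: expected header.payload.signature"]
    try:
        _seg(parts[0])            # header must parse too
        claims = _seg(parts[1])
    except ValueError:            # bad base64, bad UTF-8 or bad JSON
        return ["malformed: header or payload is not base64url-encoded JSON"]
    findings = []
    # Tenant-specific issuers for the v1.0 and v2.0 endpoints.
    valid_iss = (f"https://sts.windows.net/{tenant_id}/",
                 f"https://login.microsoftonline.com/{tenant_id}/v2.0")
    if claims.get("iss") not in valid_iss:
        findings.append(f"iss: {claims.get('iss')!r} is not an issuer of tenant {tenant_id}")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        findings.append(f"aud: {aud!r} does not match {expected_aud!r}")
    nbf, exp = claims.get("nbf"), claims.get("exp")
    if not isinstance(exp, (int, float)):
        findings.append("exp: claim missing")
    elif now > exp + SKEW:
        findings.append(f"exp: expired {int(now - exp)}s ago")
    if isinstance(nbf, (int, float)) and now < nbf - SKEW:
        findings.append(f"nbf: not valid for another {int(nbf - now)}s (check host clock)")
    return findings

def make_sample(claims):
    """Build a constructed, unsigned sample token for the demo below."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"

if __name__ == "__main__":
    tid = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID
    tok = make_sample({"iss": "https://sts.windows.net/11111111-1111-1111-1111-111111111111/",
                       "aud": "api://example-app", "nbf": 1700000000, "exp": 1700003600})
    print(triage(tok, tid, "api://example-app", now=1700004000))
```

An empty result only rules out the claim-level causes; signature and certificate problems (step 4) still need to be checked against the app registration.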

Frequently asked questions

What does AADSTS50013 mean?

The assertion is invalid for one of several reasons: the token issuer doesn't match the API version, the token is not within its valid time range, or the token has expired.

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes
