What causes AADSTS500133?

Access token or SAML/JWT assertion has passed its expiry time (expTime < curTime) before being exchanged. Cached token reused long after acquisition by a Power BI gateway, ADF linked service, or custom connector. Clock skew on the on-premises data gateway or self-hosted integration runtime causing 'curTime' mismatch with Entra ID. Token issuer (iss claim) doesn't match the API version or tenant the resource expects. Refresh token in the assertion is not a primary refresh token (PRT), or the assertion is malformed

How do I fix AADSTS500133?

Request a fresh token immediately and retry — do not reuse the cached assertion; in OAuth on-behalf-of flows acquire a new user assertion before the exchange call. Verify system clock and timezone on the on-premises data gateway / SHIR / Databricks driver host (NTP-synced, UTC offset correct) — even 5 minutes of drift triggers AADSTS500133. Reduce the lifetime your code holds the assertion: acquire the token as close to the API call as possible instead of caching it across long-running ADF pipelines or Power BI refreshes. Check the issuer (iss) and audience (aud) claims of the assertion at jwt.ms — confirm the issuer matches the tenant of the resource being called and the v1.0/v2.0 endpoint matches the app registration. If using on-behalf-of: ensure the inbound token is itself still valid and is a real PRT, not a refresh token from a different flow; re-authenticate the user if it has expired

High severityauthentication

Power BI Error:
AADSTS500133

Q: How do I fix AADSTS500133?

Request a fresh token immediately and retry — do not reuse the cached assertion; in OAuth on-behalf-of flows acquire a new user assertion before the exchange call. Verify system clock and timezone on the on-premises data gateway / SHIR / Databricks driver host (NTP-synced, UTC offset correct) — even 5 minutes of drift triggers AADSTS500133. Reduce the lifetime your code holds the assertion: acquire the token as close to the API call as possible instead of caching it across long-running ADF pipelines or Power BI refreshes. Check the issuer (iss) and audience (aud) claims of the assertion at jwt.ms — confirm the issuer matches the tenant of the resource being called and the v1.0/v2.0 endpoint matches the app registration. If using on-behalf-of: ensure the inbound token is itself still valid and is a real PRT, not a refresh token from a different flow; re-authenticate the user if it has expired

Q: What does AADSTS500133 mean?

Assertion isn't within its valid time range. Ensure that the access token isn't expired before using it for user assertion, or request a new token. Current time: {curTime}, expiry time of assertion {e

Q: How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

What does this error mean?

The token (assertion) used to authenticate is expired, malformed, or issued by a non-matching issuer.

Common causes

1Access token or SAML/JWT assertion has passed its expiry time (expTime < curTime) before being exchanged
2Cached token reused long after acquisition by a Power BI gateway, ADF linked service, or custom connector
3Clock skew on the on-premises data gateway or self-hosted integration runtime causing 'curTime' mismatch with Entra ID
4Token issuer (iss claim) doesn't match the API version or tenant the resource expects
5Refresh token in the assertion is not a primary refresh token (PRT), or the assertion is malformed

How to fix it

1Request a fresh token immediately and retry — do not reuse the cached assertion; in OAuth on-behalf-of flows acquire a new user assertion before the exchange call
2Verify system clock and timezone on the on-premises data gateway / SHIR / Databricks driver host (NTP-synced, UTC offset correct) — even 5 minutes of drift triggers AADSTS500133
3Reduce the lifetime your code holds the assertion: acquire the token as close to the API call as possible instead of caching it across long-running ADF pipelines or Power BI refreshes
4Check the issuer (iss) and audience (aud) claims of the assertion at jwt.ms — confirm the issuer matches the tenant of the resource being called and the v1.0/v2.0 endpoint matches the app registration
5If using on-behalf-of: ensure the inbound token is itself still valid and is a real PRT, not a refresh token from a different flow; re-authenticate the user if it has expired

Frequently asked questions

What does AADSTS500133 mean?

Assertion isn't within its valid time range. Ensure that the access token isn't expired before using it for user assertion, or request a new token. Current time: {curTime}, expiry time of assertion {e

How do I fix this error?