Low severity · authentication
Power BI Error: AADSTS50017
What does this error mean?
Azure AD / Entra ID could not validate the client certificate presented during authentication.
Common causes
1. Issuing CA certificate is not in the tenant's trusted certificates list (uploaded via trustedCertificateAuthorities)
2. CRL distribution point (CDP) URL in the certificate is unreachable, returns a timeout, or is blocked by a firewall
3. Delta CRL distribution point is configured without a corresponding base CRL distribution point
4. CRL segment is malformed, expired, or signed by an untrusted issuer
5. Certificate-based authentication (CBA) policy in Entra ID references a CA that has been rotated or removed
How to fix it
1. Verify the issuing CA is uploaded to the tenant: Entra admin center → Protection → Show more → Security Center / Identity Secure Score → Certificate Authorities (or via Graph: `organization/{tenantId}/certificateBasedAuthConfiguration`). Re-upload the full chain (root + intermediates) as .cer if missing.
2. Test the CRL endpoint listed in the certificate (`certutil -url <cert.cer>` or `openssl x509 -in cert.pem -noout -text | grep CRL`) from a network path that mirrors Entra ID. The endpoint must be publicly reachable over HTTP, not behind auth or a proxy.
3. If a Delta CRL is configured, ensure a base CRL distribution point is also published and accessible. Entra ID rejects delta-only configurations.
4. Check CRL freshness and signature: download the .crl file, run `certutil -dump <file.crl>`, and confirm Next Update is in the future and the signing CA matches the uploaded trust chain.
5. If using Power BI / Fabric service principals or ADF managed identities with cert auth, rotate to a new certificate signed by a CA already in the trusted list, then update the credential in the workspace / linked service.
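The checks in steps 3 and 4 can be scripted. The following is an added example, not code from this page or from Microsoft. It assumes the tenant CA list has been exported as objects carrying the Graph `certificateAuthority` fields `issuer`, `certificateRevocationListUrl` and `deltaCertificateRevocationListUrl`, and that the CRL was summarised with `openssl crl -inform DER -in file.crl -noout -issuer -nextupdate`; all sample values are constructed.

```python
import re
from datetime import datetime, timezone

# Constructed sample: entries shaped like Graph certificateAuthority objects (assumed export).
TENANT_CAS = [
    {"issuer": "CN=Example Root CA",
     "certificateRevocationListUrl": "http://pki.example.test/root.crl",
     "deltaCertificateRevocationListUrl": None},
    {"issuer": "CN=Example Issuing CA",
     "certificateRevocationListUrl": "",
     "deltaCertificateRevocationListUrl": "http://pki.example.test/issuing+.crl"},
]

# Constructed sample of `openssl crl ... -noout -issuer -nextupdate` output.
CRL_TEXT = "issuer=CN = Example Issuing CA\nnextUpdate=Jan  8 00:00:00 2024 GMT\n"

def norm_dn(dn):
    """Naive DN comparison key: drop spaces around '=' and ',', lowercase.
    Assumes both sides list RDNs in the same order."""
    return re.sub(r"\s*([=,])\s*", r"\1", dn.strip()).lower()

def check_tenant_cas(cas):
    """Flag delta-only CRL configurations and CRL URLs that are not HTTP."""
    findings = []
    for ca in cas:
        base = ca.get("certificateRevocationListUrl") or ""
        delta = ca.get("deltaCertificateRevocationListUrl") or ""
        if delta and not base:
            findings.append((ca["issuer"], "delta CRL without base CRL"))
        for url in (base, delta):
            # ldap:// or file:// CDPs cannot meet the "reachable over HTTP" requirement
            if url and not url.lower().startswith(("http://", "https://")):
                findings.append((ca["issuer"], "CRL URL is not HTTP: " + url))
    return findings

def check_crl(crl_text, cas, now):
    """Flag a CRL whose Next Update has passed or whose issuer is not in the tenant list."""
    fields = dict(l.split("=", 1) for l in crl_text.splitlines() if "=" in l)
    findings = []
    next_update = datetime.strptime(
        fields["nextUpdate"], "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
    if next_update <= now:
        findings.append("CRL expired: Next Update " + next_update.isoformat())
    if norm_dn(fields["issuer"]) not in {norm_dn(ca["issuer"]) for ca in cas}:
        findings.append("CRL issuer not in tenant trust list: " + fields["issuer"])
    return findings
```

Run `check_tenant_cas` against the exported CA list first, then `check_crl` once per downloaded CRL, passing `datetime.now(timezone.utc)` as `now`.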