High severity / authentication
Power BI Error: AADSTS50027
What does this error mean?
Microsoft Entra ID (Azure AD) rejected the JWT because a claim is missing, mismatched, expired, or the signature didn't verify.
Common causes
1. Missing nonce claim in the ID token (common with custom OIDC clients that skip nonce generation)
2. Subject (sub) claim mismatch between the ID token and the expected user identifier
3. Duplicate claims inside the idToken payload
4. Unexpected issuer (iss) or audience (aud) — token issued for a different tenant, app registration, or federation
5. Token outside its valid time range (expired, or nbf/iat skew between client and Entra ID)
6. Malformed JWT structure or failed signature verification on an external/federated ID token
How to fix it
1. Decode the failing JWT at jwt.ms and inspect iss, aud, sub, nonce, iat, exp — compare aud to your app registration's Application (client) ID and iss to https://login.microsoftonline.com/{tenantId}/v2.0
2. If nonce is missing, update the OIDC/MSAL client to generate and send a nonce on every authorization request — MSAL libraries do this automatically; custom clients often don't
3. Check clock skew on the client/server issuing or validating the token — Entra ID allows ~5 minutes; NTP drift on a Power BI gateway, ADF self-hosted IR, or Databricks cluster will trigger this
4. For federated / External ID scenarios, re-import the external IdP's signing keys (JWKS endpoint) in Entra ID and confirm the issuer URL in the federation config matches the iss claim exactly
5. Force a fresh token: clear MSAL/token cache, re-consent the app, and retry — for Power BI service principals rotate the secret/certificate and re-acquire
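As an added example (not part of this page, MSAL or any Microsoft tooling), the Python script below performs the claim inspection from step 1 offline and maps each finding to the causes listed above: it decodes the payload, flags duplicate claims, compares iss, aud, sub and nonce with the values your app expects, and checks exp, nbf and iat against an allowed skew. It inspects claims only and does not verify the signature; the validating library or Entra ID does that. The function names, the unsigned test-token builder and the 300-second skew default are assumptions.

```python
import base64
import json
import time

def _parse_claims(raw: bytes):
    """Parse the payload, reporting duplicate claim names instead of silently keeping the last value."""
    duplicates = []
    def hook(pairs):
        obj = {}
        for key, value in pairs:
            if key in obj:
                duplicates.append(key)
            obj[key] = value
        return obj
    return json.loads(raw, object_pairs_hook=hook), duplicates

def diagnose_id_token(token, expected_aud, expected_iss, expected_nonce=None,
                      expected_sub=None, now=None, max_skew=300):
    """List reasons Entra ID could reject this ID token with AADSTS50027 (claims only; signature NOT verified)."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed JWT: expected header.payload.signature"]
    try:
        padded = parts[1] + "=" * (-len(parts[1]) % 4)  # JWTs strip base64url padding; restore it
        claims, duplicates = _parse_claims(base64.urlsafe_b64decode(padded))
    except ValueError as exc:  # bad base64url, bad UTF-8 or bad JSON
        return [f"malformed payload: {exc}"]
    findings = [f"duplicate claim: {name}" for name in duplicates]
    if claims.get("aud") != expected_aud:
        findings.append(f"aud mismatch: got {claims.get('aud')!r}, expected {expected_aud!r}")
    if claims.get("iss") != expected_iss:
        findings.append(f"iss mismatch: got {claims.get('iss')!r}, expected {expected_iss!r}")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        findings.append("nonce missing or different from the one sent in the authorization request")
    if expected_sub is not None and claims.get("sub") != expected_sub:
        findings.append("sub mismatch: token subject differs from the expected user identifier")
    if "exp" in claims and now > claims["exp"] + max_skew:
        findings.append("token expired: exp is in the past beyond the allowed skew")
    if "nbf" in claims and now < claims["nbf"] - max_skew:
        findings.append("token not yet valid: nbf is in the future beyond the allowed skew")
    if "iat" in claims and claims["iat"] > now + max_skew:
        findings.append("iat is in the future: clock skew between issuer and validator")
    return findings

def make_unsigned_token(payload_json: str) -> str:
    """CONSTRUCTED test helper: wrap a raw JSON string in an unsigned JWT (alg=none, empty signature)."""
    header = base64.urlsafe_b64encode(b'{"alg":"none","typ":"JWT"}').rstrip(b"=").decode()
    body = base64.urlsafe_b64encode(payload_json.encode()).rstrip(b"=").decode()
    return f"{header}.{body}."
```

Run it against the token copied from the failing request with the aud and iss values from step 1; an empty result means the rejection is more likely a signature or key problem (causes 6 and fix 4) than a claim problem.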