MetricSign
Low severity · authentication

Power BI Error:
AADSTS50032

What does this error mean?

Azure AD / Entra ID rejected the authentication request because the RSA key used to sign the client assertion is below the minimum key length.

Common causes

  • Self-signed certificate uploaded to the app registration uses a 1024-bit RSA key (or smaller), below Microsoft's 2048-bit minimum
  • Legacy service principal certificate generated years ago with weak key length still in use for Power BI / Fabric service principal auth
  • Custom certificate-based authentication for an on-premises data gateway or ADF linked service signed with a sub-2048-bit key
  • SAML / WS-Fed federation metadata signing certificate uses a deprecated key size
  • Automated cert-rotation script falls back to a default OpenSSL key length that does not meet Entra ID requirements

How to fix it

  1. Identify the certificate or key in use: in Azure portal → Entra ID → App registrations → your app → Certificates & secrets, check the thumbprint and inspect the key length (PowerShell: `(Get-PfxCertificate cert.pfx).PublicKey.Key.KeySize`)
  2. Generate a new RSA key of at least 2048 bits (4096 recommended): `New-SelfSignedCertificate -Subject 'CN=metricsign-spn' -KeySpec Signature -KeyExportPolicy Exportable -KeyAlgorithm RSA -KeyLength 4096 -CertStoreLocation 'Cert:\CurrentUser\My' -NotAfter (Get-Date).AddYears(2)`
  3. Upload the new public certificate (.cer) to the app registration under Certificates & secrets, then update the consuming service (Power BI service principal, ADF linked service, Databricks Key Vault, Fabric capacity admin) with the new private key thumbprint
  4. Update or delete the old weak certificate from the app registration so it cannot be re-selected, and roll any cached tokens
  5. Re-test the failing flow (Power BI dataset refresh, ADF pipeline run, Fabric notebook job) and confirm tokens are issued successfully
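
A key-length gate for steps 1 and 2 and for the rotation-script cause listed above, as an added example (not MetricSign's or Microsoft's code). The function names `Test-CertKeyLength` and `New-SampleCert` and the in-memory sample certificates are constructed for illustration; it assumes PowerShell 7, or Windows PowerShell on .NET Framework 4.7.2 or later.

```powershell
# Added example. Function names and sample certificates are constructed for illustration.
$MinRsaBits = 2048   # minimum key length stated on this page

function Test-CertKeyLength {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [int]$MinimumBits = $MinRsaBits
    )
    process {
        # GetRSAPublicKey returns $null for non-RSA (for example ECDSA) certificates.
        $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
        $bits = if ($rsa) { $rsa.KeySize } else { $null }
        if ($rsa) { $rsa.Dispose() }
        $status = if ($null -eq $bits) { 'NotRsa' } elseif ($bits -lt $MinimumBits) { 'WeakRsaKey' } else { 'OK' }
        [pscustomobject]@{
            Subject    = $Certificate.Subject
            Thumbprint = $Certificate.Thumbprint
            NotAfter   = $Certificate.NotAfter
            RsaBits    = $bits
            Status     = $status
        }
    }
}

# Constructed sample input: short-lived self-signed certificates built in memory,
# so nothing is written to a certificate store or to disk.
function New-SampleCert {
    param([Parameter(Mandatory)][int]$Bits)
    $rsa = [System.Security.Cryptography.RSA]::Create($Bits)
    $req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
        "CN=constructed-sample-$Bits", $rsa,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    $req.CreateSelfSigned([DateTimeOffset]::UtcNow, [DateTimeOffset]::UtcNow.AddDays(1))
}

$results = 1024, 2048, 4096 | ForEach-Object { New-SampleCert -Bits $_ } | Test-CertKeyLength
$results | Format-Table Subject, RsaBits, Status

# Gate for a rotation script: refuse to upload anything that did not pass.
$rejected = @($results | Where-Object Status -ne 'OK')
$rejected | ForEach-Object {
    Write-Warning "Refusing upload: $($_.Subject) is $($_.Status) ($($_.RsaBits) bits)"
}

# On Windows, the same check over the store used in step 2:
# Get-ChildItem Cert:\CurrentUser\My | Test-CertKeyLength | Where-Object Status -ne 'OK'
```

Calling `Test-CertKeyLength` on the freshly generated certificate before the upload step makes a rotation script fail at the point of generation instead of at the first token request.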

Frequently asked questions

What does AADSTS50032 mean?

Ind

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes
