What causes AADSTS50076?

A Conditional Access policy targeting the user, app, or location requires MFA for this resource. Per-user MFA enforcement is enabled on the account in Entra ID. Sign-in originates from a new/untrusted location, IP, or device that triggers an MFA challenge. The Power BI / Fabric data source is configured with OAuth2 credentials on an account that cannot complete MFA non-interactively (e.g. scheduled refresh, gateway, or service account). The client/app didn't request the required claims (amr/acr) and Entra ID rejected the silent token acquisition

How do I fix AADSTS50076?

Sign in interactively to the affected resource (Power BI Service, Fabric, ADF) and complete the MFA prompt to mint a fresh token. For Power BI scheduled refresh or on-prem data gateway: replace the user-account credentials with a service principal, or exclude the refresh account from MFA via a Conditional Access exclusion / Trusted Locations. Review Entra ID → Conditional Access policies and Sign-in logs (filter on error 50076) to identify which policy is triggering the MFA requirement. If per-user MFA is causing it on automation accounts, migrate to Conditional Access + service principals instead of per-user MFA enforcement. In custom apps/SDKs, request the token with prompt=login or claims challenge handling so the MFA step happens interactively instead of failing silently

Low severityauthentication

Power BI Error:
AADSTS50076

What does this error mean?

Sign-in blocked because multifactor authentication (MFA) is required for the resource but wasn't completed.

Common causes

1A Conditional Access policy targeting the user, app, or location requires MFA for this resource
2Per-user MFA enforcement is enabled on the account in Entra ID
3Sign-in originates from a new/untrusted location, IP, or device that triggers an MFA challenge
4The Power BI / Fabric data source is configured with OAuth2 credentials on an account that cannot complete MFA non-interactively (e.g. scheduled refresh, gateway, or service account)
5The client/app didn't request the required claims (amr/acr) and Entra ID rejected the silent token acquisition

How to fix it

1Sign in interactively to the affected resource (Power BI Service, Fabric, ADF) and complete the MFA prompt to mint a fresh token
2For Power BI scheduled refresh or on-prem data gateway: replace the user-account credentials with a service principal, or exclude the refresh account from MFA via a Conditional Access exclusion / Trusted Locations
3Review Entra ID → Conditional Access policies and Sign-in logs (filter on error 50076) to identify which policy is triggering the MFA requirement
4If per-user MFA is causing it on automation accounts, migrate to Conditional Access + service principals instead of per-user MFA enforcement
5In custom apps/SDKs, request the token with prompt=login or claims challenge handling so the MFA step happens interactively instead of failing silently

Frequently asked questions

What does AADSTS50076 mean?

Due to a configuration change made by the admin such as a Conditio

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes