What causes AADSTS50078?

A Conditional Access 'Sign-in frequency' policy forces MFA re-authentication after a short interval (e.g. 1-8 hours).. The legacy 'Remember MFA on trusted devices' setting is disabled or expired, so each new session requires fresh MFA.. Long-running unattended workloads (Power BI scheduled refresh, ADF pipelines, Databricks jobs) using a user account instead of a service principal — the MFA token expires mid-run.. The user's device is not marked as compliant or hybrid-joined, causing Entra ID to demand MFA on every new token request.. Token cache on the client (Power BI Desktop, gateway, browser) is stale and holds an MFA claim past its allowed lifetime.

How do I fix AADSTS50078?

Sign out of the application completely and sign back in, completing the MFA prompt — this resolves the immediate occurrence in 90% of cases.. For Power BI scheduled refresh, ADF linked services or Databricks jobs: switch the connection from a user account to a service principal or managed identity, which is not subject to MFA expiry.. Review Conditional Access policies in the Entra admin center (Protection > Conditional Access) — check 'Sign-in frequency' and 'Persistent browser session' under Session controls; relax for trusted apps if the interval is unrealistically short.. In Entra ID > Security > Multifactor authentication > Additional cloud-based MFA settings, verify 'Allow users to remember multi-factor authentication on devices they trust' is enabled with a sensible duration (default 14 days).. Clear the token cache: in Power BI Desktop sign out under File > Account; for gateways, restart the on-premises data gateway service; for browsers, clear cookies for login.microsoftonline.com.

Low severityauthentication

Power BI Error:
AADSTS50078

What does this error mean?

The user's multi-factor authentication (MFA) session has expired and must be re-performed to access the resource.

Common causes

1A Conditional Access 'Sign-in frequency' policy forces MFA re-authentication after a short interval (e.g. 1-8 hours).
2The legacy 'Remember MFA on trusted devices' setting is disabled or expired, so each new session requires fresh MFA.
3Long-running unattended workloads (Power BI scheduled refresh, ADF pipelines, Databricks jobs) using a user account instead of a service principal — the MFA token expires mid-run.
4The user's device is not marked as compliant or hybrid-joined, causing Entra ID to demand MFA on every new token request.
5Token cache on the client (Power BI Desktop, gateway, browser) is stale and holds an MFA claim past its allowed lifetime.

How to fix it

1Sign out of the application completely and sign back in, completing the MFA prompt — this resolves the immediate occurrence in 90% of cases.
2For Power BI scheduled refresh, ADF linked services or Databricks jobs: switch the connection from a user account to a service principal or managed identity, which is not subject to MFA expiry.
3Review Conditional Access policies in the Entra admin center (Protection > Conditional Access) — check 'Sign-in frequency' and 'Persistent browser session' under Session controls; relax for trusted apps if the interval is unrealistically short.
4In Entra ID > Security > Multifactor authentication > Additional cloud-based MFA settings, verify 'Allow users to remember multi-factor authentication on devices they trust' is enabled with a sensible duration (default 14 days).
5Clear the token cache: in Power BI Desktop sign out under File > Account; for gateways, restart the on-premises data gateway service; for browsers, clear cookies for login.microsoftonline.com.

Frequently asked questions

What does AADSTS50078 mean?

UserStrongAuth

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes