What causes AADSTS50086?

The SAS token is expired (past its 'se' expiry timestamp) or its start time ('st') is in the future due to clock skew. The SAS was signed with a storage account key that has since been rotated or regenerated. The SAS lacks the required permissions ('sp') or resource scope ('sr') for the operation requested during sign-in. Malformed SAS — missing required fields, wrong signed-version ('sv'), or URL-encoding issues in the signature. The associated Stored Access Policy on the container/queue/table was deleted or modified, invalidating all SAS tokens issued under it

How do I fix AADSTS50086?

Decode the SAS token from the failing request and check the 'se' (expiry) and 'st' (start) parameters against current UTC time — regenerate if expired. In the Azure portal, verify the storage account key used to sign the SAS hasn't been rotated; if it was, reissue the SAS with the current key (or switch to user delegation SAS backed by Entra ID). Confirm the SAS scope ('sr') and permissions ('sp') match the operation — e.g. a container-scoped read-only SAS can't be used for blob writes. If a Stored Access Policy is referenced ('si'), confirm it still exists on the resource and hasn't been altered; recreate it if needed. Replace long-lived account-key SAS with user delegation SAS or a managed identity where possible — these don't break on key rotation

Low severityauthentication

Power BI Error:
AADSTS50086, SAS token validation failed

What does this error mean?

Azure AD / Entra ID rejected a Shared Access Signature (SAS) during sign-in; the failure is non-retryable and needs a config fix.

Common causes

1The SAS token is expired (past its 'se' expiry timestamp) or its start time ('st') is in the future due to clock skew
2The SAS was signed with a storage account key that has since been rotated or regenerated
3The SAS lacks the required permissions ('sp') or resource scope ('sr') for the operation requested during sign-in
4Malformed SAS — missing required fields, wrong signed-version ('sv'), or URL-encoding issues in the signature
5The associated Stored Access Policy on the container/queue/table was deleted or modified, invalidating all SAS tokens issued under it

How to fix it

1Decode the SAS token from the failing request and check the 'se' (expiry) and 'st' (start) parameters against current UTC time — regenerate if expired
2In the Azure portal, verify the storage account key used to sign the SAS hasn't been rotated; if it was, reissue the SAS with the current key (or switch to user delegation SAS backed by Entra ID)
3Confirm the SAS scope ('sr') and permissions ('sp') match the operation — e.g. a container-scoped read-only SAS can't be used for blob writes
4If a Stored Access Policy is referenced ('si'), confirm it still exists on the resource and hasn't been altered; recreate it if needed
5Replace long-lived account-key SAS with user delegation SAS or a managed identity where possible — these don't break on key rotation

Frequently asked questions

What does AADSTS50086 mean?

SasNonRetryableError

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes