What causes AADSTS50089?

The user took too long to complete sign-in (MFA prompt, consent screen) and the auth code expired before redemption. Refresh token was revoked by the user (password change) or by an admin (revoke session, conditional access policy change). Clock skew between the client, the relying app, and Microsoft Entra ID (Azure AD) causing the token to be considered expired on arrival. The OAuth redirect chain is too slow — proxy, custom IdP, or B2B federation introduces enough latency that the auth code (~10 min lifetime) expires. Reuse of an already-redeemed or cached auth code (e.g. browser back-button, replayed redirect)

How do I fix AADSTS50089?

Have the user fully sign out and start a fresh sign-in — close the browser tab, clear the Power BI / Fabric session, and reconnect; this generates a new flow token. In the Entra admin center, check Sign-in logs for this user/app and confirm whether the session was revoked (Conditional Access, risky sign-in, admin revoke) — if so, restore access or have the user re-authenticate after policy compliance. Verify system clock sync (NTP) on the client machine or gateway host; >5 min skew with Entra ID will invalidate flow tokens on arrival. For Power BI scheduled refreshes / ADF linked services using OAuth, re-enter credentials on the dataset / linked service so a new refresh token is issued — old tokens revoked by an admin will keep failing until re-consented. If it recurs on a custom or federated IdP, profile the redirect chain — auth codes have a ~10 minute lifetime; reduce hops or fix slow IdP responses

Low severityauthentication

Power BI Refresh Error:
AADSTS50089

What does this error mean?

The OAuth flow token (auth code or refresh token) used during sign-in has expired or been revoked before it could be redeemed.

Common causes

1The user took too long to complete sign-in (MFA prompt, consent screen) and the auth code expired before redemption
2Refresh token was revoked by the user (password change) or by an admin (revoke session, conditional access policy change)
3Clock skew between the client, the relying app, and Microsoft Entra ID (Azure AD) causing the token to be considered expired on arrival
4The OAuth redirect chain is too slow — proxy, custom IdP, or B2B federation introduces enough latency that the auth code (~10 min lifetime) expires
5Reuse of an already-redeemed or cached auth code (e.g. browser back-button, replayed redirect)

How to fix it

1Have the user fully sign out and start a fresh sign-in — close the browser tab, clear the Power BI / Fabric session, and reconnect; this generates a new flow token
2In the Entra admin center, check Sign-in logs for this user/app and confirm whether the session was revoked (Conditional Access, risky sign-in, admin revoke) — if so, restore access or have the user re-authenticate after policy compliance
3Verify system clock sync (NTP) on the client machine or gateway host; >5 min skew with Entra ID will invalidate flow tokens on arrival
4For Power BI scheduled refreshes / ADF linked services using OAuth, re-enter credentials on the dataset / linked service so a new refresh token is issued — old tokens revoked by an admin will keep failing until re-consented
5If it recurs on a custom or federated IdP, profile the redirect chain — auth codes have a ~10 minute lifetime; reduce hops or fix slow IdP responses

Frequently asked questions

What does AADSTS50089 mean?

auth codes, refresh tokens, and sessions expire over time or are revoked by the user or an admin. The app will request a new login from the user.

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes