What causes AADSTS50097?

A Conditional Access policy with 'Require Hybrid Azure AD joined device' or 'Require device to be marked as compliant' targets the user or app, but the device isn't joined/compliant. Sign-in attempted from an unmanaged device (personal laptop, BYOD) while CA requires a managed device. Power BI gateway, ADF linked service, or Fabric service principal running on a VM/server that isn't Entra-joined or Intune-enrolled. Device certificate or Primary Refresh Token (PRT) is missing, expired, or not flowing because the device dropped out of Entra ID. Service account / non-interactive flow caught by a CA policy intended for interactive users (policy scope too broad)

How do I fix AADSTS50097?

Open Entra ID > Sign-in logs, find the failed sign-in for this user/app and check the 'Conditional Access' tab to identify which CA policy triggered the device requirement. Verify device state: on the affected machine run `dsregcmd /status` and confirm AzureAdJoined=YES or DomainJoined=YES + AzureAdPrt=YES; if not, register or hybrid-join the device. If it's a managed device that should be compliant, check Intune > Devices and force a compliance sync; resolve any non-compliant settings (encryption, OS version, antivirus). For service principals, gateways, or unattended Power BI / ADF / Fabric workloads, exclude the service principal or use a CA policy filter that doesn't require a user-device PRT. If the policy is correct and the user shouldn't have access from this device, route the user to a managed device or grant temporary access via a CA policy exclusion with Privileged Identity Management approval

Low severityauthentication

Power BI Error:
AADSTS50097

What does this error mean?

Conditional Access requires a managed or compliant device, but the sign-in came from a device that isn't registered or hybrid-joined.

Common causes

1A Conditional Access policy with 'Require Hybrid Azure AD joined device' or 'Require device to be marked as compliant' targets the user or app, but the device isn't joined/compliant
2Sign-in attempted from an unmanaged device (personal laptop, BYOD) while CA requires a managed device
3Power BI gateway, ADF linked service, or Fabric service principal running on a VM/server that isn't Entra-joined or Intune-enrolled
4Device certificate or Primary Refresh Token (PRT) is missing, expired, or not flowing because the device dropped out of Entra ID
5Service account / non-interactive flow caught by a CA policy intended for interactive users (policy scope too broad)

How to fix it

1Open Entra ID > Sign-in logs, find the failed sign-in for this user/app and check the 'Conditional Access' tab to identify which CA policy triggered the device requirement
2Verify device state: on the affected machine run `dsregcmd /status` and confirm AzureAdJoined=YES or DomainJoined=YES + AzureAdPrt=YES; if not, register or hybrid-join the device
3If it's a managed device that should be compliant, check Intune > Devices and force a compliance sync; resolve any non-compliant settings (encryption, OS version, antivirus)
4For service principals, gateways, or unattended Power BI / ADF / Fabric workloads, exclude the service principal or use a CA policy filter that doesn't require a user-device PRT
5If the policy is correct and the user shouldn't have access from this device, route the user to a managed device or grant temporary access via a CA policy exclusion with Privileged Identity Management approval

Frequently asked questions

What does AADSTS50097 mean?

Device

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes