High severity · authentication
Power BI Error:
AADSTS50099, PKeyAuthInvalidJwtUnauthorized
What does this error mean?
Microsoft Entra ID (Azure AD) rejected the device-bound PKeyAuth JWT because its signature could not be validated.
Common causes
1. Device certificate used for PKeyAuth is expired, revoked, or no longer matches the device object in Entra ID
2. Hybrid Azure AD Join / Workplace Join state on the client is broken (`dsregcmd /status` shows AzureAdJoined=NO or certificate missing)
3. Significant clock skew between the client and Entra ID causing JWT signature/iat/exp validation to fail
4. Corrupted WAM / Web Account Manager or stale token cache on the user's machine signing the JWT with a stale key
5. Conditional Access device-compliance/managed-device policy forcing PKeyAuth on a device whose key material is no longer valid
How to fix it
1. On the affected machine, run `dsregcmd /status` and verify AzureAdJoined / DomainJoined and that the device certificate (Thumbprint) is present and not expired; re-join the device if it isn't
2. Sync the system clock (`w32tm /resync`) so the JWT's iat/exp fall inside Entra ID's validation window
3. Clear the WAM / token broker cache: sign out of the Office/Power BI Desktop account, delete entries under Credential Manager → Windows Credentials starting with `MicrosoftAccount`/`MicrosoftOffice16_Data:live.com:*`, then sign back in
4. If the device is hybrid-joined, force an AAD Connect delta sync and confirm the device object still exists in Entra ID; if it was deleted, run `dsregcmd /leave` followed by a re-join
5. Review the failing Sign-in log entry in Entra ID (Monitoring → Sign-in logs → filter on error 50099) to see which Conditional Access policy triggered the device-auth requirement, and temporarily exclude the user/app to confirm root cause
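
The device-state checks from steps 1 and 4, as an added PowerShell example (not part of the original page or any Microsoft tool): it parses `dsregcmd /status` output and flags a missing join, a missing or expired device certificate, and a failed `DeviceAuthStatus`. The function name and the sample text are constructed for illustration; the field names are those printed by current Windows builds, and older builds may omit some of them.

```powershell
# Added example: evaluate `dsregcmd /status` text for the device-state causes listed above.
function Test-PKeyAuthDeviceState {
    param(
        # Lines of `dsregcmd /status` output; defaults to running it on this machine.
        [string[]]$StatusText = (dsregcmd /status)
    )
    # Collect "Key : Value" pairs; banner and blank lines do not match.
    $kv = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$') { $kv[$Matches[1]] = $Matches[2] }
    }
    $findings = @()
    if ($kv['AzureAdJoined'] -ne 'YES') { $findings += 'AzureAdJoined is not YES' }
    if (-not $kv['Thumbprint'])         { $findings += 'Device certificate thumbprint is missing' }

    # Validity is printed as "[ <NotBefore> UTC -- <NotAfter> UTC ]"; take the end date.
    $notAfter = $null
    if ($kv['DeviceCertificateValidity'] -match '--\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})') {
        $notAfter = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd HH:mm:ss',
            [cultureinfo]::InvariantCulture,
            [System.Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal')
        if ($notAfter -lt [datetime]::UtcNow) {
            $findings += "Device certificate expired $($notAfter.ToString('u'))"
        }
    } else { $findings += 'DeviceCertificateValidity not reported' }

    # A FAILED status here usually means the device object is disabled or deleted in Entra ID.
    if ($kv.ContainsKey('DeviceAuthStatus') -and $kv['DeviceAuthStatus'] -ne 'SUCCESS') {
        $findings += "DeviceAuthStatus is $($kv['DeviceAuthStatus'])"
    }
    [pscustomobject]@{
        AzureAdJoined   = $kv['AzureAdJoined']; DomainJoined = $kv['DomainJoined']
        Thumbprint      = $kv['Thumbprint'];    CertNotAfterUtc = $notAfter
        Healthy         = ($findings.Count -eq 0); Findings = $findings
    }
}

# Constructed sample (placeholder thumbprint), so the function can be tried offline.
$sample = @'
             AzureAdJoined : YES
              DomainJoined : YES
                Thumbprint : 0000000000000000000000000000000000000000
 DeviceCertificateValidity : [ 2014-01-01 00:00:00.000 UTC -- 2024-01-01 00:00:00.000 UTC ]
          DeviceAuthStatus : FAILED. Device is either disabled or deleted
'@ -split "`r?`n"
Test-PKeyAuthDeviceState -StatusText $sample | Format-List
# Test-PKeyAuthDeviceState | Format-List   # live check on the affected machine
```

Any entry in `Findings` points to a re-join (step 1 or 4) rather than a clock or token-cache fix.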