Low severity | authentication
Power BI Error: AADSTS50125
What does this error mean?
Microsoft Entra ID (Azure AD) interrupted the sign-in flow to force the user through password reset or SSPR registration.
Common causes
1. User hit a forced password change (admin-reset, expired password, or risky-user policy in Identity Protection)
2. SSPR (Self-Service Password Reset) registration is enforced by tenant policy and the user hasn't completed it yet
3. Conditional Access or Identity Protection flagged the account as compromised and requires a secure password change
4. Interactive sign-in used in a flow that cannot show UI (e.g. embedded iframe, headless service, ROPC) so the interrupt page can't render
5. Cached refresh token used after the user's password was reset — the token is invalid until interactive re-auth completes
How to fix it
1. Have the user open https://login.microsoftonline.com in a normal browser and complete the password reset or SSPR registration prompt — the interrupt clears once finished
2. If this happens in an embedded/headless context (Power BI Embedded, custom connector, ADF linked service with user creds), switch the failing flow to an interactive browser sign-in once to clear the interrupt
3. For service accounts hitting this: stop using user credentials — migrate the Power BI/ADF/Fabric connection to a service principal or managed identity, which is not subject to SSPR interrupts
4. Check Entra ID → Protection → Authentication methods → Password reset to see if SSPR registration is enforced, and Entra ID → Sign-in logs filtered on error 50125 to identify affected users
5. If the account is flagged risky, review Entra ID → Identity Protection → Risky users and confirm/dismiss the risk after the user completes the secure password change
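When the sign-in log filter on error 50125 returns many rows, a short script can sort the affected accounts by which fix applies. This is an added example, not part of the original page: it assumes the export uses the field names of the Microsoft Graph signIn resource, and `triage_50125`, the action labels and the `contoso.example` records are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample records; field names follow the Microsoft Graph signIn
# resource (assumption: your export uses the same shape).
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Power BI Service",
  "isInteractive": true, "riskState": "none", "status": {"errorCode": 50125}},
 {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Power BI Service",
  "isInteractive": true, "riskState": "none", "status": {"errorCode": 0}},
 {"userPrincipalName": "svc-etl@contoso.example", "appDisplayName": "Azure Data Factory",
  "isInteractive": false, "riskState": "none", "status": {"errorCode": 50125}},
 {"userPrincipalName": "SVC-ETL@contoso.example", "appDisplayName": "Power BI Service",
  "isInteractive": false, "riskState": "none", "status": {"errorCode": 50125}},
 {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Power BI Service",
  "isInteractive": true, "riskState": "atRisk", "status": {"errorCode": 50125}},
 {"userPrincipalName": "carol@contoso.example", "appDisplayName": "Power BI Service",
  "isInteractive": true, "riskState": "none", "status": {"errorCode": 50126}}
]""")

def triage_50125(signins):
    """Group AADSTS50125 failures per user and pick the matching fix step."""
    users = defaultdict(lambda: {"count": 0, "apps": set(), "headless": 0, "risky": False})
    for rec in signins:
        # errorCode may arrive as int or string depending on the export
        if str((rec.get("status") or {}).get("errorCode")) != "50125":
            continue
        u = users[(rec.get("userPrincipalName") or "unknown").lower()]
        u["count"] += 1
        u["apps"].add(rec.get("appDisplayName") or "unknown")
        u["headless"] += rec.get("isInteractive") is False
        u["risky"] |= rec.get("riskState") in ("atRisk", "confirmedCompromised")
    report = {}
    for upn, u in users.items():
        if u["risky"]:
            action = "risk_review"              # fix step 5
        elif u["headless"] == u["count"]:
            action = "headless_or_stale_token"  # fix steps 2-3, causes 4-5
        else:
            action = "complete_reset"           # fix step 1
        report[upn] = {"count": u["count"], "apps": sorted(u["apps"]), "action": action}
    return report

if __name__ == "__main__":
    for upn, row in sorted(triage_50125(SAMPLE_SIGNINS).items()):
        print(f"{upn:28} {row['count']:>2}  {row['action']:24} {', '.join(row['apps'])}")
```

An account whose 50125 failures are all non-interactive is either a headless flow running on user credentials or a stale refresh token; the script cannot tell these apart, so check the application names listed for that account.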