Low severity / authentication
Power BI Error: AADSTS50127
What does this error mean?
Sign-in blocked because the device lacks a required broker app (Microsoft Authenticator or Company Portal) for Conditional Access.
Common causes
1. Conditional Access policy requires an approved client app or compliant/Intune-managed device, but the broker app is missing
2. Microsoft Authenticator (iOS) or Intune Company Portal (Android) not installed on the device attempting sign-in
3. Broker app installed but the work or school account is not yet registered in it
4. Mobile Power BI / Fabric / Office app using MSAL falling back to the system browser instead of the broker, so device identity cannot be presented
5. Device not Azure AD joined / Hybrid joined / Workplace joined where the CA policy requires it
How to fix it
1. Install the required broker app: Microsoft Authenticator (iOS) or Microsoft Intune Company Portal (Android) from the official app store
2. Open the broker app and add the corporate work or school account; complete device registration / enrollment if Intune prompts for it
3. Retry sign-in to the Power BI Mobile / Fabric / target app; it should now route auth through the broker. Verify with your admin in Entra ID > Sign-in logs that the device shows as compliant
4. If the error persists on a managed device, ask your Entra ID admin to review the relevant Conditional Access policy (Grant controls: 'Require approved client app' or 'Require app protection policy') and confirm the app is on the approved client list
5. For desktop/web Power BI scenarios where this surfaces unexpectedly: confirm the user is hitting the policy from the right device class. CA policies targeting mobile platforms shouldn't trigger on Windows, so check the policy's 'Conditions > Device platforms' filter
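
For the sign-in log check in steps 3 to 5, the following added example (not part of the original page or of any Microsoft tooling) triages sign-in records for error 50127 and maps each one to the fix step that applies. Field names follow the Microsoft Graph signIn resource; the records, policy names and the `next_step` mapping are constructed for illustration.

```python
# Added example: triage AADSTS50127 failures in Entra ID sign-in log records.
BROKER_ERROR = 50127
MOBILE_OS = ("ios", "android")

SAMPLE = [  # constructed records shaped like Graph signIn objects, not real log data
    {"userPrincipalName": "user1@example.com", "appDisplayName": "Power BI Mobile",
     "status": {"errorCode": 50127},
     "deviceDetail": {"operatingSystem": "iOS 17", "deviceId": "", "isCompliant": False},
     "appliedConditionalAccessPolicies": [
         {"displayName": "Mobile: approved apps only", "result": "failure"}]},
    {"userPrincipalName": "user2@example.com", "appDisplayName": "Power BI Mobile",
     "status": {"errorCode": 50127},
     "deviceDetail": {"operatingSystem": "Android 14", "isCompliant": True,
                      "deviceId": "00000000-0000-0000-0000-000000000001"},
     "appliedConditionalAccessPolicies": [
         {"displayName": "Mobile: approved apps only", "result": "failure"},
         {"displayName": "Require MFA", "result": "success"}]},
    {"userPrincipalName": "user3@example.com", "appDisplayName": "Power BI Desktop",
     "status": {"errorCode": 50127},
     "deviceDetail": {"operatingSystem": "Windows10", "deviceId": "", "isCompliant": False},
     "appliedConditionalAccessPolicies": [
         {"displayName": "All platforms: approved apps", "result": "failure"}]},
    {"userPrincipalName": "user4@example.com", "appDisplayName": "Power BI Mobile",
     "status": {"errorCode": 0}, "deviceDetail": {"operatingSystem": "iOS 17"}},
]

def failed_policies(record):
    """Names of Conditional Access policies whose result was 'failure'."""
    applied = record.get("appliedConditionalAccessPolicies") or []
    return [p.get("displayName", "?") for p in applied if p.get("result") == "failure"]

def next_step(record):
    """Map one 50127 record to the fix step on this page that applies."""
    dev = record.get("deviceDetail") or {}
    os_name = (dev.get("operatingSystem") or "").lower()
    if not os_name.startswith(MOBILE_OS):
        return "step 5: check the policy's Device platforms filter"
    if not dev.get("deviceId"):  # no device identity was presented
        return "steps 1-2: install broker app and register the account"
    return "step 4: review grant controls and approved client list"

def triage(records):
    """Return one summary row per sign-in that failed with error 50127."""
    return [{"user": r.get("userPrincipalName"), "app": r.get("appDisplayName"),
             "policies": failed_policies(r), "next_step": next_step(r)}
            for r in records if (r.get("status") or {}).get("errorCode") == BROKER_ERROR]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```
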