Medium severity · authentication

Power BI Error:
AADSTS50129

What does this error mean?

The signing-in device is not Workplace Joined (Hybrid/Azure AD registered), which a Conditional Access policy requires.

Common causes

  • A Conditional Access policy requires 'Hybrid Azure AD joined' or 'compliant device' but the device is unregistered (BYOD, personal laptop, unmanaged VM)
  • The user is signing in from a non-domain-joined machine (e.g. a build agent, ADF self-hosted IR host, or on-prem gateway server) that was never Workplace Joined to Entra ID
  • Workplace Join previously succeeded but the device record was deleted or its certificate expired in Entra ID
  • The Power BI Gateway / ADF Integration Runtime service account signs in from a server that isn't registered in Entra ID
  • Browser/OS doesn't pass the PRT (Primary Refresh Token) — e.g. non-Edge/Chrome browser without the Windows Accounts extension, or Linux/Mac without Microsoft Intune Company Portal

How to fix it

  1. Identify which Conditional Access policy is enforcing device state: in the Entra admin center go to Protection → Conditional Access → Insights and reporting, filter on the user/app and look for a Grant control 'Require Hybrid Azure AD joined device' or 'Require device to be marked as compliant'
  2. Workplace Join / register the device: on Windows go to Settings → Accounts → Access work or school → Connect, and sign in with the work account; verify with `dsregcmd /status` that AzureAdJoined or WorkplaceJoined = YES
  3. For service hosts (Power BI on-prem Gateway, ADF self-hosted IR, Databricks linked services): either register the host in Entra ID, or switch the connection to a service principal / managed identity which is exempt from the device-state CA grant
  4. If registration isn't feasible, scope the Conditional Access policy to exclude the affected app or service account, or add a trusted-network/named-location exclusion — coordinate with your security team before changing CA
  5. If the device should already be joined: check the device record in Entra ID → Devices, remove a stale entry, then re-run Workplace Join; reboot to refresh the PRT
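
The `dsregcmd /status` check from step 2, as an added example that is not from the original page or from Microsoft: a PowerShell function that parses the command's output and maps the device state to the relevant step above. The function name `Get-DeviceJoinState` and the sample output are constructed for illustration; `DomainJoined` and `AzureAdPrt` are further fields that `dsregcmd /status` prints alongside the two named in step 2.

```powershell
# Added example: classify device registration state from `dsregcmd /status` output.
function Get-DeviceJoinState {
    param(
        [Parameter(Mandatory)]
        [AllowEmptyString()]     # real dsregcmd output contains blank lines
        [string[]]$StatusLines   # lines printed by `dsregcmd /status`
    )

    # dsregcmd prints "Name : Value" pairs; section banners do not match.
    $fields = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(\w+)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    $aadJoined = $fields['AzureAdJoined']   -eq 'YES'
    $domJoined = $fields['DomainJoined']    -eq 'YES'
    $wpJoined  = $fields['WorkplaceJoined'] -eq 'YES'
    $hasPrt    = $fields['AzureAdPrt']      -eq 'YES'

    if     ($aadJoined -and $domJoined) { $state = 'Hybrid joined' }
    elseif ($aadJoined)                 { $state = 'Entra joined' }
    elseif ($wpJoined)                  { $state = 'Registered (Workplace Joined)' }
    else                                { $state = 'Not registered' }

    # Map the state to the next step from the fix list above.
    if ($state -eq 'Not registered') { $next = 'Register the device (step 2) or use a service principal (step 3)' }
    elseif (-not $hasPrt)            { $next = 'Joined but no PRT: check the device record and reboot (step 5)' }
    else                             { $next = 'Device state present: check which CA grant applies (step 1)' }

    [pscustomobject]@{ JoinState = $state; HasPrt = $hasPrt; NextStep = $next }
}

# Constructed sample: a domain-joined server that was never registered in Entra ID.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : NO
              DomainJoined : YES
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
           WorkplaceJoined : NO
'@ -split '\r?\n'

Get-DeviceJoinState -StatusLines $sample
# On a real host: Get-DeviceJoinState -StatusLines (dsregcmd /status)
```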

Frequently asked questions

What does AADSTS50129 mean?

Workplace join is required to register the device.

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes
