Critical severity | authentication
Power BI Error: AADSTS50131
What does this error mean?
Sign-in blocked by a Microsoft Entra ID (Azure AD) Conditional Access policy due to device, location, or risk signals.
Common causes
1. Device is not Hybrid Azure AD joined, Intune-compliant, or marked as trusted, while the policy requires a compliant/managed device
2. Sign-in originates from an untrusted location (IP outside named locations, or blocked country) covered by a CA policy
3. Identity Protection flagged the sign-in as risky (risky user / risky sign-in) and the policy blocks medium/high risk
4. Service principal or workload identity falls under a CA policy that doesn't grant it the required controls (e.g. MFA on a non-interactive flow)
5. Required client app type is excluded - e.g. legacy auth / non-browser clients blocked, or Power BI Gateway running under an account that doesn't meet grant controls
How to fix it
1. Open Microsoft Entra ID > Sign-in logs, find the failed sign-in for this user/app, and open the 'Conditional Access' tab on the entry to see exactly which policy applied and which grant control failed
2. If a managed device is required: enroll the device in Intune or complete Hybrid Azure AD join, then have the user sign in again from that device
3. If the failure is location-based: add the gateway/server IP to Named Locations as Trusted, or exclude the service account from the location-scoped policy
4. For Power BI scheduled refresh, ADF linked services, or Fabric pipelines failing under a service principal: exclude the SPN from interactive-MFA policies, or move to a workload identity with a CA policy that grants access via certificate / Managed Identity
5. If risk-based: investigate the user in Identity Protection, dismiss the risk if benign or force a secure password reset, then retry; for persistent false positives, scope the risk policy to exclude the affected service account
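The lookup in step 1 can also be run over an exported sign-in log when many accounts are affected. The following is an added example, not part of the original page: it filters records with error code 50131 and reports each Conditional Access policy whose result is "failure". Field names follow the Microsoft Graph signIn resource; the sample records, account names and grant control values are constructed.

```python
import json

# Constructed sample shaped like Microsoft Graph signIn records
# (the JSON returned by /auditLogs/signIns or downloaded from the portal).
SAMPLE_SIGNINS = json.loads("""[
 {"createdDateTime": "2024-05-02T06:00:11Z",
  "userPrincipalName": "svc-pbi-refresh@contoso.example",
  "appDisplayName": "Power BI Service", "ipAddress": "203.0.113.24",
  "status": {"errorCode": 50131}, "riskLevelDuringSignIn": "none",
  "deviceDetail": {"isCompliant": false, "isManaged": false},
  "appliedConditionalAccessPolicies": [
    {"displayName": "Require compliant device", "result": "failure",
     "enforcedGrantControls": ["RequireCompliantDevice"]},
    {"displayName": "Block high-risk sign-ins", "result": "notApplied",
     "enforcedGrantControls": ["Block"]}]},
 {"createdDateTime": "2024-05-02T06:05:40Z",
  "userPrincipalName": "analyst@contoso.example",
  "appDisplayName": "Power BI Service", "ipAddress": "198.51.100.7",
  "status": {"errorCode": 0}, "riskLevelDuringSignIn": "none",
  "deviceDetail": {"isCompliant": true, "isManaged": true},
  "appliedConditionalAccessPolicies": [
    {"displayName": "Require compliant device", "result": "success",
     "enforcedGrantControls": ["RequireCompliantDevice"]}]}
]""")


def blocked_by_policy(signins, error_code=50131):
    """Return one row per CA policy that failed on a sign-in with error_code."""
    rows = []
    for s in signins:
        if (s.get("status") or {}).get("errorCode") != error_code:
            continue
        device = s.get("deviceDetail") or {}
        for p in s.get("appliedConditionalAccessPolicies") or []:
            if p.get("result") != "failure":
                continue  # ignore success, notApplied and report-only results
            rows.append({
                "time": s.get("createdDateTime"),
                "identity": s.get("userPrincipalName"),
                "ip": s.get("ipAddress"),
                "policy": p.get("displayName"),
                "failed_controls": p.get("enforcedGrantControls", []),
                "device_compliant": device.get("isCompliant"),
                "risk": s.get("riskLevelDuringSignIn"),
            })
    return rows


if __name__ == "__main__":
    for row in blocked_by_policy(SAMPLE_SIGNINS):
        print(row)
```

The policy name and failed control in each row indicate which of the fixes above applies: a device control points to step 2, a location condition to step 3, and a non-"none" risk value to step 5.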