What causes AADSTS50137?

Administrator marked the account with 'User must change password at next sign-in' in Entra ID (Azure AD). Password expired under the tenant's password expiration policy. Identity Protection / risky-user policy forced a password reset due to detected sign-in risk. Conditional Access password-change grant control triggered for this user. Account was recently restored or migrated, leaving the temporary-password flag set

How do I fix AADSTS50137?

Have the affected user sign in at https://aka.ms/sspr (or https://account.activedirectory.windowsazure.com/ChangePassword.aspx) and complete the password change — this clears the flag in seconds.. If SSPR is not enabled for the user, an Entra ID admin must reset the password in the Microsoft Entra admin center → Users → select user → Reset password, and share the temporary credentials securely.. After reset, re-authenticate the affected Power BI / Fabric / ADF data source: in Power BI Service → Dataset → Settings → Data source credentials → Edit credentials, and in ADF/Fabric update the linked service or connection.. Check Entra ID → Protection → Risky users to confirm the user isn't still flagged; dismiss or remediate the risk event if the reset already happened.. For service accounts hitting this repeatedly: switch the data source / linked service to a service principal or managed identity so it isn't subject to interactive password-expiry policies.

Low severityauthentication

Power BI Error:
AADSTS50137, Password Must Be Changed

What does this error mean?

User signed in successfully but Entra ID (Azure AD) requires a password change before access is granted.

Common causes

1Administrator marked the account with 'User must change password at next sign-in' in Entra ID (Azure AD)
2Password expired under the tenant's password expiration policy
3Identity Protection / risky-user policy forced a password reset due to detected sign-in risk
4Conditional Access password-change grant control triggered for this user
5Account was recently restored or migrated, leaving the temporary-password flag set

How to fix it

1Have the affected user sign in at https://aka.ms/sspr (or https://account.activedirectory.windowsazure.com/ChangePassword.aspx) and complete the password change — this clears the flag in seconds.
2If SSPR is not enabled for the user, an Entra ID admin must reset the password in the Microsoft Entra admin center → Users → select user → Reset password, and share the temporary credentials securely.
3After reset, re-authenticate the affected Power BI / Fabric / ADF data source: in Power BI Service → Dataset → Settings → Data source credentials → Edit credentials, and in ADF/Fabric update the linked service or connection.
4Check Entra ID → Protection → Risky users to confirm the user isn't still flagged; dismiss or remediate the risk event if the reset already happened.
5For service accounts hitting this repeatedly: switch the data source / linked service to a service principal or managed identity so it isn't subject to interactive password-expiry policies.

Frequently asked questions

What does AADSTS50137 mean?

Password needs to be changed due to security policy rule.

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes