High severity | authentication
Power BI Error: AADSTS50138
What does this error mean?
Microsoft Entra ID (Azure AD) cannot decrypt the session token because the encryption key environment is invalid or mismatched.
Common causes
1. Stale or corrupted session cookie/token cached in the browser or Power BI Desktop credential store
2. Sign-in attempt routed to a different Microsoft Entra ID environment (e.g. Public vs. GCC/GCC-High/DoD) than where the key was issued
3. Cross-tenant token replay: a token issued for tenant A is being presented to tenant B
4. Federated identity provider (ADFS / third-party IdP) issuing a token signed with a key Entra ID can no longer resolve
5. Clock skew or expired key rollover on the federated STS, leaving Entra ID unable to validate the encrypted assertion
How to fix it
1. Sign out completely and clear browser cookies for login.microsoftonline.com and login.live.com, then retry the sign-in flow
2. In Power BI Desktop, go to File → Options → Data source settings → Global permissions, remove the cached credentials for the affected source, and re-authenticate
3. Verify the user is signing in to the correct Microsoft Entra ID cloud (Commercial, GCC, GCC-High, DoD, China); the auth endpoint must match the tenant's environment
4. If a federated IdP (ADFS, Okta, Ping) is involved, ask the IdP admin to verify the token-signing/encryption certificates are current and rolled over correctly in Entra ID's federation trust
5. If the issue persists across users, open a support ticket via the Microsoft 365 admin center with the correlation ID and timestamp from the error page
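For step 3, one way to check that a client's sign-in authority is in the same cloud as the tenant is to compare it with the tenant's OpenID Connect discovery document (`<authority>/.well-known/openid-configuration`), which carries `cloud_instance_name` and `authorization_endpoint`. This is an added example, not part of the original page or Microsoft's code; `check_authority` is a hypothetical helper, and the two discovery documents and the all-zero tenant ID are constructed samples.

```python
from urllib.parse import urlsplit

TENANT = "00000000-0000-0000-0000-000000000000"  # constructed placeholder tenant ID

# Constructed samples shaped like Entra ID discovery documents (trimmed).
COMMERCIAL_DOC = {
    "authorization_endpoint":
        "https://login.microsoftonline.com/%s/oauth2/v2.0/authorize" % TENANT,
    "cloud_instance_name": "microsoftonline.com",
}
USGOV_DOC = {
    "authorization_endpoint":
        "https://login.microsoftonline.us/%s/oauth2/v2.0/authorize" % TENANT,
    "cloud_instance_name": "microsoftonline.us",
}


def _host(url):
    """Lower-cased hostname of a URL, without a trailing dot ('' if none)."""
    return (urlsplit(str(url)).hostname or "").rstrip(".").lower()


def check_authority(authority_url, discovery):
    """Compare a client's sign-in authority with the tenant's discovery document.

    Returns a list of findings; an empty list means the hosts agree.
    """
    used = _host(authority_url)
    if not used:
        return ["authority URL has no host: %r" % (authority_url,)]
    findings = []
    instance = str(discovery.get("cloud_instance_name", "")).lower()
    if not instance:
        findings.append("discovery document has no cloud_instance_name")
    elif used != instance and not used.endswith("." + instance):
        findings.append("authority host %s is not in cloud %s" % (used, instance))
    # The tenant's own authorize endpoint shows where sign-in should be sent.
    expected = _host(discovery.get("authorization_endpoint", ""))
    if expected and expected != used:
        findings.append("tenant's authorization_endpoint is on %s" % expected)
    return findings
```

A non-empty result for a government-cloud tenant reached through the commercial authority points at cause 2 rather than at a stale cookie.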