What causes AADSTS50141?

The PoP/session key in the token request is bound to a different user than the one signing in (common with WAM broker or shared workstations). Stale Web Account Manager (WAM) or token broker cache holding a previous user's protected key. Hybrid-joined or Entra-joined device registered to another user, while a different user attempts interactive sign-in. Primary Refresh Token (PRT) mismatch after a user switch without full sign-out. Application using MSAL with an incorrect account hint or cached IAccount from a previous session

How do I fix AADSTS50141?

Sign out fully from Power BI Desktop / Power BI Service / the affected app and clear the Windows credential cache: Control Panel → Credential Manager → remove all 'MicrosoftOffice' and 'MicrosoftAccount' entries. Clear the MSAL/WAM token cache: delete %LOCALAPPDATA%\Microsoft\IdentityCache and %LOCALAPPDATA%\.IdentityService, then restart the machine. If on a shared or hybrid-joined device, run `dsregcmd /status` to verify the device is registered to the correct user; if not, re-register with `dsregcmd /leave` followed by re-join. In application code (MSAL), call `RemoveAsync(account)` for any cached IAccount before acquiring a token for a different user, instead of relying on silent acquisition. If the error persists across users on the same device, raise a support ticket with the correlation ID — protected-key mismatches occasionally indicate a device certificate that needs reissuing by the Entra ID admin

Low severityauthentication

Power BI Error:
AADSTS50141

What does this error mean?

The Proof-of-Possession (PoP) key bound to the token doesn't match the user being authenticated by Entra ID.

Common causes

1The PoP/session key in the token request is bound to a different user than the one signing in (common with WAM broker or shared workstations)
2Stale Web Account Manager (WAM) or token broker cache holding a previous user's protected key
3Hybrid-joined or Entra-joined device registered to another user, while a different user attempts interactive sign-in
4Primary Refresh Token (PRT) mismatch after a user switch without full sign-out
5Application using MSAL with an incorrect account hint or cached IAccount from a previous session

How to fix it

1Sign out fully from Power BI Desktop / Power BI Service / the affected app and clear the Windows credential cache: Control Panel → Credential Manager → remove all 'MicrosoftOffice' and 'MicrosoftAccount' entries
2Clear the MSAL/WAM token cache: delete %LOCALAPPDATA%\Microsoft\IdentityCache and %LOCALAPPDATA%\.IdentityService, then restart the machine
3If on a shared or hybrid-joined device, run `dsregcmd /status` to verify the device is registered to the correct user; if not, re-register with `dsregcmd /leave` followed by re-join
4In application code (MSAL), call `RemoveAsync(account)` for any cached IAccount before acquiring a token for a different user, instead of relying on silent acquisition
5If the error persists across users on the same device, raise a support ticket with the correlation ID — protected-key mismatches occasionally indicate a device certificate that needs reissuing by the Entra ID admin

Frequently asked questions

What does AADSTS50141 mean?

Protected key isn't intended for the authenticated user.

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes