What causes AADSTS50142?

A Conditional Access policy with the 'Change password' grant control is targeting this user (often triggered by Identity Protection user-risk evaluation). The account was flagged as risky or compromised in Microsoft Entra ID Protection, forcing a secure password reset. An administrator manually reset the password and set 'User must change password at next sign-in'. The password has expired under the tenant's password policy. The sign-in is happening through a non-interactive flow (service principal, ROPC, embedded webview, dataset gateway credentials) that cannot complete the interactive password-change prompt

How do I fix AADSTS50142?

Have the affected user sign in interactively at https://portal.office.com or https://myaccount.microsoft.com and complete the forced password change — this clears the Conditional Access requirement. If the error occurred on a Power BI dataset, dataflow, or gateway data source: re-enter the credentials under Settings → Data source credentials → Edit credentials after the password change. In the Entra admin center, open Protection → Conditional Access → Sign-in logs, find the failed sign-in for this user, and inspect the 'Conditional Access' tab to confirm which policy fired and why. Check Entra ID Protection → Risky users; if the user is flagged, confirm or dismiss the risk after the password reset to prevent the policy from firing again on the next sign-in. For service / automation accounts hitting this error, switch to a service principal or managed identity — interactive password-change prompts cannot be answered by headless flows

Medium severityauthentication

Power BI Error:
AADSTS50142

What does this error mean?

Sign-in blocked because a Conditional Access policy requires the user to change their password before continuing.

Common causes

1A Conditional Access policy with the 'Change password' grant control is targeting this user (often triggered by Identity Protection user-risk evaluation)
2The account was flagged as risky or compromised in Microsoft Entra ID Protection, forcing a secure password reset
3An administrator manually reset the password and set 'User must change password at next sign-in'
4The password has expired under the tenant's password policy
5The sign-in is happening through a non-interactive flow (service principal, ROPC, embedded webview, dataset gateway credentials) that cannot complete the interactive password-change prompt

How to fix it

1Have the affected user sign in interactively at https://portal.office.com or https://myaccount.microsoft.com and complete the forced password change — this clears the Conditional Access requirement
2If the error occurred on a Power BI dataset, dataflow, or gateway data source: re-enter the credentials under Settings → Data source credentials → Edit credentials after the password change
3In the Entra admin center, open Protection → Conditional Access → Sign-in logs, find the failed sign-in for this user, and inspect the 'Conditional Access' tab to confirm which policy fired and why
4Check Entra ID Protection → Risky users; if the user is flagged, confirm or dismiss the risk after the password reset to prevent the policy from firing again on the next sign-in
5For service / automation accounts hitting this error, switch to a service principal or managed identity — interactive password-change prompts cannot be answered by headless flows

Frequently asked questions

What does AADSTS50142 mean?

Password change is required due to a Condit

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes