Medium severity | authentication
Power BI Error:
AADSTS50146, app-specific signing key missing or expired
What does this error mean?
The Entra ID (Azure AD) application has no valid app-specific token signing key configured, or the key has expired.
Common causes
1. The app registration has no token signing certificate uploaded while the app manifest requires one (e.g. SAML SSO enterprise apps, custom-signed token apps)
2. The previously uploaded signing certificate has expired (notBefore/notAfter outside current time)
3. The signing key was rolled but the new keyId was never activated as the active token signing key in the app manifest
4. Manifest property 'tokenEncryptionKeyId' or 'keyCredentials' references a key that no longer exists in the tenant
5. Multi-tenant app where the customer tenant's admin has not configured a signing key for their copy of the enterprise application
How to fix it
1. Open Microsoft Entra admin center → Enterprise applications (or App registrations) → select the failing app, and check Certificates & secrets / Token signing certificate
2. If no certificate is present, generate or upload a new token signing certificate and mark it as active in the app manifest (set the matching keyId)
3. If the certificate is present but expired, create a new one, activate it, and remove the expired entry; update any relying party with the new public key
4. For SAML-based SSO apps: under Single sign-on → SAML Signing Certificate, click 'New Certificate', activate it, then save and re-test sign-in
5. If you don't own the app (third-party SaaS), contact the application vendor — only the app owner can rotate the signing key
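
An added example (not from the original page or from Microsoft) that checks an exported application object for the certificate-related causes listed under Common causes: expired or not-yet-valid keys, no currently valid signing key, and a 'tokenEncryptionKeyId' that points at a missing key. It assumes the JSON follows the Microsoft Graph application shape (keyCredentials entries with keyId, usage, startDateTime, endDateTime); the sample object, its GUIDs and the function name audit_signing_keys are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample (not real tenant data). Field names assume the
# Microsoft Graph application/servicePrincipal JSON shape.
SAMPLE_APP = json.loads("""
{
  "displayName": "example-app",
  "tokenEncryptionKeyId": "00000000-0000-0000-0000-0000000000ff",
  "keyCredentials": [
    {"keyId": "00000000-0000-0000-0000-000000000001", "usage": "Sign",
     "startDateTime": "2021-01-01T00:00:00Z", "endDateTime": "2023-01-01T00:00:00Z"},
    {"keyId": "00000000-0000-0000-0000-000000000002", "usage": "Verify",
     "startDateTime": "2024-01-01T00:00:00Z", "endDateTime": "2027-01-01T00:00:00Z"}
  ]
}
""")

def _ts(value):
    # Accept a trailing "Z" on Python versions whose fromisoformat rejects it.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_signing_keys(app, now=None):
    """Return a list of (finding, keyId) tuples for one exported app object."""
    now = now or datetime.now(timezone.utc)
    keys = app.get("keyCredentials") or []
    findings, valid_sign = [], 0
    for k in keys:
        start, end = _ts(k["startDateTime"]), _ts(k["endDateTime"])
        if end <= now:
            findings.append(("expired", k["keyId"]))
        elif start > now:
            findings.append(("not_yet_valid", k["keyId"]))
        elif k.get("usage") == "Sign":  # assumption: signing keys carry usage "Sign"
            valid_sign += 1
    if valid_sign == 0:
        findings.append(("no_valid_signing_key", None))
    # A tokenEncryptionKeyId must match a keyId still present in keyCredentials.
    enc_id = app.get("tokenEncryptionKeyId")
    if enc_id and enc_id not in {k["keyId"] for k in keys}:
        findings.append(("dangling_tokenEncryptionKeyId", enc_id))
    return findings

if __name__ == "__main__":
    for kind, key_id in audit_signing_keys(SAMPLE_APP):
        print(kind, key_id or "")
```

An empty result means none of these conditions were found in the exported object; it does not cover a key that was rolled but never activated.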