What causes AADSTS50147?

code_challenge shorter than 43 or longer than 128 characters (RFC 7636 violation). code_challenge generated from a code_verifier that wasn't base64url-encoded after SHA-256 hashing, producing wrong length. Padding (=) included in the base64url-encoded code_challenge — must be stripped. Custom OAuth client implementation truncating or zero-padding the challenge string. Outdated MSAL library version with a known PKCE generation bug

How do I fix AADSTS50147?

Capture the failing authorization request URL and inspect the code_challenge query parameter — verify its length is between 43 and 128 characters. If you control the client: regenerate code_verifier as 43–128 chars of [A-Z, a-z, 0-9, -._~], then set code_challenge = BASE64URL(SHA256(verifier)) with NO '=' padding and code_challenge_method=S256. Upgrade to the latest MSAL.js / MSAL.NET / MSAL Python library — the SDKs handle PKCE correctly out of the box, avoiding manual implementation bugs. If using a third-party connector or embedded auth (Power BI custom connector, Logic Apps OAuth, custom ADF linked service), contact the vendor — only the application owner can fix this. As a temporary workaround for first-party Microsoft tools, retry the sign-in flow in a fresh incognito session to rule out a corrupted cached challenge

High severityauthentication

Power BI Error:
AADSTS50147

What does this error mean?

The PKCE code_challenge parameter sent during OAuth 2.0 authorization has an invalid length.

Common causes

1code_challenge shorter than 43 or longer than 128 characters (RFC 7636 violation)
2code_challenge generated from a code_verifier that wasn't base64url-encoded after SHA-256 hashing, producing wrong length
3Padding (=) included in the base64url-encoded code_challenge — must be stripped
4Custom OAuth client implementation truncating or zero-padding the challenge string
5Outdated MSAL library version with a known PKCE generation bug

How to fix it

1Capture the failing authorization request URL and inspect the code_challenge query parameter — verify its length is between 43 and 128 characters
2If you control the client: regenerate code_verifier as 43–128 chars of [A-Z, a-z, 0-9, -._~], then set code_challenge = BASE64URL(SHA256(verifier)) with NO '=' padding and code_challenge_method=S256
3Upgrade to the latest MSAL.js / MSAL.NET / MSAL Python library — the SDKs handle PKCE correctly out of the box, avoiding manual implementation bugs
4If using a third-party connector or embedded auth (Power BI custom connector, Logic Apps OAuth, custom ADF linked service), contact the vendor — only the application owner can fix this
5As a temporary workaround for first-party Microsoft tools, retry the sign-in flow in a fresh incognito session to rule out a corrupted cached challenge

Frequently asked questions

What does AADSTS50147 mean?

Invalid size of the

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes