Low severity · authentication
Power BI Error: AADSTS50156
What does this error mean?
A device code / device token was used to acquire a token for a v2.0 resource endpoint that doesn't accept this grant type.
Common causes
1. The application requested a token via device code flow against a v2.0-only resource (e.g. a Microsoft Graph or Power BI scope) that doesn't accept device tokens
2. Mixing v1.0 (Azure AD) and v2.0 (Microsoft identity platform) endpoints — token issued for the wrong endpoint version
3. App registration in Entra ID (Azure AD) is configured as v2.0-only while the client still calls the legacy /oauth2/devicecode endpoint
4. Using an outdated MSAL/ADAL library that defaults to device-token behavior incompatible with the requested scope
5. Service principal or daemon app incorrectly configured to use device code flow instead of client credentials
How to fix it
1. Identify the failing client and the requested scope/resource in the auth request — confirm whether it targets the v1.0 (/oauth2/token) or v2.0 (/oauth2/v2.0/token) endpoint
2. Replace the device code flow with an appropriate flow for the resource: use authorization code + PKCE for interactive users, or client credentials for service-to-service (Power BI service principals, ADF linked services, Databricks SPN)
3. Upgrade ADAL to MSAL (ADAL is deprecated) and request scopes in the v2.0 format (e.g. https://analysis.windows.net/powerbi/api/.default) instead of v1.0 resource IDs
4. In the Entra ID app registration, verify Authentication → 'Allow public client flows' is only enabled when device code is genuinely required, and align Supported account types with the target tenant
5. Retry sign-in after the flow change; if it's a Power BI gateway or ADF Linked Service, re-edit the connection and reauthenticate with the corrected credential type
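
For the first and third fix steps, a captured token request can be checked offline for endpoint version, grant type and v1.0/v2.0 parameter mixing. This is an added example, not Microsoft or Power BI code; the tenant, client ID, secret and sample request bodies are constructed placeholders, and the `device_code` grant string in the v1.0 sample is an assumption.

```python
from urllib.parse import urlencode, urlparse, parse_qs

def endpoint_version(url):
    """Classify an Entra ID OAuth endpoint URL by its path."""
    path = urlparse(url).path.lower()
    if "/oauth2/v2.0/" in path:
        return "v2.0"
    return "v1.0" if "/oauth2/" in path else "unknown"

def audit_token_request(url, body):
    """Return (endpoint version, findings) for one captured token request."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    version = endpoint_version(url)
    grant = form.get("grant_type", "")
    scopes = form.get("scope", "").split()
    findings = []
    if version == "v2.0" and "resource" in form:
        findings.append("v1.0 'resource' parameter sent to a v2.0 endpoint")
    if version == "v1.0" and scopes and "resource" not in form:
        findings.append("v2.0 'scope' sent to a v1.0 endpoint without 'resource'")
    if "device_code" in grant:
        findings.append("device code grant in use")
        if "client_secret" in form or "client_assertion" in form:
            findings.append("app holds a credential: use client_credentials instead")
    if grant == "client_credentials" and version == "v2.0":
        if not scopes or not all(s.endswith("/.default") for s in scopes):
            findings.append("client_credentials on v2.0 needs '<resource>/.default'")
    return version, findings

# Constructed sample requests (tenant, client ID and secret are placeholders).
BASE = "https://login.microsoftonline.com/contoso.onmicrosoft.com"
CLIENT = "00000000-0000-0000-0000-000000000000"
PBI = "https://analysis.windows.net/powerbi/api"
SAMPLES = {
    "legacy device code": (BASE + "/oauth2/token", urlencode({
        "grant_type": "device_code", "client_id": CLIENT,  # assumed v1.0 grant string
        "resource": PBI, "code": "PLACEHOLDER"})),
    "mixed versions": (BASE + "/oauth2/v2.0/token", urlencode({
        "grant_type": "urn:ietf:params:oauth:grant-type:device_code",
        "client_id": CLIENT, "resource": PBI, "device_code": "PLACEHOLDER"})),
    "corrected daemon": (BASE + "/oauth2/v2.0/token", urlencode({
        "grant_type": "client_credentials", "client_id": CLIENT,
        "client_secret": "PLACEHOLDER", "scope": PBI + "/.default"})),
}

if __name__ == "__main__":
    for name, (url, body) in SAMPLES.items():
        version, findings = audit_token_request(url, body)
        print(f"{name}: {version} -> {findings or 'no findings'}")
```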