Low severity · authentication
Power BI Error:
AADSTS50158, External Security Challenge Not Satisfied
What does this error mean?
Microsoft Entra ID (Azure AD) redirected the user to an additional authentication challenge (MFA, ToU, or external IdP) that wasn't completed.
Common causes
1. Conditional Access policy required MFA and the user cancelled, timed out, or failed the prompt
2. A Conditional Access Terms of Use was assigned and not yet accepted by the user
3. Federated sign-in to an external IdP (ADFS, Okta, Ping, B2B partner tenant) that returned without completing its challenge
4. Third-party MFA / external authentication method provider (Duo, RSA, custom auth extension) didn't return a successful assertion
5. Session/state lost between the redirect and return (cookies blocked, browser closed mid-flow, or device compliance check failed)
How to fix it
1. Open Entra ID → Sign-in logs, filter on the affected user and this error code, and inspect the 'Authentication Details' and 'Conditional Access' tabs to see exactly which challenge (MFA, ToU, external IdP) was triggered and whether it was satisfied or failed.
2. Have the user retry sign-in in a clean browser session (private window, third-party cookies allowed) and complete every prompt — MFA, ToU acceptance, and any external IdP page — without closing tabs in between.
3. If a Terms of Use is the trigger, confirm the user accepts it once; if MFA is the trigger, verify the user's registered authentication methods in Entra ID → Authentication methods and re-register if the device/number changed.
4. If a federated or third-party MFA provider is involved, check that IdP's logs for the same timestamp — the failure usually originates there (expired SAML response, clock skew, blocked country, disabled account) and Entra ID only surfaces the downstream symptom.
5. For service principals or non-interactive Power BI / ADF / Fabric flows: this code shouldn't appear — if it does, the connection is using a user (delegated) credential subject to Conditional Access; switch to a service principal or exclude the automation account from interactive CA policies.
6. If it persists across users, review recently changed Conditional Access policies and external authentication method configurations in Entra ID for misconfiguration.
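The sign-in log review in steps 1, 5 and 6 can be scripted once the logs are exported as JSON. The following is an added example, not part of the original page: it groups 50158 failures by the Conditional Access policy that was not satisfied, counts non-interactive hits, and marks policies failing for more than one user. Field names follow the Microsoft Graph signIn resource; the sample records, policy names and control values are constructed, and `triage` and `NO_POLICY` are hypothetical names.

```python
import json
from collections import defaultdict

# Constructed sample records (not real log data); field names follow the
# Microsoft Graph signIn resource. Policy names and control values are made up.
SAMPLE = json.loads("""[
 {"userPrincipalName": "ana@contoso.example", "isInteractive": true,
  "status": {"errorCode": 50158}, "appliedConditionalAccessPolicies": [
   {"displayName": "Require MFA", "result": "failure", "enforcedGrantControls": ["Mfa"]},
   {"displayName": "Block legacy auth", "result": "notApplied", "enforcedGrantControls": []}]},
 {"userPrincipalName": "ben@contoso.example", "isInteractive": true,
  "status": {"errorCode": 50158}, "appliedConditionalAccessPolicies": [
   {"displayName": "Require MFA", "result": "failure", "enforcedGrantControls": ["Mfa"]}]},
 {"userPrincipalName": "svc-refresh@contoso.example", "isInteractive": false,
  "status": {"errorCode": 50158}, "appliedConditionalAccessPolicies": [
   {"displayName": "Require MFA", "result": "failure", "enforcedGrantControls": ["Mfa"]}]},
 {"userPrincipalName": "cat@contoso.example", "isInteractive": true,
  "status": {"errorCode": 50158}, "appliedConditionalAccessPolicies": []},
 {"userPrincipalName": "dan@contoso.example", "isInteractive": true,
  "status": {"errorCode": 0}, "appliedConditionalAccessPolicies": []}
]""")
NO_POLICY = "(no failing CA policy recorded)"  # then check the external IdP/MFA provider logs

def triage(records, code=50158):
    """Group sign-ins that failed with `code` by the CA policy that was not satisfied."""
    groups = defaultdict(lambda: {"users": set(), "controls": set(), "non_interactive": 0})
    for rec in records:
        if rec.get("status", {}).get("errorCode") != code:
            continue  # successful or unrelated sign-ins
        failed = [p for p in rec.get("appliedConditionalAccessPolicies", [])
                  if p.get("result") == "failure"]
        for pol in failed or [{"displayName": NO_POLICY}]:
            g = groups[pol["displayName"]]
            g["users"].add(rec.get("userPrincipalName", "?").lower())
            g["controls"].update(pol.get("enforcedGrantControls", []))
            if not rec.get("isInteractive", True):
                g["non_interactive"] += 1  # delegated credential used by automation
    return {name: {"users": sorted(g["users"]), "controls": sorted(g["controls"]),
                   "non_interactive": g["non_interactive"],
                   # several users failing one policy points at the policy, not the user
                   "scope": "policy-wide" if len(g["users"]) > 1 else "single-user"}
            for name, g in groups.items()}

if __name__ == "__main__":
    for policy, summary in triage(SAMPLE).items():
        print(policy, summary)
```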