Low severityauthentication
Power BI Error:
AADSTS50164, Access token issued for the wrong audience
What does this error mean?
The access token was issued for a different resource (audience) than the API or service it is being presented to.
Common causes
- 1Token was acquired with the wrong `scope` or `resource` parameter (e.g. Microsoft Graph token used to call the Power BI REST API).
- 2Reusing a cached token across multiple APIs that each require their own audience-specific token.
- 3Service principal / app registration is missing the API permission for the target resource, so MSAL falls back to a token for a different audience.
- 4On-Behalf-Of (OBO) flow exchanges the incoming token for the wrong downstream resource.
- 5Hard-coded `resource` GUID points to a deprecated or incorrect API (e.g. old AAD Graph instead of Microsoft Graph, or wrong Power BI resource ID `https://analysis.windows.net/powerbi/api`).
How to fix it
- 1Decode the failing access token at jwt.ms and inspect the `aud` claim — confirm it does not match the API you are calling, and note what audience was actually issued.
- 2In your MSAL / OAuth client, set the correct scope for the target API: Power BI → `https://analysis.windows.net/powerbi/api/.default`, Microsoft Graph → `https://graph.microsoft.com/.default`, Fabric → `https://api.fabric.microsoft.com/.default`. Acquire a separate token per resource — do not reuse tokens across audiences.
- 3In the Entra ID (Azure AD) app registration under *API permissions*, verify the required permission for the target API is added and admin-consented; without it MSAL cannot mint a token for that audience.
- 4Clear the MSAL token cache (or restart the calling service) so a stale token for the wrong resource is not returned, then re-acquire.
- 5For OBO / delegated flows, ensure the downstream `scope` passed to `AcquireTokenOnBehalfOf` matches the target API exactly, and that the upstream token includes that resource in its allowed audiences.