Low severity, authentication
Power BI Error: AADSTS50165
What does this error mean?
Microsoft Entra ID (Azure AD) rejected the sign-in because the app requested a token encryption algorithm that isn't supported for this token type.
Common causes
1. App registration manifest specifies a tokenEncryptionKeyId pointing to a key with an unsupported algorithm (e.g. RSA-OAEP-256 where only RSA1_5 / RSA-OAEP is accepted for that token type)
2. SAML token encryption is enabled with a certificate using an algorithm Entra ID doesn't support for SAML assertion encryption
3. Custom signing key uploaded to the app registration uses an unsupported key size or algorithm
4. OIDC ID token encryption is configured but the algorithm mismatches the supported set (only certain JWE alg/enc combinations are valid)
5. Stale or rotated encryption certificate in Entra ID is still referenced by the app while the algorithm has been deprecated
How to fix it
1. Open the app registration in the Microsoft Entra admin center → Manifest, and inspect the 'tokenEncryptionKeyId' and 'keyCredentials' entries; note the algorithm in use
2. For SAML apps: go to Enterprise applications → your app → Single sign-on → SAML Signing Certificate / Token encryption, and verify the encryption certificate uses a supported algorithm (RSA-OAEP with AES-CBC/AES-GCM); re-upload a compliant certificate if not
3. For OIDC apps: remove the tokenEncryptionKeyId from the manifest (or set it to null) to fall back to standard signed tokens, then re-test sign-in
4. If you require encrypted tokens, generate a new certificate with a supported algorithm (RSA 2048+), upload it under Certificates & secrets, and reference its keyId in tokenEncryptionKeyId
5. After changes, wait ~5 minutes for propagation and retry; capture the correlation ID from the next failure for a Microsoft support case if it persists
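As an added example (not from this page or from Microsoft), a small Python check over an exported app manifest for the key-reference problems listed above: the referenced key missing from keyCredentials (a stale or rotated certificate), the wrong usage, or a validity window that has lapsed, plus the step 3 fallback that clears tokenEncryptionKeyId. The manifest fragment is constructed; the check does not parse the certificate itself, so the key's algorithm and size still have to be read from the certificate as in step 1.

```python
import json
from datetime import datetime, timezone

# Constructed sample manifest fragment (not from a real tenant): the app references
# an encryption key by id; keyCredentials lists the certificates uploaded to the app.
SAMPLE_MANIFEST = json.dumps({
    "tokenEncryptionKeyId": "11111111-2222-3333-4444-555555555555",
    "keyCredentials": [
        {"keyId": "11111111-2222-3333-4444-555555555555", "type": "AsymmetricX509Cert",
         "usage": "Encrypt", "displayName": "old-enc-cert",
         "startDateTime": "2022-01-01T00:00:00Z", "endDateTime": "2023-01-01T00:00:00Z"},
        {"keyId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "type": "AsymmetricX509Cert",
         "usage": "Verify", "displayName": "signing-cert",
         "startDateTime": "2024-01-01T00:00:00Z", "endDateTime": "2026-01-01T00:00:00Z"},
    ],
})

def parse_iso(ts):
    # Manifest timestamps are ISO 8601 with a trailing 'Z'; keep 3.7+ compatibility
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def check_token_encryption(manifest_json, now=None):
    """Return a list of findings about the tokenEncryptionKeyId / keyCredentials pairing.
    `now` is an optional ISO 8601 string so runs are reproducible; defaults to current UTC."""
    m = json.loads(manifest_json)
    now_dt = parse_iso(now) if now else datetime.now(timezone.utc)
    key_id = m.get("tokenEncryptionKeyId")
    if not key_id:
        return ["tokenEncryptionKeyId not set: tokens are signed only, no encryption key applies"]
    creds = {c["keyId"]: c for c in m.get("keyCredentials", [])}
    cred = creds.get(key_id)
    if cred is None:
        return [f"tokenEncryptionKeyId {key_id} matches no keyCredentials entry (stale or rotated key)"]
    findings = []
    if cred.get("type") != "AsymmetricX509Cert":
        findings.append(f"key {key_id} has type {cred.get('type')!r}, expected 'AsymmetricX509Cert'")
    if cred.get("usage") != "Encrypt":
        findings.append(f"key {key_id} has usage {cred.get('usage')!r}, expected 'Encrypt'")
    if parse_iso(cred["endDateTime"]) < now_dt:
        findings.append(f"key {key_id} expired on {cred['endDateTime']}")
    if parse_iso(cred["startDateTime"]) > now_dt:
        findings.append(f"key {key_id} is not valid before {cred['startDateTime']}")
    return findings

def fallback_to_signed_tokens(manifest_json):
    """Step 3 fix: clear tokenEncryptionKeyId so Entra ID issues standard signed tokens."""
    m = json.loads(manifest_json)
    m["tokenEncryptionKeyId"] = None
    return json.dumps(m, indent=2)

if __name__ == "__main__":
    for line in check_token_encryption(SAMPLE_MANIFEST, now="2025-01-01T00:00:00Z"):
        print("FINDING:", line)
```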