High severityauthentication
Power BI Error:
AADSTS50167, Invalid pop_jwk key
What does this error mean?
The Proof-of-Possession (PoP) token request contains a malformed or invalid pop_jwk key, so Entra ID rejects the sign-in.
Common causes
- 1The client sent a PoP (Proof-of-Possession) token request with a malformed or unsupported JWK in the pop_jwk parameter
- 2An outdated MSAL (Microsoft Authentication Library) version generates a bound key Entra ID no longer accepts
- 3The JWK is missing required fields (kty, n, e for RSA) or uses an unsupported key type/algorithm
- 4A custom authentication implementation builds the pop_jwk payload incorrectly (wrong base64url encoding, wrong JSON structure)
- 5Conditional Access token-binding policies require PoP but the client/connector doesn't fully support it
How to fix it
- 1Upgrade MSAL to the latest version (MSAL.NET, MSAL.js, MSAL Python, etc.) — most pop_jwk issues are fixed in newer releases that align with Entra ID's current PoP spec
- 2If you control the auth code, verify the pop_jwk is a valid JWK (RFC 7517): correct kty, base64url-encoded modulus/exponent, and matches the algorithm declared in the request
- 3As a temporary workaround, disable Proof-of-Possession and request a standard bearer token — confirm with your security team that bearer tokens are acceptable for the resource
- 4For Power BI / Fabric / ADF: check the on-premises data gateway, custom connector, or service principal flow for an outdated auth library and update it; restart the gateway after upgrading
- 5If the error appears only under Conditional Access, work with your Entra ID admin to review token-binding / PoP policies and confirm the client supports them