High severity | authentication
Power BI Error:
AADSTS50168, Windows 10 SSO Token Missing or Expired
What does this error mean?
The Windows 10 Accounts broker has no valid SSO token, so the sign-in flow is interrupted to fetch a fresh one.
Common causes
1. Cached SSO token in the Windows 10/11 Web Account Manager (WAM) broker has expired and needs to be refreshed
2. No SSO token was issued to the client because the device is not properly Entra-joined or Hybrid-joined (Azure AD Device Registration broken)
3. Microsoft Account / AAD broker plug-in on Windows is disabled, corrupted, or blocked by Group Policy / Intune configuration
4. MSAL or ADAL client is configured to use WAM but the work account is missing from Windows Settings → Accounts → Access work or school
5. Conditional Access or Token Lifetime policy forced an early token revocation, requiring the broker to obtain a new token
How to fix it
1. Retry the sign-in once — AADSTS50168 is often self-healing because the client is instructed to fetch a fresh SSO token via the WAM broker
2. On the affected Windows machine, open Settings → Accounts → Access work or school and verify the corporate account is connected; if missing, re-add it and run `dsregcmd /status` to confirm AzureAdJoined / WorkplaceJoined = YES
3. Clear stale broker tokens: sign out of the application, run `dsregcmd /refreshprt` (or reboot), and let the Web Account Manager reissue tokens on next login
4. If the application uses MSAL, ensure WAM is enabled correctly (`WithBroker(true)` / `WithParentActivityOrWindow`) and that the redirect URI `ms-appx-web://microsoft.aad.brokerplugin/{client_id}` is registered on the Entra ID app registration
5. For fleet-wide issues, check Intune/GPO settings that disable the AAD broker plug-in (`HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin`) and review Conditional Access sign-in logs in Entra ID for the failing user/device
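
The device-side checks from steps 2, 3 and 5, as an added PowerShell example that is not part of the original page. The function names and the sample `dsregcmd /status` output are constructed, and the `AzureAdPrt` field (real `dsregcmd` output, but not named on this page) is assumed to be the indicator of a missing SSO token.

```powershell
# Parse "Key : Value" lines from `dsregcmd /status`; banner and blank lines are skipped.
function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\w+)\s*:\s*(.*?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    $state
}

# Map the parsed state to the causes listed on this page (hypothetical helper).
function Get-SsoFinding {
    param([hashtable]$State)
    if ($State['AzureAdJoined'] -ne 'YES' -and $State['WorkplaceJoined'] -ne 'YES') {
        'Not AzureAdJoined or WorkplaceJoined: re-add the account under Access work or school.'
    }
    # AzureAdPrt is the dsregcmd field for the user's Primary Refresh Token (assumption:
    # used here as the "SSO token" indicator; the page does not name this field).
    if ($State['AzureAdPrt'] -ne 'YES') {
        'AzureAdPrt is not YES: run dsregcmd /refreshprt (or reboot) and sign in again.'
    }
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
    if (Test-Path $policyKey) {
        "Policy key present, review its values: $policyKey"
    }
}

# Constructed sample output. On a real machine, run as the affected user:
#   $lines = dsregcmd /status
$lines = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
              DomainJoined : NO
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
           WorkplaceJoined : NO
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : NO
'@ -split '\r?\n'

$findings = @(Get-SsoFinding -State (ConvertFrom-DsregStatus -Lines $lines))
if ($findings.Count -eq 0) { 'No device-side cause found; check Entra ID sign-in logs.' }
else { $findings }
```

Run it in the affected user's session rather than an elevated session under another account, because the SSO state that `dsregcmd /status` reports is per user.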