Low severity | authentication
Power BI Error: AADSTS50171
What does this error mean?
The requested token audience is restricted to Mutual TLS (mTLS) token endpoints and cannot be issued via the standard token endpoint.
Common causes
1. The client requested a token for a resource that requires Mutual-TLS sender-constrained tokens (RFC 8705), but used the standard token endpoint instead of the mTLS endpoint (e.g. mtlsauth.microsoft.com).
2. The application is configured for certificate-based authentication / token binding, but the client is sending a client_secret or no certificate at all on the TLS handshake.
3. The client uses a stale audience/resource identifier (e.g. an old Power BI / Fabric / ADF resource URI) that has since been migrated to mTLS-only issuance.
4. First-party Microsoft service audiences (internal) are being requested by a third-party app — these audiences are reserved for mTLS-bound first-party callers.
5. MSAL/ADAL or a custom OAuth client is hardcoded to the v2.0 /token endpoint while the resource demands the mTLS variant.
How to fix it
1. Switch the token request from `https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token` to the Mutual-TLS endpoint `https://{tenant}.mtlsauth.microsoft.com/{tenant}/oauth2/v2.0/token` and present a valid client certificate during the TLS handshake.
2. Verify the `scope` / `resource` parameter — request a token for the audience your app is actually entitled to (e.g. `https://analysis.windows.net/powerbi/api/.default` for Power BI), not an internal Microsoft audience that is mTLS-restricted.
3. Configure the app registration in Microsoft Entra ID for certificate credentials (Certificates & secrets → Certificates) and remove reliance on client secrets if the resource enforces token binding.
4. In MSAL, use `ConfidentialClientApplicationBuilder.WithCertificate(...)` (or the Python/JS equivalent) instead of `WithClientSecret(...)`, and ensure the MSAL version supports mTLS PoP tokens.
5. If this happens in an ADF / Fabric / Synapse linked service or Power BI gateway, recreate the connection with a service principal that uses certificate authentication and confirm the gateway machine trusts the certificate chain.
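The following Python helper, added here as an illustration and not part of the original page or of MSAL, builds a certificate-bound client-credentials request against the mTLS endpoint shape given above and triages an AADSTS50171 response by checking a prepared request against causes 1 and 2. Function names, the sample tenant/client values and the error body are constructed; it uses only the standard library and does not send any traffic.

```python
import re
from typing import Optional
from urllib.parse import urlparse

STANDARD_HOST = "login.microsoftonline.com"
MTLS_HOST_SUFFIX = "mtlsauth.microsoft.com"
POWER_BI_SCOPE = "https://analysis.windows.net/powerbi/api/.default"


def standard_token_url(tenant: str) -> str:
    return f"https://{STANDARD_HOST}/{tenant}/oauth2/v2.0/token"


def mtls_token_url(tenant: str) -> str:
    # Mutual-TLS endpoint shape as given on this page.
    return f"https://{tenant}.{MTLS_HOST_SUFFIX}/{tenant}/oauth2/v2.0/token"


def build_cert_request(tenant: str, client_id: str, scope: str,
                       cert_path: str, key_path: str):
    """Client-credentials request bound to a certificate. The returned
    (cert, key) pair is what requests.post(url, data=form, cert=tls_cert)
    would present on the TLS handshake; no client_secret is included.
    (Whether Entra also expects a client_assertion JWT is left to MSAL.)"""
    form = {"grant_type": "client_credentials", "client_id": client_id, "scope": scope}
    return mtls_token_url(tenant), form, (cert_path, key_path)


def aadsts_code(error_body: dict) -> Optional[str]:
    """Pull the AADSTS code out of an Entra token-endpoint error response."""
    match = re.search(r"AADSTS(\d+)", error_body.get("error_description", ""))
    return match.group(1) if match else None


def diagnose_50171(url: str, form: dict, tls_cert) -> list:
    """Check a prepared token request against the causes listed above;
    an empty list means none of the checked causes apply."""
    findings = []
    host = urlparse(url).hostname or ""
    if not host.endswith(MTLS_HOST_SUFFIX):
        findings.append(f"token requested from {host}; use the mtlsauth endpoint")
    if "client_secret" in form:
        findings.append("client_secret present; mTLS-bound tokens need a certificate credential")
    if tls_cert is None:
        findings.append("no client certificate presented on the TLS handshake")
    return findings


if __name__ == "__main__":
    # Constructed failing response plus the misconfigured request that produced it.
    err = {"error": "invalid_request",
           "error_description": "AADSTS50171: The requested token audience is restricted ..."}
    bad = (standard_token_url("TENANT-ID-PLACEHOLDER"),
           {"grant_type": "client_credentials", "client_id": "APP-ID-PLACEHOLDER",
            "client_secret": "***", "scope": POWER_BI_SCOPE}, None)
    if aadsts_code(err) == "50171":
        for finding in diagnose_50171(*bad):
            print("-", finding)
```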