Low severity | authentication
Power BI Error: AADSTS50177
What does this error mean?
Entra ID (Azure AD) blocks an external authentication challenge (like MFA or federation) for a passthrough authentication user.
Common causes
1. User is authenticating via Pass-through Authentication (PTA) but Conditional Access requires MFA or another external challenge that PTA can't satisfy
2. Service principal or app is configured for passthrough auth while the tenant enforces MFA on the targeted resource (Power BI, Fabric, Dataverse)
3. Federation/PTA hybrid setup where the user's UPN domain is still routed through an on-prem IdP that doesn't support the challenge type
4. Legacy authentication flow (ROPC, basic auth) attempted against a user that is MFA-enforced via Conditional Access
5. Power BI gateway or ADF linked service using a passthrough/PTA-bound account instead of a managed cloud-only account or service principal
How to fix it
1. Identify the affected account in the Entra ID sign-in logs (Entra admin center → Sign-in logs, filter on error 50177) and confirm whether it authenticates via PTA or federation
2. For Power BI / Fabric / ADF service connections: replace the passthrough user with a cloud-only service principal or a managed account that supports modern auth + MFA
3. If MFA is the trigger, enable Seamless SSO and move MFA enforcement to Entra ID Conditional Access (not on-prem), so the challenge is handled in the cloud instead of via PTA
4. For federated domains: verify the on-prem IdP (ADFS/third-party) supports the requested challenge, or switch the affected user's domain to managed authentication via `Set-MsolDomainAuthentication`
5. Re-test the sign-in with an interactive browser flow to confirm the challenge completes; update the Power BI gateway / ADF linked service credential and re-run the refresh
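For step 1, a sign-in log export can be triaged offline to see which accounts, apps and Conditional Access policies are involved. This is an added example, not code from the original page or from Microsoft; it assumes the export is a JSON array using Microsoft Graph signIn field names, and the accounts, apps and policy names in the sample are constructed.

```python
import json
from collections import defaultdict

# clientAppUsed values reported for modern-auth clients; anything else is a legacy protocol.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}

def _sample(upn, app, client, code, when, policies=()):
    """Build one constructed record using Microsoft Graph signIn field names."""
    return {"userPrincipalName": upn, "appDisplayName": app, "clientAppUsed": client,
            "resourceDisplayName": "Power BI Service", "createdDateTime": when,
            "status": {"errorCode": code},
            "appliedConditionalAccessPolicies":
                [{"displayName": p, "result": "failure"} for p in policies]}

# Constructed sample export (hypothetical accounts and policy names, not real log data).
SAMPLE_EXPORT = json.dumps([
    _sample("svc-gateway@contoso.example", "On-premises data gateway",
            "Mobile Apps and Desktop clients", 50177, "2024-05-01T08:00:00Z",
            ["Require MFA for Power BI"]),
    _sample("SVC-Gateway@contoso.example", "On-premises data gateway",
            "Mobile Apps and Desktop clients", 50177, "2024-05-02T08:00:00Z",
            ["Require MFA for Power BI"]),
    _sample("etl@contoso.example", "Azure Data Factory", "Other clients",
            50177, "2024-05-01T09:30:00Z"),
    _sample("alice@contoso.example", "Power BI Desktop", "Browser",
            0, "2024-05-01T10:00:00Z"),
])

def triage_50177(export_json, error_code=50177):
    """Group failures with error_code by (account, app, resource) for review."""
    groups = defaultdict(lambda: {"count": 0, "legacy_client": False,
                                  "policies": set(), "last_seen": ""})
    for rec in json.loads(export_json):
        if (rec.get("status") or {}).get("errorCode") != error_code:
            continue
        key = ((rec.get("userPrincipalName") or "").lower(),
               rec.get("appDisplayName") or "", rec.get("resourceDisplayName") or "")
        g = groups[key]
        g["count"] += 1
        g["last_seen"] = max(g["last_seen"], rec.get("createdDateTime") or "")
        # Legacy protocols cannot complete an interactive challenge such as MFA.
        g["legacy_client"] |= rec.get("clientAppUsed") not in MODERN_CLIENTS
        for pol in rec.get("appliedConditionalAccessPolicies") or []:
            if pol.get("result") == "failure":
                g["policies"].add(pol.get("displayName") or "")
    rows = [{"user": k[0], "app": k[1], "resource": k[2], **v,
             "policies": sorted(v["policies"])} for k, v in groups.items()]
    return sorted(rows, key=lambda r: (-r["count"], r["user"]))

if __name__ == "__main__":
    for row in triage_50177(SAMPLE_EXPORT):
        print(row)
```

Rows with `legacy_client` set correspond to cause 4; rows naming a failed policy show which Conditional Access rule issued the challenge.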