Low severityauthentication
Power BI Error:
AADSTS50178
What does this error mean?
Conditional Access session controls cannot be applied to users authenticating via Pass-through Authentication (PTA).
Common causes
- 1A Conditional Access policy with 'Sign-in frequency' or 'Persistent browser session' targets a user signing in via Pass-through Authentication (PTA)
- 2Hybrid identity setup where some users authenticate via on-prem AD through PTA agents instead of cloud-managed credentials
- 3Conditional Access 'Use app enforced restrictions' or 'Use Conditional Access App Control' applied to federated/passthrough accounts
- 4Service accounts or shared mailbox identities synced via PTA being caught in tenant-wide CA policies
- 5Recent migration to Conditional Access where exclusion groups for PTA users were not configured
How to fix it
- 1Identify the affected user's authentication method in Entra ID (Azure AD) → Users → [user] → Authentication methods, and confirm whether they sign in via Pass-through Authentication
- 2In Entra ID → Protection → Conditional Access, locate the policy enforcing session controls (Sign-in frequency / Persistent browser) and review which users/groups are targeted
- 3Exclude the PTA users (or a dedicated 'PTA Users' group) from the session control policy, or scope the policy only to cloud-authenticated users
- 4Long-term: migrate users to Password Hash Synchronization (PHS) via Entra Connect — PHS supports the full set of Conditional Access session controls
- 5For Power BI Service / Fabric: re-test the sign-in or dataset refresh under the updated policy and confirm the AADSTS50178 no longer appears in the sign-in logs