What causes AADSTS50199?

Native/desktop app uses an embedded WebView2 or system webview with a custom URI scheme (e.g. msal-{clientid}://) instead of the safelisted http://, https:// or chrome-extension:// schemes. Mobile browser sign-in flow involves a scheme redirect that triggers the anti-spoofing interrupt for every redirect. Power BI Desktop / Gateway / on-premises data gateway re-authentication where the embedded auth dialog is closed before the user clicks the confirmation. Conditional Access or tenant security settings that escalate confirmation prompts for first-party-looking apps. Automated/headless token acquisition (service principal flow misconfigured to use interactive flow) where no human can click the prompt

How do I fix AADSTS50199?

Register or update the redirect URI in Entra ID (Azure portal → App registrations → Authentication) so it uses https://, http://localhost, or chrome-extension:// — not a custom scheme like msal-xxx://. In native apps, switch from an embedded WebView to the system browser via MSAL: set WithUseEmbeddedWebView(false) (.NET) or SystemWebViewOptions / WithBroker on iOS/Android. For Power BI Desktop / Gateway: sign out (File → Sign out), restart the app, sign back in and explicitly click 'Yes' / 'Continue' on the confirmation prompt before it times out. For unattended scenarios (scheduled refresh, ADF linked services, Fabric pipelines): replace interactive auth with a service principal or managed identity so no user confirmation is required. If the prompt keeps appearing on mobile, ensure the latest MSAL SDK is used and that the app handles the CmsiInterrupt by re-launching the auth request in the system browser

Medium severityauthentication

Power BI Error:
AADSTS50199, User Confirmation Required

What does this error mean?

Microsoft Entra ID (Azure AD) interrupted sign-in to ask the user to confirm the app, blocking automated token acquisition.

Common causes

1Native/desktop app uses an embedded WebView2 or system webview with a custom URI scheme (e.g. msal-{clientid}://) instead of the safelisted http://, https:// or chrome-extension:// schemes
2Mobile browser sign-in flow involves a scheme redirect that triggers the anti-spoofing interrupt for every redirect
3Power BI Desktop / Gateway / on-premises data gateway re-authentication where the embedded auth dialog is closed before the user clicks the confirmation
4Conditional Access or tenant security settings that escalate confirmation prompts for first-party-looking apps
5Automated/headless token acquisition (service principal flow misconfigured to use interactive flow) where no human can click the prompt

How to fix it

1Register or update the redirect URI in Entra ID (Azure portal → App registrations → Authentication) so it uses https://, http://localhost, or chrome-extension:// — not a custom scheme like msal-xxx://
2In native apps, switch from an embedded WebView to the system browser via MSAL: set WithUseEmbeddedWebView(false) (.NET) or SystemWebViewOptions / WithBroker on iOS/Android
3For Power BI Desktop / Gateway: sign out (File → Sign out), restart the app, sign back in and explicitly click 'Yes' / 'Continue' on the confirmation prompt before it times out
4For unattended scenarios (scheduled refresh, ADF linked services, Fabric pipelines): replace interactive auth with a service principal or managed identity so no user confirmation is required
5If the prompt keeps appearing on mobile, ensure the latest MSAL SDK is used and that the app handles the CmsiInterrupt by re-launching the auth request in the system browser

Frequently asked questions

What does AADSTS50199 mean?

For security reasons, user confirmation is required for this request. Interrupt is shown for all scheme redirects in mobile browsers.

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes