Low severityauthentication
Power BI Error:
AADSTS51005
What does this error mean?
Azure AD (Entra ID) returned an HTTP 307 redirect; the client must re-issue the request to the URL in the Location header.
Common causes
- 1HTTP client or SDK does not follow 307 redirects automatically (curl without -L, custom HttpClient with AllowAutoRedirect=false, older MSAL/ADAL versions)
- 2Client follows the redirect but downgrades POST to GET, losing the original token request body
- 3Corporate proxy, WAF, or reverse proxy strips the Location header or rewrites login.microsoftonline.com endpoints
- 4Hardcoded Azure AD endpoint pointing at a region/tenant that has been moved — Entra ID redirects to the new authority but the client ignores it
- 5On-Premises Data Gateway or a Power BI / ADF integration runtime running an outdated build that mishandles 307 responses during OAuth token acquisition
How to fix it
- 1Stop hardcoding login.microsoftonline.com endpoints and let MSAL / the official Azure SDK resolve the authority — these libraries handle 307 (including POST-preserving redirects) correctly out of the box.
- 2If you control the HTTP client, enable automatic redirect following AND ensure POST body + Authorization headers are re-sent on the redirect (HttpClientHandler.AllowAutoRedirect = true, or curl -L --post301 --post302 --post307).
- 3Update MSAL / ADAL, the On-Premises Data Gateway, and any Self-hosted Integration Runtime (ADF) to the latest version — older builds have known issues with 307 handling on token endpoints.
- 4Check your outbound proxy / WAF: capture a trace and confirm the Location header from login.microsoftonline.com reaches the client untouched. Whitelist *.login.microsoftonline.com and *.login.microsoft.com end-to-end.
- 5If the error appears on a service principal / daemon flow, log the full response (status + Location header) and replay the request manually against the redirected URL to confirm whether the downstream endpoint accepts the token request.