MetricSign
Medium severity · authentication

Power BI Error: AADSTS51006

What does this error mean?

Re-authentication required because the session token is missing the Integrated Windows Authentication (IWA) claim.

Common causes

  • Conditional Access or a tenant-level authentication policy requires Integrated Windows Authentication (IWA) / Kerberos, but the current session token was obtained via a different method (e.g. username+password, refresh token from outside the corporate network)
  • User is connecting from outside the domain-joined / corporate network, so the federated IdP (AD FS or Seamless SSO) cannot issue an IWA claim
  • Seamless SSO / Kerberos to Entra ID is misconfigured or the device is not Hybrid Azure AD joined / domain-joined as expected
  • Cached/refresh token from a prior non-IWA login is being reused by Power BI Desktop, the on-premises data gateway service account, or an ADF linked service
  • Federation trust between AD FS and Entra ID requires WIAOrMultiAuthN but the client did not present a Kerberos ticket

How to fix it

  1. Sign the user out fully and sign in again from a domain-joined device on the corporate network so Entra ID can issue a token with the wiaormultiauthn / IWA claim
  2. For Power BI Desktop and the on-premises data gateway: clear cached credentials (File → Options → Data source settings → Global permissions → Clear permissions) and re-authenticate with an Organizational account
  3. Verify the user/account is in scope of the Conditional Access policy and that the device is Hybrid Azure AD joined or Azure AD joined; for service scenarios use a service principal or Managed Identity instead of a user account
  4. Check Seamless SSO / AD FS health: confirm the AZUREADSSO computer account Kerberos decryption key is rotated and the user can reach the federation endpoint; review sign-in logs in Entra ID for the failing correlation ID
  5. For ADF / Fabric / Databricks linked services that hit Power BI or AAD-protected sources, switch to service principal or Managed Identity authentication so IWA is not required
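As an added example (not from the original page or from Microsoft), the sketch below triages an exported Entra ID sign-in log for AADSTS51006 failures and groups them by the likely cause from the list above, keeping each correlation ID for follow-up. It assumes the export is a JSON array of records using Microsoft Graph signIn field names; the cause heuristic and all sample records are constructed for illustration.

```python
import json
from collections import defaultdict

IWA_ERROR = 51006  # numeric part of AADSTS51006

# Constructed sample records (not real log data), shaped like Graph signIn objects.
SAMPLE_EXPORT = json.dumps([
    {"createdDateTime": "2024-05-02T08:14:11Z", "userPrincipalName": "gw-svc@example.com",
     "appDisplayName": "On-premises data gateway", "isInteractive": False,
     "correlationId": "00000000-0000-0000-0000-000000000001",
     "deviceDetail": {"trustType": "Hybrid Azure AD joined"}, "status": {"errorCode": 51006}},
    {"createdDateTime": "2024-05-02T09:01:45Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Power BI Desktop", "isInteractive": True,
     "correlationId": "00000000-0000-0000-0000-000000000002",
     "deviceDetail": {"trustType": ""}, "status": {"errorCode": 51006}},
    {"createdDateTime": "2024-05-02T09:30:02Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Power BI Desktop", "isInteractive": True,
     "correlationId": "00000000-0000-0000-0000-000000000003",
     "deviceDetail": {"trustType": "Hybrid Azure AD joined"}, "status": {"errorCode": 51006}},
    {"createdDateTime": "2024-05-02T09:31:10Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Power BI Desktop", "isInteractive": True,
     "correlationId": "00000000-0000-0000-0000-000000000004",
     "deviceDetail": {"trustType": "Hybrid Azure AD joined"}, "status": {"errorCode": 0}},
])

def likely_cause(rec):
    """Heuristic (an assumption of this example) mapping a record to the causes listed above."""
    if not rec.get("isInteractive", True):
        return "cached/refresh token reused by a non-interactive client"
    if not (rec.get("deviceDetail") or {}).get("trustType"):
        return "device not domain-joined or Hybrid Azure AD joined"
    return "joined device: check Conditional Access, Seamless SSO or AD FS"

def triage(export_json):
    """Group AADSTS51006 failures by likely cause, keeping the correlation ID for lookup."""
    findings = defaultdict(list)
    for rec in json.loads(export_json):
        if (rec.get("status") or {}).get("errorCode") != IWA_ERROR:
            continue  # successes and unrelated errors are out of scope
        findings[likely_cause(rec)].append(
            (rec.get("createdDateTime"), rec.get("userPrincipalName"),
             rec.get("appDisplayName"), rec.get("correlationId")))
    return dict(findings)

if __name__ == "__main__":
    for cause, rows in triage(SAMPLE_EXPORT).items():
        print(f"{cause}: {len(rows)} failure(s)")
        for row in rows:
            print("   ", " | ".join(str(v) for v in row))
```

The grouping is a starting point for investigation only; confirm each case against the full sign-in log entry for its correlation ID.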

Frequently asked questions

What does AADSTS51006 mean?

Integrated Windows authentication is needed. User logged in using a session token that is missing the integrated Windows authentication claim. Request the user to log in again.

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes
