Low severity · authentication
Power BI Error: AADSTS530032, Blocked by Tenant Security Policy
What does this error mean?
Sign-in is blocked by a tenant-level security policy (Conditional Access or Security Defaults) configured by the Entra ID admin.
Common causes
1. A Conditional Access policy requires MFA, a compliant/Hybrid-joined device, or a managed app, and the current sign-in does not meet it
2. Security Defaults are enabled on the tenant and block legacy authentication or non-MFA sign-ins (common for Power BI Gateway service accounts)
3. Sign-in originates from an untrusted location, unmanaged device, or blocked country in a CA location/country policy
4. Service principal or workload identity is excluded from a CA workload identity policy, or the user/app is outside the policy's assigned group
5. Legacy auth flows (ROPC, basic auth) used by older Power BI Gateway, ADF linked services, or custom scripts are blocked by policy
How to fix it
1. Open Microsoft Entra admin center → Monitoring → Sign-in logs, filter on the failing user/app and the AADSTS530032 event, then open the 'Conditional Access' tab on the failed sign-in to see exactly which policy fired
2. Review that policy's grant controls (MFA, compliant device, app protection) and either complete the requirement (e.g. enroll the device in Intune, register for MFA) or ask the tenant admin to add an exclusion for the affected user/service principal
3. If the failing identity is a Power BI Gateway, ADF, or Fabric service account, switch from username/password to a service principal with certificate auth, or place the identity in a CA exclusion group — Security Defaults block ROPC by design
4. For location-based blocks, sign in from a trusted/named location or have the admin add the gateway/ADF runtime IP range to the Named Locations and exclude it from the policy
5. Re-test the refresh or pipeline run and confirm in Sign-in logs that the result is 'Success' and no Conditional Access policy is in 'Failure' state
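
Steps 1 and 5 can also be run over exported sign-in records instead of clicking through each event. The script below is an added example, not part of the original page: it assumes records shaped like Microsoft Graph `signIn` objects (`status.errorCode`, `appliedConditionalAccessPolicies`), and the sample data, policy names and function names are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample shaped like Microsoft Graph signIn records; every
# name, address and timestamp below is made up for illustration.
SAMPLE = json.loads("""[
 {"createdDateTime": "2024-05-01T06:00:12Z", "userPrincipalName": "svc-gateway@contoso.example",
  "appDisplayName": "Power BI Gateway", "ipAddress": "203.0.113.10", "status": {"errorCode": 530032},
  "appliedConditionalAccessPolicies": []},
 {"createdDateTime": "2024-05-01T06:05:40Z", "userPrincipalName": "analyst@contoso.example",
  "appDisplayName": "Power BI Desktop", "ipAddress": "198.51.100.7", "status": {"errorCode": 530032},
  "appliedConditionalAccessPolicies": [
   {"displayName": "Require MFA for all users", "result": "failure", "enforcedGrantControls": ["Mfa"]},
   {"displayName": "Block legacy auth", "result": "notApplied", "enforcedGrantControls": ["Block"]}]},
 {"createdDateTime": "2024-05-01T09:30:00Z", "userPrincipalName": "analyst@contoso.example",
  "appDisplayName": "Power BI Desktop", "ipAddress": "198.51.100.7", "status": {"errorCode": 0},
  "appliedConditionalAccessPolicies": [
   {"displayName": "Require MFA for all users", "result": "success", "enforcedGrantControls": ["Mfa"]}]}
]""")

NO_CA = "(no CA policy in failure: check Security Defaults)"

def failing_policies(record):
    """Names and grant controls of CA policies whose result is 'failure'."""
    return [(p["displayName"], tuple(p.get("enforcedGrantControls", [])))
            for p in record.get("appliedConditionalAccessPolicies") or []
            if p.get("result") == "failure"]

def blocked_by_policy(records, error_code=530032):
    """Step 1: group identities blocked with error_code by the policy that fired."""
    out = defaultdict(set)
    for r in records:
        if (r.get("status") or {}).get("errorCode") != error_code:
            continue
        for name, controls in failing_policies(r) or [(NO_CA, ())]:
            out[(name, controls)].add(r["userPrincipalName"])
    return dict(out)

def retest_passed(records, upn):
    """Step 5: latest sign-in for upn succeeded and no CA policy is in failure."""
    mine = sorted((r for r in records if r["userPrincipalName"] == upn),
                  key=lambda r: r["createdDateTime"])
    return bool(mine) and mine[-1]["status"]["errorCode"] == 0 and not failing_policies(mine[-1])

if __name__ == "__main__":
    for (name, controls), who in blocked_by_policy(SAMPLE).items():
        print(f"{name} {list(controls)} -> {sorted(who)}")
    print("analyst retest ok:", retest_passed(SAMPLE, "analyst@contoso.example"))
```

Grouping by policy shows at a glance how many identities a proposed exclusion would actually cover, which helps keep any exclusion group as narrow as the failures require.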