Low severity | authentication
Power BI Error: AADSTS530035
What does this error mean?
Sign-in blocked because Microsoft Entra ID security defaults rejected the request as legacy auth or otherwise unsafe.
Common causes
1. Client uses legacy authentication protocols (Basic auth, IMAP, POP3, SMTP AUTH, MAPI, EWS, ActiveSync with basic auth)
2. On-premises Power BI Gateway or data source connector still authenticating with a legacy flow instead of OAuth 2.0 / service principal
3. ROPC (Resource Owner Password Credentials) flow used by an unattended script or older PowerShell module (e.g. legacy AzureAD / MSOnline cmdlets)
4. Older Office / Power BI Desktop / SSMS build that hasn't been updated to use MSAL-based modern auth
5. Tenant has Security Defaults enabled while a workload still requires an exception that should be handled via Conditional Access
How to fix it
1. Identify the offending client: open Entra ID > Sign-in logs, filter on error code 530035, and inspect the 'Client app' and 'User agent' columns to confirm it's a legacy auth flow.
2. Upgrade the client to modern authentication: update Power BI Desktop / Gateway / Office to the latest build, switch PowerShell scripts from AzureAD/MSOnline to Microsoft Graph PowerShell or Az modules, and replace ROPC with client credentials (service principal) or device code flow.
3. For Power BI / Fabric data source connections, configure the gateway data source to use OAuth2 or a service principal instead of stored Basic credentials.
4. If the workload genuinely cannot be modernised, disable Security Defaults (Entra admin center > Properties > Manage security defaults) and replace them with Conditional Access policies that block legacy auth for everyone except a tightly scoped exception group — never leave the tenant without legacy-auth blocking.
5. Re-test sign-in and verify in Entra Sign-in logs that the same user/app now authenticates via a modern client (Browser, Mobile Apps and Desktop clients, or a service principal) without the 530035 error.
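
Steps 1 and 5 as a script over an exported sign-in log, added here as an example and not part of the original page: it groups 530035 failures by user and app, lists the client apps involved, and marks a pair as remediated only when a later successful sign-in used a modern client. The records are constructed samples using Microsoft Graph signIn field names; service principal sign-ins, which are logged separately, are assumed out of scope.

```python
from datetime import datetime

ERROR_CODE = 530035
# Client app values the page names as modern for user sign-ins (step 5).
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}


def _rec(ts, upn, app, client, code):
    """Build one record with the field names of the Microsoft Graph signIn resource."""
    return {"createdDateTime": ts, "userPrincipalName": upn, "appDisplayName": app,
            "clientAppUsed": client, "status": {"errorCode": code}}


# Constructed sample data (not real log entries), deliberately out of time order.
SAMPLE = [
    _rec("2024-05-02T09:00:00Z", "svc-refresh@example.com", "Microsoft Power BI",
         "Mobile Apps and Desktop clients", 0),
    _rec("2024-05-01T08:00:00Z", "svc-refresh@example.com", "Microsoft Power BI", "Other clients", 530035),
    _rec("2024-05-01T08:05:00Z", "svc-refresh@example.com", "Microsoft Power BI", "Other clients", 530035),
    _rec("2024-05-01T10:00:00Z", "mailer@example.com", "Office 365 Exchange Online",
         "Authenticated SMTP", 530035),
    _rec("2024-05-01T11:00:00Z", "alice@example.com", "Microsoft Power BI", "Browser", 0),
]


def _ts(rec):
    # Accept the trailing "Z" on Python versions whose fromisoformat rejects it.
    return datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))


def triage(signins):
    """Map (user, app) -> 530035 failure count, client apps seen, and remediation state."""
    report = {}
    for rec in sorted(signins, key=_ts):
        key = (rec["userPrincipalName"], rec["appDisplayName"])
        code = rec["status"]["errorCode"]
        if code == ERROR_CODE:
            entry = report.setdefault(key, {"clients": set(), "failures": 0, "remediated": False})
            entry["clients"].add(rec["clientAppUsed"])
            entry["failures"] += 1
            entry["remediated"] = False  # any newer failure reopens the finding
        elif code == 0 and key in report and rec["clientAppUsed"] in MODERN_CLIENTS:
            report[key]["remediated"] = True  # success via a modern client after the failures
    return report


if __name__ == "__main__":
    for (upn, app), e in triage(SAMPLE).items():
        state = "remediated" if e["remediated"] else "STILL BLOCKED"
        print(f"{upn} / {app}: {e['failures']}x 530035 via {sorted(e['clients'])} -> {state}")
```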