Low severity | authentication
Power BI Error: AADSTS65002
What does this error mean?
A developer is requesting tokens using an App ID owned by Microsoft; preauthorization is required and not granted.
Common causes
1. A developer in the tenant is reusing an App ID that is owned and operated by Microsoft instead of registering their own.
2. The client application requests a token for a first-party Microsoft resource (e.g. AAD Graph, Microsoft Graph, Power BI Service) that requires preauthorization by the API owner.
3. Sample or copy-pasted code still contains a Microsoft-owned client_id (e.g. from a tutorial or legacy SDK).
4. Custom Power BI embedding / ADF linked service / Databricks integration is configured with a Microsoft first-party client_id rather than a tenant-registered app.
5. Preauthorization (knownClientApplications / preAuthorizedApplications) between the client and the first-party resource has not been granted by the API owner — and never will be for third-party callers.
How to fix it
1. Identify the client_id used in the failing sign-in or token request (check the auth code, ADF linked service, Power BI embed config, or Databricks secret) and verify it is NOT a Microsoft-owned App ID.
2. Register a new application in the Entra ID (Azure AD) portal under App registrations, owned by your own tenant, and use that Application (client) ID in your code or service configuration.
3. On the new app registration, add the API permissions you actually need (e.g. Power BI Service, Microsoft Graph User.Read) and grant admin consent for the tenant.
4. Update the affected integration (Power BI embedded token flow, ADF/Fabric pipeline service principal, Databricks OAuth, custom app) to use the new client_id and client secret/certificate, then retry sign-in.
5. If you are a Microsoft partner who genuinely needs preauthorization against a first-party API, contact the API owner team — third-party reuse of Microsoft App IDs is not supported and will keep failing.
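One way to carry out step 1 across a code base, as an added example that is not part of the original page: scan configuration and source text for client ID assignments and flag any ID that is not among your tenant's own app registrations. The key names matched, the file names and every GUID below are constructed assumptions; supply the real list of your tenant's Application (client) IDs.

```python
import re

# GUID shape used by Entra ID Application (client) IDs.
GUID = r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}"
# Keys that commonly hold a client ID. This list is an assumption; extend it
# to match the naming used in your own integrations.
KEY = r"(?:client[_-]?id|app(?:lication)?[_-]?id|servicePrincipalId)"
PATTERN = re.compile(
    rf"""(?P<key>{KEY})["']?\s*[:=]\s*["']?(?P<id>{GUID})""", re.IGNORECASE
)


def find_client_ids(name, text):
    """Yield (source, line_no, key, client_id) for each client ID assignment."""
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in PATTERN.finditer(line):
            yield name, line_no, m.group("key"), m.group("id").lower()


def audit(sources, tenant_app_ids):
    """Return findings whose client ID is not one of the tenant's own apps."""
    owned = {a.lower() for a in tenant_app_ids}
    return [
        finding
        for name, text in sources.items()
        for finding in find_client_ids(name, text)
        if finding[3] not in owned
    ]


# Constructed inventory: IDs listed under App registrations in your tenant.
TENANT_APP_IDS = ["11111111-2222-3333-4444-555555555555"]

# Constructed sample inputs standing in for real files.
SAMPLE_SOURCES = {
    "adf_linked_service.json": (
        '{\n  "typeProperties": {\n'
        '    "servicePrincipalId": "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE",\n'
        '    "tenant": "contoso.example"\n  }\n}'
    ),
    "embed_config.py": 'CLIENT_ID = "11111111-2222-3333-4444-555555555555"\n',
}

if __name__ == "__main__":
    for source, line_no, key, client_id in audit(SAMPLE_SOURCES, TENANT_APP_IDS):
        print(f"{source}:{line_no}: {key}={client_id} is not a tenant-registered app")
```

A flagged ID only means the app is not registered in your tenant; look it up before replacing it with your own Application (client) ID as described in steps 2 to 4.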