What causes AADSTS650057?

The `resource` / `scope` parameter in the auth request points to an API (e.g. Power BI Service `https://analysis.windows.net/powerbi/api`) that isn't added under API permissions of the client app registration in Microsoft Entra ID (Azure AD). Mismatch between the resource App ID URI used in code and the one configured — e.g. using the GUID while the app registration only lists the URI form, or a trailing slash difference. Admin consent never granted for the requested API permission, so the resource isn't effectively part of the registered permission list at token-issue time. Wrong tenant: the client app registration lives in a different tenant than the one being authenticated against, so the resource isn't visible in that tenant's app registration. Service principal for the resource API (e.g. Power BI Service, Azure Data Factory, Fabric) isn't provisioned in the tenant, so it can't appear in the app registration's permission list

How do I fix AADSTS650057?

Open the Microsoft Entra admin center → App registrations → select the client app shown in `Client app ID: {appId}` from the error, and open API permissions. Add a permission for the resource referenced in `Resource value from request` / `Resource app ID` (e.g. Power BI Service, Azure Service Management, Microsoft Graph, Fabric API) and pick the exact delegated/application scopes your code requests. Click Grant admin consent for so the new permission is active for all users and service principals in the tenant. In your code (Power BI Embedded, ADF linked service, Databricks SPN, custom connector), verify the `resource` or `scope` value matches one of the URIs in `regList` from the error — including any trailing slash, and prefer the `.default` scope on v2.0 endpoints. Re-run the sign-in / refresh; if it still fails, decode the auth request (Fiddler or browser network tab) and compare the exact `resource`/`scope` to the resource App ID URIs listed in the app registration manifest. If the resource service principal is missing entirely, register it in the tenant via `New-MgServicePrincipal -AppId ` (PowerShell Graph) before re-adding the permission

High severityauthentication

Power BI Error:
AADSTS650057

What does this error mean?

The client app requested a token for a resource (API) that isn't declared in its app registration's required permissions.

Common causes

1The `resource` / `scope` parameter in the auth request points to an API (e.g. Power BI Service `https://analysis.windows.net/powerbi/api`) that isn't added under API permissions of the client app registration in Microsoft Entra ID (Azure AD)
2Mismatch between the resource App ID URI used in code and the one configured — e.g. using the GUID while the app registration only lists the URI form, or a trailing slash difference
3Admin consent never granted for the requested API permission, so the resource isn't effectively part of the registered permission list at token-issue time
4Wrong tenant: the client app registration lives in a different tenant than the one being authenticated against, so the resource isn't visible in that tenant's app registration
5Service principal for the resource API (e.g. Power BI Service, Azure Data Factory, Fabric) isn't provisioned in the tenant, so it can't appear in the app registration's permission list

How to fix it

1Open the Microsoft Entra admin center → App registrations → select the client app shown in `Client app ID: {appId}` from the error, and open API permissions
2Add a permission for the resource referenced in `Resource value from request` / `Resource app ID` (e.g. Power BI Service, Azure Service Management, Microsoft Graph, Fabric API) and pick the exact delegated/application scopes your code requests
3Click Grant admin consent for <tenant> so the new permission is active for all users and service principals in the tenant
4In your code (Power BI Embedded, ADF linked service, Databricks SPN, custom connector), verify the `resource` or `scope` value matches one of the URIs in `regList` from the error — including any trailing slash, and prefer the `.default` scope on v2.0 endpoints
5Re-run the sign-in / refresh; if it still fails, decode the auth request (Fiddler or browser network tab) and compare the exact `resource`/`scope` to the resource App ID URIs listed in the app registration manifest
6If the resource service principal is missing entirely, register it in the tenant via `New-MgServicePrincipal -AppId <resourceAppId>` (PowerShell Graph) before re-adding the permission

Frequently asked questions

What does AADSTS650057 mean?

Invalid resource. The client has requested access to a resource which isn't listed in the requested permissions in the client's application registration. Client app ID: {appId}({appName}). Resource va

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes