Low severity (authentication)
Power BI Error:
AADSTS67003
What does this error mean?
The actor (the calling service, identified by the client credential it presents to the token endpoint) is not a valid service identity for on-behalf-of (OBO) or service-to-service authentication. Entra ID reports this condition as ActorNotValidServiceIdentity: the app that is trying to act does not resolve to a usable service principal in the tenant being asked for the token.
Common causes
1. The calling service principal (the actor) does not exist, or is disabled, in the target tenant; this is common after a tenant migration or after the app registration was deleted and recreated with a new client ID.
2. On-Behalf-Of (OBO) misconfiguration: the middle-tier app has not been granted (and consented) the delegated permissions it needs on the downstream API.
3. The assertion being exchanged was issued for a different audience than the app presenting it (audience mismatch), so Entra ID cannot pair the token with the actor.
4. Cross-tenant scenario: the actor app is registered in one tenant but its service principal was never provisioned (consented) in the resource tenant.
5. A multi-tenant app whose service principal was never created in the user's home tenant, because no user or admin has yet consented to it there.
How to fix it
1. Identify the actor. In an OBO exchange it is the middle-tier app that authenticates to the token endpoint with its own client ID and credential, not a claim inside the user's token. Decode the assertion you are sending (jwt.ms is fine for test tokens; for production tokens decode locally, since a pasted access token is a live credential) and note `azp` (v2.0 tokens) or `appid` (v1.0 tokens) for the calling client, `aud` for the API the token was issued to, and `tid` for the tenant in which Entra ID will look up the actor's service principal.
2. In the Entra admin center → Enterprise applications, confirm that the actor's service principal exists in the resource tenant and is enabled (Properties → "Enabled for users to sign-in"); if it is missing, provision it by running admin consent (the `/adminconsent` endpoint for that tenant).
3. For OBO flows: in the middle-tier app registration, add the delegated permissions it needs on the downstream API and make sure they are consented in the resource tenant; if you want a single consent prompt to cover the chain, list the middle-tier app's client ID in `knownClientApplications` in the downstream API's manifest.
4. Verify the token request asks for the right `scope` (v2.0) or `resource` (v1.0): the value must name the downstream API's Application ID URI or client ID exactly (for example `<App ID URI>/.default`), so that the issued token's `aud` is the downstream API, and the assertion you present must itself carry the middle-tier app as `aud`.
5. If this is a Power BI embedded or service-principal-on-behalf scenario, add the service principal (or a security group containing it) to the workspace with the required role, and enable "Service principals can use Power BI APIs" under Developer settings in the Fabric admin portal.
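The triage in steps 1 and 4 can be scripted so the relevant claims are checked locally rather than pasted into a web decoder. The following is an added example, not code from the original page or from Microsoft; every tenant, app and token value in it is a constructed placeholder, and the `triage_assertion` checks (audience, tenant, presence of `azp`/`appid` and `scp`) are this example's own heuristics for the causes listed above. The Power BI REST scope `https://analysis.windows.net/powerbi/api/.default` and the OBO form fields are the documented v2.0 values; nothing is sent over the network.

```python
import base64
import json
from typing import Dict, List, Optional
from urllib.parse import urlencode

# Constructed placeholders for an offline walkthrough of an OBO exchange.
# None of these is a real tenant, app registration or token.
FRONTEND_CLIENT_ID = "11111111-1111-1111-1111-111111111111"    # app that called the middle tier
MIDDLE_TIER_CLIENT_ID = "22222222-2222-2222-2222-222222222222" # the OBO "actor"
MIDDLE_TIER_APP_ID_URI = "api://22222222-2222-2222-2222-222222222222"
RESOURCE_TENANT_ID = "33333333-3333-3333-3333-333333333333"
DOWNSTREAM_SCOPE = "https://analysis.windows.net/powerbi/api/.default"  # Power BI REST API

# Constructed sample claims of a v2.0 delegated token issued to the middle tier.
SAMPLE_ASSERTION_CLAIMS = {
    "ver": "2.0",
    "iss": f"https://login.microsoftonline.com/{RESOURCE_TENANT_ID}/v2.0",
    "tid": RESOURCE_TENANT_ID,
    "aud": MIDDLE_TIER_CLIENT_ID,
    "azp": FRONTEND_CLIENT_ID,
    "scp": "access_as_user",
    "oid": "44444444-4444-4444-4444-444444444444",
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_sample_token(claims: Dict) -> str:
    """Build a constructed JWT with a dummy signature, only so it can be decoded offline."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.sig"


def decode_claims_unverified(token: str) -> Dict:
    """Decode the payload for triage only. The signature is NOT verified,
    so never use this function for an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def calling_app(claims: Dict) -> Optional[str]:
    """v2.0 tokens identify the client in `azp`; v1.0 tokens in `appid`."""
    return claims.get("azp") or claims.get("appid")


def triage_assertion(claims: Dict, actor_client_id: str, actor_app_id_uri: str,
                     token_endpoint_tenant: str) -> List[str]:
    """Return human-readable findings that map onto the common causes above."""
    findings = []
    aud = claims.get("aud")
    if aud not in (actor_client_id, actor_app_id_uri):
        findings.append(f"audience mismatch: assertion aud={aud!r} is not the middle-tier app")
    tid = claims.get("tid")
    if tid != token_endpoint_tenant:
        findings.append(f"tenant mismatch: assertion tid={tid!r} but the token request targets {token_endpoint_tenant!r}")
    if calling_app(claims) is None:
        findings.append("no azp/appid claim: cannot identify the calling client")
    if not claims.get("scp"):
        findings.append("no scp claim: this is an app-only token; OBO needs a delegated (user) token")
    return findings


def build_obo_request(actor_client_id: str, actor_client_secret: str,
                      user_assertion: str, downstream_scope: str) -> Dict[str, str]:
    """Form body for the v2.0 token endpoint OBO grant. The actor is identified
    here, by client_id plus credential, not by any claim in the assertion."""
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "client_id": actor_client_id,
        "client_secret": actor_client_secret,
        "assertion": user_assertion,
        "scope": downstream_scope,
        "requested_token_use": "on_behalf_of",
    }


def token_endpoint(tenant_id: str) -> str:
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"


if __name__ == "__main__":
    tok = make_unsigned_sample_token(SAMPLE_ASSERTION_CLAIMS)
    claims = decode_claims_unverified(tok)
    print("calling app:", calling_app(claims))
    print("findings:", triage_assertion(claims, MIDDLE_TIER_CLIENT_ID, MIDDLE_TIER_APP_ID_URI, RESOURCE_TENANT_ID))
    body = build_obo_request(MIDDLE_TIER_CLIENT_ID, "<client-secret>", tok, DOWNSTREAM_SCOPE)
    print("POST", token_endpoint(RESOURCE_TENANT_ID))
    print(urlencode(body)[:72] + "...")
```

Run it against a real assertion by replacing the constructed token with the one your middle tier receives; an empty findings list means the assertion itself is consistent, and the remaining suspects are the actor's service principal in the `tid` tenant (steps 2 and 5) and its consented permissions (step 3).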