Low severity · authentication
Power BI Error:
AADSTS700020, Interaction Required
What does this error mean?
The token request cannot be completed silently — the user must sign in interactively to satisfy a conditional access or consent requirement.
Common causes
1. A silent token acquisition (acquireTokenSilent / refresh token flow) was attempted while Conditional Access requires MFA, device compliance, or a managed device.
2. Admin or user consent for one or more requested scopes has not yet been granted on the Entra ID application registration.
3. The user's session or refresh token expired and the client tried to renew it without a UI (common in Power BI Gateway, embedded scenarios, or background service flows).
4. A Conditional Access session control (sign-in frequency, terms of use, risk-based policy) forces re-authentication that the silent flow cannot satisfy.
5. The flow used (e.g. client_credentials or ROPC) does not support the requested scope/permission, so Entra ID downgrades to requiring an interactive grant.
How to fix it
1. Reproduce the error with an interactive sign-in: open the Power BI / Fabric / client app in a browser session and complete MFA, consent, or the Conditional Access prompt — this clears the pending interaction requirement and refreshes the token cache.
2. In the Entra admin center → Enterprise applications → your app → Permissions, click 'Grant admin consent for <tenant>' so users are not bounced to an interactive consent screen on every silent renewal.
3. Review Conditional Access policies (Entra ID → Protection → Conditional Access) targeting this user, app, or 'Office 365 / Power BI Service'. Check whether MFA, compliant device, or sign-in frequency is forcing re-prompts; adjust scope or add the service account to a documented exclusion if appropriate.
4. For background / unattended workloads (Power BI Gateway, ADF linked services, Databricks SPN), switch from delegated user tokens to a service principal with client_credentials and pre-granted application permissions, so no interactive step is ever required.
5. Inspect the Sign-in logs (Entra ID → Monitoring → Sign-in logs) and filter on error code 700020 — the 'Additional Details' column tells you exactly which policy or consent condition triggered the interaction requirement.
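
The sign-in log check in the last step can be scripted against an exported log. The sketch below is an added example, not part of the original page or any Microsoft tooling: it assumes a JSON export whose records follow the Microsoft Graph signIn resource, runs on constructed sample records, and the `triage` function and its `trigger` labels are hypothetical heuristics for deciding which fix to look at first.

```python
import json
from collections import defaultdict

INTERACTION_REQUIRED = 700020  # error code this page documents

# Constructed sample export (not real tenant data). Field names follow the
# Microsoft Graph signIn resource; the additionalDetails strings are made up.
SAMPLE_EXPORT = json.dumps([
    {"userPrincipalName": "svc-gateway@example.com", "appDisplayName": "Gateway (sample)",
     "isInteractive": False,
     "status": {"errorCode": 700020, "additionalDetails": "MFA required (constructed)"},
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA (sample)", "result": "failure"},
         {"displayName": "Block legacy auth (sample)", "result": "notApplied"}]},
    {"userPrincipalName": "svc-gateway@example.com", "appDisplayName": "Gateway (sample)",
     "isInteractive": False,
     "status": {"errorCode": 700020, "additionalDetails": "MFA required (constructed)"},
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA (sample)", "result": "failure"}]},
    {"userPrincipalName": "analyst@example.com", "appDisplayName": "Embedded report (sample)",
     "isInteractive": False,
     "status": {"errorCode": 700020, "additionalDetails": "Consent missing (constructed)"},
     "appliedConditionalAccessPolicies": []},
    {"userPrincipalName": "analyst@example.com", "appDisplayName": "Embedded report (sample)",
     "isInteractive": True, "status": {"errorCode": 0}, "appliedConditionalAccessPolicies": []},
])

def triage(export_json, code=INTERACTION_REQUIRED):
    """Group sign-ins that failed with `code` by (user, app) and name the likely trigger."""
    groups = defaultdict(lambda: {"count": 0, "non_interactive": 0,
                                  "policies": set(), "details": set()})
    for rec in json.loads(export_json):
        status = rec.get("status") or {}
        if status.get("errorCode") != code:
            continue
        g = groups[(rec.get("userPrincipalName"), rec.get("appDisplayName"))]
        g["count"] += 1
        g["non_interactive"] += 0 if rec.get("isInteractive") else 1
        g["details"].add(status.get("additionalDetails") or "")
        for pol in rec.get("appliedConditionalAccessPolicies") or []:
            if pol.get("result") == "failure":  # only policies that blocked the request
                g["policies"].add(pol.get("displayName"))
    report = {}
    for key, g in groups.items():
        # Heuristic: a failed policy points at Conditional Access; none points at consent or session expiry.
        trigger = "conditional_access" if g["policies"] else "consent_or_session"
        report[key] = {"count": g["count"], "non_interactive": g["non_interactive"],
                       "trigger": trigger, "policies": sorted(g["policies"]),
                       "details": sorted(g["details"])}
    return report
```

Groups with a high `non_interactive` count are the unattended workloads described in fix 4; groups tagged `conditional_access` list the policy names to review under fix 3.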