MetricSign
Low severity · authentication

Power BI Error:
AADSTS700023

What does this error mean?

The scope parameter sent in the OAuth token request is malformed, empty, or contains no valid resource identifier.

Common causes

  • The scope parameter is empty, null, or omitted entirely from the /oauth2/v2.0/token request
  • Scope contains only permission names (e.g. 'Dataset.Read.All') without the resource URI prefix expected by the v2.0 endpoint
  • Mixing v1.0 'resource' parameter syntax with v2.0 'scope' syntax - v2.0 requires fully qualified scopes like 'https://analysis.windows.net/powerbi/api/.default'
  • Typo or wrong casing in the resource URI (e.g. 'powerBI' instead of 'powerbi', missing trailing slash)
  • Using a resource identifier that isn't exposed by the target API's app registration in Entra ID

How to fix it

  1. Inspect the actual token request body and confirm the 'scope' parameter is present and non-empty - log the raw HTTP request from your client (MSAL, ADAL, custom curl) to verify
  2. For Power BI, set scope to 'https://analysis.windows.net/powerbi/api/.default' when using client credentials, or specific scopes like 'https://analysis.windows.net/powerbi/api/Dataset.Read.All' for delegated flows
  3. If you migrated from v1.0 (/oauth2/token) to v2.0 (/oauth2/v2.0/token), replace the 'resource' parameter with a fully qualified 'scope' value - v2.0 does not accept the 'resource' parameter
  4. In Entra ID > App registrations > your app > API permissions, verify the Power BI Service / Fabric / ADF API permissions are added and admin-consented so the requested scope is recognized
  5. Test the fixed scope with a manual curl to https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token before redeploying the service principal flow
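
The checks in steps 1 to 3 can be run against a captured request body before anything is sent to Entra ID. The following is an added example, not code from this page's source or from Microsoft; the function name `lint_token_request`, the placeholder tenant and the sample request bodies are constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Power BI resource URI as given on this page.
POWERBI_RESOURCE = "https://analysis.windows.net/powerbi/api"
# OpenID Connect scopes that legitimately carry no resource prefix.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}
# Constructed sample: placeholder tenant, no real credentials.
TOKEN_URL = "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token"
SAMPLE_BODY = ("grant_type=client_credentials&client_id=CLIENT_ID_PLACEHOLDER"
               "&client_secret=SECRET_PLACEHOLDER&scope=Dataset.Read.All")


def lint_token_request(url: str, body: str) -> list[str]:
    """Return findings for a form-encoded token request; an empty list means clean."""
    findings = []
    is_v2 = "/oauth2/v2.0/" in urlsplit(url).path
    form = parse_qs(body, keep_blank_values=True)
    # scope is a space-separated list; parse_qs has already decoded '+' and %20.
    scopes = " ".join(form.get("scope", [])).split()

    if is_v2 and "resource" in form:
        findings.append("v1.0 'resource' parameter sent to the v2.0 endpoint")
    if not scopes:
        findings.append("scope is missing or empty")
    for s in scopes:
        if s in OIDC_SCOPES:
            continue
        if "://" not in s:
            findings.append(f"'{s}' has no resource URI prefix")
        elif (s.lower().startswith(POWERBI_RESOURCE)
              and not s.startswith(POWERBI_RESOURCE + "/")):
            # Catches wrong casing ('powerBI') and a missing '/' after 'api'.
            findings.append(f"'{s}' does not match '{POWERBI_RESOURCE}/' exactly")
    if form.get("grant_type") == ["client_credentials"]:
        if any(not s.endswith("/.default") for s in scopes):
            findings.append("client credentials flow should request '<resource>/.default'")
    return findings


if __name__ == "__main__":
    for finding in lint_token_request(TOKEN_URL, SAMPLE_BODY):
        print("FINDING:", finding)
```

When logging raw requests for this check, redact `client_secret` and any assertion values before the log leaves the host.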

Frequently asked questions

What does AADSTS700023 mean?

The provided value for the input parameter scope isn't valid when requesting an access token.

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes
