MetricSign
Low severity · authentication

Power BI Refresh Error:
AADSTS700027

What does this error mean?

The signed client assertion (JWT) sent during app authentication could not be validated against the registered certificate in Entra ID.

Common causes

  • The certificate used to sign the client assertion is not (or no longer) uploaded to the app registration in Entra ID — e.g. after a cert rotation only one side was updated
  • The `x5t` / `kid` thumbprint in the JWT header does not match the thumbprint of any certificate registered on the app
  • The assertion is signed with the wrong algorithm or key (e.g. RS256 expected, signed with a different private key than the public cert uploaded)
  • JWT claims are malformed: missing/incorrect `iss`, `sub` (must equal client_id), `aud` (must be the v1/v2 token endpoint), or `jti`
  • Expired or future-dated certificate, or `nbf`/`exp` claims outside the allowed window (clock skew on the signing host)

How to fix it

  1. Decode the client assertion JWT (jwt.ms) and inspect the header — note the `x5t` (or `kid`) and `alg` values, plus the `iss`, `sub`, `aud`, `exp` claims
  2. In the Azure portal → Entra ID → App registrations → your app → Certificates & secrets, confirm a certificate with the exact same thumbprint (`x5t`) is uploaded and not expired
  3. Verify `aud` matches the tenant-specific token endpoint (e.g. `https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token`) and `sub` = `iss` = your application (client) ID
  4. If you recently rotated the certificate: upload the new public cert (.cer) to the app registration and ensure the signing process on your side uses the matching private key
  5. Check the clock on the signing host — `exp` must be in the future, `nbf` not too far ahead; standard skew tolerance is ~5 minutes
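
The checks in steps 1, 2, 3 and 5 can be run locally instead of pasting the assertion into a web page. The script below is an added example, not code from Microsoft or from this page: it decodes the header and claims, converts `x5t` to the hex thumbprint the portal displays, and lists what fails. It does not verify the signature. The tenant ID, client ID and thumbprints are constructed values, and accepting PS256 alongside the page's RS256 example is an assumption.

```python
import base64, json, time

def b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))
def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def check_assertion(jwt, client_id, tenant_id, portal_thumbprints,
                    now=None, skew=300, allowed_algs=("RS256", "PS256")):
    """List problems in a client assertion's header and claims (signature NOT verified)."""
    now = time.time() if now is None else now
    header, claims = (json.loads(b64url_decode(s)) for s in jwt.split(".")[:2])
    findings = []
    # x5t is the base64url SHA-1 thumbprint; the portal shows the same bytes as hex.
    x5t_hex = b64url_decode(header.get("x5t", "")).hex().upper()
    if x5t_hex not in {t.replace(" ", "").upper() for t in portal_thumbprints}:
        findings.append(f"x5t {x5t_hex or '(missing)'} matches no registered certificate")
    if header.get("alg") not in allowed_algs:  # RS256 from the page; PS256 is assumed
        findings.append(f"unexpected alg {header.get('alg')!r}")
    base = f"https://login.microsoftonline.com/{tenant_id}/oauth2"
    if claims.get("aud") not in (f"{base}/v2.0/token", f"{base}/token"):  # v2 or v1
        findings.append("aud is not this tenant's token endpoint")
    for name in ("iss", "sub"):
        if claims.get(name) != client_id:
            findings.append(f"{name} does not equal the application (client) ID")
    if not claims.get("jti"):
        findings.append("jti is missing")
    if claims.get("exp", 0) <= now:
        findings.append("exp is in the past")
    if claims.get("nbf", 0) > now + skew:
        findings.append("nbf is further ahead than the skew tolerance")
    return findings

def build_sample(header, claims):
    """Constructed input: header.claims plus a placeholder (invalid) signature segment."""
    seg = lambda obj: b64url_encode(json.dumps(obj).encode())
    return f"{seg(header)}.{seg(claims)}.{b64url_encode(b'placeholder')}"

# Constructed values, not from any real tenant or certificate.
TENANT, CLIENT = "11111111-1111-1111-1111-111111111111", "22222222-2222-2222-2222-222222222222"
OLD_CERT = "A1B2C3D4E5F60718293A4B5C6D7E8F9012345678"  # thumbprint the signer still uses
NEW_CERT = "0F1E2D3C4B5A69788796A5B4C3D2E1F001234567"  # only thumbprint left after rotation
NOW = 1_700_000_000
SAMPLE = build_sample(
    {"alg": "RS256", "typ": "JWT", "x5t": b64url_encode(bytes.fromhex(OLD_CERT))},
    {"aud": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token", "iss": CLIENT,
     "sub": CLIENT, "jti": "constructed-jti", "nbf": NOW - 60, "exp": NOW + 540})

if __name__ == "__main__":
    print(check_assertion(SAMPLE, CLIENT, TENANT, [NEW_CERT], now=NOW))
```

The sample models the half-finished rotation from the first common cause: the signer still presents the old thumbprint while only the new certificate is registered, so the single finding is the `x5t` mismatch.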

Frequently asked questions

What does AADSTS700027 mean?

The app is attempting to sign in without the necessary or correct authentication parameters.

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes
