MetricSign
Low severity · authentication

Power BI Error: AADSTS70003

What does this error mean?

The OAuth token endpoint received a grant_type value it doesn't support for the requested flow or app type.

Common causes

  • Typo or wrong value in the grant_type parameter (must be exactly authorization_code, refresh_token, client_credentials, password, urn:ietf:params:oauth:grant-type:device_code, urn:ietf:params:oauth:grant-type:jwt-bearer, or urn:ietf:params:oauth:grant-type:saml2-bearer)
  • Using a v1.0-only grant against the v2.0 endpoint (or vice versa), e.g. SAML/JWT bearer flows against /oauth2/v2.0/token without proper configuration
  • Resource Owner Password Credentials (ROPC, grant_type=password) used with a confidential client, federated/MFA users, or guest accounts where it is blocked
  • Device code flow (urn:ietf:params:oauth:grant-type:device_code) used while 'Allow public client flows' is set to No on the app registration in Entra ID
  • Custom on-behalf-of or token-exchange flows where the assertion grant type is not enabled for the application (no API permissions consented or no 'knownClientApplications' linkage)

How to fix it

  1. Capture the exact HTTP request your app sends to /oauth2/v2.0/token (or /oauth2/token) and verify the grant_type value matches one of the supported strings character-for-character: no trailing spaces, correct URN prefix
  2. Confirm you're hitting the right endpoint version: v2.0 supports authorization_code, refresh_token, client_credentials, device_code and password; legacy flows like SAML/JWT bearer assertion behave differently on v1.0 vs v2.0
  3. In the Entra ID portal → App registrations → Authentication, set 'Allow public client flows' to Yes if you use device code or ROPC from a desktop/CLI app; leave it No for confidential web apps using client_credentials
  4. If you're calling on-behalf-of for Power BI, ADF, or Fabric service principals, verify the middle-tier app has the downstream API permissions consented and uses grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer with a valid user assertion
  5. Switch deprecated flows: replace ROPC with authorization_code + PKCE for interactive sign-in, or with client_credentials for unattended service-to-service calls (Power BI service principal, ADF managed identity)
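
A check for step 1, added here as an example (it is not MetricSign or Microsoft code): it parses a captured form-encoded token request body and reports how grant_type deviates from the supported strings listed under Common causes. The function name, finding messages and sample bodies are constructed for illustration.

```python
from urllib.parse import parse_qs, unquote

URN_PREFIX = "urn:ietf:params:oauth:grant-type:"
# Supported grant_type strings, as listed under "Common causes" on this page.
SUPPORTED = {
    "authorization_code", "refresh_token", "client_credentials", "password",
    URN_PREFIX + "device_code", URN_PREFIX + "jwt-bearer", URN_PREFIX + "saml2-bearer",
}

def check_grant_type(body):
    """Return findings for a form-encoded token request body; [] means exact match."""
    values = parse_qs(body, keep_blank_values=True).get("grant_type", [])
    if len(values) != 1:
        return [f"expected exactly one grant_type parameter, found {len(values)}"]
    raw = values[0]
    if raw in SUPPORTED:
        return []
    findings = []
    value = raw.strip()
    if value != raw:
        findings.append("leading or trailing whitespace")
    if "%" in value:  # still percent-encoded after one decode
        findings.append("value is URL-encoded twice")
        value = unquote(value)
    if value != value.lower():
        findings.append("letter case differs from the supported string")
        value = value.lower()
    if URN_PREFIX + value in SUPPORTED:
        findings.append("missing URN prefix")
        value = URN_PREFIX + value
    if value not in SUPPORTED:
        findings.append("not one of the supported grant types")
    return findings

# Constructed sample bodies (placeholder client_id, no secrets).
SAMPLES = [
    "grant_type=client_credentials&client_id=00000000-0000-0000-0000-000000000000",
    "client_id=00000000-0000-0000-0000-000000000000&grant_type=client_credentials+",
    "grant_type=device_code&client_id=00000000-0000-0000-0000-000000000000",
    "grant_type=urn%253Aietf%253Aparams%253Aoauth%253Agrant-type%253Ajwt-bearer",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(check_grant_type(body) or "OK", "<-", body)
```

Pass it the request body only, and strip client_secret, assertion and refresh_token values from a capture before attaching it to a ticket.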

Frequently asked questions

What does AADSTS70003 mean?

The app returned an unsupported grant type.

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes
