Low severity | authentication
Power BI Error: AADSTS700030
What does this error mean?
The certificate's subject name (or SAN) used for authentication isn't registered on the Entra ID app registration.
Common causes
1. The certificate used to sign the client_assertion is not (or no longer) uploaded under Certificates & secrets on the Entra ID app registration
2. Subject Name Issuer Authentication (SNI) is configured but the cert's Subject/SAN doesn't match any trusted issuer/subject pair on the app
3. A renewed or rotated certificate was deployed to the service principal but never registered in Entra ID
4. Wrong certificate is being picked up at runtime (e.g. service account loading a stale cert from the Windows cert store or Key Vault)
5. Service principal in a federated/multi-tenant scenario presents a cert whose subject isn't whitelisted in the resource tenant
How to fix it
1. Open the failing app in Entra ID → App registrations → Certificates & secrets and compare the Thumbprint / Subject listed there against the cert actually being sent (check the {certificateSubjects} value returned in the error)
2. If the subject doesn't match, export the public key (.cer) of the certificate your client/gateway is using and upload it to the app registration; wait ~5 minutes for propagation
3. For Power BI / Fabric service principal auth or ADF Linked Services with cert-based auth: verify the Key Vault secret version referenced still points to the live, non-expired certificate
4. If using SNI auth (trustedCertificateSubjects), confirm the issuer chain and subject DN are added to the app manifest's trustedCertificateSubjects collection
5. Re-acquire the token after the cert is registered; if the error persists, decode the JWT client_assertion at jwt.ms and confirm the x5t header matches a thumbprint on the app registration
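The x5t comparison in step 5 can also be done locally, which keeps the client_assertion on the machine and handles the encoding mismatch: x5t is the base64url form of the certificate's SHA-1 digest, while the app registration lists the thumbprint as hex. The script below is an added example, not part of the original page; its function names and the sample assertion are constructed for illustration, and it assumes the header carries the x5t claim named in step 5.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def assertion_thumbprint(client_assertion: str) -> str:
    """Return the x5t header of a client_assertion as an uppercase hex thumbprint."""
    parts = client_assertion.strip().split(".")
    if len(parts) != 3:
        raise ValueError("client_assertion is not a three-part compact JWT")
    header = json.loads(b64url_decode(parts[0]))
    x5t = header.get("x5t")
    if not x5t:
        raise ValueError("JWT header carries no x5t claim")
    digest = b64url_decode(x5t)
    if len(digest) != 20:  # x5t is the SHA-1 digest of the DER-encoded certificate
        raise ValueError("x5t does not decode to a 20-byte SHA-1 digest")
    return digest.hex().upper()


def normalise(thumbprint: str) -> str:
    """Drop spaces, colons and invisible characters from a copied thumbprint."""
    return "".join(ch for ch in thumbprint if ch.isalnum()).upper()


def is_registered(client_assertion: str, registered_thumbprints: list[str]) -> bool:
    """True when the assertion's signing-cert thumbprint is among the registered ones."""
    sent = assertion_thumbprint(client_assertion)
    return sent in {normalise(t) for t in registered_thumbprints}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed sample: only the header matters; payload and signature are dummies.
SAMPLE_DIGEST = bytes(range(1, 21))
SAMPLE_ASSERTION = ".".join([
    _b64url(json.dumps({"alg": "RS256", "x5t": _b64url(SAMPLE_DIGEST)}).encode()),
    _b64url(b'{"aud":"placeholder"}'),
    _b64url(b"not-a-real-signature"),
])

if __name__ == "__main__":
    print("Thumbprint sent by client:", assertion_thumbprint(SAMPLE_ASSERTION))
```

Pass the thumbprints copied from Certificates & secrets to is_registered; a False result means the client is signing with a certificate the app registration does not list.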