High severityauthentication
Power BI Refresh Error:
AADSTS70008
What does this error mean?
The refresh token used to authenticate the data source has expired due to prolonged inactivity and can no longer be redeemed.
Common causes
- 1Power BI dataset or dataflow credentials haven't been used within the 90-day refresh token inactivity window, so Entra ID expired the grant
- 2Conditional Access or token lifetime policy in Entra ID shortened the refresh token lifetime below the dataset's refresh cadence
- 3The user or service principal that authorized the connection had their session revoked (password reset, MFA reset, account disabled, or admin-initiated sign-out)
- 4Scheduled refresh was paused or the gateway was offline long enough for the cached refresh token to age out
- 5The OAuth grant was explicitly revoked in Entra ID (Enterprise Applications → user consent removed) or the app registration's client secret rotated
How to fix it
- 1Open the Power BI Service → dataset/dataflow → Settings → Data source credentials, click 'Edit credentials' and sign in again with OAuth2 to issue a new refresh token
- 2For ADF / Fabric / Synapse linked services: open the linked service, re-enter credentials (or re-authorize the OAuth connection) and test the connection before saving
- 3If a service principal is used, verify the client secret hasn't expired in App registrations → Certificates & secrets, rotate it, and update the secret in Key Vault / linked service
- 4Check Entra ID → Sign-in logs filtered on the affected user/SPN and AADSTS70008 to confirm the grant was revoked, and review Conditional Access + token lifetime policies that may force frequent re-auth
- 5Schedule refreshes to run at least every 60–80 days (or set a heartbeat refresh) so the refresh token stays active and doesn't hit the inactivity cutoff