What causes AADSTS700084?

SPA refresh token reached its hard 24-hour maximum lifetime (cannot be extended via Conditional Access or token lifetime policies). User session was kept open longer than 24h without an interactive sign-in (e.g. Power BI embedded dashboard left open overnight). MSAL.js acquireTokenSilent called after the 24h window — silent renewal is blocked for SPAs by design. App registered as 'Single-page application' platform instead of 'Web' — Web apps get longer-lived refresh tokens. Missing fallback to acquireTokenRedirect / acquireTokenPopup when silent acquisition fails

How do I fix AADSTS700084?

Catch the InteractionRequiredAuthError from MSAL.js and trigger acquireTokenRedirect() or acquireTokenPopup() to prompt re-authentication. If your app is not a true browser SPA, change the app registration platform from 'Single-page application' to 'Web' in Entra ID — Web apps receive standard 90-day refresh tokens. For embedded Power BI scenarios, use a backend service (Web app / daemon) to acquire tokens server-side and pass embed tokens to the browser instead of relying on SPA refresh tokens. Implement a proactive re-auth prompt before the 24h boundary (track token issueDate from the error payload) so users aren't interrupted mid-task. Verify SSO is configured so the forced re-sign-in is silent when the user's Entra ID session is still valid — reduces user friction to a redirect round-trip

Low severityauthentication

Power BI Error:
AADSTS700084

What does this error mean?

The SPA's refresh token hit its fixed 24-hour lifetime and cannot be renewed silently — a new sign-in is required.

Common causes

1SPA refresh token reached its hard 24-hour maximum lifetime (cannot be extended via Conditional Access or token lifetime policies)
2User session was kept open longer than 24h without an interactive sign-in (e.g. Power BI embedded dashboard left open overnight)
3MSAL.js acquireTokenSilent called after the 24h window — silent renewal is blocked for SPAs by design
4App registered as 'Single-page application' platform instead of 'Web' — Web apps get longer-lived refresh tokens
5Missing fallback to acquireTokenRedirect / acquireTokenPopup when silent acquisition fails

How to fix it

1Catch the InteractionRequiredAuthError from MSAL.js and trigger acquireTokenRedirect() or acquireTokenPopup() to prompt re-authentication
2If your app is not a true browser SPA, change the app registration platform from 'Single-page application' to 'Web' in Entra ID — Web apps receive standard 90-day refresh tokens
3For embedded Power BI scenarios, use a backend service (Web app / daemon) to acquire tokens server-side and pass embed tokens to the browser instead of relying on SPA refresh tokens
4Implement a proactive re-auth prompt before the 24h boundary (track token issueDate from the error payload) so users aren't interrupted mid-task
5Verify SSO is configured so the forced re-sign-in is silent when the user's Entra ID session is still valid — reduces user friction to a redirect round-trip

Frequently asked questions

What does AADSTS700084 mean?

The refresh token was issued to a single page app (SPA), and therefore has a fixed, limited lif

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes