High severity · authentication
Power BI Error: AADSTS70011
What does this error mean?
Microsoft Entra ID (Azure AD) rejected the sign-in because the requested OAuth scope value is malformed or unrecognized.
Common causes
1. Scope URI uses an unregistered or misspelled resource (e.g. `https://example.contoso.com/activity.read`) that doesn't exist in the target tenant
2. Mixing v1.0 resource identifiers with v2.0 scope syntax: the v2.0 endpoint requires fully qualified scopes like `<resource-uri>/.default` or `<resource-uri>/<permission>`
3. Requested permission (delegated or application) isn't exposed by the API app registration in Entra ID
4. Multiple resource scopes combined in one request: Entra ID only accepts scopes for a single resource per token request
5. Power BI / Fabric service principal calling with `https://analysis.windows.net/powerbi/api` but missing the `/.default` suffix on the v2.0 (`/oauth2/v2.0/token`) endpoint
How to fix it
1. Inspect the exact `scope` value your client is sending: capture it from the failing auth request URL or the MSAL/ADAL log; the error message echoes the offending scope
2. If you're on the v2.0 endpoint, replace resource-only values with the `/.default` form: for Power BI use `https://analysis.windows.net/powerbi/api/.default`, for Fabric `https://api.fabric.microsoft.com/.default`, for Storage `https://storage.azure.com/.default`
3. In the Entra admin center, open the API's app registration → *Expose an API* and confirm the scope name exists exactly as requested; for delegated/app permissions check *API permissions* on the client app and grant admin consent
4. Make sure each token request targets one resource only: split multi-resource flows into separate `acquireToken` calls (one per resource audience)
5. For ADF / Synapse / Databricks linked services using a service principal, re-save the linked service after correcting the scope so the cached token is invalidated, then re-trigger the failing pipeline
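The following is an added example, not code from Microsoft, MSAL or this page: a small pre-flight check that runs over the `scope` list before a v2.0 token request and reports the shapes of mistake listed under "Common causes" (a bare resource URI with no `/.default`, an unknown resource, a client-credentials call that asks for anything other than `/.default`, and scopes spanning more than one resource), plus two helpers for fix steps 2 and 4 (rewriting a resource-only value to its `/.default` form, and partitioning a mixed list into one scope set per resource for separate `acquireToken` calls). The `KNOWN_RESOURCES` allowlist is constructed from the audiences named on this page and is an assumption, not an authoritative registry; extend it with your own API's Application ID URI.

```python
"""Pre-flight validation of OAuth scope values for the Entra ID v2.0 token
endpoint, catching the mistakes that come back as AADSTS70011.

Added example; not Microsoft or MSAL code. Rules encoded here follow the
page's "Common causes" list: one resource per request, v2.0 needs
<resource>/.default or <resource>/<permission>, client-credentials flows
must use /.default.
"""
from urllib.parse import urlsplit

# OpenID Connect scopes attach to no resource and never count toward
# the one-resource-per-request rule.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}
GRAPH = "https://graph.microsoft.com"

# Constructed allowlist of resource audiences named on the page (assumption:
# these are the APIs your app talks to). Add your own Application ID URI.
KNOWN_RESOURCES = {
    "https://analysis.windows.net/powerbi/api",
    "https://api.fabric.microsoft.com",
    "https://storage.azure.com",
    GRAPH,
}


def split_scope(scope, known_resources=KNOWN_RESOURCES):
    """Return (resource, permission) for a v2.0 scope string.

    A short scope such as 'User.Read' implies Microsoft Graph. A fully
    qualified scope is split at the longest matching known resource or,
    failing that, at its last '/'. A bare resource URI (no permission
    segment) yields permission None: that is the v1.0-style value the
    v2.0 endpoint rejects.
    """
    if "://" not in scope:
        return GRAPH, scope
    for res in sorted(known_resources, key=len, reverse=True):
        if scope == res:
            return res, None
        if scope.startswith(res + "/"):
            return res, scope[len(res) + 1:] or None
    if urlsplit(scope).path in ("", "/"):
        return scope.rstrip("/"), None
    resource, _, permission = scope.rpartition("/")
    return resource, permission


def check_scopes(scopes, client_credentials=False, known_resources=KNOWN_RESOURCES):
    """Return a list of problems that would surface as an invalid-scope error.

    An empty list means the scope set looks well-formed for the v2.0 endpoint.
    """
    problems = []
    resources = set()
    for s in scopes:
        if s in OIDC_SCOPES:
            continue
        resource, permission = split_scope(s, known_resources)
        if permission is None:
            # Cause 2 / cause 5: resource identifier without a permission segment.
            problems.append(f"{s}: v1.0-style resource URI; v2.0 needs {s}/.default")
        elif client_credentials and permission != ".default":
            # App-only (client credentials) tokens can only be requested for /.default.
            problems.append(f"{s}: client-credentials flow must request <resource>/.default")
        if resource not in known_resources:
            # Cause 1: resource not registered / misspelled.
            problems.append(f"{s}: resource {resource} is not a known/registered API")
        resources.add(resource)
    if len(resources) > 1:
        # Cause 4: a v2.0 token request may carry scopes for one resource only.
        problems.append(
            f"scopes span {len(resources)} resources ({', '.join(sorted(resources))}); "
            "a token request may target one resource only"
        )
    return problems


def to_default_scope(scope, known_resources=KNOWN_RESOURCES):
    """Fix step 2: rewrite a resource-only value into '<resource>/.default'.

    Scopes that already carry a permission segment are returned unchanged.
    """
    resource, permission = split_scope(scope, known_resources)
    return scope if permission else f"{resource}/.default"


def group_by_resource(scopes, known_resources=KNOWN_RESOURCES):
    """Fix step 4: partition a mixed scope list into one list per resource,
    so each list can go into its own acquireToken call. OIDC scopes are
    left out; MSAL adds them to every request itself."""
    groups = {}
    for s in scopes:
        if s in OIDC_SCOPES:
            continue
        resource, _ = split_scope(s, known_resources)
        groups.setdefault(resource, []).append(s)
    return groups


if __name__ == "__main__":
    # Constructed sample reproducing the page's causes 1, 4 and 5 in one request.
    bad = [
        "https://analysis.windows.net/powerbi/api",       # missing /.default
        "https://example.contoso.com/activity.read",      # unregistered resource
        "https://storage.azure.com/.default",             # second resource in same request
    ]
    for problem in check_scopes(bad, client_credentials=True):
        print("problem:", problem)
    fixed = [to_default_scope(s) for s in bad]
    for resource, scope_list in group_by_resource(fixed).items():
        print("separate acquireToken call for", resource, "->", scope_list)
```

Run `check_scopes(...)` with `client_credentials=True` for service-principal flows (ADF, Synapse, Databricks linked services), since those may only ever request `/.default`; for interactive delegated flows leave it `False` so named permissions such as `User.Read` pass.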