What causes AADSTS70043?

Conditional Access 'Sign-in frequency' policy is configured (e.g. 1h/8h/1d) and the token exceeded that window. Token was issued before a CA policy change that shortened the allowed lifetime. Persistent browser session disabled in CA, forcing reauth on every new session. Power BI Gateway / scheduled refresh using cached delegated credentials that can't satisfy interactive reauth requirement. Service account targeted by a CA policy intended for interactive users (sign-in frequency applies to it as well)

How do I fix AADSTS70043?

Have the affected user sign in interactively to Power BI / Fabric / the Azure portal — this issues a fresh refresh token that resets the sign-in frequency window. For Power BI scheduled refresh or gateway data sources: open the dataset/datasource credentials and re-enter credentials (OAuth2) so a new token is minted. In Microsoft Entra admin center → Protection → Conditional Access, locate the policy with a 'Sign-in frequency' session control and verify whether the configured interval matches your operational reality; exclude service accounts or break-glass accounts where appropriate. For unattended workloads (ADF linked services, Databricks, automation), migrate from delegated user credentials to a Service Principal or Managed Identity — these are not subject to user sign-in frequency. Check Entra ID Sign-in logs (filter on error code 70043) to confirm which CA policy fired under 'Conditional Access' tab, and review the token issue date vs. policy max lifetime

High severityauthentication

Power BI Error:
AADSTS70043

What does this error mean?

Conditional Access sign-in frequency policy forced refresh token expiry; user must reauthenticate interactively.

Common causes

1Conditional Access 'Sign-in frequency' policy is configured (e.g. 1h/8h/1d) and the token exceeded that window
2Token was issued before a CA policy change that shortened the allowed lifetime
3Persistent browser session disabled in CA, forcing reauth on every new session
4Power BI Gateway / scheduled refresh using cached delegated credentials that can't satisfy interactive reauth requirement
5Service account targeted by a CA policy intended for interactive users (sign-in frequency applies to it as well)

How to fix it

1Have the affected user sign in interactively to Power BI / Fabric / the Azure portal — this issues a fresh refresh token that resets the sign-in frequency window
2For Power BI scheduled refresh or gateway data sources: open the dataset/datasource credentials and re-enter credentials (OAuth2) so a new token is minted
3In Microsoft Entra admin center → Protection → Conditional Access, locate the policy with a 'Sign-in frequency' session control and verify whether the configured interval matches your operational reality; exclude service accounts or break-glass accounts where appropriate
4For unattended workloads (ADF linked services, Databricks, automation), migrate from delegated user credentials to a Service Principal or Managed Identity — these are not subject to user sign-in frequency
5Check Entra ID Sign-in logs (filter on error code 70043) to confirm which CA policy fired under 'Conditional Access' tab, and review the token issue date vs. policy max lifetime

Frequently asked questions

What does AADSTS70043 mean?

The refresh token has expired or

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes