What causes AADSTS80012?

The user's on-premises AD account has restricted 'Logon Hours' set on the Account tab in Active Directory Users and Computers (ADUC). A Group Policy or AD security baseline applies time-of-day logon restrictions to the user's OU. Time zone mismatch between the domain controller and the user — DC enforces logon hours in its local time, not the user's. Service account or shared account used for a Power BI Gateway / scheduled refresh inherits a logon-hours policy intended for human users. Recent AD account template or bulk import copied logon-hours restrictions to new users unintentionally

How do I fix AADSTS80012?

Open Active Directory Users and Computers (ADUC), find the user, open Properties → Account → 'Logon Hours…' and verify the allowed window covers the time the sign-in was attempted. Check the domain controller's time zone and confirm the user understands logon hours are evaluated in DC local time — adjust the window if users work across time zones. For Power BI Gateway, ADF Self-hosted IR, or scheduled refresh service accounts: remove logon-hours restrictions entirely — they need 24/7 access. Run `Get-ADUser -Properties LogonHours` in PowerShell to inspect the raw byte mask if the GUI shows unexpected behavior, and reset with `Set-ADUser -Replace @{logonHours=...}`. Force an Entra Connect / AAD Connect sync (`Start-ADSyncSyncCycle -PolicyType Delta`) after changing AD, then have the user retry sign-in

Low severityauthentication

Power BI Error:
AADSTS80012, Logon Outside Allowed Hours

What does this error mean?

User attempted to sign in outside the logon hours configured on their on-premises Active Directory account.

Common causes

1The user's on-premises AD account has restricted 'Logon Hours' set on the Account tab in Active Directory Users and Computers (ADUC)
2A Group Policy or AD security baseline applies time-of-day logon restrictions to the user's OU
3Time zone mismatch between the domain controller and the user — DC enforces logon hours in its local time, not the user's
4Service account or shared account used for a Power BI Gateway / scheduled refresh inherits a logon-hours policy intended for human users
5Recent AD account template or bulk import copied logon-hours restrictions to new users unintentionally

How to fix it

1Open Active Directory Users and Computers (ADUC), find the user, open Properties → Account → 'Logon Hours…' and verify the allowed window covers the time the sign-in was attempted
2Check the domain controller's time zone and confirm the user understands logon hours are evaluated in DC local time — adjust the window if users work across time zones
3For Power BI Gateway, ADF Self-hosted IR, or scheduled refresh service accounts: remove logon-hours restrictions entirely — they need 24/7 access
4Run `Get-ADUser <user> -Properties LogonHours` in PowerShell to inspect the raw byte mask if the GUI shows unexpected behavior, and reset with `Set-ADUser <user> -Replace @{logonHours=...}`
5Force an Entra Connect / AAD Connect sync (`Start-ADSyncSyncCycle -PolicyType Delta`) after changing AD, then have the user retry sign-in

Frequently asked questions

What does AADSTS80012 mean?

The users attempted to log on outside of the allowed hours (this is specified in AD).

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes