What causes AADSTS80013?

Clock drift greater than ~5 minutes between the PTA authentication agent server and the on-premises AD domain controller. Windows Time service (w32time) stopped or misconfigured on the agent server or DC. Authentication agent server (or DC) running in a VM with paused/restored state causing time jumps. PDC emulator itself is out of sync with an external NTP source, propagating skew across the domain. Firewall or NTP source blocked, leaving the agent host falling back to inaccurate hardware clock

How do I fix AADSTS80013?

On the server running the Azure AD / Entra ID authentication agent, run `w32tm /query /status` and `w32tm /stripchart /computer: /samples:5 /dataonly` to confirm the skew against the domain controller. Force a resync on the agent server: `net stop w32time && w32tm /unregister && w32tm /register && net start w32time && w32tm /resync /rediscover`. Verify the PDC emulator is syncing to a reliable external NTP source (e.g. `time.windows.com` or an internal stratum-1) — `w32tm /query /source` should not return 'Local CMOS Clock'. Restart the Microsoft Azure AD Connect Authentication Agent service (`AzureADConnectAuthenticationAgentService`) once time is back in sync, then retest sign-in. If running on a VM, disable host-to-guest time synchronization (Hyper-V Integration Services / VMware Tools) so w32time remains authoritative

Low severityauthentication

Power BI Error:
AADSTS80013

What does this error mean?

Time skew between the on-premises Azure AD Connect authentication agent server and the local Active Directory domain controller blocks password validation.

Common causes

1Clock drift greater than ~5 minutes between the PTA authentication agent server and the on-premises AD domain controller
2Windows Time service (w32time) stopped or misconfigured on the agent server or DC
3Authentication agent server (or DC) running in a VM with paused/restored state causing time jumps
4PDC emulator itself is out of sync with an external NTP source, propagating skew across the domain
5Firewall or NTP source blocked, leaving the agent host falling back to inaccurate hardware clock

How to fix it

1On the server running the Azure AD / Entra ID authentication agent, run `w32tm /query /status` and `w32tm /stripchart /computer:<DC-FQDN> /samples:5 /dataonly` to confirm the skew against the domain controller
2Force a resync on the agent server: `net stop w32time && w32tm /unregister && w32tm /register && net start w32time && w32tm /resync /rediscover`
3Verify the PDC emulator is syncing to a reliable external NTP source (e.g. `time.windows.com` or an internal stratum-1) — `w32tm /query /source` should not return 'Local CMOS Clock'
4Restart the Microsoft Azure AD Connect Authentication Agent service (`AzureADConnectAuthenticationAgentService`) once time is back in sync, then retest sign-in
5If running on a VM, disable host-to-guest time synchronization (Hyper-V Integration Services / VMware Tools) so w32time remains authoritative

Frequently asked questions

What does AADSTS80013 mean?

The authentication attempt couldn't be completed due to time skew b

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes