MetricSign
Severity: low · Category: authentication

Power BI Error: AADSTS81004

What does this error mean?

Seamless SSO failed because the Kerberos ticket presented to Entra ID (Azure AD) could not be authenticated against the tenant.

Common causes

  • The AZUREADSSOACC$ computer account in on-prem Active Directory is missing, disabled, or its Kerberos decryption key is out of sync with Entra ID
  • The user's on-prem UPN/sAMAccountName does not match the userPrincipalName in Entra ID (Azure AD), so the ticket maps to no cloud identity
  • Seamless SSO is not enabled for the user's domain, or the AZUREADSSOACC SPNs (HTTP/autologon.microsoftazuread-sso.com) are missing or duplicated
  • The client machine is not domain-joined or not on the corporate network, so it cannot obtain a valid Kerberos TGT for AZUREADSSOACC
  • Clock skew >5 minutes between the client, the domain controller, and Entra ID causes Kerberos ticket validation to fail

How to fix it

  1. On the Azure AD Connect server, run Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1' and then New-AzureADSSOAuthenticationContext followed by Update-AzureADSSOForest to re-roll the AZUREADSSOACC Kerberos decryption key (do this twice, 30 days apart, as a hygiene practice)
  2. Verify the AZUREADSSOACC$ computer account exists in on-prem AD and that the SPNs HTTP/autologon.microsoftazuread-sso.com and HTTPS/autologon.microsoftazuread-sso.com are registered to it (setspn -L AZUREADSSOACC)
  3. Confirm the failing user's on-prem UPN matches their Entra ID UPN exactly; mismatched suffixes (e.g. user@contoso.local vs user@contoso.com) are a frequent root cause. Fix via UPN suffix routing or sync rules
  4. Check that the client is domain-joined, on the corporate network (or via a VPN that allows DC traffic), and that autologon.microsoftazuread-sso.com is in the Intranet zone in Internet Options / Group Policy so the browser sends the Kerberos ticket
  5. Validate time sync: domain controllers, the client, and the Azure AD Connect server should all be within 5 minutes of UTC; Kerberos refuses tickets outside that window
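The checks in steps 2 to 5 can be run from one script before touching the Kerberos key. The following PowerShell is an added example, not code from MetricSign or Microsoft: it assumes the RSAT ActiveDirectory module on a domain-joined admin workstation that can reach a domain controller, and the parameter names (-SamAccountName, -CloudUpn, -MaxKeyAgeDays, -MaxSkewSeconds) are this script's own. The cloud UPN is taken from the Entra ID sign-in log and passed in by hand, so no Graph connection is needed.

```powershell
<#
  Added diagnostic example (not MetricSign's or Microsoft's code).
  Reports the on-prem Seamless SSO prerequisites that AADSTS81004 depends on:
  AZUREADSSOACC$ state and key age, SPN registration and duplicates,
  on-prem vs cloud UPN, clock skew against a DC, and (on the affected client)
  whether a ticket for autologon.microsoftazuread-sso.com was ever issued.
  Assumes: RSAT ActiveDirectory module, domain-joined machine, DC reachable.
#>
param(
    [Parameter(Mandatory)] [string] $SamAccountName,  # failing user's on-prem sAMAccountName
    [string] $CloudUpn,                               # UPN shown in the Entra ID sign-in log (optional)
    [int]    $MaxKeyAgeDays  = 30,                    # Microsoft recommends rolling the key at least every 30 days
    [int]    $MaxSkewSeconds = 300                    # Kerberos default tolerance is 5 minutes
)
Import-Module ActiveDirectory -ErrorAction Stop

$findings = [System.Collections.Generic.List[string]]::new()
$ssoHost  = 'autologon.microsoftazuread-sso.com'

# Step 2: the AZUREADSSOACC$ computer account must exist, be enabled, and hold a fresh key.
$acc = Get-ADComputer -Identity 'AZUREADSSOACC$' `
         -Properties Enabled, PasswordLastSet, ServicePrincipalNames -ErrorAction SilentlyContinue
if (-not $acc) {
    $findings.Add('AZUREADSSOACC$ not found in AD: Seamless SSO is not configured for this forest')
} else {
    if (-not $acc.Enabled) { $findings.Add('AZUREADSSOACC$ is disabled') }
    $keyAge = (New-TimeSpan -Start $acc.PasswordLastSet -End (Get-Date)).Days
    if ($keyAge -gt $MaxKeyAgeDays) {
        $findings.Add("AZUREADSSOACC`$ Kerberos key is $keyAge days old; roll it with Update-AzureADSSOForest")
    }
    # Both SPNs must be on this account and on no other object (duplicates break ticket decryption).
    foreach ($spn in "HTTP/$ssoHost", "HTTPS/$ssoHost") {
        if ($acc.ServicePrincipalNames -notcontains $spn) {
            $findings.Add("SPN $spn is missing from AZUREADSSOACC`$")
        }
        $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
        if ($owners.Count -gt 1) {
            $findings.Add("SPN $spn is duplicated on: $($owners.Name -join ', ')")
        }
    }
}

# Step 3: the on-prem UPN must match the cloud UPN exactly (comparison is case-insensitive).
$user = Get-ADUser -Identity $SamAccountName -Properties UserPrincipalName -ErrorAction SilentlyContinue
if (-not $user) {
    $findings.Add("User $SamAccountName not found in AD")
} else {
    if ($user.UserPrincipalName -like '*.local') {
        $findings.Add("On-prem UPN $($user.UserPrincipalName) uses a non-routable suffix; it cannot match a cloud UPN")
    }
    if ($CloudUpn -and $user.UserPrincipalName -ne $CloudUpn) {
        $findings.Add("On-prem UPN $($user.UserPrincipalName) differs from cloud UPN $CloudUpn; the ticket maps to no cloud identity")
    }
}

# Step 5: clock skew between this machine and the nearest DC, measured with w32tm.
# Output format assumed: the last /dataonly line looks like "12:34:56, +00.0012345s".
$dc = (Get-ADDomainController -Discover -NextClosestSite).HostName | Select-Object -First 1
$chart = & w32tm /stripchart /computer:$dc /samples:1 /dataonly 2>&1
$line  = @($chart | Where-Object { $_ -match '([+-]\d+\.\d+)s' }) | Select-Object -Last 1
if ($line -and $line -match '([+-]\d+\.\d+)s') {
    $skew = [math]::Abs([double]$Matches[1])
    if ($skew -gt $MaxSkewSeconds) {
        $findings.Add("Clock skew against $dc is $skew s, above the $MaxSkewSeconds s Kerberos window")
    }
} else {
    $findings.Add("Could not measure clock skew against $dc (w32tm output not understood)")
}

# Step 4 (informational, only meaningful when run on the affected client as the affected user):
# a ticket for HTTP/autologon... in the cache shows the browser did request one.
$klist = & klist 2>$null
if (-not ($klist -match "HTTP/$ssoHost")) {
    $findings.Add("No cached Kerberos ticket for HTTP/$ssoHost on this machine (check Intranet zone and network path to a DC)")
}

if ($findings.Count -eq 0) {
    'No Seamless SSO prerequisite problems found'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it as `.\Check-SeamlessSso.ps1 -SamAccountName jdoe -CloudUpn jdoe@contoso.com` (file name is an assumption). Each finding maps to one of the steps above, so a clean run before re-rolling the key narrows the fault to the key itself or to the cloud side.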

Frequently asked questions

What does AADSTS81004 mean?

Kerberos authentication attempt failed.

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes
