Low severity | authentication
Power BI Error: AADSTS81005
What does this error mean?
Seamless SSO failed because the client requested an authentication package (not Kerberos/Negotiate) that Azure AD / Entra ID doesn't support.
Common causes
1. Browser or client sent NTLM (or another non-Kerberos package) instead of Negotiate/Kerberos during the Seamless SSO challenge
2. Browser zone settings don't include autologon.microsoftazuread-sso.com in the Intranet/Trusted sites zone, so Integrated Windows Authentication isn't triggered
3. The AZUREADSSO computer account in on-prem AD is missing, disabled, or its Kerberos decryption key is out of sync with Azure AD Connect
4. Device is not domain-joined or off-corpnet without line-of-sight to a domain controller, so Kerberos ticket acquisition fails
5. Power BI Desktop / Gateway / ADF linked service uses a legacy auth flow or stale MSAL/ADAL library that doesn't negotiate Kerberos correctly
How to fix it
1. Add https://autologon.microsoftazuread-sso.com to the user's Intranet zone (via GPO: User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Site to Zone Assignment List) and enable 'Allow updates to status bar via script'
2. In Azure AD Connect, run Get-AzureADSSOStatus and re-roll the Kerberos decryption key with Update-AzureADSSOForest to make sure the AZUREADSSO computer account is healthy and in sync
3. Verify the user signs in from a domain-joined device with line-of-sight to a domain controller; if not, disable Seamless SSO for that scenario and let the user fall back to interactive sign-in or Windows Hello / PRT
4. Update Power BI Desktop, the on-premises data gateway, and any custom apps to the latest MSAL build so they negotiate Kerberos/Negotiate instead of NTLM, and clear cached credentials in Credential Manager
5. If the error persists for a single user, run klist purge, restart the workstation, and capture a Fiddler trace of the call to autologon.microsoftazuread-sso.com to confirm which auth package the client is offering
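
To read the trace from the last step, the Authorization header value of the captured request can be decoded to see which package the client put first: a raw NTLMSSP message, or a SPNEGO token whose preferred mechanism is Kerberos or NTLM. The Python below is an added example, not code from the original page or from Microsoft; `offered_package` and `read_tlv` are hypothetical helper names, and the two sample values are constructed, not captured traffic.

```python
import base64

SPNEGO = bytes.fromhex("2b0601050502")                  # 1.3.6.1.5.5.2
MECHS = {                                               # DER-encoded mechanism OIDs
    bytes.fromhex("2a864886f712010202"): "Kerberos",    # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "Kerberos",    # 1.2.840.48018.1.2.2 (legacy MS)
    bytes.fromhex("2b06010401823702020a"): "NTLM",      # 1.3.6.1.4.1.311.2.2.10
}
# Constructed sample header values (not captured traffic).
SAMPLE_KERBEROS = "Negotiate " + base64.b64encode(bytes.fromhex(
    "602706062b0601050502a01d301ba019301706092a864886f712010202060a2b06010401823702020a")).decode()
SAMPLE_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def offered_package(header_value):
    """Name the auth package carried in an HTTP Authorization header value."""
    b64 = header_value.strip().partition(" ")[2].strip()
    try:
        token = base64.b64decode(b64, validate=True)
        if token.startswith(b"NTLMSSP\x00"):
            return "NTLM"                               # raw NTLMSSP under either scheme
        if token[0] != 0x60:                            # not a GSS-API initial token
            return "unknown"
        _, pos, _ = read_tlv(token, 0)
        tag, start, end = read_tlv(token, pos)          # thisMech OID
        if tag != 0x06:
            return "unknown"
        if token[start:end] != SPNEGO:                  # bare mechanism token
            return MECHS.get(token[start:end], "unknown")
        # SPNEGO: [0] NegTokenInit > SEQUENCE > [0] mechTypes > SEQUENCE OF OID
        pos = end
        for expected in (0xA0, 0x30, 0xA0, 0x30):
            tag, pos, _ = read_tlv(token, pos)
            if tag != expected:
                return "unknown"
        tag, start, end = read_tlv(token, pos)          # first OID is the preferred mechanism
        return MECHS.get(token[start:end], "unknown") if tag == 0x06 else "unknown"
    except (ValueError, IndexError):
        return "unparseable"

if __name__ == "__main__":
    print([offered_package(s) for s in (SAMPLE_KERBEROS, SAMPLE_NTLM)])
```

Pass only the header value (scheme plus base64 token), not the `Authorization:` name itself.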