What causes AADSTS81006?

The URL https://autologon.microsoftazuread-sso.com is not added to the Intranet Zone (or Trusted Sites) via Group Policy, so the browser strips the Kerberos Authorization header. Device is not domain-joined or Hybrid Azure AD-joined, meaning no Kerberos TGT is available to forward to Entra ID. User is off the corporate network/VPN and can't reach a domain controller to obtain a Kerberos ticket. Browser (Chrome/Edge/Firefox) lacks the AuthServerAllowlist / AuthNegotiateDelegateAllowlist policy for the autologon endpoint. Seamless SSO computer account AZUREADSSOACC password is stale (>30 days) or the feature was disabled in Microsoft Entra Connect

How do I fix AADSTS81006?

Add https://autologon.microsoftazuread-sso.com to the Intranet Zone via GPO (User Configuration → Administrative Templates → Windows Components → Internet Explorer → Internet Control Panel → Security Page → Site to Zone Assignment List), then run gpupdate /force on the client. Confirm the device is domain-joined and on the corporate network/VPN with line-of-sight to a domain controller; run klist to verify a TGT is present. In Microsoft Entra Connect, open the Seamless SSO wizard and roll over the Kerberos decryption key of the AZUREADSSOACC computer account (Microsoft recommends every 30 days). For Chrome/Edge, push the AuthNegotiateDelegateAllowlist and AuthServerAllowlist policies with value autologon.microsoftazuread-sso.com; for Firefox set network.negotiate-auth.trusted-uris. Test with the Seamless SSO troubleshooter at testconnectivity.microsoft.com or fall back to password/MFA sign-in to unblock the user while the Kerberos path is fixed

Low severityauthentication

Power BI Error:
AADSTS81006

What does this error mean?

Seamless SSO request reached Entra ID without an Authorization header, so Kerberos authentication can't proceed.

Common causes

1The URL https://autologon.microsoftazuread-sso.com is not added to the Intranet Zone (or Trusted Sites) via Group Policy, so the browser strips the Kerberos Authorization header
2Device is not domain-joined or Hybrid Azure AD-joined, meaning no Kerberos TGT is available to forward to Entra ID
3User is off the corporate network/VPN and can't reach a domain controller to obtain a Kerberos ticket
4Browser (Chrome/Edge/Firefox) lacks the AuthServerAllowlist / AuthNegotiateDelegateAllowlist policy for the autologon endpoint
5Seamless SSO computer account AZUREADSSOACC password is stale (>30 days) or the feature was disabled in Microsoft Entra Connect

How to fix it

1Add https://autologon.microsoftazuread-sso.com to the Intranet Zone via GPO (User Configuration → Administrative Templates → Windows Components → Internet Explorer → Internet Control Panel → Security Page → Site to Zone Assignment List), then run gpupdate /force on the client
2Confirm the device is domain-joined and on the corporate network/VPN with line-of-sight to a domain controller; run klist to verify a TGT is present
3In Microsoft Entra Connect, open the Seamless SSO wizard and roll over the Kerberos decryption key of the AZUREADSSOACC computer account (Microsoft recommends every 30 days)
4For Chrome/Edge, push the AuthNegotiateDelegateAllowlist and AuthServerAllowlist policies with value autologon.microsoftazuread-sso.com; for Firefox set network.negotiate-auth.trusted-uris
5Test with the Seamless SSO troubleshooter at testconnectivity.microsoft.com or fall back to password/MFA sign-in to unblock the user while the Kerberos path is fixed

Frequently asked questions

What does AADSTS81006 mean?

No authorization header was found.

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes