What causes AADSTS81007?

Seamless SSO was never enabled on the tenant in Azure AD Connect (Entra Connect). Seamless SSO was disabled or removed during an Azure AD Connect upgrade or reconfiguration. The tenant migrated from AD FS or Pass-through Authentication without re-enabling Seamless SSO. Computer policy (e.g. Intranet Zone for autologon.microsoftazuread-sso.com) is pushing Kerberos tickets to a tenant that no longer accepts them. User is signing in to a different tenant than the one where Seamless SSO is configured

How do I fix AADSTS81007?

On the Azure AD Connect server, run the Azure AD Connect wizard → 'Change user sign-in' and tick 'Enable single sign-on' to opt the tenant in to Seamless SSO. Verify with PowerShell: import the Seamless SSO module (`C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1`) and run `Get-AzureADSSOStatus` — the tenant should return Enabled = True. Confirm the AZUREADSSOACC computer account exists in on-prem AD and that its Kerberos decryption key is < 30 days old; if not, rotate it via `Update-AzureADSSOForest`. Push the GPO that adds `https://autologon.microsoftazuread-sso.com` to the Intranet zone and enables 'Allow updates to status bar via script' so browsers send the Kerberos ticket. If Seamless SSO will not be used, remove the autologon URL from the Intranet zone GPO so clients fall back to standard interactive sign-in instead of failing with 81007

Low severityauthentication

Power BI Error:
AADSTS81007

Q: What does AADSTS81007 mean?

The tenant isn't enabled for Seamless

Q: How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

What does this error mean?

Seamless Single Sign-On is not enabled on the Azure AD (Entra ID) tenant, so the desktop SSO flow cannot complete.

Common causes

1Seamless SSO was never enabled on the tenant in Azure AD Connect (Entra Connect)
2Seamless SSO was disabled or removed during an Azure AD Connect upgrade or reconfiguration
3The tenant migrated from AD FS or Pass-through Authentication without re-enabling Seamless SSO
4Computer policy (e.g. Intranet Zone for autologon.microsoftazuread-sso.com) is pushing Kerberos tickets to a tenant that no longer accepts them
5User is signing in to a different tenant than the one where Seamless SSO is configured

How to fix it

1On the Azure AD Connect server, run the Azure AD Connect wizard → 'Change user sign-in' and tick 'Enable single sign-on' to opt the tenant in to Seamless SSO
2Verify with PowerShell: import the Seamless SSO module (`C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1`) and run `Get-AzureADSSOStatus` — the tenant should return Enabled = True
3Confirm the AZUREADSSOACC computer account exists in on-prem AD and that its Kerberos decryption key is < 30 days old; if not, rotate it via `Update-AzureADSSOForest`
4Push the GPO that adds `https://autologon.microsoftazuread-sso.com` to the Intranet zone and enables 'Allow updates to status bar via script' so browsers send the Kerberos ticket
5If Seamless SSO will not be used, remove the autologon URL from the Intranet zone GPO so clients fall back to standard interactive sign-in instead of failing with 81007

Frequently asked questions

What does AADSTS81007 mean?

The tenant isn't enabled for Seamless

How do I fix this error?