What causes AADSTS81010?

Client device is not domain-joined or not on the corporate network / VPN, so no Kerberos ticket is issued to the AZUREADSSOACC$ computer account. The AZUREADSSOACC computer account password in on-prem AD is out of sync with Azure AD / Entra Connect (rolled or stale > 30 days). Browser or Power BI Desktop is not configured to send Kerberos to autologon.microsoftazuread-sso.com (missing Trusted Sites / Intranet zone entry). Time skew between the client and the domain controller exceeds 5 minutes, invalidating the Kerberos ticket. Seamless SSO is disabled or broken in Azure AD Connect after a recent upgrade or topology change

How do I fix AADSTS81010?

On the affected client, run `klist purge` and then `klist` after re-authenticating to confirm a fresh ticket for AZUREADSSOACC is issued by your DC. Add `https://autologon.microsoftazuread-sso.com` to the Local Intranet (or Trusted Sites) zone via GPO and enable 'Allow updates to status bar via script' / Windows Integrated Auth. In Azure AD Connect, run `Update-AzureADSSOForest` (PowerShell module `AzureADSSO.psd1`) to roll the AZUREADSSOACC password and re-sync it with Entra ID — Microsoft recommends every 30 days. Verify Seamless SSO status in Azure AD Connect (`Enable single sign-on` page) and confirm it's enabled for the correct forest; re-enable if it shows disabled. Check client-to-DC time sync (`w32tm /query /status`) and ensure skew is < 5 minutes; for non-domain-joined or off-VPN users, fall back to password or MFA sign-in

High severityauthentication

Power BI Error:
AADSTS81010

Q: What does AADSTS81010 mean?

Seamless SSO failed because the user's Kerberos ticket has expired or is invalid.

Q: How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

What does this error mean?

Seamless SSO failed because the user's Kerberos ticket is missing, expired, or not accepted by Azure AD / Entra ID.

Common causes

1Client device is not domain-joined or not on the corporate network / VPN, so no Kerberos ticket is issued to the AZUREADSSOACC$ computer account
2The AZUREADSSOACC computer account password in on-prem AD is out of sync with Azure AD / Entra Connect (rolled or stale > 30 days)
3Browser or Power BI Desktop is not configured to send Kerberos to autologon.microsoftazuread-sso.com (missing Trusted Sites / Intranet zone entry)
4Time skew between the client and the domain controller exceeds 5 minutes, invalidating the Kerberos ticket
5Seamless SSO is disabled or broken in Azure AD Connect after a recent upgrade or topology change

How to fix it

1On the affected client, run `klist purge` and then `klist` after re-authenticating to confirm a fresh ticket for AZUREADSSOACC is issued by your DC
2Add `https://autologon.microsoftazuread-sso.com` to the Local Intranet (or Trusted Sites) zone via GPO and enable 'Allow updates to status bar via script' / Windows Integrated Auth
3In Azure AD Connect, run `Update-AzureADSSOForest` (PowerShell module `AzureADSSO.psd1`) to roll the AZUREADSSOACC password and re-sync it with Entra ID — Microsoft recommends every 30 days
4Verify Seamless SSO status in Azure AD Connect (`Enable single sign-on` page) and confirm it's enabled for the correct forest; re-enable if it shows disabled
5Check client-to-DC time sync (`w32tm /query /status`) and ensure skew is < 5 minutes; for non-domain-joined or off-VPN users, fall back to password or MFA sign-in

Frequently asked questions

What does AADSTS81010 mean?

Seamless SSO failed because the user's Kerberos ticket has expired or is invalid.

How do I fix this error?