What causes AADSTS81012?

The user typed a different UPN on the Entra ID sign-in page than the account they are logged into Windows with. Multiple work/school accounts on the same device causing the wrong Kerberos ticket to be presented. On-prem UPN suffix differs from the Entra ID UPN (alternate login ID / non-routable .local domain not synced correctly). Shared/kiosk machine where the Windows session belongs to another user. Stale Kerberos ticket from a previous user still cached (klist) on the device

How do I fix AADSTS81012?

Sign in on the Entra ID page with the exact same UPN as the Windows logged-in account, or sign out of Windows and back in as the intended user. On the device, run `klist purge` to clear cached Kerberos tickets, then retry sign-in. Verify the on-prem UPN suffix matches the Entra ID UPN — in Microsoft Entra Connect, ensure UPN suffixes are added as verified domains and synced. If users must sign in as a different account than the device user, disable Seamless SSO for that flow or instruct them to use an InPrivate/incognito window. Admin: confirm the `AZUREADSSOACC` computer object exists in AD and that the Seamless SSO Kerberos decryption key has been rolled within the last 30 days

Low severityauthentication

Power BI Error:
AADSTS81012

What does this error mean?

Seamless SSO failed because the UPN in the Kerberos ticket differs from the UPN entered on the Entra ID sign-in page.

Common causes

1The user typed a different UPN on the Entra ID sign-in page than the account they are logged into Windows with
2Multiple work/school accounts on the same device causing the wrong Kerberos ticket to be presented
3On-prem UPN suffix differs from the Entra ID UPN (alternate login ID / non-routable .local domain not synced correctly)
4Shared/kiosk machine where the Windows session belongs to another user
5Stale Kerberos ticket from a previous user still cached (klist) on the device

How to fix it

1Sign in on the Entra ID page with the exact same UPN as the Windows logged-in account, or sign out of Windows and back in as the intended user
2On the device, run `klist purge` to clear cached Kerberos tickets, then retry sign-in
3Verify the on-prem UPN suffix matches the Entra ID UPN — in Microsoft Entra Connect, ensure UPN suffixes are added as verified domains and synced
4If users must sign in as a different account than the device user, disable Seamless SSO for that flow or instruct them to use an InPrivate/incognito window
5Admin: confirm the `AZUREADSSOACC` computer object exists in AD and that the Seamless SSO Kerberos decryption key has been rolled within the last 30 days

Frequently asked questions

What does AADSTS81012 mean?

The user trying to sig

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes