Low severity · authentication
Power BI Error: AADSTS90009
What does this error mean?
An application requested a token for itself, but didn't use its GUID-based application ID as the resource identifier.
Common causes
1. The resource parameter in the token request uses an App ID URI (e.g. api://contoso) instead of the application's GUID-based Application (client) ID
2. Client ID and resource ID in the OAuth request reference the same app, but the resource is specified in a non-GUID format
3. Custom service-to-self token flow where the app authenticates against itself for internal API calls without using its GUID identifier
4. Misconfigured on-behalf-of (OBO) or client credentials flow where the requesting app and target resource collapse to the same registration
5. Legacy code paths still using ADAL patterns where the resource was a URI, now broken under MSAL/v2.0 endpoints requiring GUID-based self-token requests
How to fix it
1. Open the failing token request and replace the `resource` (or `scope`) value with the application's GUID-based Application (client) ID; find this in Entra ID > App registrations > Overview > 'Application (client) ID'
2. If you're on the v2.0 endpoint with MSAL, request the scope as `<app-guid>/.default` instead of an App ID URI like `api://<app>/.default`
3. Audit whether the app actually needs to request a token for itself. In most service-to-service flows the resource should be a different downstream API, not the same registration; if so, fix the resource ID to point at the correct target
4. For Power BI embedded or custom Fabric apps using OBO, confirm the middle-tier app and the resource app are genuinely the same registration; if they are, switch the resource to the GUID, otherwise split into two registrations
5. Re-run the auth flow and capture the full token request in Fiddler or the Entra ID sign-in logs to verify the resource parameter is now the GUID and the request returns 200
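A pre-flight check for the condition described above, run over a captured token request body (for example one copied out of Fiddler). This is an added example, not code from Microsoft or from this page: the function names are hypothetical, the client ID is a constructed placeholder, and the caller is assumed to supply the App ID URIs configured on its own registration.

```python
import re
from urllib.parse import parse_qs

GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}

# Constructed sample requests; CLIENT_ID is a placeholder, not a real app.
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
BASE = f"grant_type=client_credentials&client_id={CLIENT_ID}"
V2_BAD = BASE + "&scope=api%3A%2F%2Fcontoso%2F.default"
V1_BAD = BASE + "&resource=api%3A%2F%2Fcontoso"
V2_FIXED = BASE + f"&scope={CLIENT_ID}%2F.default"
V2_OTHER = BASE + "&scope=https%3A%2F%2Fanalysis.windows.net%2Fpowerbi%2Fapi%2F.default"


def requested_resources(form):
    """Resource identifiers named by `resource` (v1) or `scope` (v2.0)."""
    found = list(form.get("resource", []))
    for scope in " ".join(form.get("scope", [])).split():
        if scope not in OIDC_SCOPES:
            # v2.0 scopes look like "<resource>/<permission>"
            found.append(scope.rsplit("/", 1)[0])
    return found


def check_token_request(body, own_app_id_uris=()):
    """Flag self-token requests whose resource is not the app's GUID."""
    form = parse_qs(body)
    client_id = form.get("client_id", [""])[0]
    own = {u.lower().rstrip("/") for u in own_app_id_uris}
    own.add(f"api://{client_id}".lower())  # default App ID URI form
    findings = []
    for res in requested_resources(form):
        key = res.lower().rstrip("/")
        if GUID_RE.match(key):
            continue  # GUID-based identifier: the form the fix asks for
        if key in own:  # same registration, named by URI instead of GUID
            findings.append({"resource": res, "use_instead": client_id})
    return findings


if __name__ == "__main__":
    samples = {"v2 bad": V2_BAD, "v1 bad": V1_BAD,
               "v2 fixed": V2_FIXED, "v2 other API": V2_OTHER}
    for name, body in samples.items():
        print(name, check_token_request(body, ["api://contoso"]))
```

An empty result for a request that still fails means the resource is not one of the URIs passed in, so check the registration's configured App ID URIs before ruling this cause out.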