What causes AADSTS90016?

accessTokenAcceptedVersion in the app manifest mismatches the token version the resource expects (v1.0 vs v2.0). Token requested for the wrong audience/resource (e.g. Graph token used against the Power BI Service API). Missing or wrong scope in the OAuth request — required delegated/application scope not consented. Optional claims (e.g. tenant_id, oid, upn) not configured in the app registration while the API requires them. Token acquired via the wrong endpoint (common/organizations vs the specific tenant) producing a token without the expected tid/iss claim

How do I fix AADSTS90016?

Decode the failing access token on jwt.ms and compare aud, iss, ver, scp/roles against what the resource API documents as required.. In Entra ID > App registrations > Manifest, set accessTokenAcceptedVersion to match the resource (1 for v1.0 endpoints like Power BI REST, 2 for v2.0-only APIs) and save.. Re-check the scopes/resource in your auth request: for Power BI use https://analysis.windows.net/powerbi/api/.default, for ADF/Fabric use the matching resource URI — not Microsoft Graph.. Under Token configuration, add the optional claims the API requires (e.g. upn, tenant_id, family_name) and grant admin consent so they're issued on next sign-in.. Acquire a fresh token against the tenant-specific endpoint (https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token) and retry — clear any cached MSAL/ADAL tokens first.

Medium severityauthentication

Power BI Error:
AADSTS90016

What does this error mean?

The access token is missing a required claim that the resource API expects, so Entra ID rejects the request.

Common causes

1accessTokenAcceptedVersion in the app manifest mismatches the token version the resource expects (v1.0 vs v2.0)
2Token requested for the wrong audience/resource (e.g. Graph token used against the Power BI Service API)
3Missing or wrong scope in the OAuth request — required delegated/application scope not consented
4Optional claims (e.g. tenant_id, oid, upn) not configured in the app registration while the API requires them
5Token acquired via the wrong endpoint (common/organizations vs the specific tenant) producing a token without the expected tid/iss claim

How to fix it

1Decode the failing access token on jwt.ms and compare aud, iss, ver, scp/roles against what the resource API documents as required.
2In Entra ID > App registrations > Manifest, set accessTokenAcceptedVersion to match the resource (1 for v1.0 endpoints like Power BI REST, 2 for v2.0-only APIs) and save.
3Re-check the scopes/resource in your auth request: for Power BI use https://analysis.windows.net/powerbi/api/.default, for ADF/Fabric use the matching resource URI — not Microsoft Graph.
4Under Token configuration, add the optional claims the API requires (e.g. upn, tenant_id, family_name) and grant admin consent so they're issued on next sign-in.
5Acquire a fresh token against the tenant-specific endpoint (https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token) and retry — clear any cached MSAL/ADAL tokens first.

Frequently asked questions

What does AADSTS90016 mean?

The access token isn't valid. The required claim i

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes