Low severityauthentication
Power BI Error:
AADSTS90022
What does this error mean?
Microsoft Entra ID (Azure AD) rejected the sign-in because the principal name doesn't match the required name[/host][@realm] format.
Common causes
- 1UPN sent without an @realm suffix (e.g. 'user' instead of 'user@contoso.com') in a Power BI gateway or linked service credential
- 2Service principal name (SPN) registered with an invalid format — extra slashes, empty host segment, or unsupported characters
- 3Kerberos SSO/constrained delegation passing a principal in the wrong name[/host][@realm] shape from an on-premises gateway
- 4Token request hard-coded with a username variable that wasn't substituted, leaving placeholder text or whitespace
- 5Federated/B2B guest account whose UPN was changed and the cached principal in the data source still uses the old format
How to fix it
- 1Open the failing data source (Power BI gateway, ADF linked service, Fabric connection, or Databricks workspace) and inspect the principal/username field — confirm it follows name@realm (UPN) or name/host@realm (SPN) exactly, with no leading/trailing whitespace.
- 2If using a service principal, verify in Entra ID > App registrations that the SPN's servicePrincipalNames are well-formed (e.g. HTTP/host.contoso.com) and re-enter the application (client) ID — not the object ID — in the connection.
- 3For on-premises Kerberos SSO via the data gateway, check the SPN registration with `setspn -L <serviceaccount>` and ensure the gateway's effective UPN is configured as <user>@<UPN-suffix> matching a verified domain in Entra ID.
- 4Re-test the credential by re-authenticating the data source; if the UPN was recently changed, clear the cached credential and sign in again so the new principal is sent.
- 5If the failure originates from custom code calling MSAL/ADAL, log the exact `username` or `client_id` value being passed and validate it against the name[/host][@realm] grammar before the token request.