What causes AADSTS90027?

App is calling the v1.0 endpoint (login.microsoftonline.com/common/oauth2/authorize) while the user signs in with a personal Microsoft Account. App registration in Azure AD / Entra ID is configured for 'Accounts in this organizational directory only' or v1.0, instead of 'Accounts in any organizational directory and personal Microsoft accounts'. Legacy ADAL library is still in use; ADAL only supports v1.0 and cannot issue tokens to MSA users. Power BI / Fabric / ADF connector or custom embedded scenario uses a v1.0 token request flow against a personal-account user. Manifest setting 'accessTokenAcceptedVersion' is null/1 while signInAudience includes personal accounts — mismatch between supported audiences and token version

How do I fix AADSTS90027?

Switch the app to the v2.0 endpoint: replace /oauth2/authorize and /oauth2/token with /oauth2/v2.0/authorize and /oauth2/v2.0/token in your auth requests. In the Azure portal → Entra ID → App registrations → your app → Authentication, set 'Supported account types' to 'Accounts in any organizational directory and personal Microsoft accounts (multitenant + MSA)'. Migrate from ADAL to MSAL (Microsoft Authentication Library) — ADAL is deprecated and does not support v2.0/MSA scenarios. In the app manifest, set 'accessTokenAcceptedVersion': 2 and verify 'signInAudience' is 'AzureADandPersonalMicrosoftAccount'. If the user does not need to sign in with a personal account, route them to a work/school account instead, or restrict the sign-in audience so MSA users never reach this flow

Low severityauthentication

Power BI Error:
AADSTS90027

What does this error mean?

The app is using OAuth/Azure AD v1.0 endpoint, which cannot issue tokens for personal Microsoft Accounts (MSA).

Common causes

1App is calling the v1.0 endpoint (login.microsoftonline.com/common/oauth2/authorize) while the user signs in with a personal Microsoft Account
2App registration in Azure AD / Entra ID is configured for 'Accounts in this organizational directory only' or v1.0, instead of 'Accounts in any organizational directory and personal Microsoft accounts'
3Legacy ADAL library is still in use; ADAL only supports v1.0 and cannot issue tokens to MSA users
4Power BI / Fabric / ADF connector or custom embedded scenario uses a v1.0 token request flow against a personal-account user
5Manifest setting 'accessTokenAcceptedVersion' is null/1 while signInAudience includes personal accounts — mismatch between supported audiences and token version

How to fix it

1Switch the app to the v2.0 endpoint: replace /oauth2/authorize and /oauth2/token with /oauth2/v2.0/authorize and /oauth2/v2.0/token in your auth requests
2In the Azure portal → Entra ID → App registrations → your app → Authentication, set 'Supported account types' to 'Accounts in any organizational directory and personal Microsoft accounts (multitenant + MSA)'
3Migrate from ADAL to MSAL (Microsoft Authentication Library) — ADAL is deprecated and does not support v2.0/MSA scenarios
4In the app manifest, set 'accessTokenAcceptedVersion': 2 and verify 'signInAudience' is 'AzureADandPersonalMicrosoftAccount'
5If the user does not need to sign in with a personal account, route them to a work/school account instead, or restrict the sign-in audience so MSA users never reach this flow

Frequently asked questions

What does AADSTS90027 mean?

We are unable to issue tokens from this API version on the MSA tenant. Please contact the application vendor as they need to use version 2.0 of the protocol to support this.

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes