Low severity | authentication
Power BI Error: AADSTS900382
What does this error mean?
A confidential client app tried to authenticate against a different Microsoft cloud (e.g. Commercial → GCC High) which isn't supported.
Common causes
1. Service principal or app registration lives in Azure Commercial but is calling a sovereign cloud authority (e.g. login.microsoftonline.us, login.partner.microsoftonline.cn, login.microsoftonline.de)
2. Hard-coded authority URL pointing to the wrong cloud instance (login.microsoftonline.com vs. login.microsoftonline.us) in a Power BI embedded, ADF linked service, or Databricks SP config
3. Guest/B2B confidential client scenario across Commercial ↔ GCC / GCC High / DoD, which is not supported by design
4. Multi-tenant app registered as confidential client trying to acquire tokens for a tenant in another sovereign cloud
5. Token endpoint URL copied from a Commercial sample while the target tenant is in US Government or China cloud
How to fix it
1. Identify which cloud the target tenant lives in (Commercial, US Gov GCC/GCC High, China 21Vianet, Germany): check the tenant's login URL or ask the tenant admin
2. Register a separate app registration / service principal directly in the target cloud's Microsoft Entra ID portal; you cannot reuse a Commercial app registration cross-cloud for confidential flows
3. Update the authority URL in your client (MSAL, ADAL, ADF linked service, Power BI embedded config, Databricks SP) to the matching national cloud endpoint, e.g. https://login.microsoftonline.us/{tenant-id} for GCC High
4. If you need a public/native client cross-cloud flow instead, switch the app to a public client (no client secret); confidential client cross-cloud is blocked at the protocol level
5. Re-issue the client secret/certificate in the new cloud-specific app registration and update your Power BI / ADF / Databricks credential store
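A pre-flight check for steps 1 to 3, as an added example that is not part of the original page: it reads the target tenant's cloud from the token_endpoint of its OpenID discovery document and flags client configs whose authority or app registration belongs to a different cloud. The tenant ID, the discovery document, the config entries and the field names app_cloud and confidential are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Authority hosts named on this page, mapped to the cloud each belongs to.
AUTHORITY_CLOUD = {
    "login.microsoftonline.com": "Commercial",
    "login.microsoftonline.us": "US Government",
    "login.partner.microsoftonline.cn": "China 21Vianet",
    "login.microsoftonline.de": "Germany",
}

def cloud_of(url):
    """Return the cloud for an authority/token URL, or None if the host is unknown."""
    return AUTHORITY_CLOUD.get((urlsplit(url).hostname or "").lower())

def tenant_cloud(discovery_json):
    """Cloud of the target tenant, taken from token_endpoint in its discovery document."""
    return cloud_of(json.loads(discovery_json)["token_endpoint"])

def audit(configs, target):
    """Return (name, problem) for each client config that cannot work against `target`."""
    findings = []
    for c in configs:
        auth = cloud_of(c["authority"])
        if auth is None:
            findings.append((c["name"], "authority host not recognised"))
        elif auth != target:
            findings.append((c["name"], f"authority is {auth}, tenant is {target}"))
        elif c["confidential"] and c["app_cloud"] != target:
            # Right authority, wrong home cloud for a confidential client: the AADSTS900382 case.
            findings.append((c["name"], f"app registered in {c['app_cloud']}, needs one in {target}"))
    return findings

TENANT = "00000000-0000-0000-0000-000000000000"  # constructed placeholder
# Constructed discovery document for a GCC High tenant (only the field used here).
DISCOVERY = json.dumps({"token_endpoint": f"https://login.microsoftonline.us/{TENANT}/oauth2/v2.0/token"})
# Constructed client configs; app_cloud and confidential are hypothetical field names.
CONFIGS = [
    {"name": "powerbi-embedded", "authority": f"https://login.microsoftonline.com/{TENANT}",
     "app_cloud": "Commercial", "confidential": True},
    {"name": "adf-linked-service", "authority": f"https://login.microsoftonline.us/{TENANT}",
     "app_cloud": "Commercial", "confidential": True},
    {"name": "databricks-sp", "authority": f"https://login.microsoftonline.us/{TENANT}",
     "app_cloud": "US Government", "confidential": True},
]

if __name__ == "__main__":
    for name, problem in audit(CONFIGS, tenant_cloud(DISCOVERY)):
        print(f"{name}: {problem}")
```

In practice the discovery document would be fetched from the tenant's /.well-known/openid-configuration endpoint instead of being embedded.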