Low severityauthentication
Power BI Error:
AADSTS900432
What does this error mean?
Confidential client app authenticated against one Azure cloud (e.g. Public) while requesting tokens for a resource in a different sovereign cloud.
Common causes
- 1App registered in Azure Public cloud but token requested from a sovereign endpoint (e.g. login.microsoftonline.us, login.partner.microsoftonline.cn)
- 2Hardcoded authority URL pointing to a different cloud than the resource (e.g. login.microsoftonline.com used to access a US Gov Power BI tenant)
- 3Service principal / confidential client used in a multi-cloud scenario where only public/native clients are supported
- 4Power BI / Fabric tenant in Gov or China cloud accessed via a Public-cloud Azure AD app registration
- 5Misconfigured `AzureCloudInstance` or `Instance` setting in MSAL/ADAL client configuration
How to fix it
- 1Identify which cloud your target resource (Power BI tenant, Fabric workspace, ADF, Key Vault) lives in — Public, US Gov (GCC/GCC High/DoD), China (21Vianet), or Germany
- 2Re-register the application in the SAME Azure AD / Entra ID cloud as the target resource — confidential client apps cannot span clouds
- 3Update the authority URL in your MSAL/ADAL config to match: `login.microsoftonline.com` (Public), `login.microsoftonline.us` (Gov), `login.partner.microsoftonline.cn` (China)
- 4If cross-cloud access is genuinely required, switch to a public/native client flow (interactive or device code) instead of client_credentials — confidential client is not supported across clouds
- 5Verify the resource/scope URL matches the same cloud (e.g. `https://analysis.windows.net/powerbi/api/.default` for Public vs `https://analysis.usgovcloudapi.net/powerbi/api/.default` for Gov)