What causes AADSTS90084?

User is a B2B guest in the tenant hosting the Power BI workspace, Fabric capacity or data source, while the app/resource is restricted to member accounts only. External Collaboration / Cross-tenant access settings in Entra ID block guest access to this specific application. Conditional Access policy targets guests/external users and blocks sign-in to Power BI Service or the Fabric workload. Service principal or scheduled refresh runs under a guest identity that the resource tenant doesn't accept. User signed in with their home-tenant account instead of the @resource-tenant guest UPN, hitting a tenant that disallows that federation path

How do I fix AADSTS90084?

Confirm which tenant you're authenticating against — the URL after login.microsoftonline.com/ should be the tenant that owns the Power BI workspace, not your home tenant. Sign out completely (login.microsoftonline.com/logout) and sign back in using the guest UPN issued by the resource tenant (e.g. user_homedomain.com#EXT#@resourcetenant.onmicrosoft.com). Ask the resource-tenant admin to verify in Entra ID → External Identities → Cross-tenant access settings that inbound guest access is allowed for Power BI / Fabric (App ID 00000009-0000-0000-c000-000000000000). Check Conditional Access policies in the resource tenant for rules scoped to 'Guest or external users' that block Power BI Service, and add an exclusion if appropriate. For unattended refreshes: replace the guest account with a service principal or a member account in the resource tenant — guest accounts are not a supported identity for scheduled refresh on gateways

Low severityauthentication

Power BI Error:
AADSTS90084

What does this error mean?

The tenant blocks guest (B2B) accounts from signing in to this application or resource.

Common causes

1User is a B2B guest in the tenant hosting the Power BI workspace, Fabric capacity or data source, while the app/resource is restricted to member accounts only
2External Collaboration / Cross-tenant access settings in Entra ID block guest access to this specific application
3Conditional Access policy targets guests/external users and blocks sign-in to Power BI Service or the Fabric workload
4Service principal or scheduled refresh runs under a guest identity that the resource tenant doesn't accept
5User signed in with their home-tenant account instead of the @resource-tenant guest UPN, hitting a tenant that disallows that federation path

How to fix it

1Confirm which tenant you're authenticating against — the URL after login.microsoftonline.com/ should be the tenant that owns the Power BI workspace, not your home tenant
2Sign out completely (login.microsoftonline.com/logout) and sign back in using the guest UPN issued by the resource tenant (e.g. user_homedomain.com#EXT#@resourcetenant.onmicrosoft.com)
3Ask the resource-tenant admin to verify in Entra ID → External Identities → Cross-tenant access settings that inbound guest access is allowed for Power BI / Fabric (App ID 00000009-0000-0000-c000-000000000000)
4Check Conditional Access policies in the resource tenant for rules scoped to 'Guest or external users' that block Power BI Service, and add an exclusion if appropriate
5For unattended refreshes: replace the guest account with a service principal or a member account in the resource tenant — guest accounts are not a supported identity for scheduled refresh on gateways

Frequently asked questions

What does AADSTS90084 mean?

Guest accounts aren't allowed for this site.

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes