What causes AADSTS90086?

The MSA DA token issued during a previous WS-Trust handshake has reached its lifetime limit and cannot be silently refreshed.. A Power BI / Fabric data source uses a personal Microsoft Account (outlook.com, hotmail.com, live.com) instead of a work or school account in Entra ID.. Long-running unattended jobs (scheduled refresh, ADF Linked Service, Databricks job) rely on cached MSA credentials that have aged out.. Conditional Access or MFA policy forced a token revocation, invalidating the existing DA token.. A legacy WS-Trust / username-password authentication path is being used instead of modern OAuth 2.0 with refresh tokens.

How do I fix AADSTS90086?

Sign the affected user out completely and sign back in interactively to mint a new DA token — restart Power BI Desktop / the gateway service after sign-in.. In Power BI Service, open the dataset → Settings → Data source credentials and click 'Edit credentials', then re-authenticate using OAuth2 (not Basic / Windows).. Replace any personal Microsoft Account (MSA) with a work/school account from your Entra ID tenant; MSA accounts are not supported for unattended Power BI refreshes.. For ADF / Synapse / Fabric pipelines: switch the Linked Service from user credentials to a Service Principal or Managed Identity so token refresh is handled automatically.. If the error appears on an on-premises data gateway, restart the gateway service and re-enter the account credentials in the Gateway configuration.

High severityauthentication

Power BI Error:
AADSTS90086

What does this error mean?

The Microsoft Account (MSA) Delegated Authentication token used during WS-Trust sign-in has expired.

Common causes

1The MSA DA token issued during a previous WS-Trust handshake has reached its lifetime limit and cannot be silently refreshed.
2A Power BI / Fabric data source uses a personal Microsoft Account (outlook.com, hotmail.com, live.com) instead of a work or school account in Entra ID.
3Long-running unattended jobs (scheduled refresh, ADF Linked Service, Databricks job) rely on cached MSA credentials that have aged out.
4Conditional Access or MFA policy forced a token revocation, invalidating the existing DA token.
5A legacy WS-Trust / username-password authentication path is being used instead of modern OAuth 2.0 with refresh tokens.

How to fix it

1Sign the affected user out completely and sign back in interactively to mint a new DA token — restart Power BI Desktop / the gateway service after sign-in.
2In Power BI Service, open the dataset → Settings → Data source credentials and click 'Edit credentials', then re-authenticate using OAuth2 (not Basic / Windows).
3Replace any personal Microsoft Account (MSA) with a work/school account from your Entra ID tenant; MSA accounts are not supported for unattended Power BI refreshes.
4For ADF / Synapse / Fabric pipelines: switch the Linked Service from user credentials to a Service Principal or Managed Identity so token refresh is handled automatically.
5If the error appears on an on-premises data gateway, restart the gateway service and re-enter the account credentials in the Gateway configuration.

Frequently asked questions

What does AADSTS90086 mean?

The user DA token is expired.

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes