High severity | authentication
Power BI Error:
AADSTS90093, Microsoft Graph permission denied
What does this error mean?
Microsoft Graph returned 403 Forbidden when the app or user tried to read directory data during sign-in or token acquisition.
Common causes
1. Required Microsoft Graph delegated/application permission (e.g. User.Read, Directory.Read.All) is missing on the app registration
2. Admin consent was never granted for the requested Graph scope in the tenant
3. Conditional Access or a tenant restriction policy is blocking the Graph call for this user or app
4. The signed-in user lacks a directory role required to read the requested Graph resource (guest user, restricted member)
5. App is calling a Graph endpoint with a token whose audience/scope is for a different resource (e.g. Power BI API token used against Graph)
How to fix it
1. Open the app registration in Microsoft Entra ID → API permissions and verify the exact Microsoft Graph scopes the app requests; add any that are missing (typically User.Read or Directory.Read.All).
2. Click 'Grant admin consent for <tenant>'; AADSTS90093 most often means the permission is listed but not consented.
3. In Entra ID → Sign-in logs, open the failed sign-in for this user and inspect the 'Additional Details' to see which Graph resource was refused; confirm the user has rights (or role) for that resource.
4. Check Conditional Access policies and tenant restrictions for rules targeting Microsoft Graph or this app, and exclude the app/user if the policy is the blocker.
5. Verify the token audience: the call to Graph must use a token issued for https://graph.microsoft.com, not for the Power BI service (https://analysis.windows.net/powerbi/api).
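
One way to carry out the audience check in the last step, as an added example that is not part of the original page: decode the access token's claims locally and compare `aud` and the granted `scp`/`roles` against what the Graph call needs. The function names and the sample token are constructed for illustration; the payload is decoded without signature verification, so this is for diagnostics only, never for authorization decisions.

```python
import base64
import json

# Microsoft Graph audiences: the resource URI and Graph's well-known app ID.
GRAPH_AUDIENCES = {
    "https://graph.microsoft.com",
    "00000003-0000-0000-c000-000000000000",
}


def decode_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated parts)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_graph_token(token: str, needed: str) -> list:
    """Return findings; an empty list means audience and permission both match."""
    claims = decode_claims(token)
    findings = []
    aud = str(claims.get("aud", "")).rstrip("/")
    if aud not in GRAPH_AUDIENCES:
        findings.append(f"audience is {aud!r}, not Microsoft Graph")
    # Delegated permissions are in 'scp' (space separated), app permissions in 'roles'.
    granted = set(claims.get("scp", "").split()) | set(claims.get("roles", []))
    if needed not in granted:
        findings.append(f"{needed} not present in scp/roles: {sorted(granted)}")
    return findings


def make_sample(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo below."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    # Constructed sample: a Power BI token mistakenly sent to Graph.
    pbi = make_sample({"aud": "https://analysis.windows.net/powerbi/api",
                       "scp": "Dataset.Read.All"})
    for finding in check_graph_token(pbi, "User.Read"):
        print(finding)
```

An empty result with a persisting 403 points away from the token and toward the consent, Conditional Access, or directory-role causes listed above.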