What causes AADSTS90119?

Client application sends an empty or null `device_code` parameter to the `/oauth2/v2.0/token` endpoint during device code flow. Token polling logic starts before the `device_code` from `/devicecode` response has been stored. Variable holding the device code is overwritten or cleared before the token request is built (common in retry loops). Wrong grant_type used — `urn:ietf:params:oauth:grant-type:device_code` requires `device_code`, but client sends form fields for a different flow. Custom Power BI / Fabric / ADF connector or PowerShell script using device code authentication has a bug in its request serialization

How do I fix AADSTS90119?

Inspect the HTTP request body sent to `https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token` and confirm `device_code= ` is present and URL-encoded. Verify your client first calls `/devicecode` and stores the returned `device_code` (not `user_code`, which is shown to the user) before polling `/token`. Confirm `grant_type=urn:ietf:params:oauth:grant-type:device_code` is set — wrong grant_type can make Entra ID look for a device_code that wasn't sent. If using MSAL (Python/.NET/JS), upgrade to the latest version and use `acquire_token_by_device_flow()` rather than building requests manually. For Power BI Desktop / gateway sign-ins, clear cached credentials (File → Options → Data source settings → Clear permissions) and re-authenticate to force a fresh device code exchange

Low severityauthentication

Power BI Error:
AADSTS90119, User code is null or empty in device code flow

What does this error mean?

The device code submitted during OAuth 2.0 device authorization flow is missing or empty when validated by Entra ID (Azure AD).

Common causes

1Client application sends an empty or null `device_code` parameter to the `/oauth2/v2.0/token` endpoint during device code flow
2Token polling logic starts before the `device_code` from `/devicecode` response has been stored
3Variable holding the device code is overwritten or cleared before the token request is built (common in retry loops)
4Wrong grant_type used — `urn:ietf:params:oauth:grant-type:device_code` requires `device_code`, but client sends form fields for a different flow
5Custom Power BI / Fabric / ADF connector or PowerShell script using device code authentication has a bug in its request serialization

How to fix it

1Inspect the HTTP request body sent to `https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token` and confirm `device_code=<non-empty value>` is present and URL-encoded
2Verify your client first calls `/devicecode` and stores the returned `device_code` (not `user_code`, which is shown to the user) before polling `/token`
3Confirm `grant_type=urn:ietf:params:oauth:grant-type:device_code` is set — wrong grant_type can make Entra ID look for a device_code that wasn't sent
4If using MSAL (Python/.NET/JS), upgrade to the latest version and use `acquire_token_by_device_flow()` rather than building requests manually
5For Power BI Desktop / gateway sign-ins, clear cached credentials (File → Options → Data source settings → Clear permissions) and re-authenticate to force a fresh device code exchange

Frequently asked questions

What does AADSTS90119 mean?

The user code is null or empty.

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes