AADSTS135010 UserPrincipal doesn't have the key ID configured

Learn how to configure the key ID for UserPrincipal to resolve the AADSTS135010 error in your system.

Written by Neil Langston

Updated at June 3rd, 2025


The other error related to this is: “Authorisation code not received from authorize endpoint call.”

We have seen this error when the organisation has a restriction on “Users may join devices to Microsoft Entra” and they come to generate the bulk enrolment token (BPRT) for Entra Joining devices within the PowerSyncPro directory setup for Entra ID.

The organisation had only just added the Global Admin account into the inclusion (the ability to join devices) to allow PowerSyncPro to create the Bulk Enrolment account; therefore, there was a caching issue in the Edge browser.

As the Global Admin was cached in the browser, they needed to forcibly log out of all sessions and clear their refresh token so that they could be fully reauthenticated with their new permission to join devices. This did take 2 hours before Entra ID served the correct authorisation codes.

One way to circumvent this is to add a different Global Admin into the Entra ID permission “Users may join devices to Microsoft Entra” who has not yet tried to use the PowerSyncPro server, and use their credentials when generating the BPRT so there is no caching.

We have also seen the AADSTS240004 error. This appeared to be related to using password-less sign-in when generating the BPRT. If you try username and password with standard MFA, this error disappears. Also remember that the GA account you use should NOT be from a federated domain.

For error AADSTS50079, it is very important for the account to be MFA enabled. But we have also seen issues where the BPRT account (where the UPN begins package_) was created successfully; however, it subsequently failed conditional access because the package_ account was not listed as excluded by this CA policy. Because a fresh package_ account was created each time we tried to generate the BPRT token, the accounts could not be put into the CA policy in advance of the process. We ultimately made the CA policy “report-only” briefly to allow the process to complete.
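
A read-only follow-up check for the AADSTS50079 case above, as an added example (not PowerSyncPro's code): it lists the package_ accounts left by BPRT attempts and flags any Conditional Access policy still in report-only, so a policy relaxed for the process can be confirmed as enforced again. It assumes the Microsoft Graph PowerShell SDK is installed and that the operator can use the Policy.Read.All and User.Read.All scopes; only direct user exclusions are inspected, not exclusions made through groups.

```powershell
# Added example: post-BPRT audit with the Microsoft Graph PowerShell SDK.
# Assumption: Microsoft.Graph modules are installed; scopes are read-only.
Connect-MgGraph -Scopes 'Policy.Read.All', 'User.Read.All'

# 1. BPRT accounts: the UPN begins with "package_" and a fresh one is
#    created on every attempt, so failed attempts leave extra accounts.
$packageUsers = Get-MgUser -All `
    -Filter "startswith(userPrincipalName,'package_')" `
    -Property Id, UserPrincipalName, CreatedDateTime, AccountEnabled

$packageUsers |
    Sort-Object CreatedDateTime -Descending |
    Format-Table UserPrincipalName, CreatedDateTime, AccountEnabled

# 2. Conditional Access policies with their state and any package_
#    accounts they exclude directly by object ID.
$policies = Get-MgIdentityConditionalAccessPolicy -All

$report = foreach ($policy in $policies) {
    $excludedIds = @($policy.Conditions.Users.ExcludeUsers)
    $excludedPackage = @($packageUsers |
        Where-Object { $excludedIds -contains $_.Id })

    [pscustomobject]@{
        Policy           = $policy.DisplayName
        State            = $policy.State
        Modified         = $policy.ModifiedDateTime
        PackageExcluded  = $excludedPackage.Count
    }
}

$report | Sort-Object Modified -Descending | Format-Table -AutoSize

# 3. Policies still in report-only. Any policy switched for the BPRT run
#    should no longer appear here once the process has completed.
$reportOnly = $report |
    Where-Object { $_.State -eq 'enabledForReportingButNotEnforced' }

if ($reportOnly) {
    Write-Warning "Policies currently in report-only mode:"
    $reportOnly | Format-Table Policy, Modified -AutoSize
} else {
    Write-Output 'No Conditional Access policy is in report-only mode.'
}
```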

 


 
