Copilot Returns AADSTS50097 Device Authentication Required: Fix
🔍 WiseChecker

When you try to use Copilot in Microsoft 365, you might see the error AADSTS50097 with the message Device Authentication Required. This stops Copilot from generating responses and blocks access to your Microsoft Graph data. The error occurs because Azure Active Directory cannot complete the authentication flow when the device is not properly registered or the browser does not support device-level authentication. This article explains why the error appears and provides step-by-step fixes to restore Copilot functionality.

Key Takeaways: Fixing Copilot Device Authentication Error AADSTS50097

  • Microsoft Entra admin center > Devices > Device settings: Ensure device registration is enabled for your tenant to allow Copilot to authenticate.
  • Windows Settings > Accounts > Access work or school: Reconnect your Microsoft 365 account to refresh the device registration certificate.
  • Browser settings > Clear cookies and cached credentials: Remove stale authentication tokens that cause the AADSTS50097 error.


Why Copilot Shows AADSTS50097 Device Authentication Required

The AADSTS50097 error indicates that Azure Active Directory, now called Microsoft Entra ID, requires device-level authentication before granting a token. This happens when the conditional access policy in your tenant mandates device compliance or device registration. Copilot relies on an access token that includes a device claim. If the device is not registered in Microsoft Entra ID, or if the browser does not send the device certificate, the token request fails with this error.

Three common scenarios cause this issue:

Device Not Registered in Microsoft Entra ID

Your Windows device must be either Microsoft Entra joined or Microsoft Entra registered. A personal device that is not joined to the organization will not have the required device certificate. Copilot cannot obtain a token because the identity provider cannot verify the device identity.

Stale Browser Cache or Authentication Cookies

Your browser might store an old authentication cookie that does not include the device claim. When Copilot tries to renew the token, the cached credential triggers the device authentication requirement. Clearing the cache forces a fresh authentication flow that includes the device certificate.

Conditional Access Policy Blocks Non-Compliant Devices

Your tenant admin might have a conditional access policy that requires device compliance. If your device is not marked as compliant in Microsoft Intune or Microsoft Defender for Endpoint, the policy blocks the token request. Copilot then surfaces the AADSTS50097 error rather than the policy's own block message.

Steps to Fix AADSTS50097 Device Authentication Error in Copilot

Follow these steps in order. Test Copilot after each step to confirm the error is resolved.

  1. Clear browser cache and authentication cookies
    Open your browser settings. Go to Privacy and security. Select Clear browsing data. Choose Cookies and other site data and Cached images and files. Set the time range to All time. Click Clear data. Close and reopen the browser. Sign in to Microsoft 365 again.
  2. Sign out of all Microsoft 365 sessions
    In your browser, go to https://login.microsoftonline.com/logout. This signs out all active sessions. Close all browser tabs. Open a new browser window and sign in to Microsoft 365 again with your work or school account.
  3. Verify device registration in Windows Settings
    Press the Windows key and type Access work or school. Select Access work or school. Check if your work or school account is listed under Connected to your organization. If not, click Connect and follow the prompts to register your device in Microsoft Entra ID.
  4. Reconnect your work or school account
    In Access work or school settings, select your account and click Disconnect. Confirm the action. Restart your computer. Open Access work or school again and click Connect. Sign in with your Microsoft 365 credentials. This refreshes the device certificate.
  5. Check device compliance in Microsoft Intune
    If your organization uses Intune, open the Company Portal app. Go to Devices and select your device. If the status shows Not compliant, click Check Status or Sync. Follow any prompts to update policies or install required updates. A compliant device resolves conditional access blocks.
  6. Run the Microsoft Entra join troubleshooting tool
    Download and run the Microsoft Entra join troubleshooting tool from the Microsoft Download Center. The tool checks device registration status, certificate validity, and connectivity. Follow the on-screen recommendations to fix any detected issues.
  7. Reset browser profile or use InPrivate mode
    Open a new InPrivate or Incognito window. Sign in to Microsoft 365 and try Copilot. If the error disappears, your browser profile has corrupted data. Reset the browser profile in Settings or create a new profile.
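Steps 3, 4 and 6 above check the device's registration state through the Settings UI and the troubleshooting tool. The same state can be read from the command line with `dsregcmd /status`, which is built into Windows 10 and 11. The script below is an added example, not code from the article or from Microsoft: it parses the `Name : Value` lines that `dsregcmd /status` prints and reports the three fields that decide whether a token request can carry a device claim (`AzureAdJoined` / `WorkplaceJoined`, `DeviceAuthStatus`, and `AzureAdPrt`). The function names and the sample output are constructed for the example.

```powershell
# Added example (not part of the article): summarise the dsregcmd /status
# fields that matter for an AADSTS50097 device-authentication failure.
# dsregcmd.exe ships with Windows 10/11; the field names are the ones it
# prints. The sample block at the bottom is constructed, not captured.

function Get-DsregState {
    param(
        # Lines of "dsregcmd /status" output; defaults to running the tool
        [string[]]$StatusLines = (dsregcmd.exe /status)
    )
    $state = @{}
    foreach ($line in $StatusLines) {
        # Every field is printed as "<spaces>Name : Value"
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-DeviceAuthReadiness {
    param([hashtable]$State = (Get-DsregState))

    # Entra joined (AzureAdJoined) or Entra registered (WorkplaceJoined) both
    # give the device an identity the token service can verify.
    $joined = ($State['AzureAdJoined'] -eq 'YES') -or ($State['WorkplaceJoined'] -eq 'YES')

    $checks = @(
        @{ Check = 'Entra joined or registered'
           Pass  = $joined
           Fix   = 'Settings > Accounts > Access work or school > Connect' }
        @{ Check = 'Device authentication'
           Pass  = ($State['DeviceAuthStatus'] -eq 'SUCCESS')
           Fix   = 'Disconnect and reconnect the work account to refresh the device certificate' }
        @{ Check = 'Primary Refresh Token (PRT)'
           Pass  = ($State['AzureAdPrt'] -eq 'YES')
           Fix   = 'Sign out of all sessions and sign in again; the PRT carries the device claim' }
    )

    foreach ($c in $checks) {
        $status = if ($c.Pass) { 'OK' } else { 'FAIL' }
        $action = if ($c.Pass) { '' } else { $c.Fix }
        [pscustomobject]@{ Check = $c.Check; Status = $status; Action = $action }
    }
}

# Constructed sample: a personal Windows device that was never registered.
$sampleStatus = @'
             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : NO
          DeviceAuthStatus : FAILED
           WorkplaceJoined : NO
                AzureAdPrt : NO
'@ -split "`r?`n"

Test-DeviceAuthReadiness -State (Get-DsregState -StatusLines $sampleStatus) | Format-Table -AutoSize

# On the affected machine, run it against the live tool instead:
#   Test-DeviceAuthReadiness | Format-Table -AutoSize
```

Run it in a normal (non-elevated) PowerShell window as the signed-in user, because `WorkplaceJoined` and `AzureAdPrt` are reported for the current user's session. A `FAIL` on the first row matches the "Device Not Registered" scenario; a `FAIL` on the PRT row with the first row `OK` matches the stale-session scenario that step 2 addresses.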


If Copilot Still Shows Device Authentication Error

Copilot Works in One Browser but Not Another

Different browsers handle device authentication certificates differently. Microsoft Edge natively supports device authentication on Windows. If you use Chrome or Firefox, install the Windows Accounts extension. This extension allows the browser to pass the device certificate to Microsoft Entra ID. After installing the extension, restart the browser and sign in again.

Copilot Returns AADSTS50097 on a New Device

When you get a new laptop or desktop, the device is not automatically registered. Go to Windows Settings > Accounts > Access work or school. Click Connect and sign in with your Microsoft 365 credentials. Wait two minutes for the registration to complete. Then try Copilot again.

The Error Appears in the Copilot Mobile App

Mobile apps use a different authentication flow. If the error appears on an iOS or Android device, open the Microsoft Authenticator app. Go to Settings and enable Device registration. Sign out of the Microsoft 365 mobile app and sign in again. This registers the mobile device with Microsoft Entra ID.

Tenant Admin Cannot Remove the Conditional Access Policy

If you are a tenant admin, you can create an exclusion for the Copilot app in the conditional access policy. Go to the Microsoft Entra admin center. Select Protection > Conditional Access. Find the policy that requires device authentication. Under Exclude, select Cloud apps and add Microsoft Copilot. Save the policy. Users must sign out and sign in again for the change to take effect. Note that the exclusion removes the device requirement for Copilot sign-ins only, so confirm with the policy owner that this is acceptable before saving.
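Before editing an exclusion, an admin usually wants to know which policies actually impose a device requirement and whether the app is already excluded. The script below is an added example, not from the article or from Microsoft: it uses the Microsoft Graph PowerShell SDK (`Connect-MgGraph`, `Get-MgIdentityConditionalAccessPolicy`) with a read-only scope and filters policies whose grant controls include `compliantDevice` or `domainJoinedDevice`. It only reports; it changes nothing. The function name, the sample policies, and the `<app-id-of-Microsoft-Copilot>` placeholder are assumptions for the example; the real application ID must be looked up in the tenant's Enterprise applications.

```powershell
# Added example (not part of the article): audit Conditional Access policies
# that require a compliant or joined device and show whether a given app is
# excluded from them. Read-only; requires the Microsoft.Graph PowerShell SDK
# for the live-tenant variant at the bottom.

function Find-DeviceRequiringPolicy {
    param(
        # Policy objects in the Microsoft Graph conditionalAccessPolicy shape
        [Parameter(Mandatory)] [object[]]$Policies,
        # Application ID to check for exclusion (placeholder, not a real ID)
        [string]$AppId = '<app-id-of-Microsoft-Copilot>'
    )
    # Built-in grant controls that make Entra ID demand a device claim
    $deviceControls = @('compliantDevice', 'domainJoinedDevice')

    foreach ($p in $Policies) {
        $controls = @($p.GrantControls.BuiltInControls)
        $found = @($controls | Where-Object { $deviceControls -contains $_ })
        if ($found.Count -eq 0) { continue }   # no device requirement, skip

        $apps = $p.Conditions.Applications
        [pscustomobject]@{
            DisplayName    = $p.DisplayName
            State          = $p.State          # enabled / disabled / enabledForReportingButNotEnforced
            DeviceControls = ($found -join ',')
            AppliesToAll   = (@($apps.IncludeApplications) -contains 'All')
            AppExcluded    = (@($apps.ExcludeApplications) -contains $AppId)
        }
    }
}

# Constructed sample policies in the same shape the SDK returns.
$samplePolicies = @(
    [pscustomobject]@{
        DisplayName   = 'Require compliant device for all cloud apps'
        State         = 'enabled'
        Conditions    = [pscustomobject]@{
            Applications = [pscustomobject]@{ IncludeApplications = @('All'); ExcludeApplications = @() }
        }
        GrantControls = [pscustomobject]@{ BuiltInControls = @('compliantDevice') }
    }
    [pscustomobject]@{
        DisplayName   = 'Require MFA for all users'
        State         = 'enabled'
        Conditions    = [pscustomobject]@{
            Applications = [pscustomobject]@{ IncludeApplications = @('All'); ExcludeApplications = @() }
        }
        GrantControls = [pscustomobject]@{ BuiltInControls = @('mfa') }
    }
)

# Only the first sample policy is reported; the MFA-only policy is skipped.
Find-DeviceRequiringPolicy -Policies $samplePolicies | Format-Table -AutoSize

# Against the live tenant (read-only permission):
#   Connect-MgGraph -Scopes 'Policy.Read.All'
#   Find-DeviceRequiringPolicy -Policies (Get-MgIdentityConditionalAccessPolicy -All) -AppId '<app-id-of-Microsoft-Copilot>' |
#       Format-Table -AutoSize
```

A row with `AppliesToAll = True` and `AppExcluded = False` is the policy that produces AADSTS50097 for Copilot users on unregistered devices. Policies in the `enabledForReportingButNotEnforced` state appear in the list too, so check the `State` column before assuming a policy is the cause.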

| Item | Device Registration Required | No Device Registration Required |
| --- | --- | --- |
| Authentication flow | Token includes device claim | Token uses user credentials only |
| Conditional access policy | Policy requires device compliance | Policy does not check device state |
| Browser support | Edge works natively; Chrome needs extension | All modern browsers work without extension |
| Device management | Device must be Entra joined or registered | No device management needed |
| Mobile app behavior | Authenticator must register device | Authenticator registration not required |

The AADSTS50097 error in Copilot is caused by a missing or invalid device registration in Microsoft Entra ID. By clearing browser cache, reconnecting your work account, and verifying device compliance, you can restore Copilot access. If the error persists after these steps, check with your tenant admin whether a conditional access policy specifically requires device authentication. Use the Windows Accounts extension in non-Edge browsers to pass the device certificate correctly.
