@rezamt
Created May 26, 2025 12:33
Entra Error Codes

AADSTS Error Codes Categorized

User Account & Identity Issues

  • AADSTS16000: User account doesn't exist in tenant and can't access the application. [cite: 1]
  • AADSTS16003: User hasn't been explicitly added to the tenant. [cite: 9]
  • AADSTS50014: User account doesn’t exist in the directory (Guest user in pending state). [cite: 59]
  • AADSTS50015: User requires legal age group consent. [cite: 62]
  • AADSTS50020: User account from identity provider does not exist in tenant and cannot access the application. [cite: 66]
  • AADSTS50034: User account not found; account must be added to the directory. [cite: 79]
  • AADSTS50053: Account is locked (too many incorrect sign-in attempts) or sign-in blocked from malicious IP. [cite: 86, 87]
  • AADSTS50057: User account is disabled. [cite: 95]
  • AADSTS50105: Signed in user isn't assigned to a role for the signed in app. [cite: 118]
  • AADSTS50197: User could not be found. [cite: 191]
  • AADSTS51004: User account doesn’t exist in the directory. [cite: 201]
  • AADSTS54000: Minor user blocked due to legal age group rule.
  • AADSTS90072: External account doesn't exist on the tenant; MFA requirements can't be satisfied or ImmutableID mismatch. [cite: 345, 346]
  • AADSTS1000000: User not bound; Bind API requires the Microsoft Entra user to also authenticate with an external IDP, which hasn't happened yet. [cite: 394]

Authentication & Credential Errors

  • AADSTS17003: Microsoft Entra ID can't provision the user key. [cite: 10]
  • AADSTS50003: Missing signing key or certificate for sign-in. [cite: 39]
  • AADSTS50006: Invalid signature; signature verification failed. [cite: 44]
  • AADSTS50008: SAML assertion is missing or misconfigured in the token. [cite: 47]
  • AADSTS5000819: SAML Assertion is invalid; email address claim missing or doesn't match. [cite: 50]
  • AADSTS50012: Authentication failed due to various certificate or policy issues.
  • AADSTS50013: Assertion is invalid (issuer mismatch, expired, malformed, not primary refresh token). [cite: 56]
  • AADSTS500133: Assertion isn't within its valid time range. [cite: 57]
  • AADSTS50017: Certificate validation failed for various reasons. [cite: 63]
  • AADSTS50027: Invalid JWT token (nonce/sub claim issues, subject mismatch, duplicate claim, unexpected issuer/audience, expired, bad format, external ID token signature failure). [cite: 75]
  • AADSTS50032: Erroneous user attempt to use a weak RSA key. [cite: 77]
  • AADSTS50055: Password is expired. [cite: 91]
  • AADSTS50056: Invalid or null password; password doesn't exist in the directory for this user. [cite: 93]
  • AADSTS50064: Credential validation on username or password has failed.
  • AADSTS50072: User needs to enroll for second factor authentication (interactive). [cite: 105]
  • AADSTS50074: Strong authentication is required and the user did not pass the MFA challenge. [cite: 106]
  • AADSTS50076: User must use multifactor authentication due to configuration change or new location. [cite: 107]
  • AADSTS50078: Presented multifactor authentication has expired. [cite: 108]
  • AADSTS50079: User required to use multifactor authentication due to configuration change or new location. [cite: 109]
  • AADSTS50088: Limit on telecom MFA calls reached. [cite: 112]
  • AADSTS50089: Authentication failed due to flow token expired. [cite: 113]
  • AADSTS50099: PKeyAuthInvalidJwtUnauthorized - The JWT signature is invalid. [cite: 115]
  • AADSTS50120: Unknown credential type, issue with the JWT header. [cite: 123]
  • AADSTS50126: InvalidUserNameOrPassword - Error validating credentials due to invalid username or password. [cite: 132]
  • AADSTS50130: The claim value(s) '{value}' cannot be interpreted as known auth method(s). [cite: 137]
  • AADSTS50135: Password change is required due to account risk.
  • AADSTS50137: Password needs to be changed due to security policy rule.
  • AADSTS50142: Password change is required due to a conditional access policy. [cite: 149]
  • AADSTS50192: RawCredentialExpectedNotFound - No Credential was included in the sign-in request. [cite: 185]
  • AADSTS70002: InvalidClient - Error validating the credentials. The specified client_secret does not match the expected value for this client. [cite: 246]
  • AADSTS700027: Client assertion failed signature validation. [cite: 248]
  • AADSTS700030: Invalid certificate - subject name in certificate isn't authorized. [cite: 250]
  • AADSTS80010: OnPremisePasswordValidationEncryptionException - The Authentication Agent is unable to decrypt password. [cite: 289]
  • AADSTS80012: OnPremisePasswordValidationAccountLogonInvalidHours - The user attempted to log on outside of the allowed hours (this is specified in AD). [cite: 290]
  • AADSTS80013: OnPremisePasswordValidationTimeSkew - The authentication attempt couldn't be completed due to time skew between the machine running the authentication agent and AD. [cite: 291]
  • AADSTS90020: The SAML 1.1 Assertion is missing ImmutableID of the user. [cite: 316]
  • AADSTS90022: AuthenticatedInvalidPrincipalNameFormat - The principal name format isn't valid, or doesn't meet the expected name[/host][@realm] format. [cite: 318]
  • AADSTS900384: JWT token failed signature validation. [cite: 331]
  • AADSTS120000: PasswordChangeIncorrectCurrentPassword
  • AADSTS120002: PasswordChangeInvalidNewPasswordWeak
  • AADSTS120003: PasswordChangeInvalidNewPasswordContainsMemberName
  • AADSTS120004: PasswordChangeOnPremComplexity
  • AADSTS120005: PasswordChangeOnPremSuccessCloudFail
  • AADSTS120012: PasswordChangeNeedsToHappenOnPrem
  • AADSTS120014: PasswordChangeOnPremUserAccountLockedOutOrDisabled
  • AADSTS120018: PasswordChangePasswordDoesnotComplyFuzzyPolicy
  • AADSTS120020: PasswordChangeFailure
  • AADSTS7000215: Invalid client secret is provided. [cite: 389]
  • AADSTS7000222: The provided client secret keys are expired. [cite: 390]
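A client that calls the /oauth2/v2.0/token endpoint receives these codes in the error JSON: the numeric value in the `error_codes` array and the `AADSTSnnnnn:` prefix on `error_description`, which Entra follows with Trace ID, Correlation ID and Timestamp lines. The block below is an added example (not part of this gist) of parsing such a response and mapping a subset of the credential, grant and policy codes listed on this page onto a handling decision. The grouping sets and the action names are this example's own choices, not an Entra API, and the three sample payloads are constructed to match the response shape, not real captures.

```python
import json
import re
from dataclasses import dataclass
from typing import Optional

# Leading "AADSTSnnnnn:" prefix that Entra puts on error_description.
AADSTS_RE = re.compile(r"\bAADSTS(\d+)\b")

# Subset of the codes from this page, grouped by how a client should react.
# Hypothetical grouping for this example; extend it from the full list as needed.
INTERACTION_REQUIRED = {50072, 50074, 50076, 50078, 50079, 50097, 50140, 50199}
BAD_USER_CREDENTIAL = {50053, 50055, 50056, 50057, 50126, 50135, 50137, 50142}
BAD_CLIENT_CREDENTIAL = {70002, 7000215, 7000218, 7000222, 700027, 700030}
EXPIRED_GRANT = {70000, 70008, 700082, 700084, 70043, 50173, 54005}
POLICY_BLOCK = {53000, 53001, 53002, 53003, 530032, 530035, 53004}


@dataclass(frozen=True)
class EntraError:
    code: int
    oauth_error: str
    message: str
    correlation_id: Optional[str]
    action: str


def extract_code(payload: dict) -> Optional[int]:
    """Prefer the structured error_codes array; fall back to the prefix in error_description."""
    codes = payload.get("error_codes") or []
    if codes:
        return int(codes[0])
    m = AADSTS_RE.search(payload.get("error_description", ""))
    return int(m.group(1)) if m else None


def classify(code: Optional[int]) -> str:
    """Map a code onto an action name (names are this example's own convention)."""
    if code is None:
        return "unknown"
    if code in INTERACTION_REQUIRED:
        return "prompt_user"       # MFA / device / consent interrupt: rerun an interactive flow
    if code in BAD_USER_CREDENTIAL:
        return "reject"            # never retry silently; surface to the user, audit the event
    if code in BAD_CLIENT_CREDENTIAL:
        return "alert_operator"    # secret or certificate problem on the app side, not the user's
    if code in EXPIRED_GRANT:
        return "reauthenticate"    # drop the cached refresh token / auth code and start over
    if code in POLICY_BLOCK:
        return "policy_denied"     # Conditional Access / security defaults: not a client bug
    return "unknown"


def parse_token_error(body: str) -> EntraError:
    payload = json.loads(body)
    code = extract_code(payload)
    # Keep only the first line of the description for application logs; the trace and
    # correlation IDs appended after it are kept in their own field for support cases.
    desc = payload.get("error_description", "")
    first_line = desc.split("\r\n")[0].split("\n")[0]
    return EntraError(
        code=code if code is not None else -1,
        oauth_error=payload.get("error", ""),
        message=first_line,
        correlation_id=payload.get("correlation_id"),
        action=classify(code),
    )


# Constructed sample payloads shaped like Entra's token error JSON (not real captures).
SAMPLE_SECRET_EXPIRED = json.dumps({
    "error": "invalid_client",
    "error_description": "AADSTS7000222: The provided client secret keys for app "
                         "'11111111-1111-1111-1111-111111111111' are expired.\r\n"
                         "Trace ID: 00000000-0000-0000-0000-000000000000\r\n"
                         "Correlation ID: 22222222-2222-2222-2222-222222222222\r\n"
                         "Timestamp: 2025-05-26 12:33:00Z",
    "error_codes": [7000222],
    "correlation_id": "22222222-2222-2222-2222-222222222222",
})
SAMPLE_MFA_REQUIRED = json.dumps({
    "error": "interaction_required",
    "error_description": "AADSTS50076: Due to a change in configuration, you must use "
                         "multi-factor authentication to access this resource.",
    "error_codes": [50076],
})
SAMPLE_NO_ARRAY = json.dumps({  # only the prefix in the description, no error_codes array
    "error": "invalid_grant",
    "error_description": "AADSTS50126: Error validating credentials due to invalid username or password.",
})

if __name__ == "__main__":
    for body in (SAMPLE_SECRET_EXPIRED, SAMPLE_MFA_REQUIRED, SAMPLE_NO_ARRAY):
        e = parse_token_error(body)
        print(f"AADSTS{e.code} ({e.oauth_error}) -> {e.action}: {e.message}")
```

The split between `reject` and `alert_operator` is the point: a bad user password and an expired client secret both arrive as a 4xx from the token endpoint, but only the second one is an outage the platform team must fix, and AADSTS7000222 in particular should page someone because the rotation deadline has already passed.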

Application & Service Principal Configuration/Issues

  • AADSTS16002: AppSessionSelectionInvalid - The app-specified SID requirement wasn't met.
  • AADSTS160021: AppSessionSelectionInvalidSessionNotExist - Application requested a user session that doesn't exist. [cite: 8]
  • AADSTS28002: Provided value for the input parameter scope '{scope}' isn't valid when requesting an access token. [cite: 15]
  • AADSTS28003: Provided value for the input parameter scope can't be empty when requesting an access token using the provided authorization code. [cite: 16]
  • AADSTS50001: InvalidResource - The resource is disabled or doesn't exist. [cite: 24]
  • AADSTS500011: InvalidResourceServicePrincipalNotFound - The resource principal named {name} wasn't found in the tenant named {tenant}. [cite: 27]
  • AADSTS500014: InvalidResourceServicePrincipalDisabled - The service principal for resource '{identifier}' is disabled. [cite: 32]
  • AADSTS50007: PartnerEncryptionCertificateMissing - The partner encryption certificate wasn't found for this app. [cite: 45]
  • AADSTS50010: AudienceUriValidationFailed - Audience URI validation for the app failed since no token audiences were configured. [cite: 51]
  • AADSTS50011: InvalidReplyTo - The reply address is missing, misconfigured, or doesn't match reply addresses configured for the app. [cite: 52]
  • AADSTS50146: MissingCustomSigningKey - This app is required to be configured with an app-specific signing key. [cite: 156]
  • AADSTS501461: AcceptMappedClaims is only supported for a token audience matching the application GUID or an audience within the tenant's verified domains. [cite: 158]
  • AADSTS50194: Application '{appId}'({appName}) isn't configured as a multitenant application. [cite: 187]
  • AADSTS65005: MisconfiguredApplication - The app required resource access list doesn't contain apps discoverable by the resource, or the client app has requested access to resource, which wasn't specified in its required resource access list or Graph service returned bad request or resource not found. [cite: 227]
  • AADSTS650052: The app needs access to a service ("{name}") that your organization "{organization}" hasn't subscribed to or enabled. [cite: 230]
  • AADSTS650054: The application asked for permissions to access a resource that has been removed or is no longer available. [cite: 232]
  • AADSTS650056: Misconfigured application. [cite: 233] This could be due to one of the following: the client has not listed any permissions for '{name}' in the requested permissions in the client's application registration. [cite: 233] Or, the admin has not consented in the tenant. Or, check the application identifier in the request to ensure it matches the configured client application identifier. Or, check the certificate in the request to ensure it's valid. [cite: 234, 235]
  • AADSTS650057: Invalid resource. [cite: 238] The client has requested access to a resource which isn't listed in the requested permissions in the client's application registration. [cite: 238]
  • AADSTS650059: The application is not configured for use in the tenant. The value AzureADMyOrg set for application property signInAudience is limiting its use in the tenant. [cite: 403]
  • AADSTS70001: UnauthorizedClient - The application is disabled. [cite: 242]
  • AADSTS700011: UnauthorizedClientAppNotFoundInOrgIdTenant - Application with identifier {appIdentifier} was not found in the directory. [cite: 244]
  • AADSTS700025: InvalidClientPublicClientWithCredential - Client is public so neither 'client_assertion' nor 'client_secret' should be presented.
  • AADSTS70004: InvalidRedirectUri - The app returned an invalid redirect URI. [cite: 251]
  • AADSTS70005: UnsupportedResponseType - The app returned an unsupported response type for one of the following reasons: response type 'token' isn't enabled for the app; response type 'id_token' requires the 'OpenID' scope; the request contains an unsupported OAuth parameter value in the encoded wctx.
  • AADSTS700054: Response_type 'id_token' isn't enabled for the application. [cite: 253]
  • AADSTS70011: InvalidScope - The scope requested by the app is invalid. [cite: 265]
  • AADSTS75005: Saml2MessageInvalid - Microsoft Entra doesn’t support the SAML request sent by the app for SSO. [cite: 273]
  • AADSTS7500514: A supported type of SAML response was not found. [cite: 274]
  • AADSTS75008: RequestDeniedError - The request from the app was denied since the SAML request had an unexpected destination. [cite: 278]
  • AADSTS75016: Saml2AuthenticationRequestInvalidNameIDPolicy - SAML2 Authentication Request has invalid NameIdPolicy. [cite: 280]
  • AADSTS76021: ApplicationRequiresSignedRequests - The request sent by client is not signed while the application requires signed requests.
  • AADSTS90009: TokenForItselfMissingIdenticalAppIdentifier - The application is requesting a token for itself. [cite: 308] This scenario is supported only if the resource that's specified is using the GUID-based application ID. [cite: 308]
  • AADSTS9002332: Application '{principalId}'({principalName}) is configured for use by Microsoft Entra users only. [cite: 323] Please do not use the /consumers endpoint to serve this request. [cite: 323]
  • AADSTS90099: The application '{appId}' ({appName}) has not been authorized in the tenant '{tenant}'. [cite: 357] Applications must be authorized to access the external tenant before partner delegated administrators can use them. [cite: 357]
  • AADSTS901002: The 'resource' request parameter isn't supported. [cite: 360]
  • AADSTS90112: Application identifier is expected to be a GUID. [cite: 363]
  • AADSTS90130: NonConvergedAppV2GlobalEndpointNotSupported - The application isn't supported over the /common or /consumers endpoints. [cite: 371] Use the /organizations or tenant-specific endpoint instead. [cite: 371]
  • AADSTS700016: UnauthorizedClient_DoesNotMatchRequest - The application wasn't found in the directory/tenant. [cite: 385] This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. [cite: 385]
  • AADSTS700022: InvalidMultipleResourcesScope - The provided value for the input parameter scope isn't valid because it contains more than one resource. [cite: 387]
  • AADSTS700023: InvalidResourcelessScope - The provided value for the input parameter scope isn't valid when requesting an access token. [cite: 388]
  • AADSTS7000112: UnauthorizedClientApplicationDisabled - The application is disabled. [cite: 397]
  • AADSTS7000114: Application 'appIdentifier' isn't allowed to make application on-behalf-of calls.
  • AADSTS7500529: The value ‘SAMLId-Guid’ isn't a valid SAML ID - Microsoft Entra ID uses this attribute to populate the InResponseTo attribute of the returned response. [cite: 398] ID must not begin with a number, so a common strategy is to prepend a string like "ID" to the string representation of a GUID. [cite: 399]
  • AADSTS1000031: Application {appDisplayName} can't be accessed at this time.

Tenant & Directory Issues

  • AADSTS50002: NotAllowedTenant - Sign-in failed because of a restricted proxy access on the tenant. [cite: 25]
  • AADSTS500021: Access to '{tenant}' tenant is denied. [cite: 35] AADSTS500021 indicates that the tenant restriction feature is configured and that the user is trying to access a tenant that isn't in the list of allowed tenants specified in the header Restrict-Access-To-Tenant. [cite: 35]
  • AADSTS500022: Access to '{tenant}' tenant is denied. [cite: 37] AADSTS500022 indicates that the tenant restriction feature is configured and that the user is trying to access a tenant that isn't in the list of allowed tenants specified in the header Restrict-Access-To-Tenant. [cite: 37]
  • AADSTS5000224: NotAllowedTenantBlockedTenantFraud - We are sorry, this resource is not available. [cite: 48]
  • AADSTS500208: The domain is not a valid login domain for the account type - This situation occurs when the user's account does not match the expected account type for the given tenant. [cite: 72]
  • AADSTS500212: NotAllowedByOutboundPolicyTenant - The user's administrator has set an outbound access policy that doesn't allow access to the resource tenant. [cite: 74]
  • AADSTS500213: NotAllowedByInboundPolicyTenant - The resource tenant's cross-tenant access policy doesn't allow this user to access this tenant. [cite: 75]
  • AADSTS50029: Invalid URI - domain name contains invalid characters. [cite: 77]
  • AADSTS50042: UnableToGeneratePairwiseIdentifierWithMissingSalt - The salt required to generate a pairwise identifier is missing in principle. [cite: 84]
  • AADSTS50043: UnableToGeneratePairwiseIdentifierWithMultipleSalts
  • AADSTS50049: NoSuchInstanceForDiscovery - Unknown or invalid instance. [cite: 85]
  • AADSTS50059: MissingTenantRealmAndNoUserInformationProvided - Tenant-identifying information wasn't found in either the request or implied by any provided credentials. [cite: 100]
  • AADSTS50107: The requested federation realm object '{name}' doesn't exist. [cite: 120]
  • AADSTS50128: Invalid domain name - No tenant-identifying information found in either the request or implied by any provided credentials. [cite: 135]
  • AADSTS51001: DomainHintMustbePresent - Domain hint must be present with on-premises security identifier or on-premises UPN. [cite: 198]
  • AADSTS90002: InvalidTenantName - The tenant name wasn't found in the data store. [cite: 299]
  • AADSTS90019: MissingTenantRealm - Microsoft Entra ID was unable to determine the tenant identifier from the request. [cite: 315]
  • AADSTS90125: DebugModeEnrollTenantNotFound - The user isn't in the system. [cite: 368]
  • AADSTS90126: DebugModeEnrollTenantNotInferred - The user type isn't supported on this endpoint. [cite: 369] The system can't infer the user's tenant from the user name. [cite: 370]

Federation & Identity Provider (IDP) Errors

  • AADSTS20001: WsFedSignInResponseError - There's an issue with your federated Identity Provider. [cite: 11]
  • AADSTS20012: WsFedMessageInvalid - There's an issue with your federated Identity Provider. [cite: 12]
  • AADSTS20033: FedMetadataInvalidTenantName - There's an issue with your federated Identity Provider. [cite: 13]
  • AADSTS399284: InboundIdTokenIssuerInvalid - The inbound ID token received in the federation has an invalid issuer. [cite: 18]
  • AADSTS40008: OAuth2IdPUnretryableServerError - There's an issue with your federated Identity Provider. [cite: 19]
  • AADSTS40009: OAuth2IdPRefreshTokenRedemptionUserError - There's an issue with your federated Identity Provider. [cite: 20]
  • AADSTS40010: OAuth2IdPRetryableServerError - There's an issue with your federated Identity Provider. [cite: 21]
  • AADSTS40015: OAuth2IdPAuthCodeRedemptionUserError - There's an issue with your federated Identity Provider. [cite: 22]
  • AADSTS5001256: Failed to complete authentication with external provider due to invalid id_token. [cite: 65]
  • AADSTS50158: External security challenge not satisfied. [cite: 164]
  • AADSTS50159: Claims sent by external provider are not enough.
  • AADSTS50161: Failed to validate authorization url of external claims provider.
  • AADSTS50166: Request to External OIDC endpoint failed.
  • AADSTS50172: External claims provider {provider} isn't approved.
  • AADSTS50177: ExternalChallengeNotSupportedForPassthroughUsers - External challenge isn't supported for passthrough users.
  • AADSTS90081: OrgIdWsFederationMessageInvalid - An error occurred when the service tried to process a WS-Federation message. [cite: 350] The message isn't valid. [cite: 350]
  • AADSTS90082: OrgIdWsFederationNotSupported - The selected authentication policy for the request isn't currently supported. [cite: 351]
  • AADSTS90084: OrgIdWsFederationGuestNotAllowed - Guest accounts aren't allowed for this site.
  • AADSTS90085: OrgIdWsFederationSltRedemptionFailed - The service is unable to issue a token because the company object hasn't been provisioned yet. [cite: 352]
  • AADSTS90087: OrgIdWsFederationMessageCreationFromUriFailed - An error occurred while creating the WS-Federation message from the URI. [cite: 353]
  • AADSTS901011: NoEmailAddressCollectedFromExternalOidcIDP - No email address was obtained from the external OpenID Connect (OIDC) identity provider.
  • AADSTS901012: EmailAddressCollectedFromExternalOidcIDPNotVerified - No verified email address was obtained from the identity provider.
  • AADSTS901014: NoExternalIdentifierCollectedFromExternalOidcIDP - The external identifier does not exist in the ID token from the external OIDC identity provider.

Conditional Access & Security Policy Errors

  • AADSTS50005: DevicePolicyError - User tried to sign in to a device from a platform not currently supported through Conditional Access policy. [cite: 43]
  • AADSTS50131: ConditionalAccessFailed - Indicates various Conditional Access errors such as bad Windows device state, request blocked due to suspicious activity, access policy, or security policy decisions. [cite: 138]
  • AADSTS53000: DeviceNotCompliant - Conditional Access policy requires a compliant device, and the device isn't compliant. [cite: 209]
  • AADSTS53001: DeviceNotDomainJoined - Conditional Access policy requires a domain joined device, and the device isn't domain joined. [cite: 211]
  • AADSTS53002: ApplicationUsedIsNotAnApprovedApp - The app used isn't an approved app for Conditional Access. [cite: 212]
  • AADSTS53003: BlockedByConditionalAccess - Access has been blocked by Conditional Access policies. [cite: 214] The access policy does not allow token issuance. [cite: 214]
  • AADSTS530032: BlockedByConditionalAccessOnSecurityPolicy - The tenant admin has configured a security policy that blocks this request. [cite: 383]
  • AADSTS530035: BlockedBySecurityDefaults - Access has been blocked by security defaults. [cite: 216] This is due to the request using legacy auth or being deemed unsafe by security defaults policies. [cite: 216]
  • AADSTS53004: ProofUpBlockedDueToRisk - User needs to complete the multifactor authentication registration process before accessing this content. [cite: 218]
  • AADSTS53010: ProofUpBlockedDueToSecurityInfoAcr - Cannot configure multifactor authentication methods because the organization requires this information to be set from specific locations or devices. [cite: 219]
  • AADSTS53011: User blocked due to risk on home tenant.
  • AADSTS530034: DelegatedAdminBlockedDueToSuspiciousActivity - A delegated administrator was blocked from accessing the tenant due to account risk in their home tenant. [cite: 220]

Token Issuance, Validation & Lifetime

  • AADSTS50000: TokenIssuanceError - There's an issue with the sign-in service. [cite: 23]
  • AADSTS50048: SubjectMismatchesIssuer - Subject mismatches Issuer claim in the client assertion.
  • AADSTS50100: There was an error transforming the claims for the token.
  • AADSTS50101: Unknown claims transformer '{name}' was specified for principal '{principalId}'. [cite: 116]
  • AADSTS50102: Unable to load CustomClaimsTransformer '{type}' was specified for principal '{principalId}'. [cite: 117]
  • AADSTS50103: There was an error transforming the claims for the token: {errorMessage}.
  • AADSTS50108: Claims transformation configuration could not be retrieved.
  • AADSTS50109: Claim transformation is unknown from configuration. [cite: 121]
  • AADSTS50111: Unknown claim transformation was asked to be applied.
  • AADSTS50123: Unknown claims transformation method '{method}' was specified for principal '{principalId}'.
  • AADSTS50124: Invalid regular expression configured for claims transformation for this application. [cite: 124]
  • AADSTS501241: Mandatory Input '{paramName}' missing from transformation ID '{transformId}'. [cite: 126] This error is returned while Microsoft Entra ID is trying to build a SAML response to the application. [cite: 126]
  • AADSTS50162: Claims transformation has timed out. [cite: 169]
  • AADSTS501621: ClaimsTransformationTimeoutRegularExpressionTimeout - Regular expression replacement for claims transformation has timed out. [cite: 380]
  • AADSTS50163: Regular expression replacement for claims transformation has resulted in a claim which exceeds the size limit. [cite: 172]
  • AADSTS50164: The supplied access token was not issued for the purpose for which it is being used. [cite: 173]
  • AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. [cite: 180] The user might have changed or reset their password. [cite: 180]
  • AADSTS54005: OAuth2 Authorization code was already redeemed, please retry with a new valid code or use an existing refresh token. [cite: 221]
  • AADSTS70000: InvalidGrant - Authentication failed. The refresh token isn't valid. [cite: 241]
  • AADSTS70008: ExpiredOrRevokedGrant - The refresh token has expired due to inactivity. [cite: 258]
  • AADSTS700082: ExpiredOrRevokedGrantInactiveToken - The refresh token has expired due to inactivity. [cite: 260]
  • AADSTS700084: The refresh token was issued to a single page app (SPA), and therefore has a fixed, limited lifetime of {time}, which can't be extended. [cite: 263]
  • AADSTS70043: BadTokenDueToSignInFrequency - The refresh token has expired or is invalid due to sign-in frequency checks by Conditional Access. [cite: 270]
  • AADSTS90016: MissingRequiredClaim - The access token isn't valid. [cite: 314] The required claim is missing. [cite: 314]
  • AADSTS90086: OrgIdWsTrustDaTokenExpired - The user DA token is expired.
  • AADSTS700005: InvalidGrantRedeemAgainstWrongTenant - Provided Authorization Code is intended to use against other tenant, thus rejected. [cite: 393]
  • AADSTS700229: ForbiddenTokenType - Only app-only tokens can be used as Federated Identity Credentials for Microsoft Entra issuer. [cite: 391]

Request & Response Formatting/Parameters

  • AADSTS230109: CachedCredentialNonGWAuthNRequestsNotSupported - Backup Auth Service only allows AuthN requests from Microsoft Entra Gateway. [cite: 14]
  • AADSTS50050: MalformedDiscoveryRequest - The request is malformed.
  • AADSTS50098: JWT body must contain '{field}'.
  • AADSTS50117: Failed to deserialize policy specified in the request's claim parameter. [cite: 122]
  • AADSTS50147: MissingCodeChallenge - The size of the code challenge parameter isn't valid. [cite: 153, 160]
  • AADSTS50148: The code_verifier doesn't match the code_challenge supplied in the authorization request for PKCE. [cite: 154]
  • AADSTS50149: Invalid Code_Challenge_method parameter. [cite: 161]
  • AADSTS501491: InvalidCodeChallengeMethodInvalidSize - Invalid size of Code_Challenge parameter.
  • AADSTS50169: InvalidRequestBadRealm - The realm isn't a configured realm of the current service namespace. [cite: 178]
  • AADSTS70007: UnsupportedResponseMode - The app returned an unsupported value of response_mode when requesting a token. [cite: 257]
  • AADSTS75001: BindingSerializationError - An error occurred during SAML message binding.
  • AADSTS75003: UnsupportedBindingError - The app returned an error related to unsupported binding (SAML protocol response can't be sent via bindings other than HTTP POST). [cite: 272]
  • AADSTS750054: SAMLRequest or SAMLResponse must be present as query string parameters in HTTP request for SAML Redirect binding. [cite: 276]
  • AADSTS76026: RequestIssueTimeExpired - IssueTime in an SAML2 Authentication Request is expired. [cite: 281]
  • AADSTS90004: InvalidRequestFormat - The request isn't properly formatted.
  • AADSTS90005: InvalidRequestWithMultipleRequirements - Unable to complete the request. [cite: 303] The request isn't valid because the identifier and login hint can't be used together. [cite: 303]
  • AADSTS90007: InvalidSessionId - Bad request. [cite: 305] The passed session ID can't be parsed. [cite: 305]
  • AADSTS90013: InvalidUserInput - The input from the user isn't valid.
  • AADSTS90014: MissingRequiredField - This error code might appear in various cases when an expected field isn't present in the credential. [cite: 312]
  • AADSTS900144: The request body must contain the following parameter: '{name}'. [cite: 313]
  • AADSTS90015: QueryStringTooLong - The query string is too long.
  • AADSTS90023: InvalidRequest - The authentication service request isn't valid.
  • AADSTS900236: InvalidRequestSamlPropertyUnsupported - The SAML authentication request property '{propertyName}' isn't supported and must not be set. [cite: 320]
  • AADSTS9002313: InvalidRequest - Request is malformed or invalid. [cite: 321]
  • AADSTS90056: BadResourceRequest - To redeem the code for an access token, the app should send a POST request to the /token endpoint. [cite: 336]
  • AADSTS900561: BadResourceRequestInvalidRequest - The endpoint only accepts {valid_verbs} requests. [cite: 342] Received a {invalid_verb} request. [cite: 342]
  • AADSTS90100: InvalidRequestParameter - The parameter is empty or not valid.
  • AADSTS90101: InvalidEmailAddress - The supplied data isn't a valid email address. [cite: 361]
  • AADSTS90102: InvalidUriParameter - The value must be a valid absolute URI.
  • AADSTS90107: InvalidXml - The request isn't valid. [cite: 362]
  • AADSTS90117: InvalidRequestInput
  • AADSTS90119: InvalidUserCode - The user code is null or empty.
  • AADSTS90121: InvalidEmptyRequest - Invalid empty request.
  • AADSTS140000: InvalidRequestNonce - Request nonce isn't provided.
  • AADSTS165900: InvalidApiRequest - Invalid request. [cite: 376]
  • AADSTS240002: RequiredClaimIsMissing - The id_token can't be used as urn:ietf:params:oauth:grant-type:jwt-bearer grant. [cite: 379]
  • AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.
  • AADSTS900971: No reply address provided. [cite: 359]

Device Related Errors

  • AADSTS50097: DeviceAuthenticationRequired - Device authentication is required. [cite: 114]
  • AADSTS50129: DeviceIsNotWorkplaceJoined - Workplace join is required to register the device. [cite: 136]
  • AADSTS50134: DeviceFlowAuthorizeWrongDatacenter - Wrong data center. [cite: 140]
  • AADSTS50155: DeviceAuthenticationFailed - Device authentication failed for this user.
  • AADSTS50156: Device tokens are not supported for V2 resource. [cite: 163]
  • AADSTS50187: DeviceInformationNotProvided - The service failed to perform device authentication.
  • AADSTS130004: NgcKeyNotFound - The user principal doesn't have the NGC ID key configured. [cite: 372]
  • AADSTS130005: NgcInvalidSignature - NGC key signature verified failed.
  • AADSTS130006: NgcTransportKeyNotFound - The NGC transport key isn't configured on the device. [cite: 373]
  • AADSTS130007: NgcDeviceIsDisabled - The device is disabled.
  • AADSTS130008: NgcDeviceIsNotFound - The device referenced by the NGC key wasn't found. [cite: 374]
  • AADSTS135010: KeyNotFound
  • AADSTS135011: Device used during the authentication is disabled.
  • AADSTS220450: UnsupportedAndroidWebViewVersion - The Chrome WebView version isn't supported.
  • AADSTS221000: DeviceOnlyTokensNotSupportedByResource - The resource isn't configured to accept device-only tokens. [cite: 377]
  • AADSTS240001: BulkAADJTokenUnauthorized - The user isn't authorized to register devices in Microsoft Entra ID. [cite: 378]

Session & Sign-out / SSO Issues

  • AADSTS16001: UserAccountSelectionInvalid - You see this error if the user selects a tile that the session select logic has rejected. [cite: 5]
  • AADSTS50058: UserInformationNotProvided - Session information isn't sufficient for single-sign-on. [cite: 97]
  • AADSTS50061: SignoutInvalidRequest - Unable to complete sign out. [cite: 101]
  • AADSTS50068: SignoutInitiatorNotParticipant - Sign out has failed. [cite: 102] The app that initiated sign out isn't a participant in the current session. [cite: 102]
  • AADSTS50070: SignoutUnknownSessionIdentifier - Sign out has failed. [cite: 103] The sign out request specified a name identifier that didn't match the existing session(s). [cite: 103]
  • AADSTS50071: SignoutMessageExpired - The logout request has expired. [cite: 104]
  • AADSTS50132: SsoArtifactInvalidOrExpired - The session isn't valid due to password expiration or recent password change. [cite: 139]
  • AADSTS50133: SsoArtifactRevoked - The session isn't valid due to password expiration or recent password change.
  • AADSTS50136: RedirectMsaSessionToApp - Single MSA session detected. [cite: 142]
  • AADSTS50139: SessionMissingMsaOAuth2RefreshToken - The session is invalid due to a missing external refresh token. [cite: 144]
  • AADSTS50140: KmsiInterrupt - This error occurred due to "Keep me signed in" interrupt when the user was signing-in. [cite: 145]
  • AADSTS50143: Session mismatch - Session is invalid because user tenant doesn't match the domain hint due to different resource. [cite: 150]
  • AADSTS50168: The client is capable of utilizing the Windows 10 Accounts extension to perform SSO but no SSO token was found in the request or the token was expired. [cite: 176]
  • AADSTS50180: WindowsIntegratedAuthMissing - Integrated Windows authentication is needed. [cite: 184] Enable the tenant for Seamless SSO. [cite: 184]
  • AADSTS50199: CmsiInterrupt - For security reasons, user confirmation is required for this request. [cite: 192]
  • AADSTS51006: ForceReauthDueToInsufficientAuth - Integrated Windows authentication is needed. [cite: 207] User logged in using a session token that is missing the integrated Windows authentication claim. [cite: 207]
  • AADSTS81004: DesktopSsoIdentityInTicketIsNotAuthenticated - Kerberos authentication attempt failed.
  • AADSTS81005: DesktopSsoAuthenticationPackageNotSupported - The authentication package isn't supported.
  • AADSTS81006: DesktopSsoNoAuthorizationHeader - No authorization header was found. [cite: 294]
  • AADSTS81007: DesktopSsoTenantIsNotOptIn - The tenant isn't enabled for Seamless SSO.
  • AADSTS81009: DesktopSsoAuthorizationHeaderValueWithBadFormat - Unable to validate user's Kerberos ticket. [cite: 295]
  • AADSTS81010: DesktopSsoAuthTokenInvalid - Seamless SSO failed because the user's Kerberos ticket has expired or is invalid. [cite: 296]
  • AADSTS81011: DesktopSsoLookupUserBySidFailed - Unable to find user object based on information in the user's Kerberos ticket. [cite: 297]
  • AADSTS81012: DesktopSsoMismatchBetweenTokenUpnAndChosenUpn - The user trying to sign in to Microsoft Entra ID is different from the user signed into the device. [cite: 298]
  • AADSTS9002341: V2Error: invalid_grant - The user is required to permit single sign-on (SSO). [cite: 400]

On-Premises Authentication (PTA/SSO)

  • AADSTS80001: OnPremiseStoreIsNotAvailable - The Authentication Agent is unable to connect to Active Directory. [cite: 282]
  • AADSTS80002: OnPremisePasswordValidatorRequestTimedout - Password validation request timed out. [cite: 284]
  • AADSTS80005: OnPremisePasswordValidatorUnpredictableWebException - An unknown error occurred while processing the response from the Authentication Agent. [cite: 285]
  • AADSTS80007: OnPremisePasswordValidatorErrorOccurredOnPrem - The Authentication Agent is unable to validate the user's password. [cite: 287]
  • AADSTS80014: OnPremisePasswordValidationAuthenticationAgentTimeout - Validation request responded after maximum elapsed time exceeded. [cite: 292]
  • AADSTS120013: PasswordChangeOnPremisesConnectivityFailure

Consent & Permissions

  • AADSTS50150: The provided credentials do not have valid user consent approval information. [cite: 162]
  • AADSTS52004: DelegationDoesNotExistForLinkedIn - The user has not provided consent for access to LinkedIn resources. [cite: 208]
  • AADSTS65001: DelegationDoesNotExist - The user or administrator hasn't consented to use the application with ID X. [cite: 222]
  • AADSTS65002: Consent between first party application '{applicationId}' and first party resource '{resourceId}' must be configured via preauthorization - applications owned and operated by Microsoft must get approval from the API owner before requesting tokens for that API. [cite: 223]
  • AADSTS65004: UserDeclinedConsent - User declined to consent to access the app. [cite: 226]
  • AADSTS90008: TokenForItselfRequiresGraphPermission - The user or administrator hasn't consented to use the application. [cite: 306]
  • AADSTS90094: AdminConsentRequired - Administrator consent is required.
  • AADSTS90095: AdminConsentRequiredRequestAccess - In the Admin Consent Workflow experience, an interrupt that appears when the user is told they need to ask the admin for consent. [cite: 356]

Development, API & Integration Errors

  • AADSTS500207: The account type can't be used for the resource you're trying to access. [cite: 71]
  • AADSTS50141: Protected key isn't intended for the authenticated user.
  • AADSTS50165: The token encrypting algorithm '{algorithm}' requested by the application isn't supported for this type of token. [cite: 174]
  • AADSTS50167: Invalid pop_jwk key. [cite: 175]
  • AADSTS50170: MissingExternalClaimsProviderMapping - The external controls mapping is missing.
  • AADSTS50171: The given audience can only be used in Mutual-TLS token calls. [cite: 179]
  • AADSTS50176: Missing definition of external control: {controlId}. [cite: 182]
  • AADSTS51000: RequiredFeatureNotEnabled - The feature is disabled. [cite: 197]
  • AADSTS67003: ActorNotValidServiceIdentity
  • AADSTS70003: UnsupportedGrantType - The app returned an unsupported grant type.
  • AADSTS70016: AuthorizationPending - OAuth 2.0 device flow error. [cite: 267] Authorization is pending. [cite: 267]
  • AADSTS70018: BadVerificationCode - Invalid verification code because the user typed the wrong user code for the device code flow. [cite: 268]
  • AADSTS70019: CodeExpired - Verification code expired. [cite: 269]
  • AADSTS90010: NotSupported - Unable to create the algorithm.
  • AADSTS9001023: The grant type isn't supported over the /common or /consumers endpoints. [cite: 310]
  • AADSTS90027: We are unable to issue tokens from this API version on the MSA tenant. [cite: 325]
  • AADSTS90120: InvalidDeviceFlowRequest - The request was already authorized or declined. [cite: 365]
  • AADSTS90123: IdentityProviderAccessDenied - The token can't be issued because the identity or claim issuance provider denied the request. [cite: 366]
  • AADSTS90124: V1ResourceV2GlobalEndpointNotSupported - The resource isn't supported over the /common or /consumers endpoints. [cite: 367] Use the /organizations or tenant-specific endpoint instead. [cite: 367]
  • AADSTS700020: InteractionRequired - The access grant requires interaction.

Internal Service, Transient & Throttling Errors

  • AADSTS50033: RetryableError - Indicates a transient error not related to the database operations. [cite: 79]
  • AADSTS50086: SasNonRetryableError
  • AADSTS50087: SasRetryableError - A transient error has occurred during strong authentication. [cite: 111]
  • AADSTS50157: User redirection required for routing.
  • AADSTS50160: Different target tenant is preferred. [cite: 168]
  • AADSTS51005: TemporaryRedirect - Equivalent to HTTP status 307, which indicates that the requested information is located at the URI specified in the location header. [cite: 204]
  • AADSTS70012: MsaServerError - A server error occurred while authenticating an MSA (consumer) user. [cite: 266]
  • AADSTS90006: ExternalServerRetryableError - The service is temporarily unavailable.
  • AADSTS90012: RequestTimeout - The request has timed out. [cite: 311]
  • AADSTS90024: RequestBudgetExceededError - A transient error has occurred. [cite: 324]
  • AADSTS90033: MsodsServiceUnavailable - The Microsoft Online Directory Service (MSODS) isn't available. [cite: 327]
  • AADSTS90036: MsodsServiceUnretryableFailure - An unexpected, non-retryable error from the WCF service hosted by MSODS has occurred. [cite: 328]
  • AADSTS90055: TenantThrottlingError - There are too many incoming requests. [cite: 335] This exception is thrown for blocked tenants. [cite: 335]
  • AADSTS90090: GraphRetryableError - The service is temporarily unavailable.
  • AADSTS90091: GraphServiceUnreachable
  • AADSTS90092: GraphNonRetryableError
  • AADSTS90093: GraphUserUnauthorized - Graph returned with a forbidden error code for the request. [cite: 354]
  • AADSTS120008: PasswordChangeAsyncJobStateTerminated - A non-retryable error has occurred.
  • AADSTS120011: PasswordChangeAsyncUpnInferenceFailed
  • AADSTS120015: PasswordChangeADAdminActionRequired
  • AADSTS165004: Actual message content is runtime specific.

Cross-Cloud & Regional Issues

  • AADSTS230109: CachedCredentialNonGWAuthNRequestsNotSupported - Backup Auth Service only allows AuthN requests from Microsoft Entra Gateway. [cite: 14] This error is returned when traffic targets the backup auth service directly instead of going through the reverse proxy. [cite: 14]
  • AADSTS1000104: XCB2BResourceCloudNotAllowedOnIdentityTenant - Resource cloud {resourceCloud} isn't allowed on identity tenant {identityTenant}. [cite: 199]
  • AADSTS50178: SessionControlNotSupportedForPassthroughUsers - Session control isn't supported for passthrough users. [cite: 183]
  • AADSTS90038: NationalCloudTenantRedirection - The specified tenant 'Y' belongs to the National Cloud 'X'. [cite: 330] Current cloud instance 'Z' does not federate with X. [cite: 330]
  • AADSTS900382: Confidential Client isn't supported in Cross Cloud request. [cite: 355]
  • AADSTS90043: NationalCloudAuthCodeRedirection - The feature is disabled. [cite: 333]
  • AADSTS900432: Confidential Client isn't supported in Cross Cloud request.
  • AADSTS90051: InvalidNationalCloudId - The national cloud identifier contains an invalid cloud identifier. [cite: 334]
  • AADSTS100007: Microsoft Entra Regional ONLY supports auth either for MSIs OR for requests from MSAL using SN+I for 1P apps or 3P apps in Microsoft infrastructure tenants. [cite: 396]

Specific Flow / Protocol / System Logic

  • AADSTS50085: Refresh token needs social IDP login. Have the user try signing in again with username and password.
  • AADSTS501481: The Code_Verifier doesn't match the code_challenge supplied in the authorization request.
  • AADSTS50196: LoopDetected - A client loop has been detected. [cite: 188] Check the app’s logic to ensure that token caching is implemented, and that error conditions are handled correctly. [cite: 188]
  • AADSTS1000002: BindCompleteInterruptError - The bind completed successfully, but the user must be informed. [cite: 395]

Self-Service Password Reset (SSPR) Errors

  • AADSTS50125: PasswordResetRegistrationRequiredInterrupt - Sign-in was interrupted because of a password reset or password registration entry. [cite: 131]
  • AADSTS50144: InvalidPasswordExpiredOnPremPassword - User's Active Directory password has expired. [cite: 152] Generate a new password for the user or have the user use the self-service reset tool to reset their password. [cite: 152]
  • AADSTS120016: PasswordChangeUserNotFoundBySspr
  • AADSTS120021: PartnerServiceSsprInternalServiceError