Severity: Low | Category: authentication
Power BI Error:
AADSTS140000, missing nonce in OIDC request
What does this error mean?
The OpenID Connect authorization request to Entra ID (Azure AD) is missing the required nonce parameter.
Common causes
1. Application sends an OIDC id_token / hybrid flow request without the required nonce parameter
2. Custom or outdated authentication middleware that doesn't generate a nonce per sign-in request
3. response_type includes id_token (e.g. 'code id_token' or 'id_token token') but the client omits nonce, which is mandatory for implicit/hybrid flows
4. Cached or replayed authorization URL where the nonce was stripped by a proxy, redirect, or URL rewrite
5. Single-Page App using MSAL with a misconfigured or overridden authority/request that drops the nonce
How to fix it
1. Inspect the failing /authorize request in browser DevTools (Network tab) and confirm whether the 'nonce' query parameter is present; if it is missing, the client is the culprit
2. If you use MSAL.js, MSAL.NET, or Microsoft.Identity.Web, upgrade to the latest version and let the library generate the nonce; do not hand-build authorize URLs
3. For custom OIDC clients, generate a cryptographically random nonce per sign-in, include it in the /authorize request, and validate it against the id_token's nonce claim on callback
4. Check reverse proxies, WAFs, or URL-rewrite rules (App Gateway, Cloudflare, IIS rewrite) that may strip query parameters from the /authorize redirect
5. If the error appears on Power BI Service or embedded scenarios, clear browser cache/cookies for login.microsoftonline.com and retry; for embedded analytics, ensure the embed token flow uses a current MSAL SDK