MetricSign
Low severity · authentication

Power BI Error: AADSTS20001

What does this error mean?

Microsoft Entra ID (Azure AD) received an invalid or unparseable WS-Federation sign-in response from your federated identity provider.

Common causes

  • Federated IdP (ADFS, Okta, Ping, etc.) returned a malformed or unsigned WS-Federation response
  • Token-signing certificate on the IdP expired or was rolled over without updating the federation trust in Entra ID
  • Mismatch between the IssuerUri / EntityID configured in Entra ID (Get-MsolDomainFederationSettings / Get-MgDomainFederationConfiguration) and the issuer in the token
  • ImmutableID / SourceAnchor claim missing or not matching the synced user in Entra ID
  • IdP outage, clock skew, or audience URI (urn:federation:MicrosoftOnline) misconfiguration

How to fix it

  1. Reproduce the sign-in and capture the SAML/WS-Fed response with Fiddler or the browser's network trace — inspect the Issuer, NameID, and signing certificate
  2. On the federated IdP (ADFS: Get-AdfsRelyingPartyTrust 'Microsoft Office 365 Identity Platform'), verify the token-signing certificate is valid and matches what Entra ID expects via Get-MgDomainFederationConfiguration
  3. If the IdP signing cert was rolled, refresh the federation trust: Update-MgDomainFederationConfiguration (or the legacy Update-MsolFederatedDomain -SupportMultipleDomain)
  4. Confirm the IssuerUri and the user's ImmutableID claim match the on-prem objectGUID synced via Entra Connect — fix the claim rule on the IdP if not
  5. If the IdP is healthy, open a ticket with the IdP vendor (Microsoft for ADFS, Okta/Ping support) and provide the captured response plus the correlation ID from the Entra sign-in logs
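
Added example (not MetricSign's or Microsoft's code): a Python check for the step 1 inspection, run over the decoded wresult XML taken from the capture. It assumes the IdP issues a SAML 1.1 assertion, as AD FS does over WS-Federation; the function name, issuer URI and sample response are constructed for illustration.

```python
import base64, hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
AUDIENCE = "urn:federation:MicrosoftOnline"  # audience URI named on the page

def _ts(value):  # xs:dateTime with trailing Z -> timezone-aware datetime
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_wsfed_response(wresult, expected_issuer, now, skew=timedelta(minutes=5)):
    """Return (findings, SHA-1 thumbprint of the embedded cert or None).
    Structural checks only: the XML signature is NOT cryptographically verified."""
    try:
        root = ET.fromstring(wresult)
    except ET.ParseError as exc:
        return [f"unparseable response: {exc}"], None
    a = root.find(".//saml:Assertion", NS)
    if a is None:
        return ["no SAML 1.1 assertion in response"], None
    findings = []
    if a.get("Issuer") != expected_issuer:  # compare with IssuerUri in Entra ID
        findings.append(f"issuer mismatch: {a.get('Issuer')!r}")
    if a.find("ds:Signature", NS) is None:
        findings.append("assertion is unsigned")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        findings.append("validity window missing")
    else:
        if now + skew < _ts(cond.get("NotBefore")):
            findings.append("not yet valid (clock skew?)")
        if now - skew >= _ts(cond.get("NotOnOrAfter")):
            findings.append("assertion expired")
    if AUDIENCE not in [e.text for e in a.iterfind(".//saml:Audience", NS)]:
        findings.append("audience is not " + AUDIENCE)
    name_id = a.find(".//saml:NameIdentifier", NS)
    if name_id is None or not (name_id.text or "").strip():
        findings.append("NameIdentifier missing")
    cert = a.find(".//ds:X509Certificate", NS)
    der = base64.b64decode(cert.text) if cert is not None and cert.text else None
    return findings, hashlib.sha1(der).hexdigest().upper() if der else None

# Constructed, trimmed sample (not a real capture): an unsigned assertion.
SAMPLE = """<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust"><t:RequestedSecurityToken>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" Issuer="http://sts.example.test/adfs/services/trust">
<saml:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T11:00:00Z"><saml:AudienceRestrictionCondition>
<saml:Audience>urn:federation:MicrosoftOnline</saml:Audience></saml:AudienceRestrictionCondition></saml:Conditions>
<saml:AuthenticationStatement><saml:Subject><saml:NameIdentifier>Y29uc3RydWN0ZWQ=</saml:NameIdentifier></saml:Subject>
</saml:AuthenticationStatement></saml:Assertion></t:RequestedSecurityToken></t:RequestSecurityTokenResponse>"""
```

Compare the returned thumbprint with the signing certificate Entra ID holds for the domain (step 2). An empty findings list means the response is structurally plausible, not that its signature is valid.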

Frequently asked questions

What does AADSTS20001 mean?

There's an issue with your federated Identity Provider. Contact your IDP to resolve this.

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes
