MetricSign
Low severity · authentication

Power BI Error:
AADSTS20012

What does this error mean?

WS-Federation message from your federated Identity Provider (ADFS/third-party IdP) failed validation by Entra ID.

Common causes

  • Expired or rotated token-signing certificate on ADFS / federated IdP not synced to Entra ID
  • Federation metadata (issuer URI, endpoints) in Entra ID drifted from the actual IdP configuration
  • Broken or misconfigured claim issuance / transform rules on ADFS producing an invalid WS-Fed assertion
  • Clock skew between the IdP and Entra ID causing the SAML/WS-Fed token to fall outside its validity window
  • IdP outage or partial failure (e.g. ADFS service down, WAP proxy returning malformed responses)

How to fix it

  1. Run `Get-MsolFederationProperty -DomainName <domain>` (or `Get-MgDomainFederationConfiguration`) and compare the signing certificate + issuer URI against the live ADFS/IdP — mismatches are the #1 cause
  2. If the IdP token-signing certificate was rotated, re-sync federation trust with `Update-MsolFederatedDomain` or run AAD Connect to refresh the federation metadata
  3. Check the ADFS event log (AD FS/Admin) on the federation server for correlated errors at the same timestamp — claim rule failures and certificate issues surface here
  4. Verify time sync (NTP) on the ADFS servers; even ~5 minutes skew can invalidate the WS-Fed message
  5. As a temporary unblock, test the user via `https://login.microsoftonline.com/?whr=<federated-domain>` in a clean session to confirm the failure is consistent, then escalate to your IdP administrator with the correlation ID from the error
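The comparison in step 1 can be scripted. The following is an added example, not code from the original page or from Microsoft: it checks whether the signing certificates Entra ID holds for a domain are still published in the IdP's federation metadata and whether they have expired. `contoso.com` and `sts.contoso.com` are placeholders, and the script assumes the Microsoft Graph PowerShell module, read access to the tenant, and network access to the IdP's metadata endpoint.

```powershell
# Added example. Placeholders: contoso.com (federated domain), sts.contoso.com (IdP host).
function ConvertTo-X509 ([string] $Base64) {
    # Entra ID and federation metadata both carry the certificate as base64-encoded DER.
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [Convert]::FromBase64String($Base64))
}

function Compare-FederationTrust {
    param(
        [Parameter(Mandatory)] $EntraConfig,    # output of Get-MgDomainFederationConfiguration
        [Parameter(Mandatory)] [xml] $Metadata  # the IdP's FederationMetadata.xml
    )
    # Token-signing certificates the IdP currently publishes, keyed by thumbprint.
    $xpath = "//*[local-name()='KeyDescriptor' and @use='signing']//*[local-name()='X509Certificate']"
    $idp = @{}
    foreach ($node in $Metadata.SelectNodes($xpath)) {
        $c = ConvertTo-X509 $node.InnerText
        $idp[$c.Thumbprint] = $c
    }
    # Certificates Entra ID trusts for this domain: the current one and, if set, the next one.
    foreach ($slot in 'SigningCertificate', 'NextSigningCertificate') {
        if ([string]::IsNullOrWhiteSpace($EntraConfig.$slot)) { continue }
        $c = ConvertTo-X509 $EntraConfig.$slot
        [pscustomobject]@{
            Slot           = $slot
            Thumbprint     = $c.Thumbprint
            NotAfter       = $c.NotAfter
            Expired        = $c.NotAfter -lt (Get-Date)
            PublishedByIdP = $idp.ContainsKey($c.Thumbprint)
            # Shown side by side for manual comparison: when several domains are
            # federated to one AD FS farm, the issuer URI differs per domain by design.
            EntraIssuer    = $EntraConfig.IssuerUri
            IdPEntityId    = $Metadata.DocumentElement.GetAttribute('entityID')
        }
    }
}

Connect-MgGraph -Scopes 'Domain.Read.All'
$entra = Get-MgDomainFederationConfiguration -DomainId 'contoso.com'
$meta  = [xml]::new()
$meta.Load('https://sts.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml')
Compare-FederationTrust -EntraConfig $entra -Metadata $meta | Format-List
```

A row with `PublishedByIdP = False` or `Expired = True` in the `SigningCertificate` slot points to the certificate causes listed above and to the re-sync in step 2.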

Frequently asked questions

What does AADSTS20012 mean?

There's an issue with your federated Identity

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes
