What causes AADSTS240003?

Transient issue at the Microsoft Entra ID /authorize endpoint causing a malformed or empty response. Mismatch between the redirect_uri sent in the request and the reply URL registered on the app registration. Unsupported or inconsistent response_type / response_mode combination (e.g. code with form_post but missing state/nonce). Browser session interference: cookies blocked, third-party cookies disabled, or the auth window closed before the redirect completed. PKCE code_challenge or state parameter dropped/altered by a proxy, WAF, or Conditional Access interstitial

How do I fix AADSTS240003?

Retry the sign-in once in a clean browser session (incognito, no extensions) — AADSTS240003 is frequently transient and clears on retry. In the Entra admin center, open App registrations → your app → Authentication, and verify the exact redirect URI (scheme, host, port, trailing slash) matches what the client sends. Confirm the response_type and response_mode in the auth request are valid for the platform type (Web, SPA, Public client) — SPAs must use code + PKCE, not implicit. Capture the full /authorize request and response with browser devtools or Fiddler; check for HTTP 302/200 with missing 'code' or 'state' parameters and any proxy rewriting the query string. Check the Entra ID Sign-in logs (Monitoring → Sign-in logs) filtered on the user and timestamp to see whether the request reached Entra and what correlation ID was returned — include that ID when opening a Microsoft support case

Low severityauthentication

Power BI Error:
AADSTS240003

What does this error mean?

The Microsoft Entra ID (Azure AD) authorize endpoint returned an unexpected response during the OAuth 2.0 sign-in flow.

Common causes

1Transient issue at the Microsoft Entra ID /authorize endpoint causing a malformed or empty response
2Mismatch between the redirect_uri sent in the request and the reply URL registered on the app registration
3Unsupported or inconsistent response_type / response_mode combination (e.g. code with form_post but missing state/nonce)
4Browser session interference: cookies blocked, third-party cookies disabled, or the auth window closed before the redirect completed
5PKCE code_challenge or state parameter dropped/altered by a proxy, WAF, or Conditional Access interstitial

How to fix it

1Retry the sign-in once in a clean browser session (incognito, no extensions) — AADSTS240003 is frequently transient and clears on retry
2In the Entra admin center, open App registrations → your app → Authentication, and verify the exact redirect URI (scheme, host, port, trailing slash) matches what the client sends
3Confirm the response_type and response_mode in the auth request are valid for the platform type (Web, SPA, Public client) — SPAs must use code + PKCE, not implicit
4Capture the full /authorize request and response with browser devtools or Fiddler; check for HTTP 302/200 with missing 'code' or 'state' parameters and any proxy rewriting the query string
5Check the Entra ID Sign-in logs (Monitoring → Sign-in logs) filtered on the user and timestamp to see whether the request reached Entra and what correlation ID was returned — include that ID when opening a Microsoft support case

Frequently asked questions

What does AADSTS240003 mean?

Unexpected result from authorize endpoint call.

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes