What causes AADSTS240004?

Redirect URI in the /authorize request does not exactly match a redirect URI registered on the app in Entra ID (scheme, host, port, path or trailing slash differs). User cancelled the consent prompt or closed the browser window before the code was returned. Conditional Access, MFA, or session policy blocked the sign-in mid-flow so no code is issued. Wrong response_type or response_mode (e.g. response_type=token instead of code, or form_post expected but query was used). Browser stripped query parameters via tracking-protection, an extension, or a proxy that rewrote the redirect

How do I fix AADSTS240004?

Open the failing sign-in in Microsoft Entra → Sign-in logs and inspect the Authentication Details + Conditional Access tabs for the actual block reason behind 240004. Compare the redirect_uri in your /authorize request byte-for-byte against the Redirect URIs list on the App registration in Entra ID — fix any case, port, or trailing-slash mismatch. Verify the request uses response_type=code and a response_mode (query or form_post) that matches what your app expects to receive. Reproduce the flow in a clean browser profile (no extensions, no tracking-protection) to rule out client-side stripping of the ?code= parameter. If a Conditional Access policy is the cause, work with the Entra admin to either satisfy the policy (compliant device, MFA) or scope the app out of it

Low severityauthentication

Power BI Error:
AADSTS240004

What does this error mean?

The Microsoft Entra ID (Azure AD) authorize endpoint did not return an authorization code to the redirect URI during OAuth sign-in.

Common causes

1Redirect URI in the /authorize request does not exactly match a redirect URI registered on the app in Entra ID (scheme, host, port, path or trailing slash differs)
2User cancelled the consent prompt or closed the browser window before the code was returned
3Conditional Access, MFA, or session policy blocked the sign-in mid-flow so no code is issued
4Wrong response_type or response_mode (e.g. response_type=token instead of code, or form_post expected but query was used)
5Browser stripped query parameters via tracking-protection, an extension, or a proxy that rewrote the redirect

How to fix it

1Open the failing sign-in in Microsoft Entra → Sign-in logs and inspect the Authentication Details + Conditional Access tabs for the actual block reason behind 240004
2Compare the redirect_uri in your /authorize request byte-for-byte against the Redirect URIs list on the App registration in Entra ID — fix any case, port, or trailing-slash mismatch
3Verify the request uses response_type=code and a response_mode (query or form_post) that matches what your app expects to receive
4Reproduce the flow in a clean browser profile (no extensions, no tracking-protection) to rule out client-side stripping of the ?code= parameter
5If a Conditional Access policy is the cause, work with the Entra admin to either satisfy the policy (compliant device, MFA) or scope the app out of it

Frequently asked questions

What does AADSTS240004 mean?

Authorization code not received from authorize endpoint ca

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes