Low severity · authentication
Power BI Error: AADSTS399284
What does this error mean?
The inbound ID token presented during federation has an empty or mismatched issuer claim versus the configured realm identifier.
Common causes
1. The `iss` claim in the inbound ID token is empty or missing entirely
2. The token's issuer URI does not match the IssuerUri configured on the federated domain (Get-MsolDomainFederationSettings) or the federated identity credential
3. Trailing slash, casing, or http vs https mismatch between the IdP issuer and the value registered in Entra ID
4. Workload identity federation (GitHub Actions, Azure DevOps, Kubernetes) configured with the wrong `issuer` on the federated credential
5. External IdP (ADFS, Okta, Ping, Google) was reconfigured or migrated and started emitting a new issuer URL that was never updated in Entra ID
How to fix it
1. Decode the failing ID token (jwt.ms) and copy the exact `iss` claim; this is the value Entra ID compares against the configured issuer
2. For workload identity federation: in Entra portal → App registration → Certificates & secrets → Federated credentials, confirm the `Issuer` field matches the token's `iss` byte-for-byte (no trailing slash, correct https)
3. For domain federation: run `Get-MsolDomainFederationSettings -DomainName <domain>` and compare `IssuerUri` with the IdP's actual issuer; if it has drifted, update it via `Set-MsolDomainFederationSettings -DomainName <domain> -IssuerUri <correct>`
4. If the IdP recently rotated metadata, re-import the federation metadata XML or re-run `Update-MgDomainFederationConfiguration` so Entra ID picks up the new issuer
5. Validate that the external IdP is actually populating the `iss` claim on outbound tokens. An empty issuer means the IdP-side claim mapping is broken; fix it there before retrying
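
The comparison in steps 1 and 2 can be run locally so the token never leaves the machine; this Python sketch is an added example (not from the original page or any Microsoft tooling) that reads the `iss` claim and reports which of the mismatches listed under common causes applies. The issuer values and the `sample_token` helper are constructed for the demo, and the signature is deliberately not verified because the goal is diagnosis only.

```python
import base64
import json
import re
from urllib.parse import urlsplit


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def _core(url: str) -> str:
    """Issuer with the http(s) scheme and one trailing slash removed."""
    return re.sub(r"^https?://|/$", "", url, flags=re.I)


def diagnose_issuer(token: str, configured: str) -> list:
    """Return why the token's iss fails an exact match; [] means it matches."""
    iss = jwt_claims(token).get("iss")
    if not isinstance(iss, str) or not iss.strip():
        return ["empty-or-missing"]      # IdP-side claim mapping problem
    if iss == configured:
        return []                        # byte-for-byte match
    if _core(iss).lower() != _core(configured).lower():
        return ["different-issuer"]      # e.g. IdP migrated to a new URL
    reasons = []
    if iss.endswith("/") != configured.endswith("/"):
        reasons.append("trailing-slash")
    if urlsplit(iss).scheme.lower() != urlsplit(configured).scheme.lower():
        reasons.append("scheme")
    if _core(iss) != _core(configured) or not reasons:
        reasons.append("casing")
    return reasons


def sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo (not a real credential)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    configured = "https://idp.example.test/adfs"  # constructed value
    for iss in ("https://idp.example.test/adfs/", "http://IDP.example.test/adfs", ""):
        print(repr(iss), diagnose_issuer(sample_token({"iss": iss}), configured))
```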