Low severity · authentication

Power BI Error: AADSTS40008

What does this error mean?

Federated identity provider returned a non-retryable error during OAuth2 token exchange with Microsoft Entra ID.

Common causes

  • Federated IdP (ADFS, Okta, Ping, Google Workspace) is down or returning 5xx errors during the SAML/WS-Fed exchange
  • Expired or misconfigured token-signing certificate on the federated IdP
  • Federation trust between Entra ID and the on-prem IdP is broken (metadata out of sync after a cert rollover)
  • ADFS service account locked out, or ADFS proxy (WAP) cannot reach the internal ADFS farm
  • Clock skew >5 minutes between the federated IdP and Entra ID, causing token validation to fail unrecoverably

How to fix it

  1. Identify the federated domain: in Entra admin center → Domain names, check which domain of the failing user is set to Federated and which IdP it points to.
  2. Check the health of that IdP directly — for ADFS run `Get-AdfsProperties` and `Test-FederationTrust`, hit `/adfs/ls/idpinitiatedsignon.aspx`, and review the ADFS event log on the primary server and WAP.
  3. Validate the token-signing certificate: confirm it is not expired and that the thumbprint in Entra ID (`Get-MgDomainFederationConfiguration`) matches the active signing cert on the IdP; if rolled over, run `Update-MgDomainFederationConfiguration` or re-run AAD Connect federation setup.
  4. Verify time sync (<5 min skew) between the IdP and Entra ID, and confirm the IdP endpoints are reachable from the internet (WAP/reverse proxy, firewall, TLS chain).
  5. If the IdP is healthy, capture a Fiddler/browser HAR of the sign-in and open a ticket with the IdP vendor — AADSTS40008 is explicitly flagged by Microsoft as 'contact your IDP'.
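Steps 3 and 4 above can be checked in one pass. The script below is an added example (not from Microsoft or this page) for an ADFS-federated domain: it compares the token-signing certificate Entra ID trusts with the primary token-signing certificate on the ADFS farm, and measures clock skew against Entra ID. It assumes the Microsoft.Graph.Identity.DirectoryManagement module with Domain.Read.All consent, that it runs on the primary ADFS server, and a placeholder domain name in $Domain.

```powershell
# Added example, not from Microsoft or the original page.
# Assumes: Microsoft Graph PowerShell module (Domain.Read.All), ADFS module on the
# primary ADFS server, and a placeholder federated domain in $Domain.
param([string]$Domain = 'contoso.example')   # placeholder, replace with your federated domain

Import-Module Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes 'Domain.Read.All' -NoWelcome

# 1. Thumbprint of the signing certificate Entra ID currently trusts for this domain
$fed = Get-MgDomainFederationConfiguration -DomainId $Domain
$entraCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    [Convert]::FromBase64String($fed.SigningCertificate))
Write-Host "Entra ID trusts   : $($entraCert.Thumbprint) (expires $($entraCert.NotAfter))"

# 2. Primary token-signing certificate on the ADFS farm
$adfsCert = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
Write-Host "ADFS primary cert : $($adfsCert.Thumbprint) (expires $($adfsCert.Certificate.NotAfter))"

if ($entraCert.Thumbprint -ne $adfsCert.Thumbprint) {
    Write-Warning 'Thumbprint mismatch: federation metadata is out of sync with ADFS. Run Update-MgDomainFederationConfiguration or re-run Entra Connect federation setup.'
}
if ($adfsCert.Certificate.NotAfter -lt (Get-Date)) {
    Write-Warning 'ADFS token-signing certificate is expired; renew it and update the federation trust.'
}

# 3. Clock skew: compare this server's UTC time with the Date header returned by Entra ID
$resp   = Invoke-WebRequest -Uri 'https://login.microsoftonline.com/' -Method Head -UseBasicParsing
$remote = [DateTimeOffset]::Parse(($resp.Headers['Date'] | Select-Object -First 1))
$skew   = [math]::Abs(([DateTimeOffset]::UtcNow - $remote).TotalMinutes)
Write-Host ("Clock skew vs Entra ID: {0:N1} minutes" -f $skew)
if ($skew -gt 5) {
    Write-Warning 'Clock skew exceeds 5 minutes; fix time sync (w32tm /resync) before investigating further.'
}
```

If both thumbprints match, the certificate is unexpired and skew is under 5 minutes, the fault is most likely on the IdP side (step 2 event logs, WAP reachability) rather than in the federation trust.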

Frequently asked questions

What does AADSTS40008 mean?

There's an issue with your federated Identity Provider. Contact your IDP to reso

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes
