Severity: Low | Category: Authentication
Power BI Error: AADSTS40009
What does this error mean?
Microsoft Entra ID (formerly Azure AD) could not redeem a refresh token at your federated identity provider (IdP) during sign-in, so the user's existing session could not be renewed.
Common causes
1. The federated identity provider (ADFS or a third-party IdP) refused the refresh token redemption request.
2. The token-signing certificate on the federation server has expired or been rotated, breaking the trust with Entra ID.
3. The federation trust between Entra ID and the on-prem IdP is misconfigured or partially broken, or the IdP endpoint is unreachable.
4. The refresh token lifetime / SSO session policy on the IdP is shorter than what Entra ID expects, so redemption fails prematurely.
5. The user account is sourced from a federated domain whose IdP is currently degraded or returning a SAML/WS-Fed error.
How to fix it
1. Confirm the user's UPN domain is federated (Get-MgDomain or Get-MsolDomain) — AADSTS40009 only applies to federated identities; cloud-only users won't hit this.
2. Check the health and reachability of the federated IdP (ADFS farm, Okta, Ping) — verify the federation metadata endpoint responds and the token-signing certificate is valid and trusted by Entra ID.
3. Re-sync the federation trust: on ADFS run Update-MsolFederatedDomain -DomainName <domain> (or the equivalent for third-party IdPs) to refresh the signing cert and endpoints in Entra ID.
4. Review the IdP's refresh token / SSO lifetime policy and align it with Entra ID expectations; reset the user's Entra ID sessions with Revoke-MgUserSignInSession if stale tokens persist.
5. If the failure is for a Power BI / Fabric scheduled refresh or ADF linked service, re-authenticate the data source credential after the IdP is healthy — cached refresh tokens won't recover on their own.
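The steps above, carried through as one PowerShell triage script. This is an added example, not code from the original page or from Microsoft: it confirms the UPN domain is federated (step 1), compares the signing certificate Entra ID currently trusts with the certificates the IdP publishes in its federation metadata (step 2), points at the Update-MsolFederatedDomain re-sync when they disagree (step 3), and optionally revokes the user's sessions (step 4). It assumes the Microsoft.Graph PowerShell SDK is installed, that the caller holds the Domain.Read.All and User.ReadWrite.All permissions, and that the IdP serves the standard ADFS metadata path; the function name, the UPN and the IdP hostname are placeholders chosen for this example.

```powershell
# Added example (not from the original page): defender-side triage for AADSTS40009.
# Assumptions: Microsoft.Graph SDK installed; caller has Domain.Read.All and
# User.ReadWrite.All; hostnames and UPNs below are constructed placeholders.

function Test-FederatedSigningTrust {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,  # placeholder, e.g. 'user@contoso.example'
        [Parameter(Mandatory)] [string] $IdpHost,            # placeholder, e.g. 'adfs.contoso.example'
        [switch] $RevokeSessions
    )

    Connect-MgGraph -Scopes 'Domain.Read.All', 'User.ReadWrite.All' | Out-Null

    # Step 1: AADSTS40009 only applies to federated identities, so check the UPN suffix first.
    $domainName = $UserPrincipalName.Split('@')[-1]
    $domain = Get-MgDomain -DomainId $domainName -ErrorAction Stop
    if ($domain.AuthenticationType -ne 'Federated') {
        Write-Warning "$domainName is $($domain.AuthenticationType), not Federated; AADSTS40009 does not apply."
        return
    }

    # Step 2a: the trust as Entra ID currently holds it (issuer, endpoints, signing certificate).
    $fed = Get-MgDomainFederationConfiguration -DomainId $domainName -ErrorAction Stop
    $trusted = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [Convert]::FromBase64String($fed.SigningCertificate))

    # Step 2b: the certificates the IdP publishes right now, read from its federation metadata.
    $metadataUrl = "https://$IdpHost/FederationMetadata/2007-06/FederationMetadata.xml"
    [xml] $metadata = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing -ErrorAction Stop).Content
    $dsNs = 'http://www.w3.org/2000/09/xmldsig#'
    $published = foreach ($node in $metadata.GetElementsByTagName('X509Certificate', $dsNs)) {
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            [Convert]::FromBase64String($node.InnerText.Trim()))
    }

    $trustedExpired = $trusted.NotAfter -lt (Get-Date)
    $stillPublished = @($published.Thumbprint) -contains $trusted.Thumbprint

    $verdict = if ($trustedExpired) {
        'Signing certificate trusted by Entra ID has expired; refresh the federation trust.'
    } elseif (-not $stillPublished) {
        'IdP rotated its signing certificate but Entra ID still trusts the old one; refresh the federation trust.'
    } else {
        'Signing trust is consistent; check IdP health, the SSO lifetime policy, or the cached data source credential.'
    }

    if ($trustedExpired -or -not $stillPublished) {
        # Step 3: Update-MsolFederatedDomain needs the MSOnline module and is run on the
        # federation server, so it is printed here rather than executed from this session.
        Write-Warning "On the ADFS server run: Update-MsolFederatedDomain -DomainName $domainName"
    }

    # Step 4: once the IdP is healthy, clear the user's stale Entra ID sessions on request.
    if ($RevokeSessions) {
        Revoke-MgUserSignInSession -UserId $UserPrincipalName -ErrorAction Stop | Out-Null
    }

    [pscustomobject]@{
        Domain                = $domainName
        IssuerUri             = $fed.IssuerUri
        PassiveSignInUri      = $fed.PassiveSignInUri
        TrustedThumbprint     = $trusted.Thumbprint
        TrustedNotAfter       = $trusted.NotAfter
        TrustedExpired        = $trustedExpired
        PublishedThumbprints  = @($published.Thumbprint)
        TrustedStillPublished = $stillPublished
        SessionsRevoked       = [bool] $RevokeSessions
        Verdict               = $verdict
    }
}

# Usage with placeholder values:
# Test-FederatedSigningTrust -UserPrincipalName 'user@contoso.example' -IdpHost 'adfs.contoso.example'
```

The comparison deliberately keys on the thumbprint Entra ID stores rather than on whatever the IdP returns, because a rotated certificate that the IdP happily publishes is exactly the case that breaks redemption until the trust is re-synced. Third-party IdPs expose their metadata at a different URL, so pass the full path in place of the ADFS default if you adapt the script for Okta or Ping.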