Low severity · authentication
Power BI Error: AADSTS40010, Federated IdP Failure
What does this error mean?
Entra ID (formerly Azure AD) could not complete the sign-in because the federated identity provider (AD FS, Okta, PingFederate) returned a retryable server error. The code is OAuth2IdPRetryableServerError: Entra ID handed the user off to the IdP (or called it to redeem a token) and got a server-side failure back instead of a valid token, so the Power BI sign-in cannot finish until the IdP answers correctly. The failure is on the IdP side, not in Power BI or in Entra ID itself.
Common causes
1. Federated identity provider (AD FS, Okta, PingFederate) is unavailable or returning 5xx errors
2. Token-signing certificate on the federated IdP has expired or rotated without the federation trust in Entra ID being updated
3. Federation metadata mismatch between Entra ID and the IdP (issuer URI, endpoints, or signing certificate thumbprint out of sync)
4. AD FS proxy / Web Application Proxy (WAP) is unreachable from the internet (DNS, firewall, or TLS issue)
5. Transient load or throttling at the IdP, especially during peak sign-in or right after a failover
How to fix it
1. Retry the sign-in after 1–2 minutes. This code is explicitly classed as retryable and often clears on its own once the IdP recovers. If it keeps recurring for every user, treat it as an outage or a broken trust rather than a transient.
2. Check the health of the federated IdP. For AD FS, confirm the AD FS service (adfssrv) is running on every farm node, and that the public endpoints served through WAP respond from outside the network: https://<adfs-host>/adfs/ls/idpinitiatedsignon.aspx and https://<adfs-host>/FederationMetadata/2007-06/FederationMetadata.xml. A TLS error, timeout or 5xx on those URLs is exactly what Entra ID sees. For Okta or PingFederate, check the vendor status page and the admin console for incidents.
3. Validate the token-signing certificate and federation metadata. Domain federation settings are not shown in the Entra admin center; read them with Microsoft Graph PowerShell (Get-MgDomainFederationConfiguration -DomainId contoso.com) and compare SigningCertificate / NextSigningCertificate and IssuerUri with what the IdP currently publishes in its federation metadata (for AD FS, Get-AdfsCertificate -CertificateType Token-Signing on a farm node shows the live certificates). The thumbprints must match and the certificate must not be expired.
4. Inspect the IdP's own logs at the timestamp of the failure for the underlying SAML/WS-Fed exception: on AD FS, Event Viewer → Applications and Services Logs → AD FS → Admin (and the WAP server's AD FS Proxy log if requests never reach the farm); on Okta, the System Log; on PingFederate, the server and audit logs.
5. If the certificate or metadata is out of sync, update the trust in Entra ID. If AD FS automatic certificate rollover is on and the federation metadata endpoint is reachable from the internet, Entra ID can pick up the new signing certificate from the metadata on its own; otherwise push it with Update-MgDomainFederationConfiguration (-DomainId, -InternalDomainFederationId, -SigningCertificate / -NextSigningCertificate) or via the federation management tasks in Entra Connect. The legacy MSOnline cmdlets (Get-MsolFederationProperty, Update-MsolFederatedDomain) are deprecated, and Test-FederationTrust is an Exchange cmdlet unrelated to Entra ID federation.
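Steps 2, 3 and 5 above can be run from one workstation. The following script is an added example, not code from the original article or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account holds Domain.Read.All, and uses placeholder names (adfs.contoso.com, contoso.com) for the AD FS public hostname and the federated domain. It checks the AD FS endpoints from the outside, extracts the token-signing certificate(s) published in federation metadata, and compares issuer URI and thumbprints with what Entra ID holds for the domain.

```powershell
# Added example (not from the original article). Assumed placeholders: AdfsHost, DomainId.
# Requires: Microsoft.Graph PowerShell SDK; an account with Domain.Read.All.
param(
    [string]$AdfsHost = 'adfs.contoso.com',   # assumed public AD FS / WAP hostname
    [string]$DomainId = 'contoso.com'         # assumed federated domain name in Entra ID
)

$metadataUrl = "https://$AdfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
$signOnUrl   = "https://$AdfsHost/adfs/ls/idpinitiatedsignon.aspx"

# 1. Reachability and TLS from the internet side, i.e. what Entra ID sees when it
#    talks to the IdP. A timeout, TLS failure or 5xx here points at WAP, DNS,
#    firewall or the AD FS service itself rather than at the trust configuration.
foreach ($url in @($signOnUrl, $metadataUrl)) {
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
        Write-Host ("OK   {0} -> HTTP {1}" -f $url, $resp.StatusCode)
    } catch {
        Write-Warning ("FAIL {0} -> {1}" -f $url, $_.Exception.Message)
    }
}

# 2. Token-signing certificate(s) the farm is advertising right now, taken from the
#    SAML IDPSSODescriptor in the federation metadata (the WS-Fed RoleDescriptor
#    carries the same certificates).
[xml]$md = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
$liveIssuer = $md.DocumentElement.GetAttribute('entityID')
$liveCerts  = $md.SelectNodes("//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']//ds:X509Certificate", $ns) |
    ForEach-Object {
        $der = [Convert]::FromBase64String($_.InnerText.Trim())
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
    }

# 3. What Entra ID has on file for the domain. SigningCertificate and
#    NextSigningCertificate are base64-encoded DER public certificates.
Connect-MgGraph -Scopes 'Domain.Read.All' -NoWelcome
$fed = Get-MgDomainFederationConfiguration -DomainId $DomainId
$entraCerts = @($fed.SigningCertificate, $fed.NextSigningCertificate) |
    Where-Object { $_ } |
    ForEach-Object {
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[Convert]::FromBase64String($_))
    }

# 4. Compare issuer URI and thumbprints, and flag expiry. A certificate that AD FS
#    signs with but Entra ID does not trust (or vice versa) is the classic
#    post-rollover cause of federated sign-in failures.
Write-Host "Issuer (AD FS metadata): $liveIssuer"
Write-Host "Issuer (Entra ID):       $($fed.IssuerUri)"
if ($liveIssuer -ne $fed.IssuerUri) { Write-Warning 'IssuerUri mismatch between AD FS and Entra ID' }

$liveThumbs  = @($liveCerts  | ForEach-Object Thumbprint)
$entraThumbs = @($entraCerts | ForEach-Object Thumbprint)
foreach ($c in $liveCerts) {
    $state = if ($entraThumbs -contains $c.Thumbprint) { 'known to Entra ID' } else { 'NOT in Entra ID' }
    if ($c.NotAfter -lt (Get-Date)) { $state += ', EXPIRED' }
    Write-Host ("AD FS signing cert {0} (expires {1:u}): {2}" -f $c.Thumbprint, $c.NotAfter, $state)
}
foreach ($c in $entraCerts) {
    if ($liveThumbs -notcontains $c.Thumbprint) {
        Write-Warning ("Entra ID still trusts {0} (expires {1:u}), which AD FS no longer publishes" -f $c.Thumbprint, $c.NotAfter)
    }
}
```

If the script reports a certificate that AD FS publishes but Entra ID does not know, the fix is to push the new base64 certificate with Update-MgDomainFederationConfiguration -DomainId $DomainId -InternalDomainFederationId $fed.Id -SigningCertificate <base64> (use -NextSigningCertificate when staging a rollover), which needs Domain.ReadWrite.All rather than the read-only scope the script requests. If step 1 already fails, fix reachability first; a correct trust cannot help while Entra ID cannot reach the IdP.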