Low severity · authentication
Power BI Error: AADSTS40015
What does this error mean?
Microsoft Entra ID could not redeem the OAuth2 authorization code returned by the federated identity provider during sign-in (error name OAuth2IdPAuthCodeRedemptionUserError). In this flow Entra ID is the OAuth2 client: after the user authenticates at the IdP, the IdP sends an authorization code back to Entra ID, which then exchanges it at the IdP's token endpoint. That exchange is what failed, so the user never receives an Entra ID token and never reaches Power BI.
Common causes
1. Federated IdP (ADFS, Okta, Ping, etc.) is unreachable, returning 5xx, or its token endpoint is misconfigured
2. Expired or rotated token-signing certificate on the IdP that no longer matches the certificate recorded in the federation trust in Entra ID
3. Clock skew between the IdP and Entra ID, so the authorization code is judged expired or not yet valid
4. Federation metadata in Entra ID is stale after an IdP change (issuer URI, endpoint URLs, or signing key updated on the IdP side but not re-imported into the trust)
5. Authorization code already redeemed, replayed, or returned to a different redirect URI than the one registered with the IdP
How to fix it
1. Reproduce the sign-in and capture the full correlation ID and timestamp (from the client's error page or from the Entra ID sign-in logs), then share them with the IdP team. AADSTS40015 is raised by Entra ID, but the root cause is logged on the federated IdP.
2. On the federated IdP (ADFS/Okta/Ping), check the health of the OAuth2/OIDC token endpoint that Entra ID redeems the code against, and inspect its logs for code-redemption failures in the same correlation window. Code redemption is an OAuth2/OIDC step; a WS-Federation or SAML trust has no equivalent, so look at the IdP's OAuth2 configuration specifically.
3. Validate the IdP's token-signing certificate: confirm it has not expired and that it matches the certificate registered in the federation trust. If it was rotated, re-import the IdP's federation metadata or update the trust (`Update-MsolFederatedDomain` in the legacy MSOnline module; `Update-MgDomainFederationConfiguration` in the Microsoft Graph PowerShell SDK, which replaces the retired MSOnline module).
4. Check time sync (NTP) on the IdP servers. Authorization codes are short-lived, so a few minutes of skew between the IdP and Entra ID is enough for a code to be judged expired or not yet valid.
5. If only specific apps fail (e.g. Power BI Desktop, Fabric, ADF linked services using OAuth), verify the redirect URI registered at the IdP exactly matches the one Entra ID sends (scheme, host, path and trailing slash), and confirm the federated domain is still in the `Federated` (not `Managed`) state with `Get-MsolDomain` or, in the Graph SDK, `Get-MgDomain` (the `AuthenticationType` property).
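The following triage script is an added example, not part of the original page or of any Microsoft tooling; it runs the checks from the steps above against one federated domain with the Microsoft Graph PowerShell SDK. It assumes the SDK is installed, that the caller can consent to Domain.Read.All and AuditLog.Read.All, and that the domain, correlation ID, federation-metadata URL and token-endpoint URL (all hypothetical placeholders below) are replaced with your own values.

```powershell
<#
  Added example (not from the original page): AADSTS40015 triage for one federated domain.
  Assumes the Microsoft.Graph PowerShell SDK; all parameter defaults are hypothetical
  placeholders for your own tenant and IdP.
#>
param(
    [string]$Domain           = 'contoso.com',                                     # federated domain (assumed)
    [string]$CorrelationId    = '00000000-0000-0000-0000-000000000000',            # from the failing sign-in (assumed)
    [string]$IdpMetadataUrl   = 'https://adfs.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml', # assumed
    [string]$IdpTokenEndpoint = 'https://adfs.contoso.com/adfs/oauth2/token',      # assumed
    [int]   $MaxSkewSeconds   = 60
)

Connect-MgGraph -Scopes 'Domain.Read.All', 'AuditLog.Read.All' -NoWelcome

# Step 1: pull the failing sign-in so the IdP team gets the exact timestamp and reason.
$signIn = Get-MgAuditLogSignIn -Filter "correlationId eq '$CorrelationId'" -Top 1
if ($signIn) {
    '[sign-in] {0:u} user={1} app={2} code={3} reason={4}' -f $signIn.CreatedDateTime,
        $signIn.UserPrincipalName, $signIn.AppDisplayName, $signIn.Status.ErrorCode, $signIn.Status.FailureReason
} else {
    Write-Warning "No sign-in found for correlation ID $CorrelationId (sign-in logs can lag by several minutes)."
}

# Step 5 (domain state): the domain must still be Federated or Entra ID never redirects to the IdP.
$dom = Get-MgDomain -DomainId $Domain
'[domain]  {0} authenticationType={1}' -f $dom.Id, $dom.AuthenticationType
if ($dom.AuthenticationType -ne 'Federated') {
    Write-Warning "$Domain is not Federated; an IdP code-redemption error is not expected for it."
    return
}
$fed = Get-MgDomainFederationConfiguration -DomainId $Domain
'[trust]   issuer={0} passiveSignIn={1}' -f $fed.IssuerUri, $fed.PassiveSignInUri

# Step 3: decode the signing certificate Entra ID has on file and compare it with what the IdP
# currently publishes in its federation metadata (X509Certificate elements, any namespace prefix).
$x509      = [System.Security.Cryptography.X509Certificates.X509Certificate2]
$trustCert = $x509::new([Convert]::FromBase64String($fed.SigningCertificate))
'[trust]   signing cert thumbprint={0} notAfter={1:u}' -f $trustCert.Thumbprint, $trustCert.NotAfter
if ($trustCert.NotAfter -lt [DateTime]::UtcNow) {
    Write-Warning 'Signing certificate stored in the federation trust has expired (cause 2).'
}

$metaResp = Invoke-WebRequest -Uri $IdpMetadataUrl -UseBasicParsing -ErrorAction Stop
[xml]$meta = $metaResp.Content
$idpThumbs = @($meta.SelectNodes("//*[local-name()='X509Certificate']") |
    ForEach-Object { $x509::new([Convert]::FromBase64String($_.InnerText.Trim())).Thumbprint } |
    Sort-Object -Unique)
'[idp]     published cert thumbprints: {0}' -f ($idpThumbs -join ', ')
if ($idpThumbs -notcontains $trustCert.Thumbprint) {
    Write-Warning 'IdP no longer publishes the certificate recorded in the trust; re-import metadata (cause 2/4).'
}

# Step 4: clock skew, measured between the IdP (HTTP Date header) and this host's UTC clock.
# This assumes the host running the script is itself NTP-synced; it does not see Entra ID's clock.
$dateHeader = [string]($metaResp.Headers['Date'] | Select-Object -First 1)
if ($dateHeader) {
    $idpTime = [DateTimeOffset]::Parse($dateHeader, [Globalization.CultureInfo]::InvariantCulture)
    $skew    = [Math]::Abs(([DateTimeOffset]::UtcNow - $idpTime).TotalSeconds)
    '[idp]     clock skew vs this host: {0:N0}s' -f $skew
    if ($skew -gt $MaxSkewSeconds) { Write-Warning "Skew exceeds ${MaxSkewSeconds}s; check NTP on the IdP (cause 3)." }
}

# Step 2: a healthy OAuth2 token endpoint answers a deliberately bad grant with HTTP 400
# (invalid_request / unsupported_grant_type). A 5xx or no answer at all points at cause 1.
try {
    $r = Invoke-WebRequest -Uri $IdpTokenEndpoint -Method Post -Body @{ grant_type = 'authorization_code' } `
        -UseBasicParsing -ErrorAction Stop
    $status = [int]$r.StatusCode
} catch {
    $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { -1 }
}
'[idp]     token endpoint {0} -> HTTP {1}' -f $IdpTokenEndpoint, $status
if ($status -ge 500 -or $status -lt 0) { Write-Warning 'Token endpoint unhealthy or unreachable (cause 1).' }
```

The script only reads; it does not update the trust. If the thumbprint comparison or expiry check fails, fix the trust with `Update-MgDomainFederationConfiguration` (or `Update-MsolFederatedDomain` on the legacy MSOnline module) rather than editing the IdP, since the IdP is already publishing the new key. The token-endpoint probe deliberately sends an unredeemable grant so that a 400 is the expected healthy answer; anything in the 5xx range, a timeout, or a TLS failure is what to hand to the IdP team together with the correlation ID.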