High severity | authentication
Power BI Error:
AADSTS50061, Sign-Out Request Failed
What does this error mean?
Microsoft Entra ID (Azure AD) could not complete the sign-out because the logout request was malformed or invalid.
Common causes
1. Post-logout redirect URI sent in the end_session request is not registered on the app registration in Entra ID
2. SAML LogoutRequest is unsigned, signed with the wrong certificate, or uses an algorithm the Entra ID app does not accept
3. NameID or session index in the SAML LogoutRequest does not match the active Entra ID session
4. Logout request is sent to the wrong tenant endpoint (common/organizations vs. specific tenant ID) or uses an expired id_token_hint
5. Federated identity provider (ADFS or third-party IdP) returns a malformed SLO response back to Entra ID
How to fix it
1. Capture the full sign-out URL or SAML LogoutRequest from the browser (F12 → Network, or SAML-tracer) and confirm which parameter is rejected; the correlation ID in the error helps locate the exact request in the Entra sign-in logs
2. In Entra ID → App registrations → your app → Authentication, ensure the post-logout redirect URI exactly matches the value the app sends (scheme, host, trailing slash all matter)
3. For SAML apps: verify the LogoutRequest is signed with the same certificate uploaded to the Entra Enterprise Application, and that the NameID format matches what Entra issued at sign-in
4. Pass a valid id_token_hint (for OIDC) or include a fresh SessionIndex (for SAML) instead of relying on cached values, and target the tenant-specific endpoint (https://login.microsoftonline.com/{tenant-id}/...) rather than /common
5. If a federated IdP is in the chain, check its SLO logs as well; Entra ID will surface AADSTS50061 when the upstream IdP response is invalid
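The OIDC checks from steps 1, 2 and 4 can be run offline against a captured sign-out URL. The following is an added example, not part of the original page or any Microsoft tooling; the sample URL, the registered URI list, the token and the function names are constructed for illustration, and the token payload is decoded without signature verification, for diagnostics only.

```python
import base64, json, time
from urllib.parse import urlsplit, parse_qs, urlencode

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_signout_url(url, registered_uris, now=None):
    """Return a list of findings for a captured OIDC sign-out URL."""
    now = time.time() if now is None else now
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    findings = []
    # First path segment is the tenant: a tenant ID, or common/organizations.
    tenant = parts.path.strip("/").split("/")[0]
    if tenant in ("common", "organizations"):
        findings.append(f"endpoint uses /{tenant} instead of a tenant ID")
    # Exact string comparison: scheme, host and trailing slash all matter.
    redirect = query.get("post_logout_redirect_uri", [None])[0]
    if redirect is not None and redirect not in registered_uris:
        findings.append(f"post_logout_redirect_uri {redirect!r} is not registered")
    hint = query.get("id_token_hint", [None])[0]
    if hint is None:
        findings.append("no id_token_hint sent")
    else:
        try:
            expired = jwt_claims(hint).get("exp", 0) <= now
        except (IndexError, ValueError, AttributeError, TypeError):
            findings.append("id_token_hint is not a decodable JWT")
        else:
            if expired:
                findings.append("id_token_hint is expired")
    return findings

def sample_token(exp):
    """Constructed, unsigned token for the demo; not a real Entra ID token."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'exp': exp})}.sig"

# Constructed capture: /common endpoint, missing trailing slash, expired hint.
SAMPLE_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/logout?" + urlencode({
    "post_logout_redirect_uri": "https://app.example.com/signout",
    "id_token_hint": sample_token(exp=1_700_000_000),
})
REGISTERED = ["https://app.example.com/signout/"]  # as listed on the app registration

if __name__ == "__main__":
    for finding in check_signout_url(SAMPLE_URL, REGISTERED, now=1_700_003_600):
        print("-", finding)
```

Replace `SAMPLE_URL` and `REGISTERED` with the request captured in the browser and the URIs shown under Authentication on the app registration.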