What causes AADSTS50070?

NameID format mismatch between the SAML LogoutRequest and the original SAML AuthnResponse (e.g. emailAddress vs. persistent vs. unspecified). Session already expired or signed out via another channel before the LogoutRequest reached Entra ID. Application sends a SAML SLO request with a hardcoded or stale NameID that no longer maps to the user's active session. Identifier mapping in the Enterprise Application (User Identifier / nameidentifier claim) is configured differently than what the SP sends in logout. Multiple sessions / multiple browser tabs where the SessionIndex or NameID in the logout request doesn't match the session being targeted

How do I fix AADSTS50070?

In Entra ID > Enterprise Applications > [your app] > Single sign-on, check the configured 'User Identifier' (NameID) and confirm it exactly matches what the application sends in its LogoutRequest (UPN, email, ObjectID, etc.). Capture the SAML LogoutRequest from the browser (SAML-tracer or F12 network tab) and compare the attribute and value against the original AuthnResponse — they must be identical. If the user already signed out elsewhere (other tab, IdP-initiated logout, session timeout), treat this error as benign — instruct the app to redirect to its post-logout URL instead of surfacing the error. For custom apps: ensure the SP stores the exact NameID and SessionIndex from the AuthnResponse and replays them in the LogoutRequest, rather than reconstructing the NameID from user attributes. Check Entra ID Sign-in logs (filter on the user and correlation ID from the error) to confirm whether the session was already terminated before the logout request arrived

Low severityauthentication

Power BI Error:
AADSTS50070

What does this error mean?

Sign-out request specified a name identifier (NameID) that doesn't match any active session in Microsoft Entra ID.

Common causes

1NameID format mismatch between the SAML LogoutRequest and the original SAML AuthnResponse (e.g. emailAddress vs. persistent vs. unspecified)
2Session already expired or signed out via another channel before the LogoutRequest reached Entra ID
3Application sends a SAML SLO request with a hardcoded or stale NameID that no longer maps to the user's active session
4Identifier mapping in the Enterprise Application (User Identifier / nameidentifier claim) is configured differently than what the SP sends in logout
5Multiple sessions / multiple browser tabs where the SessionIndex or NameID in the logout request doesn't match the session being targeted

How to fix it

1In Entra ID > Enterprise Applications > [your app] > Single sign-on, check the configured 'User Identifier' (NameID) and confirm it exactly matches what the application sends in its LogoutRequest (UPN, email, ObjectID, etc.)
2Capture the SAML LogoutRequest from the browser (SAML-tracer or F12 network tab) and compare the <NameID Format=...> attribute and value against the original AuthnResponse — they must be identical
3If the user already signed out elsewhere (other tab, IdP-initiated logout, session timeout), treat this error as benign — instruct the app to redirect to its post-logout URL instead of surfacing the error
4For custom apps: ensure the SP stores the exact NameID and SessionIndex from the AuthnResponse and replays them in the LogoutRequest, rather than reconstructing the NameID from user attributes
5Check Entra ID Sign-in logs (filter on the user and correlation ID from the error) to confirm whether the session was already terminated before the logout request arrived

Frequently asked questions

What does AADSTS50070 mean?

SignoutUnknownSessionIde

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes