What causes AADSTS50117?

Malformed JSON in the `claims` query parameter (unescaped quotes, trailing commas, missing braces). Claims parameter not URL-encoded before being appended to the /authorize or /token request. Custom claims challenge built by hand instead of echoing the WWW-Authenticate header from a Conditional Access step-up response. Unsupported top-level keys — only `id_token`, `access_token`, and `userinfo` are accepted; vendor-specific keys cause deserialization failure. MSAL/ADAL library version too old to emit a CAE/Conditional Access compliant claims payload

How do I fix AADSTS50117?

Capture the exact /authorize or /token request and pretty-print the `claims` parameter — validate it as JSON (jsonlint) and confirm it is URL-encoded in the request. Compare the structure to Microsoft's claims request spec: top-level must be `{"id_token":{...},"access_token":{...}}`, with each claim as an object containing `essential`, `value`, or `values`. If the claims challenge originates from a Conditional Access / CAE step-up, pass the `claims` value verbatim from the resource's WWW-Authenticate header — do not reconstruct it. Upgrade MSAL (MSAL.NET ≥ 4.50, MSAL.js ≥ 2.30, MSAL Python ≥ 1.20) so the library handles the claims challenge serialization for you. If you control the requesting app, remove any custom/non-standard claim keys and retry; if it's a third-party app (Power BI Desktop, gateway, ADF linked service), file a ticket with the vendor with the captured request

Low severityauthentication

Power BI Error:
AADSTS50117

What does this error mean?

Azure AD/Entra ID could not parse the JSON policy passed in the OAuth claims request parameter.

Common causes

1Malformed JSON in the `claims` query parameter (unescaped quotes, trailing commas, missing braces)
2Claims parameter not URL-encoded before being appended to the /authorize or /token request
3Custom claims challenge built by hand instead of echoing the WWW-Authenticate header from a Conditional Access step-up response
4Unsupported top-level keys — only `id_token`, `access_token`, and `userinfo` are accepted; vendor-specific keys cause deserialization failure
5MSAL/ADAL library version too old to emit a CAE/Conditional Access compliant claims payload

How to fix it

1Capture the exact /authorize or /token request and pretty-print the `claims` parameter — validate it as JSON (jsonlint) and confirm it is URL-encoded in the request
2Compare the structure to Microsoft's claims request spec: top-level must be `{"id_token":{...},"access_token":{...}}`, with each claim as an object containing `essential`, `value`, or `values`
3If the claims challenge originates from a Conditional Access / CAE step-up, pass the `claims` value verbatim from the resource's WWW-Authenticate header — do not reconstruct it
4Upgrade MSAL (MSAL.NET ≥ 4.50, MSAL.js ≥ 2.30, MSAL Python ≥ 1.20) so the library handles the claims challenge serialization for you
5If you control the requesting app, remove any custom/non-standard claim keys and retry; if it's a third-party app (Power BI Desktop, gateway, ADF linked service), file a ticket with the vendor with the captured request

Frequently asked questions

What does AADSTS50117 mean?

Failed to deserialize policy specified in the request's claim parameter.

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes