MetricSign
High severity · authentication

Power BI Error: AADSTS50149

What does this error mean?

The OAuth 2.0 authorization request specified a code_challenge_method that Microsoft Entra ID (Azure AD) does not accept.

Common causes

  • code_challenge_method value is something other than 'S256' or 'plain' (e.g. 'SHA256', 'sha-256', 'S256-hash')
  • Case mismatch: 'S256' must be uppercase; 's256' is rejected
  • code_challenge is sent in the authorize request but code_challenge_method is missing or empty
  • Custom or outdated MSAL/ADAL wrapper that builds the PKCE parameters manually with a wrong method
  • Reverse proxy, SSO broker or API gateway that rewrites or strips the code_challenge_method query parameter

How to fix it

  1. Inspect the authorize request (browser network tab or Fiddler trace) and confirm the literal value of code_challenge_method; it must be exactly 'S256' or 'plain'.
  2. If you build the URL manually, replace the value with 'S256' and ensure the matching code_challenge is the base64url-encoded SHA-256 hash of the code_verifier (no padding, URL-safe).
  3. Switch to a maintained library (MSAL.js, MSAL.NET, MSAL Python) and let it generate the PKCE pair; do not hand-roll it.
  4. Check any proxy / WAF / API Management policy in front of login.microsoftonline.com that might rewrite query strings, and exclude the /authorize endpoint from rewriting.
  5. If the request comes from an embedded webview or third-party tool, update it to a current version; older connectors sometimes send legacy method names.
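The checks from steps 1 and 2, as an added Python example (not code from this page or from Microsoft): it derives an S256 code_challenge from a code_verifier and flags the PKCE problems listed under "Common causes" in a captured authorize URL. The function names, the placeholder client_id and the sample URLs are assumptions made for illustration.

```python
import base64
import hashlib
import re
import secrets
from urllib.parse import parse_qs, urlsplit

ACCEPTED_METHODS = {"S256", "plain"}  # the two values the page lists as accepted


def s256_challenge(verifier):
    """base64url(SHA-256(code_verifier)) with the '=' padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Return (code_verifier, code_challenge) for the S256 method."""
    verifier = secrets.token_urlsafe(32)  # 43 URL-safe characters
    return verifier, s256_challenge(verifier)


def check_authorize_url(url):
    """Return a list of PKCE problems found in an authorize URL's query string."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    challenge = params.get("code_challenge", [""])[0]
    method = params.get("code_challenge_method", [""])[0]
    problems = []
    if challenge and not method:
        problems.append("code_challenge sent but code_challenge_method missing or empty")
    elif method and method not in ACCEPTED_METHODS:
        if method.upper() == "S256":
            problems.append(f"case mismatch: {method!r} must be 'S256'")
        else:
            problems.append(f"unaccepted code_challenge_method {method!r}")
    # A SHA-256 digest is 32 bytes, i.e. exactly 43 unpadded base64url characters.
    if method == "S256" and not re.fullmatch(r"[A-Za-z0-9_-]{43}", challenge):
        problems.append("code_challenge is not unpadded base64url of a SHA-256 digest")
    return problems


if __name__ == "__main__":
    # Constructed sample URLs; PLACEHOLDER stands in for a real client_id.
    base = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=PLACEHOLDER"
    verifier, challenge = make_pkce_pair()
    for m in ("S256", "s256", "SHA256", ""):
        url = f"{base}&code_challenge={challenge}&code_challenge_method={m}"
        print(repr(m), check_authorize_url(url) or "ok")
```

Run it against the URL copied from the browser network tab or Fiddler trace; comparing the result before and after a proxy hop shows whether the query string was rewritten in transit.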

Frequently asked questions

What does AADSTS50149 mean?

Invalid Code_Challenge_method parameter.

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes
