Low severity · authentication
Power BI Error: AADSTS70001
What does this error mean?
The Issuer in the SAML request doesn't match the Identifier configured for the app in Microsoft Entra ID (Azure AD).
Common causes
1. The Issuer value in the SAML AuthnRequest doesn't match the Identifier (Entity ID) value configured on the Enterprise Application in Entra ID
2. Trailing slash mismatch between the app-side Issuer and the Entra ID Identifier (e.g. https://app.example.com vs https://app.example.com/)
3. The Enterprise Application was deleted or recreated, or the app registration's Application ID URI changed, without the SAML config being updated
4. Sign-in is being sent to the wrong tenant, so the Identifier doesn't exist in that directory
5. Multiple Identifier values are configured, but the application sends one that isn't in the allowed list
How to fix it
1. Open the error message and copy the exact Identifier value it reports; that's the Issuer your app is sending
2. In the Microsoft Entra admin center, go to Enterprise Applications → your app → Single sign-on, and compare the Issuer from the error with the Identifier (Entity ID) in the Basic SAML Configuration section
3. Update either the app-side Issuer or the Entra ID Identifier so they match character-for-character, including protocol (https://) and any trailing slash
4. Use 'Test this application' on the Single sign-on page and paste the error into 'Resolving Errors' → 'Get resolution guidance' to confirm the mismatch is gone
5. Verify you're signing in against the correct tenant; if the app lives in a different directory, switch tenant or reconfigure the SAML endpoint URL
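A script for the comparison in steps 1 to 3, as an added example (not from the original page or from Microsoft): it decodes a captured SAMLRequest, extracts the Issuer, and compares it with the configured Identifier values exactly, naming a trailing-slash or protocol near-miss. The function names, URLs and sample AuthnRequest are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

def issuer_from_saml_request(saml_request: str) -> str:
    """Return the <saml:Issuer> text from a URL-decoded SAMLRequest value
    (HTTP-Redirect binding: base64 + raw DEFLATE; POST binding: base64 only)."""
    raw = base64.b64decode(saml_request)
    try:
        xml_bytes = zlib.decompress(raw, -15)   # Redirect binding
    except zlib.error:
        xml_bytes = raw                         # POST binding
    if b"<!DOCTYPE" in xml_bytes:               # never expand entities from captured input
        raise ValueError("DOCTYPE not allowed in a SAML message")
    issuer = ET.fromstring(xml_bytes).find(f"{{{SAML_NS}}}Issuer")
    if issuer is None or not issuer.text:
        raise ValueError("AuthnRequest has no Issuer element")
    return issuer.text                          # unmodified, for an exact comparison

def diagnose(issuer: str, identifiers: list[str]) -> str:
    """Compare the Issuer with the Identifier (Entity ID) values
    character-for-character and name the near-miss, if there is one."""
    if issuer in identifiers:
        return "match"
    for ident in identifiers:
        if issuer.rstrip("/") == ident.rstrip("/"):
            return f"trailing-slash mismatch with {ident!r}"
        if issuer.split("://", 1)[-1] == ident.split("://", 1)[-1]:
            return f"protocol mismatch with {ident!r}"
    return "no configured Identifier resembles this Issuer (check tenant and app)"

def constructed_saml_request(issuer: str) -> str:
    """Build a sample Redirect-binding SAMLRequest (constructed for this example)."""
    xml = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           f'xmlns:saml="{SAML_NS}" ID="_example" Version="2.0" '
           'IssueInstant="2024-01-01T00:00:00Z">'
           f'<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>')
    deflater = zlib.compressobj(wbits=-15)
    return base64.b64encode(deflater.compress(xml.encode()) + deflater.flush()).decode()

if __name__ == "__main__":
    configured = ["https://app.example.com"]    # constructed Identifier (Entity ID) list
    sent = issuer_from_saml_request(constructed_saml_request("https://app.example.com/"))
    print(sent, "->", diagnose(sent, configured))
```

The SAMLRequest value can be copied from the sign-in URL in the browser's network trace; URL-decode it before passing it in.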