Low severity · authentication
Power BI Error: AADSTS70005
What does this error mean?
The Microsoft Entra ID (Azure AD) authorization request specified a response_type that the app registration doesn't allow.
Common causes
1. response_type=token is requested but 'Access tokens (used for implicit flows)' is not enabled on the app registration's Authentication blade
2. response_type=id_token is requested but 'ID tokens (used for implicit and hybrid flows)' is not enabled
3. response_type=id_token (or 'id_token token') is sent without the 'openid' scope in the scope parameter
4. An unsupported or malformed value is passed in the encoded wctx / state parameter, or response_type combinations like 'code id_token' aren't configured as a valid hybrid flow
5. Legacy SPA or embedded report client still uses the implicit grant while the app registration has been migrated to the authorization code + PKCE flow
How to fix it
1. In the Azure/Entra portal open App registrations → your app → Authentication, and tick 'ID tokens' and/or 'Access tokens' to match the response_type your client sends, or remove the implicit flow client and switch to authorization code + PKCE
2. If you request response_type=id_token, ensure the scope parameter contains 'openid' (and typically 'profile'); without it Entra ID returns AADSTS70005
3. For Power BI Embedded / embed-for-your-customers scenarios, verify that MSAL.js / ADAL.js is configured for the same flow as the app registration (auth code with PKCE is the current recommendation; implicit is deprecated)
4. Decode the wctx/state parameter from the failing request and confirm it's valid Base64URL JSON; strip custom OAuth parameters that Entra ID doesn't recognize
5. Reproduce the sign-in with browser devtools (Network tab) or Fiddler, capture the /authorize request, and compare response_type, scope and redirect_uri against the app registration manifest
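
The comparison in steps 4 and 5 can be scripted. The following is an added example, not code from Microsoft or from this page: it checks a captured /authorize URL against the implicit-grant flags and redirect URIs of an app registration. The sample URL, placeholder client_id, sample registration and function names are constructed, and only the registration's "web" section is assumed to be relevant.

```python
import base64
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the registration fields that matter here, named as in
# the Microsoft Graph application resource.
SAMPLE_REGISTRATION = {"web": {
    "redirectUris": ["https://app.example/callback"],
    "implicitGrantSettings": {"enableAccessTokenIssuance": False,
                              "enableIdTokenIssuance": True},
}}
# Constructed sample /authorize request (placeholder client_id, state = {"n":1}).
SAMPLE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000"
    "&response_type=id_token+token&scope=profile"
    "&redirect_uri=https%3A%2F%2Fapp.example%2Fcallback&state=eyJuIjoxfQ"
)

def decode_state(value):
    """Return the JSON carried in a Base64URL state/wctx value, or None."""
    try:
        return json.loads(base64.urlsafe_b64decode(value + "=" * (-len(value) % 4)))
    except ValueError:  # covers bad Base64, bad UTF-8 and bad JSON
        return None

def diagnose_authorize_request(url, registration):
    """List mismatches between a captured /authorize URL and the registration."""
    query = parse_qs(urlsplit(url).query)
    param = lambda name: query.get(name, [""])[0]
    response_types = set(param("response_type").split())
    scopes = set(param("scope").split())
    web = registration["web"]
    implicit = web["implicitGrantSettings"]
    findings = []
    if "token" in response_types and not implicit["enableAccessTokenIssuance"]:
        findings.append("response_type has 'token' but 'Access tokens' is not enabled")
    if "id_token" in response_types and not implicit["enableIdTokenIssuance"]:
        findings.append("response_type has 'id_token' but 'ID tokens' is not enabled")
    if "id_token" in response_types and "openid" not in scopes:
        findings.append("response_type has 'id_token' but scope lacks 'openid'")
    if param("redirect_uri") not in web["redirectUris"]:
        findings.append("redirect_uri is not registered")
    if param("state") and decode_state(param("state")) is None:
        findings.append("state is not Base64URL-encoded JSON")
    return findings

if __name__ == "__main__":
    print("\n".join(diagnose_authorize_request(SAMPLE_URL, SAMPLE_REGISTRATION)))
```

An empty result means the request agrees with the registration on these points; the same request rewritten to response_type=code with scope "openid profile" produces no findings against the sample registration.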