What causes AADSTS700054?

The app registration in Entra ID does not have 'ID tokens' checked under Authentication > Implicit grant and hybrid flows.. The client (MSAL.js, ADAL, custom SPA) is configured with `response_type=id_token` or `id_token token` while the registration only allows code flow.. An app was migrated from ADAL to MSAL or from implicit to auth code + PKCE, but the client config still requests an `id_token` directly from the /authorize endpoint.. The wrong app registration / client_id is being used — ID tokens are enabled on a different registration than the one the request hits.. A multi-tenant app was re-provisioned in a new tenant where the implicit grant settings were not replicated.

How do I fix AADSTS700054?

Sign in to the Microsoft Entra admin center (entra.microsoft.com) as at least Cloud Application Administrator, go to Entra ID > App registrations and open the app whose `client_id` appears in the failing request.. Open Authentication > Implicit grant and hybrid flows and tick 'ID tokens (used for implicit and hybrid flows)'. Save and wait 1–2 minutes for propagation.. If you don't actually need implicit flow, change the client to authorization code flow with PKCE instead — set `response_type=code` in MSAL/your SPA config; this is the modern, recommended path for Power BI embedded and Fabric SPAs.. Verify the `client_id` in the failing /authorize request matches the registration you just edited — a mismatch means you fixed the wrong app.. For Power BI embed / custom apps, clear the browser cache (or test in a private window) so the old failed authorize response is not replayed, then retry the sign-in.

Low severityauthentication

Power BI Error:
AADSTS700054

What does this error mean?

The app requested an ID token from Azure AD / Entra ID, but ID token implicit grant is not enabled in the app registration.

Common causes

1The app registration in Entra ID does not have 'ID tokens' checked under Authentication > Implicit grant and hybrid flows.
2The client (MSAL.js, ADAL, custom SPA) is configured with `response_type=id_token` or `id_token token` while the registration only allows code flow.
3An app was migrated from ADAL to MSAL or from implicit to auth code + PKCE, but the client config still requests an `id_token` directly from the /authorize endpoint.
4The wrong app registration / client_id is being used — ID tokens are enabled on a different registration than the one the request hits.
5A multi-tenant app was re-provisioned in a new tenant where the implicit grant settings were not replicated.

How to fix it

1Sign in to the Microsoft Entra admin center (entra.microsoft.com) as at least Cloud Application Administrator, go to Entra ID > App registrations and open the app whose `client_id` appears in the failing request.
2Open Authentication > Implicit grant and hybrid flows and tick 'ID tokens (used for implicit and hybrid flows)'. Save and wait 1–2 minutes for propagation.
3If you don't actually need implicit flow, change the client to authorization code flow with PKCE instead — set `response_type=code` in MSAL/your SPA config; this is the modern, recommended path for Power BI embedded and Fabric SPAs.
4Verify the `client_id` in the failing /authorize request matches the registration you just edited — a mismatch means you fixed the wrong app.
5For Power BI embed / custom apps, clear the browser cache (or test in a private window) so the old failed authorize response is not replayed, then retry the sign-in.

Frequently asked questions

What does AADSTS700054 mean?

Response_type 'id_token' isn't enabled for the application. The application requested an ID token from the a

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes