Low severity · authentication
Power BI Error:
AADSTS75003
What does this error mean?
Microsoft Entra ID (Azure AD) could not send the SAML response because the app requested a binding other than HTTP POST.
Common causes
1. Application's SAML metadata sets the AssertionConsumerService (ACS) binding to HTTP-Redirect or HTTP-Artifact instead of urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST.
2. ProtocolBinding attribute in the AuthnRequest specifies a non-POST binding, so Entra ID has nowhere valid to send the response.
3. Enterprise Application in Microsoft Entra ID is configured with a Reply URL (ACS) registered under the wrong binding type.
4. Custom or legacy SAML SP implementation that defaults to SOAP/Artifact bindings not supported by Entra ID.
5. Federation metadata XML uploaded to Entra ID is stale or points to an old endpoint that no longer accepts HTTP POST.
How to fix it
1. Capture the SAML AuthnRequest (browser dev tools → Network, or SAML-tracer extension) and inspect the ProtocolBinding attribute — it must be urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST.
2. In the Microsoft Entra admin center → Enterprise applications → your app → Single sign-on, verify the Reply URL (ACS) is configured for HTTP POST and matches the application's ACS endpoint exactly.
3. On the application/SP side, update the SAML metadata so the AssertionConsumerService element uses Binding="...HTTP-POST" — re-upload the metadata to Entra ID if it's consumed from a file/URL.
4. Ask the application vendor to confirm support for the Microsoft Entra SAML implementation; some legacy SPs ship with Redirect/Artifact defaults that must be toggled in their admin config.
5. Re-test SSO and, if it still fails, follow Microsoft's "How to debug SAML-based single sign-on" tutorial to compare the captured request against Entra's SAML protocol requirements.
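
The binding checks in steps 1 and 3 can be scripted. The following is an added example, not part of the original page or of any Microsoft tooling: it decodes a captured SAMLRequest value and flags non-POST bindings in the AuthnRequest and in the SP metadata. The function names, the sp.example.com URLs and the sample XML are constructed for illustration.

```python
import base64, urllib.parse, zlib
import xml.etree.ElementTree as ET  # fine for your own captures; prefer defusedxml for untrusted XML

HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
MD_ACS = "{urn:oasis:names:tc:SAML:2.0:metadata}AssertionConsumerService"

def decode_saml_request(value):
    """Decode a captured SAMLRequest parameter (URL-encoded base64) into an XML element."""
    raw = base64.b64decode(urllib.parse.unquote(value))
    if not raw.startswith(b"<"):  # HTTP-Redirect captures are raw DEFLATE; POST ones are plain XML
        raw = zlib.decompressobj(-15).decompress(raw, 1 << 20)  # output capped at 1 MiB
    return ET.fromstring(raw)

def binding_findings(authn_request, sp_metadata):
    """Return the binding problems listed under the common causes; empty list if none."""
    findings = []
    requested = authn_request.get("ProtocolBinding")
    if requested not in (None, HTTP_POST):
        findings.append(f"AuthnRequest ProtocolBinding is {requested}")
    post_acs = set()
    for acs in sp_metadata.iter(MD_ACS):
        if acs.get("Binding") == HTTP_POST:
            post_acs.add(acs.get("Location"))
        else:
            findings.append(f"ACS {acs.get('Location')} uses {acs.get('Binding')}")
    acs_url = authn_request.get("AssertionConsumerServiceURL")
    if not post_acs:
        findings.append("metadata has no HTTP-POST AssertionConsumerService")
    elif acs_url and acs_url not in post_acs:
        findings.append(f"requested ACS {acs_url} is not an HTTP-POST endpoint in metadata")
    return findings

# Constructed sample data for a hypothetical SP at sp.example.com, not a real capture.
def sample_request(binding):
    xml = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           f'ID="_constructed" Version="2.0" ProtocolBinding="{binding}" '
           'AssertionConsumerServiceURL="https://sp.example.com/saml/acs"/>')
    raw_deflate = zlib.compress(xml.encode())[2:-4]  # strip zlib header and checksum
    return urllib.parse.quote(base64.b64encode(raw_deflate).decode(), safe="")

def sample_metadata(binding):
    return ET.fromstring(
        '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
        'entityID="https://sp.example.com"><md:SPSSODescriptor><md:AssertionConsumerService '
        f'Binding="{binding}" Location="https://sp.example.com/saml/acs"/>'
        '</md:SPSSODescriptor></md:EntityDescriptor>')
if __name__ == "__main__":
    print(binding_findings(decode_saml_request(sample_request(ARTIFACT)), sample_metadata(ARTIFACT)))
```

To use it on a real capture, pass the SAMLRequest value copied from the browser's Network tab to `decode_saml_request` and parse the SP's metadata file with `ET.parse(path).getroot()`.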