What causes AADSTS75005?

Missing required fields in the SAML AuthnRequest (e.g. Issuer, NameID policy, AssertionConsumerServiceURL). Incorrect SAML request encoding — Entra ID expects DEFLATE + Base64 for SAML-Redirect binding, raw Base64 for SAML-POST binding. Application sends a SAML 1.1 request to a SAML 2.0 endpoint, or hits the wrong Entra SSO URL. Malformed XML in the SAML request (invalid signatures, broken namespaces, missing ID/IssueInstant attributes). Application's SAML implementation doesn't conform to the Microsoft Entra SAML protocol profile

How do I fix AADSTS75005?

Capture the SAML AuthnRequest using browser dev tools (Network tab) or a SAML tracer extension — decode the SAMLRequest parameter via Base64 + inflate to see the raw XML. Validate the decoded SAML request against Microsoft's Entra SAML protocol requirements: check Issuer, Destination, AssertionConsumerServiceURL, ID, IssueInstant, and Version="2.0". Verify the encoding matches the binding: DEFLATE + Base64 + URL-encode for HTTP-Redirect, plain Base64 for HTTP-POST. Confirm the app is hitting the correct Entra SSO endpoint (https://login.microsoftonline.com/{tenant-id}/saml2) and that the Enterprise Application in Entra is configured for SAML-based SSO (not OIDC). Share the captured SAML request with the application vendor and reference Microsoft's 'Debug SAML-based single sign-on' tutorial — the fix is on the SP/app side, not in Entra ID configuration

Low severityauthentication

Power BI Refresh Error:
AADSTS75005

What does this error mean?

Microsoft Entra ID (Azure AD) rejected the SAML request because it doesn't conform to the SAML 2.0 protocol requirements.

Common causes

1Missing required fields in the SAML AuthnRequest (e.g. Issuer, NameID policy, AssertionConsumerServiceURL)
2Incorrect SAML request encoding — Entra ID expects DEFLATE + Base64 for SAML-Redirect binding, raw Base64 for SAML-POST binding
3Application sends a SAML 1.1 request to a SAML 2.0 endpoint, or hits the wrong Entra SSO URL
4Malformed XML in the SAML request (invalid signatures, broken namespaces, missing ID/IssueInstant attributes)
5Application's SAML implementation doesn't conform to the Microsoft Entra SAML protocol profile

How to fix it

1Capture the SAML AuthnRequest using browser dev tools (Network tab) or a SAML tracer extension — decode the SAMLRequest parameter via Base64 + inflate to see the raw XML
2Validate the decoded SAML request against Microsoft's Entra SAML protocol requirements: check Issuer, Destination, AssertionConsumerServiceURL, ID, IssueInstant, and Version="2.0"
3Verify the encoding matches the binding: DEFLATE + Base64 + URL-encode for HTTP-Redirect, plain Base64 for HTTP-POST
4Confirm the app is hitting the correct Entra SSO endpoint (https://login.microsoftonline.com/{tenant-id}/saml2) and that the Enterprise Application in Entra is configured for SAML-based SSO (not OIDC)
5Share the captured SAML request with the application vendor and reference Microsoft's 'Debug SAML-based single sign-on' tutorial — the fix is on the SP/app side, not in Entra ID configuration

Frequently asked questions

What does AADSTS75005 mean?

Microsoft Entra doesn’t support the SAML request sent by the app for SSO. T

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/troubleshoot/azure/active-directory/error-code-aadsts75005-not-a-valid-saml-request