MetricSign
Start free
Low severityauthentication

Power BI Error:
AADSTS750054, SAMLRequest Missing in Redirect Binding: Causes & Fix

What does this error mean?

Microsoft Entra ID (Azure AD) received a SAML SSO request without a SAMLRequest or SAMLResponse query parameter.

Common causes

  • 1The application only supports IdP-initiated SSO but was launched via an SP-initiated sign-in URL, so no SAMLRequest is ever generated
  • 2The Sign-on URL configured in the Entra ID Enterprise Application points to a page that does not actually issue a SAML AuthnRequest
  • 3The Service Provider sends the AuthnRequest via HTTP POST binding (or a raw GET) instead of HTTP Redirect binding with the request encoded in the Location header
  • 4Single sign-on is not fully enabled or configured on the application (SP) side
  • 5A user bookmarked or pasted the bare Entra ID SAML2 endpoint (login.microsoftonline.com/<tenant>/saml2) without the AuthnRequest query parameters

How to fix it

  1. 1In the Microsoft Entra admin center → Enterprise Applications → <your app> → Single sign-on, click 'Test this application', paste AADSTS750054 in the 'Resolving Errors' box and follow the generated resolution guidance
  2. 2Confirm whether the application supports SP-initiated SSO; if it only supports IdP-initiated, launch it via the My Apps portal or the User access URL instead of a direct sign-in link
  3. 3Verify the Sign on URL in the Basic SAML Configuration matches the SP endpoint that actually issues the AuthnRequest (not a generic landing page)
  4. 4On the SP side, ensure the AuthnRequest is DEFLATE-compressed, Base64-encoded and sent as a SAMLRequest query parameter via an HTTP 302 Redirect — see SAML 2.0 spec section 3.4 (HTTP Redirect Binding)
  5. 5If the SP only supports HTTP POST binding, reconfigure the app on the SP side to use Redirect binding for the AuthnRequest, since Entra ID's SAML2 endpoint expects Redirect binding for this flow

Beyond the docs

Common practitioner solutions not covered in the official documentation.

  1. 1SP-initiated vs IdP-initiated: AADSTS750054 occurs when a browser hits the Entra SAML endpoint directly without a SAMLRequest. Always start SSO from the application's own login page (SP-initiated) — do not bookmark or deep-link to login.microsoftonline.com/saml2
  2. 2SAML-tracer: Install the SAML-tracer browser extension (Firefox/Chrome) and reproduce the failed sign-in — it captures the raw HTTP requests and shows whether the SP is generating and sending a SAMLRequest in the redirect
  3. 3Sign-on URL: In Entra ID → Enterprise applications → your app → Single sign-on, verify the 'Sign on URL' is the SP-initiated login endpoint of your application — not the Entra ID SSO URL itself
  4. 4Reply URL / ACS URL: Confirm the Assertion Consumer Service URL configured in Entra matches the endpoint your SP registered. A mismatch can prevent the SP from generating a valid SAMLRequest entirely
  5. 5Test with My Apps: Use the My Apps portal (myapps.microsoft.com) to launch the app — this triggers an IdP-initiated flow. If it works there but not via direct URL, the SP-initiated configuration in the application is the issue

Example log output

# Browser address bar / error page from login.microsoftonline.com:
AADSTS750054: SAMLRequest is required in the query for SAML Redirect binding.

# HTTP 400 response body:
{
  "error": "invalid_request",
  "error_description": "AADSTS750054: SAMLRequest is required in the query for SAML Redirect binding."
}

Frequently asked questions

What does AADSTS750054 mean?

AADSTS750054 means Azure AD received a request to the SAML SSO endpoint without a SAMLRequest parameter in the URL. SAML Redirect binding requires the service provider (your application) to initiate the flow by generating a SAMLRequest and redirecting the user to Azure AD with that request included in the URL query string.

How do I fix AADSTS750054?

The most common fix is to ensure users start the sign-in from the application's own login page rather than navigating directly to the Azure AD SSO URL. Also verify the Sign-on URL in Entra ID → Enterprise applications → your app → Single sign-on points to the SP-initiated login endpoint. If your app only supports IdP-initiated SSO, launch it via the My Apps portal instead.

Why does AADSTS750054 happen after bookmarking a URL?

When a user bookmarks or copies the Entra ID SAML endpoint URL directly (e.g., from their browser history during a previous login), subsequent visits hit the endpoint without a SAMLRequest because there is no SP to generate one. The fix is to bookmark the application URL itself, not the Azure AD login redirect.

Does AADSTS750054 occur with both SP-initiated and IdP-initiated SAML flows?

AADSTS750054 only occurs when the Redirect binding receives no SAMLRequest. It typically means an SP-initiated flow was attempted incorrectly — either the SP isn't generating the request, or the user navigated directly to the IdP URL. IdP-initiated flows launched from the My Apps portal or a configured app tile don't require a SAMLRequest and won't trigger this error.

How do I test whether my SAML SP is generating a valid SAMLRequest?

Install the SAML-tracer browser extension (available for Chrome and Firefox). Reproduce the failed sign-in with the extension open — it highlights SAML requests and responses in the network log. A working SP-initiated flow shows a SAMLRequest parameter in the redirect to login.microsoftonline.com. If no SAMLRequest appears, the issue is in your application's SAML library or configuration.

Source · learn.microsoft.com/en-us/troubleshoot/azure/active-directory/error-code-aadsts750054-saml-request-not-present

Other authentication errors