What causes AADSTS75008?

The Destination attribute in the SAML AuthnRequest points to a different Entra ID tenant or a stale endpoint. Application is configured with the old/generic SAML endpoint instead of the tenant-specific URL (login.microsoftonline.com/ /saml2). Tenant ID in the SAML request doesn't match the tenant where the Enterprise Application is registered. SAML request signed with metadata copied from a different (test/dev) tenant. Reverse proxy or custom domain rewriting the Destination URL incorrectly before it reaches Entra ID

How do I fix AADSTS75008?

On the application side, update the SAML Identity Provider Login URL to the tenant-specific endpoint shown in Entra ID > Enterprise Applications > > Single sign-on (format: https://login.microsoftonline.com/ /saml2). Capture the SAML AuthnRequest (browser dev tools or SAML tracer) and decode it — verify the Destination attribute exactly matches the Entra ID Login URL. Re-import the federation metadata XML from Entra ID into the application to overwrite stale endpoint values. Confirm the Tenant ID in the Destination URL matches the tenant where the Enterprise Application lives (not a different directory). If a reverse proxy or custom hostname sits in front of the SSO flow, ensure it doesn't rewrite or strip the Destination URL

High severityauthentication

Power BI Error:
AADSTS75008, Unexpected Destination

What does this error mean?

Azure AD/Entra ID rejected the SAML AuthnRequest because the Destination attribute didn't match the expected SSO endpoint.

Common causes

1The Destination attribute in the SAML AuthnRequest points to a different Entra ID tenant or a stale endpoint
2Application is configured with the old/generic SAML endpoint instead of the tenant-specific URL (login.microsoftonline.com/<tenant-id>/saml2)
3Tenant ID in the SAML request doesn't match the tenant where the Enterprise Application is registered
4SAML request signed with metadata copied from a different (test/dev) tenant
5Reverse proxy or custom domain rewriting the Destination URL incorrectly before it reaches Entra ID

How to fix it

1On the application side, update the SAML Identity Provider Login URL to the tenant-specific endpoint shown in Entra ID > Enterprise Applications > <app> > Single sign-on (format: https://login.microsoftonline.com/<tenant-id>/saml2)
2Capture the SAML AuthnRequest (browser dev tools or SAML tracer) and decode it — verify the Destination attribute exactly matches the Entra ID Login URL
3Re-import the federation metadata XML from Entra ID into the application to overwrite stale endpoint values
4Confirm the Tenant ID in the Destination URL matches the tenant where the Enterprise Application lives (not a different directory)
5If a reverse proxy or custom hostname sits in front of the SSO flow, ensure it doesn't rewrite or strip the Destination URL

Frequently asked questions

What does AADSTS75008 mean?

The request from the app was denied since the SAML request had an unexpected destination.

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes