Low severity | authentication
Power BI Error: AADSTS75011
What does this error mean?
SAML request specifies a RequestedAuthnContext that doesn't match the authentication method already used by the user.
Common causes
1. The SAML request contains a RequestedAuthnContext (e.g. urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport) that differs from the method the user already used to sign in
2. A federated user has already authenticated via WIA/ADFS with urn:federation:authentication:windows, but the app requests a different AuthnContextClassRef
3. The app requests an MFA-specific context (e.g. 'X509, MultiFactor') while the existing session was established with single-factor authentication
4. Microsoft Entra ID passes through the IdP's original AuthnContext instead of performing a fresh authentication, causing a mismatch
5. ForceAuthn="false" (or omitted) in the SAML request, so Entra ID reuses the cached authentication context
How to fix it
1. Capture the SAML AuthnRequest (browser SAML tracer or Fiddler), inspect the <RequestedAuthnContext> element, and note the exact AuthnContextClassRef value
2. If the application doesn't strictly require a specific authentication method, remove the RequestedAuthnContext element from the SAML request entirely (RequestedAuthnContext is optional)
3. If the AuthnContext must be honored, set ForceAuthn="true" in the SAML AuthnRequest so Entra ID performs a fresh authentication that matches the requested context
4. Check the federation chain: if users come in via ADFS or another IdP, verify that the upstream IdP can issue the requested AuthnContextClassRef; otherwise change the app's required context to match what the IdP emits (e.g. urn:federation:authentication:windows for WIA)
5. For MFA-related mismatches, configure a Conditional Access policy that enforces MFA instead of relying on the SAML AuthnContext, then drop the MultiFactor RequestedAuthnContext from the request
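
For step 1, a captured SAMLRequest value can be decoded and checked offline. The script below is an added example, not Microsoft's or the application's code: it decodes the request, lists the requested AuthnContextClassRef values and the ForceAuthn flag, and classifies the request against the causes listed above. The function names, the session_method parameter, the verdict labels and the sample request are assumptions made for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def decode_saml_request(value):
    """Turn a URL-decoded SAMLRequest parameter into AuthnRequest XML."""
    raw = base64.b64decode(value)
    if raw.startswith(b"<"):            # HTTP-POST binding: base64 only
        return raw.decode("utf-8")
    return zlib.decompress(raw, -15).decode("utf-8")  # HTTP-Redirect: raw DEFLATE

def assess_authn_request(xml_text, session_method=None):
    """Report the requested context and whether a cached session could clash.

    session_method is the AuthnContextClassRef of the user's existing sign-in,
    if known (hypothetical parameter; exact string match is an assumption).
    """
    root = ET.fromstring(xml_text)      # input is your own capture, not untrusted XML
    rac = root.find("samlp:RequestedAuthnContext", NS)
    refs = [] if rac is None else [
        (e.text or "").strip() for e in rac.findall("saml:AuthnContextClassRef", NS)]
    force = (root.get("ForceAuthn") or "false").strip().lower() in ("true", "1")
    if not refs:
        verdict = "no-requested-context"   # nothing to mismatch
    elif force:
        verdict = "fresh-auth-forced"      # session is not reused
    elif session_method in refs:
        verdict = "session-matches"
    else:
        verdict = "mismatch-risk"          # also returned when session_method is unknown
    return {"class_refs": refs, "force_authn": force, "verdict": verdict,
            "comparison": None if rac is None else rac.get("Comparison", "exact")}

# Constructed sample request (not taken from a real tenant or application).
SAMPLE = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://app.example.test</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

if __name__ == "__main__":
    print(assess_authn_request(SAMPLE, "urn:federation:authentication:windows"))
```

A "mismatch-risk" verdict points to fix steps 2 to 4; "fresh-auth-forced" and "no-requested-context" mean the request itself is unlikely to be the cause.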