Low severity · authentication

Power BI Error: AADSTS75016

What does this error mean?

The SAML2 AuthnRequest sent to Microsoft Entra ID (Azure AD) contains a NameIDPolicy that Entra ID does not accept.

Common causes

  • NameIDPolicy Format is set to a URI that Entra ID does not support (e.g. urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos or X509SubjectName)
  • AllowCreate attribute is set to 'false' while the user has no pre-existing persistent NameID in Entra ID
  • SPNameQualifier in the NameIDPolicy does not match the Entity ID / Identifier configured on the Enterprise Application in Entra ID
  • Custom SAML SP (non-gallery app) sends a malformed or empty NameIDPolicy element in the AuthnRequest
  • Mismatch between the SP's expected NameID format and the 'User Identifier' / claim mapping configured on the Enterprise Application

How to fix it

  1. Capture the raw SAML AuthnRequest (browser SAML-tracer extension or Fiddler) and inspect the <samlp:NameIDPolicy> element — note the Format, AllowCreate and SPNameQualifier attributes
  2. In the SP configuration, change the NameIDPolicy Format to a value Entra ID supports: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified, :emailAddress, or urn:oasis:names:tc:SAML:2.0:nameid-format:persistent — or remove the NameIDPolicy element so Entra ID uses its default
  3. Set AllowCreate='true' (or omit the attribute) in the AuthnRequest so Entra ID can issue a NameID for first-time users
  4. In Entra ID > Enterprise Applications > [your app] > Single sign-on, verify that the 'Unique User Identifier (Name ID)' claim Format matches what the SP requests, and that the Identifier (Entity ID) matches the SPNameQualifier
  5. If you do not control the SP, contact the application vendor with the captured AuthnRequest and ask them to align the NameIDPolicy with Entra ID's supported formats (docs: learn.microsoft.com/entra/identity-platform/single-sign-on-saml-protocol)
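As an added example (not from this page or from Microsoft), the following Python script automates the inspection in steps 1 to 4: it decodes a captured SAMLRequest parameter and checks the NameIDPolicy's Format, AllowCreate and SPNameQualifier against the values Entra ID accepts. The sample AuthnRequest and the Entity ID https://sp.example.com/app are constructed for the demonstration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# NameID formats Entra ID accepts in NameIDPolicy (the three listed in step 2)
SUPPORTED_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
}

def decode_saml_request(value):
    """Decode an (already URL-decoded) SAMLRequest parameter into XML text: HTTP-POST
    carries plain base64 XML, HTTP-Redirect carries base64 of raw DEFLATE (wbits=-15)."""
    raw = base64.b64decode(value)
    if raw.lstrip().startswith(b"<"):
        return raw.decode()
    return zlib.decompress(raw, -15).decode()

def lint_nameid_policy(xml_text, expected_entity_id):
    """Return findings for <samlp:NameIDPolicy>; empty list = passes the three checks.
    expected_entity_id is the Identifier (Entity ID) set on the Enterprise Application."""
    root = ET.fromstring(xml_text)
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    findings = []
    if policy is None:
        return findings  # no element at all: Entra ID applies its default NameID
    fmt = policy.get("Format")
    if fmt is not None and fmt not in SUPPORTED_FORMATS:
        findings.append(f"unsupported Format: {fmt}")
    if policy.get("AllowCreate", "true").lower() in ("false", "0"):
        findings.append("AllowCreate='false': first-time users without a persistent NameID will fail")
    spnq = policy.get("SPNameQualifier")
    if spnq is not None and spnq != expected_entity_id:
        findings.append(f"SPNameQualifier {spnq} does not match Entity ID {expected_entity_id}")
    return findings

# Constructed sample AuthnRequest (hypothetical SP) that trips all three checks.
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
    '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos" '
    'AllowCreate="false" SPNameQualifier="https://sp.example.com/wrong-id"/>'
    '</samlp:AuthnRequest>'
)
_c = zlib.compressobj(wbits=-15)  # encode it the way the Redirect binding would
SAMPLE_REQUEST = base64.b64encode(_c.compress(SAMPLE_XML.encode()) + _c.flush()).decode()
```

Run `lint_nameid_policy(decode_saml_request(SAMPLE_REQUEST), "https://sp.example.com/app")` to see the three findings; a request that omits NameIDPolicy produces none, matching the "remove the element" option in step 2.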

Frequently asked questions

What does AADSTS75016 mean?

Saml2AuthenticationRequestInva

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes
