Low severity | authentication
Power BI Error: AADSTS76021
What does this error mean?
The client sent an unsigned authentication request, but the Azure AD / Entra ID application is configured to require signed requests.
Common causes
1. The Enterprise Application / app registration has 'Require Verifiable Request' (signedRequest) enabled, but the SAML SP or OIDC client is not configured to sign AuthnRequests
2. Signing certificate is configured on the IdP side but the matching private key is missing or expired on the client/SP, so requests go out unsigned
3. Custom or third-party SAML integration (e.g. legacy reporting tool, on-prem gateway) does not support request signing at all
4. Mismatch between the signing algorithm expected by Entra ID (RSA-SHA256) and what the client uses, causing the request to be treated as unsigned
5. Federation metadata on the SP side was regenerated without re-enabling the 'sign AuthnRequest' option
How to fix it
1. Open the affected app in Entra admin center → Enterprise Applications → Single sign-on, and check whether 'Require Verifiable Request' / signed requests is enabled. If signing isn't strictly required, disable it as a quick unblock
2. If signing must stay on, configure the SAML SP or client library to sign AuthnRequests with a valid X.509 certificate using RSA-SHA256, and upload the matching public certificate to the Entra app's SAML signing settings
3. Verify the signing certificate on the client is not expired and that the private key is accessible to the process making the request (check certificate store / key vault binding)
4. Capture a SAML trace (browser dev tools or SAML-tracer extension) and confirm the outgoing AuthnRequest contains a <ds:Signature> block. If it is missing, the issue is purely client-side configuration
5. For OIDC clients, ensure 'Request signing' / signed JWT request objects are enabled and the client is sending the request as a signed JWT (request parameter), not a plain query string
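
The check in step 4 can be scripted against a captured request. The following is an added example, not code from this page or from Microsoft. It goes slightly beyond the step as written: with the SAML HTTP-Redirect binding the signature travels in the `Signature` and `SigAlg` query parameters rather than in a `<ds:Signature>` element, so both bindings are handled. The function names, the `idp.example` URL and the sample requests are constructed for illustration, and the script reports only whether a signature is present and which algorithm it declares, not whether it is cryptographically valid.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

DSIG = "{http://www.w3.org/2000/09/xmldsig#}"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

def verdict(signed, alg):
    if not signed:
        return "unsigned"
    return "signed" if alg == RSA_SHA256 else f"signed-unexpected-alg:{alg}"

def check_redirect(url):
    """HTTP-Redirect binding: the signature is carried in the query string."""
    q = parse_qs(urlsplit(url).query)
    xml = zlib.decompress(base64.b64decode(q["SAMLRequest"][0]), -15)  # raw DEFLATE
    ET.fromstring(xml)  # raises if the captured request is truncated or corrupt
    return verdict("Signature" in q, q.get("SigAlg", [None])[0])

def check_post(saml_request_b64):
    """HTTP-POST binding: the signature is a <ds:Signature> child element."""
    root = ET.fromstring(base64.b64decode(saml_request_b64))
    sig = root.find(DSIG + "Signature")
    if sig is None:
        return verdict(False, None)
    method = next(sig.iter(DSIG + "SignatureMethod"), None)
    return verdict(True, None if method is None else method.get("Algorithm"))

# Constructed sample captures (not real traffic); idp.example is a placeholder.
REQ = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
       'ID="_constructed" Version="2.0">%s</samlp:AuthnRequest>')
SIG = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
       f'<ds:SignatureMethod Algorithm="{RSA_SHA256}"/></ds:SignedInfo></ds:Signature>')

def deflate_b64(xml):
    c = zlib.compressobj(wbits=-15)
    return base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()

UNSIGNED_REDIRECT = "https://idp.example/saml2?" + urlencode({"SAMLRequest": deflate_b64(REQ % "")})
SIGNED_REDIRECT = UNSIGNED_REDIRECT + "&" + urlencode(
    {"SigAlg": RSA_SHA256, "Signature": "Y29uc3RydWN0ZWQ="})
UNSIGNED_POST = base64.b64encode((REQ % "").encode()).decode()
SIGNED_POST = base64.b64encode((REQ % SIG).encode()).decode()

if __name__ == "__main__":
    for name in ("UNSIGNED_REDIRECT", "SIGNED_REDIRECT", "UNSIGNED_POST", "SIGNED_POST"):
        check = check_redirect if "REDIRECT" in name else check_post
        print(name, "->", check(globals()[name]))
```

An "unsigned" result matches the condition AADSTS76021 reports; a "signed-unexpected-alg" result corresponds to the algorithm mismatch listed under common causes.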