What causes AADSTS76026?

Clock drift on the on-premises federation server (AD FS, Ping, Okta, Shibboleth) versus Entra ID — Microsoft allows only a few minutes of skew on the SAML IssueInstant. NTP / time synchronization broken on the IdP host or on a domain controller in the federation chain. SAML AuthnRequest cached, replayed or delayed by a proxy, load balancer or browser back-button before reaching login.microsoftonline.com. Wrong timezone or daylight-saving configuration on the federation server (IssueInstant must be UTC, ending in 'Z'). Federated identity provider misconfiguration generating IssueInstant in local time instead of UTC

How do I fix AADSTS76026?

On the federated IdP (AD FS / Ping / Okta / Shibboleth) verify system time against an authoritative NTP source — drift must be under ~5 minutes versus UTC; restart w32time or chronyd if needed. Inspect the SAML AuthnRequest (browser dev tools → SAML-tracer, or Fiddler) and confirm the IssueInstant attribute is in UTC and within the last few minutes. Check that the federation server's timezone is correct and that DST changes were applied; SAML libraries must emit IssueInstant with the trailing 'Z' (Zulu/UTC). Re-run the sign-in in a fresh private window to rule out a cached/replayed AuthnRequest from a stale browser tab or back-button navigation. If the IdP is behind a reverse proxy or WAF, verify it is not buffering or replaying the SAML POST; reduce request latency to the Entra ID endpoint

High severityauthentication

Power BI Error:
AADSTS76026

What does this error mean?

The IssueTime timestamp in a SAML2 authentication request is older than Entra ID accepts, so the request is rejected.

Common causes

1Clock drift on the on-premises federation server (AD FS, Ping, Okta, Shibboleth) versus Entra ID — Microsoft allows only a few minutes of skew on the SAML IssueInstant
2NTP / time synchronization broken on the IdP host or on a domain controller in the federation chain
3SAML AuthnRequest cached, replayed or delayed by a proxy, load balancer or browser back-button before reaching login.microsoftonline.com
4Wrong timezone or daylight-saving configuration on the federation server (IssueInstant must be UTC, ending in 'Z')
5Federated identity provider misconfiguration generating IssueInstant in local time instead of UTC

How to fix it

1On the federated IdP (AD FS / Ping / Okta / Shibboleth) verify system time against an authoritative NTP source — drift must be under ~5 minutes versus UTC; restart w32time or chronyd if needed
2Inspect the SAML AuthnRequest (browser dev tools → SAML-tracer, or Fiddler) and confirm the IssueInstant attribute is in UTC and within the last few minutes
3Check that the federation server's timezone is correct and that DST changes were applied; SAML libraries must emit IssueInstant with the trailing 'Z' (Zulu/UTC)
4Re-run the sign-in in a fresh private window to rule out a cached/replayed AuthnRequest from a stale browser tab or back-button navigation
5If the IdP is behind a reverse proxy or WAF, verify it is not buffering or replaying the SAML POST; reduce request latency to the Entra ID endpoint

Frequently asked questions

What does AADSTS76026 mean?

IssueTime in an SAML2 Authentication Request is expired.

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes