Low severityauthentication
Power BI Error:
AADSTS90004
What does this error mean?
The OAuth/OpenID Connect request sent to Microsoft Entra ID (Azure AD) is malformed and cannot be parsed.
Common causes
- 1Missing or malformed required parameter in the auth request (client_id, redirect_uri, response_type, scope or grant_type)
- 2redirect_uri is not URL-encoded properly, contains a trailing slash mismatch, or doesn't exactly match a Redirect URI registered on the Entra ID app registration
- 3Duplicated query-string parameters (e.g. two scope= or two client_id= values) caused by a misconfigured SDK, proxy or gateway
- 4Wrong content-type on the token endpoint POST — must be application/x-www-form-urlencoded, not application/json
- 5Custom-built or outdated authentication code constructing the request manually instead of using MSAL, leading to invalid characters or missing parameters
How to fix it
- 1Capture the exact failing request URL or POST body (browser DevTools → Network, or Fiddler) and inspect the parameters sent to login.microsoftonline.com — this immediately reveals which one is malformed or missing
- 2Verify every required parameter is present and correctly URL-encoded: client_id, redirect_uri, response_type, scope, and (for token requests) grant_type and client_secret/assertion
- 3Compare the redirect_uri in the request character-for-character with the Redirect URIs configured under Entra ID → App registrations → your app → Authentication; trailing slashes, http vs https and casing must match exactly
- 4If you're calling the /token endpoint, confirm the POST uses Content-Type: application/x-www-form-urlencoded and that no parameter appears twice in the body
- 5Replace any hand-rolled auth code with the Microsoft Authentication Library (MSAL) for your platform — MSAL constructs the request correctly and eliminates the most common causes of AADSTS90004