What causes AADSTS90005?

The /authorize request includes both login_hint and sid (session identifier) — only one is allowed. Application code appends login_hint while an MSAL/ADAL session already injects an identifier. Custom SSO wrapper passes both a username hint and a domain_hint pointing to a different identity. Embedded Power BI / Fabric scenario where the host app forwards a login_hint while the embed token already carries a user identifier. Misconfigured federation provider that adds an extra identifier parameter on top of the original request

How do I fix AADSTS90005?

Capture the full /authorize URL (browser network tab or Fiddler) and list every parameter — locate the duplicate hint/identifier pair. In your auth library config (MSAL.js, MSAL.NET, ADAL, Power BI embed) remove the explicit loginHint/extraQueryParameters when the SDK already supplies a sid or account object. If you use AcquireTokenSilent followed by an interactive call, pass the IAccount object instead of a manual login_hint string to avoid both being sent. For Power BI Embedded: check the embed configuration — don't set both `tokenType` user identifier and a login_hint in the iframe URL. Re-test the sign-in; if the error persists, enable Entra ID sign-in logs (Microsoft Entra admin center → Monitoring → Sign-in logs) and inspect the failing request's Additional Details

Low severityauthentication

Power BI Error:
AADSTS90005

What does this error mean?

OAuth/OIDC authorize request contains both login_hint and identifier (or similar mutually exclusive parameters).

Common causes

1The /authorize request includes both login_hint and sid (session identifier) — only one is allowed
2Application code appends login_hint while an MSAL/ADAL session already injects an identifier
3Custom SSO wrapper passes both a username hint and a domain_hint pointing to a different identity
4Embedded Power BI / Fabric scenario where the host app forwards a login_hint while the embed token already carries a user identifier
5Misconfigured federation provider that adds an extra identifier parameter on top of the original request

How to fix it

1Capture the full /authorize URL (browser network tab or Fiddler) and list every parameter — locate the duplicate hint/identifier pair
2In your auth library config (MSAL.js, MSAL.NET, ADAL, Power BI embed) remove the explicit loginHint/extraQueryParameters when the SDK already supplies a sid or account object
3If you use AcquireTokenSilent followed by an interactive call, pass the IAccount object instead of a manual login_hint string to avoid both being sent
4For Power BI Embedded: check the embed configuration — don't set both `tokenType` user identifier and a login_hint in the iframe URL
5Re-test the sign-in; if the error persists, enable Entra ID sign-in logs (Microsoft Entra admin center → Monitoring → Sign-in logs) and inspect the failing request's Additional Details

Frequently asked questions

What does AADSTS90005 mean?

Unable to complete the request. The request i

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes