MetricSign
Low severity · authentication

Power BI Error: AADSTS90010

What does this error mean?

Azure AD/Entra ID rejected the sign-in because the requested cryptographic algorithm is not supported by the token issuance endpoint.

Common causes

  • SAML application configured with an unsupported signature or digest algorithm (e.g. SHA-1 forced where the tenant requires SHA-256, or a non-standard XML signature method)
  • OIDC/OAuth2 client requesting a JWT signing algorithm other than RS256 in the request_object_signing_alg or id_token_signed_response_alg (HS256, ES256K, none, etc. are not accepted)
  • Token encryption configured with an unsupported JWE 'alg'/'enc' pair on the application registration's tokenEncryptionKeyId / optional claims
  • Custom SAML signing certificate using an unsupported key type or curve (e.g. non-RSA, RSA <2048 bits, or EC keys for SAML signing)
  • Malformed authentication request where the algorithm parameter is empty, mistyped, or sent in the wrong casing/format

How to fix it

  1. Identify the algorithm being requested: capture the failing request (Fiddler / browser network tab / SAML-tracer) and inspect the SAML <ds:SignatureMethod>/<ds:DigestMethod> or the OIDC request_object_signing_alg / id_token_signed_response_alg value
  2. For SAML apps, in Entra admin center → Enterprise applications → your app → Single sign-on → SAML Signing Certificate, set Signing Algorithm to SHA-256 and ensure the certificate is RSA 2048+ bits
  3. For OIDC/OAuth2 apps, update the client/SDK configuration so the signing algorithm is RS256 (the only JWT signing alg Entra ID issues for ID tokens) and remove any HS256/ES256/'none' overrides
  4. If you configured token encryption, verify the encryption key under App registration → Token configuration uses an RSA key and a supported JWE algorithm (RSA-OAEP with A256GCM); remove unsupported combinations
  5. Re-test sign-in and, if it still fails, raise a Microsoft support ticket with the correlation ID from the error page — this code has no public troubleshooting article and Microsoft can confirm which algorithm was rejected
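
An added example for step 1 (not code from this page or from Microsoft): it reads the signature and digest algorithm URIs out of a captured SAML request and the alg value out of a JWT header, and compares them with the SHA-256 / RS256 values that steps 2 and 3 call for. The function names and the sample request are constructed for illustration, and the SAML input is assumed to be already decoded to XML.

```python
import base64
import json
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
# Values the fix steps above call for: SHA-256 for SAML, RS256 for JWTs.
EXPECTED_SAML = {
    "SignatureMethod": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "DigestMethod": "http://www.w3.org/2001/04/xmlenc#sha256",
}
EXPECTED_JWT_ALG = "RS256"


def saml_algorithms(xml_text):
    """Return [(element, algorithm_uri, matches_expected)] for each ds: method element."""
    # Parse only traces you captured yourself; use defusedxml for untrusted XML.
    root = ET.fromstring(xml_text)
    found = []
    for name, expected in EXPECTED_SAML.items():
        for el in root.iter(DS + name):
            uri = el.get("Algorithm", "")
            found.append((name, uri, uri == expected))
    return found


def jwt_alg(token):
    """Return (alg, matches_expected) from a compact JWT header, without verifying it."""
    header_b64 = token.split(".")[0]
    header_b64 += "=" * (-len(header_b64) % 4)  # restore stripped base64url padding
    header = json.loads(base64.urlsafe_b64decode(header_b64))
    alg = header.get("alg", "")
    # Exact, case-sensitive match: an empty or mis-cased value is also a finding.
    return alg, alg == EXPECTED_JWT_ALG


# Constructed sample: signature block of a SAML request that still uses SHA-1.
SAMPLE_SAML = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#_constructed">
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    </ds:Reference>
  </ds:SignedInfo></ds:Signature>
</samlp:AuthnRequest>"""

if __name__ == "__main__":
    for name, uri, ok in saml_algorithms(SAMPLE_SAML):
        print(f"{name}: {uri} -> {'ok' if ok else 'REVIEW'}")
```

Any entry flagged for review is the value to correct in the application or SDK configuration before re-testing.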

Frequently asked questions

What does AADSTS90010 mean?

Unable to create the algorithm.

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes
