What causes AADSTS90013?

The user typed a UPN or email with invalid characters, extra whitespace, or a missing domain (e.g. 'john@' or 'john.doe@contoso'). The application sends a malformed login_hint parameter to the /authorize endpoint. The authority URL contains an invalid tenant ID or domain (e.g. 'login.microsoftonline.com//' or a GUID with wrong length). A custom sign-in form forwards an empty or non-string value as username to MSAL/ADAL. URL-encoding issues where '+' or '@' characters in the username get double-encoded or stripped

How do I fix AADSTS90013?

Capture the exact value that was submitted - check browser network tab for the /authorize request and inspect the login_hint and username parameters. Validate the UPN format client-side before calling MSAL: must match ` @ ` with no spaces or control characters. Verify the authority URL in your MSAL/ADAL config: should be `https://login.microsoftonline.com/ ` with a single trailing slash and a valid GUID or verified domain. If using login_hint, ensure the value comes from a trusted source (token claim or directory lookup), not raw user input. Reproduce in a private browser window to rule out cached/corrupted session cookies from a previous bad sign-in attempt

Low severityauthentication

Power BI Refresh Error:
AADSTS90013

What does this error mean?

Microsoft Entra ID (Azure AD) rejected the sign-in because a user-supplied value (UPN, tenant ID, or login_hint) is malformed.

Common causes

1The user typed a UPN or email with invalid characters, extra whitespace, or a missing domain (e.g. 'john@' or 'john.doe@contoso')
2The application sends a malformed login_hint parameter to the /authorize endpoint
3The authority URL contains an invalid tenant ID or domain (e.g. 'login.microsoftonline.com//' or a GUID with wrong length)
4A custom sign-in form forwards an empty or non-string value as username to MSAL/ADAL
5URL-encoding issues where '+' or '@' characters in the username get double-encoded or stripped

How to fix it

1Capture the exact value that was submitted - check browser network tab for the /authorize request and inspect the login_hint and username parameters
2Validate the UPN format client-side before calling MSAL: must match `<localpart>@<domain.tld>` with no spaces or control characters
3Verify the authority URL in your MSAL/ADAL config: should be `https://login.microsoftonline.com/<tenant-id-or-domain>` with a single trailing slash and a valid GUID or verified domain
4If using login_hint, ensure the value comes from a trusted source (token claim or directory lookup), not raw user input
5Reproduce in a private browser window to rule out cached/corrupted session cookies from a previous bad sign-in attempt

Frequently asked questions

What does AADSTS90013 mean?

The input from the user isn't valid.

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes