What causes AADSTS90015?

Oversized 'state' or 'nonce' parameter being passed through the authorization request. Too many scopes/resources requested in a single sign-in request (especially when combining Graph + Power BI + Fabric scopes). Long redirect_uri or extra custom query parameters appended to the /authorize endpoint. Using response_mode=query or fragment with a large id_token/code payload instead of form_post. A misconfigured client (custom auth library, embedded Power BI scenario) that re-appends parameters on each redirect, growing the URL on retries

How do I fix AADSTS90015?

Switch the authorization request to response_mode=form_post — this moves the response from the URL into the POST body and resolves the vast majority of AADSTS90015 cases.. Audit the 'state' parameter: store large state server-side (keyed by a short GUID) instead of round-tripping the full payload through the URL.. Reduce the scope list — request only the scopes you need for the current step and use incremental consent for additional resources (Graph, Power BI, Fabric) later.. Inspect the failing request in browser DevTools (Network tab) or Fiddler; measure the full /authorize URL length and identify which parameter is bloating it.. If using an SDK (MSAL, ADAL, custom OIDC client), update to the latest MSAL version and verify your redirect_uri is short and registered exactly as configured in the Entra ID app registration.

Low severityauthentication

Power BI Error:
AADSTS90015

What does this error mean?

The OAuth/OIDC request URL exceeds the maximum query string length accepted by the Microsoft identity platform.

Common causes

1Oversized 'state' or 'nonce' parameter being passed through the authorization request
2Too many scopes/resources requested in a single sign-in request (especially when combining Graph + Power BI + Fabric scopes)
3Long redirect_uri or extra custom query parameters appended to the /authorize endpoint
4Using response_mode=query or fragment with a large id_token/code payload instead of form_post
5A misconfigured client (custom auth library, embedded Power BI scenario) that re-appends parameters on each redirect, growing the URL on retries

How to fix it

1Switch the authorization request to response_mode=form_post — this moves the response from the URL into the POST body and resolves the vast majority of AADSTS90015 cases.
2Audit the 'state' parameter: store large state server-side (keyed by a short GUID) instead of round-tripping the full payload through the URL.
3Reduce the scope list — request only the scopes you need for the current step and use incremental consent for additional resources (Graph, Power BI, Fabric) later.
4Inspect the failing request in browser DevTools (Network tab) or Fiddler; measure the full /authorize URL length and identify which parameter is bloating it.
5If using an SDK (MSAL, ADAL, custom OIDC client), update to the latest MSAL version and verify your redirect_uri is short and registered exactly as configured in the Entra ID app registration.

Frequently asked questions

What does AADSTS90015 mean?

The query string is too long.

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes