Low severity · authentication
Power BI Error: AADSTS90020
What does this error mean?
The SAML 1.1 assertion sent to Microsoft Entra ID (Azure AD) lacks the ImmutableID claim required to identify the user.
Common causes
1. The federated IdP (ADFS or third-party) is not emitting the IDPEmail or ImmutableID claim in the SAML 1.1 assertion
2. Claim rules on ADFS are misconfigured: NameIdentifier is sent but the ImmutableID (sourceAnchor / objectGUID) transform is missing or empty
3. The user's on-prem AD object has no ImmutableID synced to Entra ID (Azure AD Connect sync gap or soft-matched cloud-only user)
4. Wrong NameID format: the IdP returns a UPN or email instead of the persistent ImmutableID expected for SAML 1.1 federated sign-in
5. App is configured for SAML 1.1 (WS-Fed style) while the IdP is sending a SAML 2.0-style assertion without the legacy ImmutableID claim
How to fix it
1. On the federated IdP (ADFS), inspect the claim issuance rules for the Microsoft Office 365 / Entra ID relying party trust and confirm a rule emits ImmutableID from objectGUID (or the configured sourceAnchor)
2. Capture the SAML assertion with Fiddler or the browser's SAML-tracer extension and verify the assertion contains a non-empty <Attribute Name="ImmutableID"> (or the equivalent NameIdentifier) value
3. In Entra ID, run Get-MgUser -UserId <upn> -Property OnPremisesImmutableId and confirm the value matches the Base64-encoded objectGUID of the on-prem AD user
4. If values are out of sync, force a delta sync via Azure AD Connect (Start-ADSyncSyncCycle -PolicyType Delta) and retry sign-in
5. If the relying party trust was recently modified, re-run Set-MsolDomainFederationSettings / Update-MgDomainFederationConfiguration to restore the correct federation metadata
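To work through steps 2 and 3 offline, here is an added example (not from this page or from Microsoft) that parses a captured SAML 1.1 assertion, checks that the ImmutableID claim is present and non-empty, and compares it with the Base64 form of the on-prem objectGUID. The sample assertion, the objectGUID value and the attribute namespace layout are constructed assumptions for the demo.

```python
import base64
import uuid
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

SAML11_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed sample assertion (not a real capture): a UPN attribute plus the
# ImmutableID attribute as an ADFS claim rule for the Office 365 trust would emit it.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML11_NS}" AssertionID="_constructed-1">
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="UPN" AttributeNamespace="http://schemas.xmlsoap.org/claims">
      <saml:AttributeValue>jane@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="ImmutableID" AttributeNamespace="http://schemas.microsoft.com/LiveID/Federation/2008/05">
      <saml:AttributeValue>AQIDBAUGBwgJCgsMDQ4PEA==</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def extract_immutable_id(assertion_xml: str) -> Optional[str]:
    """Return the ImmutableID attribute value, or None when the claim is absent or empty."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iter(f"{{{SAML11_NS}}}Attribute"):
        # SAML 1.1 uses AttributeName; accept a SAML 2.0-style Name as well
        if (attr.get("AttributeName") or attr.get("Name")) != "ImmutableID":
            continue
        value = attr.find(f"{{{SAML11_NS}}}AttributeValue")
        text = (value.text or "").strip() if value is not None else ""
        return text or None
    return None

def expected_immutable_id(object_guid: str) -> str:
    """ImmutableID is the Base64 of objectGUID in Windows (mixed-endian) byte order,
    i.e. what [Convert]::ToBase64String($guid.ToByteArray()) yields in PowerShell."""
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode("ascii")

def check_assertion(assertion_xml: str, object_guid: str) -> Tuple[bool, str]:
    """Reproduce the AADSTS90020 precondition: claim present, valid, and matching on-prem."""
    claim = extract_immutable_id(assertion_xml)
    if claim is None:
        return False, "ImmutableID claim missing or empty (AADSTS90020 condition)"
    try:
        raw = base64.b64decode(claim, validate=True)
    except ValueError:
        return False, "ImmutableID is not valid Base64"
    if len(raw) != 16:
        return False, f"ImmutableID decodes to {len(raw)} bytes, expected a 16-byte GUID"
    if claim != expected_immutable_id(object_guid):
        return False, "ImmutableID does not match on-prem objectGUID (sync gap?)"
    return True, "ImmutableID present and matches objectGUID"
```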