What causes AADSTS90023?

Required OAuth/OIDC parameter missing (client_id, response_type, scope, redirect_uri) or duplicated in the request. Mismatch between v1.0 and v2.0 endpoint usage — e.g. v2.0 scopes sent to a v1.0 /authorize endpoint. Unsupported or malformed grant_type / response_type combination (e.g. 'token id_token' on a confidential client). URL-encoding issues in redirect_uri, state, or nonce parameters causing the request to be rejected before validation. Custom or third-party connector building the auth request manually (Power BI custom data connector, Databricks personal access flow) with non-spec parameters

How do I fix AADSTS90023?

Capture the failing /authorize or /token request (browser DevTools Network tab or Fiddler) and inspect every query/body parameter against Microsoft's OAuth 2.0 spec — this is the only way to see what's actually wrong. Verify endpoint version consistency: if you use scopes like 'https://analysis.windows.net/powerbi/api/.default' you must hit the v2.0 endpoint (login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize), not v1.0. For Power BI Service / Fabric: re-create the data source credential (Settings → Datasets → Data source credentials → Edit credentials) so the SDK rebuilds a clean auth request. For ADF / Synapse / Databricks linked services: remove and re-add the Microsoft Entra ID linked service or service principal credential, ensuring tenant ID and authority URL are correct. If using MSAL or ADAL in custom code, upgrade to the latest MSAL version — ADAL is deprecated and frequently produces malformed v2.0 requests

Low severityauthentication

Power BI Error:
AADSTS90023

What does this error mean?

Microsoft Entra ID (Azure AD) rejected the sign-in request because the protocol parameters are malformed or unsupported.

Common causes

1Required OAuth/OIDC parameter missing (client_id, response_type, scope, redirect_uri) or duplicated in the request
2Mismatch between v1.0 and v2.0 endpoint usage — e.g. v2.0 scopes sent to a v1.0 /authorize endpoint
3Unsupported or malformed grant_type / response_type combination (e.g. 'token id_token' on a confidential client)
4URL-encoding issues in redirect_uri, state, or nonce parameters causing the request to be rejected before validation
5Custom or third-party connector building the auth request manually (Power BI custom data connector, Databricks personal access flow) with non-spec parameters

How to fix it

1Capture the failing /authorize or /token request (browser DevTools Network tab or Fiddler) and inspect every query/body parameter against Microsoft's OAuth 2.0 spec — this is the only way to see what's actually wrong
2Verify endpoint version consistency: if you use scopes like 'https://analysis.windows.net/powerbi/api/.default' you must hit the v2.0 endpoint (login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize), not v1.0
3For Power BI Service / Fabric: re-create the data source credential (Settings → Datasets → Data source credentials → Edit credentials) so the SDK rebuilds a clean auth request
4For ADF / Synapse / Databricks linked services: remove and re-add the Microsoft Entra ID linked service or service principal credential, ensuring tenant ID and authority URL are correct
5If using MSAL or ADAL in custom code, upgrade to the latest MSAL version — ADAL is deprecated and frequently produces malformed v2.0 requests

Frequently asked questions

What does AADSTS90023 mean?

The authentication service request isn't v

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes