What causes AADSTS900236?

SAML AuthnRequest contains a property (e.g. AssertionConsumerServiceIndex, ProviderName, Conditions, or a custom attribute) that Entra ID does not support. Service Provider (SP) is configured for a SAML profile or extension that Microsoft Entra ID does not implement. Third-party identity federation library injects optional SAML elements that are valid per spec but rejected by Entra ID. Mismatch between the SP-Initiated SSO request template and the Enterprise Application's SAML SSO configuration in Entra ID. Outdated or misconfigured SAML toolkit/SDK building requests with deprecated or unsupported property names

How do I fix AADSTS900236?

Capture the raw SAML AuthnRequest (browser SAML-tracer extension or Fiddler) and identify the exact property name reported in '{propertyName}'. Remove or unset that property in your SP / SAML library configuration — Entra ID expects a minimal AuthnRequest (Issuer, NameIDPolicy, optional RequestedAuthnContext). Cross-check your SP settings against Microsoft's supported SAML request parameters: https://learn.microsoft.com/azure/active-directory/develop/single-sign-on-saml-protocol. In the Entra admin center → Enterprise applications → your app → Single sign-on (SAML), verify the Reply URL, Identifier, and Sign-on URL match the values your SP sends. If using a SAML library (e.g. python3-saml, OneLogin, ComponentSpace), upgrade to the latest version and disable optional features like AssertionConsumerServiceIndex or custom Extensions

High severityauthentication

Power BI Error:
AADSTS900236

What does this error mean?

The SAML authentication request contains a property that Entra ID (Azure AD) does not support and rejects.

Common causes

1SAML AuthnRequest contains a property (e.g. AssertionConsumerServiceIndex, ProviderName, Conditions, or a custom attribute) that Entra ID does not support
2Service Provider (SP) is configured for a SAML profile or extension that Microsoft Entra ID does not implement
3Third-party identity federation library injects optional SAML elements that are valid per spec but rejected by Entra ID
4Mismatch between the SP-Initiated SSO request template and the Enterprise Application's SAML SSO configuration in Entra ID
5Outdated or misconfigured SAML toolkit/SDK building requests with deprecated or unsupported property names

How to fix it

1Capture the raw SAML AuthnRequest (browser SAML-tracer extension or Fiddler) and identify the exact property name reported in '{propertyName}'
2Remove or unset that property in your SP / SAML library configuration — Entra ID expects a minimal AuthnRequest (Issuer, NameIDPolicy, optional RequestedAuthnContext)
3Cross-check your SP settings against Microsoft's supported SAML request parameters: https://learn.microsoft.com/azure/active-directory/develop/single-sign-on-saml-protocol
4In the Entra admin center → Enterprise applications → your app → Single sign-on (SAML), verify the Reply URL, Identifier, and Sign-on URL match the values your SP sends
5If using a SAML library (e.g. python3-saml, OneLogin, ComponentSpace), upgrade to the latest version and disable optional features like AssertionConsumerServiceIndex or custom Extensions

Frequently asked questions

What does AADSTS900236 mean?

InvalidRequestSamlPropertyUnsupported- The SAML authentication request property '{propertyName}'

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes