Low severity | authentication
Power BI Error:
AADSTS900384, JWT signature validation failed
What does this error mean?
The signing key on the JWT doesn't match the keys Microsoft Entra ID (Azure AD) expects, so the token is rejected.
Common causes
1. Cached or hardcoded signing keys — the app didn't refresh the JWKS from the OpenID Connect metadata endpoint after Microsoft rotated keys
2. Token was issued by a different authority/tenant than the one validating it (wrong `iss` or tenant ID in the authority URL)
3. Stale or replayed token: the JWT was modified, truncated, or an old token is reused after key rotation
4. Clock skew or token tampering between the issuer and the validating service
5. Custom JWT validation library misconfigured (wrong audience, wrong issuer, or signature algorithm mismatch)
How to fix it
1. Acquire a fresh access/ID token from the correct tenant authority (`https://login.microsoftonline.com/{tenant-id}/v2.0`) and retry — most transient cases resolve here
2. Force your app to re-fetch the OpenID Connect signing keys from `https://login.microsoftonline.com/{tenant-id}/discovery/v2.0/keys` (clear any in-memory JWKS cache)
3. Decode the failing JWT at jwt.ms and verify `iss`, `aud`, `tid`, and `kid` match the tenant and app registration you're validating against
4. In Power BI / ADF / Fabric: re-authenticate the data source connection or service principal credential — stale refresh tokens after a Conditional Access or key-rotation event commonly trigger this
5. If you control the validating service, confirm the JWT validation library uses the tenant's discovery document (not a pinned key) and accepts the current signing algorithm (RS256)
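The header and claim checks from step 3, written as an offline triage script that maps each mismatch back to a cause listed above. This is an added example, not code from Microsoft or from this page. It assumes v2.0 tokens (issuer equal to the authority URL above); the tenant ID, audience, `kid` values and sample token are constructed, and the signature is not verified, so use it for diagnosis only.

```python
import base64
import json
import time

def _decode(segment):
    # JWT segments are unpadded base64url; restore padding before decoding.
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def triage_token(token, tenant_id, audience, jwks, now=None, skew=300):
    """List reasons a token would be rejected. Diagnostic only: no signature check."""
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        return ["malformed or truncated token (expected 3 non-empty segments)"]
    try:
        header, claims = _decode(parts[0]), _decode(parts[1])
    except ValueError:
        return ["header or payload is not base64url-encoded JSON"]
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return ["header or payload is not a JSON object"]
    now = time.time() if now is None else now
    findings = []
    if header.get("kid") not in {k["kid"] for k in jwks.get("keys", []) if "kid" in k}:
        findings.append("kid not in JWKS: key cache is stale or authority is wrong")
    if header.get("alg") != "RS256":
        findings.append("alg is not RS256")
    # Assumption: v2.0 tokens, whose issuer equals the tenant authority URL.
    if claims.get("iss") != f"https://login.microsoftonline.com/{tenant_id}/v2.0":
        findings.append("iss does not match the expected tenant authority")
    if claims.get("tid") != tenant_id:
        findings.append("tid does not match the expected tenant")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        findings.append("aud does not match the app registration")
    if claims.get("exp", 0) + skew < now:
        findings.append("token expired: acquire a fresh one")
    if claims.get("nbf", 0) - skew > now:
        findings.append("token not yet valid: check clock skew")
    return findings

def make_sample(header, claims):
    # Constructed, unsigned sample token for the demo; the signature is a dummy.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.c2ln"

TENANT = "11111111-1111-1111-1111-111111111111"  # constructed tenant ID
CACHED_JWKS = {"keys": [{"kid": "constructed-old-kid"}]}  # constructed stale key cache
SAMPLE = make_sample({"alg": "RS256", "kid": "constructed-new-kid"}, {
    "iss": f"https://login.microsoftonline.com/{TENANT}/v2.0", "tid": TENANT,
    "aud": "api://constructed-app", "exp": 2000, "nbf": 1000})
```

Pass the `keys` document your service currently holds as `jwks`; a lone `kid` finding with every claim matching points at the stale key cache from cause 1.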