What causes AADSTS90056?

App posts to /token without first obtaining an authorization_code from /authorize (skipping step 1 of the auth-code flow). The authorization_code is expired (codes are single-use and short-lived) or has already been redeemed. Wrong endpoint configured — e.g. /common used while the app is single-tenant, or v1.0 vs v2.0 mismatch between /authorize and /token. redirect_uri / client_id / scope at /token does not exactly match what was sent to /authorize. Malformed POST body to /token (missing grant_type=authorization_code, code, client_id, or redirect_uri parameters)

How do I fix AADSTS90056?

Open Entra ID (Azure AD) → App registrations → your app → Endpoints, and confirm the OAuth 2.0 authorization endpoint and token endpoint match the tenant and API version (v2.0) your client is using. Verify your client first calls /authorize and only POSTs the returned authorization_code to /token — never call /token in isolation. Re-trigger the sign-in to get a fresh code; codes expire within ~10 minutes and can only be redeemed once. Ensure redirect_uri, client_id, and scope on the /token POST exactly match the values used on /authorize (case-sensitive, trailing slash matters). For Power BI / Fabric / ADF service principals: check that the app has the correct API permissions granted (admin consent) and that the scope/resource (e.g. https://analysis.windows.net/powerbi/api/.default) is valid for the tenant

Low severityauthentication

Power BI Error:
AADSTS90056, invalid token redemption request

What does this error mean?

The app called /token without a valid authorization_code, or hit the wrong tenant/endpoint when redeeming the code.

Common causes

1App posts to /token without first obtaining an authorization_code from /authorize (skipping step 1 of the auth-code flow)
2The authorization_code is expired (codes are single-use and short-lived) or has already been redeemed
3Wrong endpoint configured — e.g. /common used while the app is single-tenant, or v1.0 vs v2.0 mismatch between /authorize and /token
4redirect_uri / client_id / scope at /token does not exactly match what was sent to /authorize
5Malformed POST body to /token (missing grant_type=authorization_code, code, client_id, or redirect_uri parameters)

How to fix it

1Open Entra ID (Azure AD) → App registrations → your app → Endpoints, and confirm the OAuth 2.0 authorization endpoint and token endpoint match the tenant and API version (v2.0) your client is using
2Verify your client first calls /authorize and only POSTs the returned authorization_code to /token — never call /token in isolation
3Re-trigger the sign-in to get a fresh code; codes expire within ~10 minutes and can only be redeemed once
4Ensure redirect_uri, client_id, and scope on the /token POST exactly match the values used on /authorize (case-sensitive, trailing slash matters)
5For Power BI / Fabric / ADF service principals: check that the app has the correct API permissions granted (admin consent) and that the scope/resource (e.g. https://analysis.windows.net/powerbi/api/.default) is valid for the tenant

Frequently asked questions

What does AADSTS90056 mean?

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes