Low severity | authentication
Power BI Error: AADSTS900561
What does this error mean?
A Microsoft Entra ID (Azure AD) OAuth2 endpoint received a request with a non-POST verb (usually GET) where only POST is accepted.
Common causes
1. User pressed the browser Back button after completing sign-in, replaying the auth redirect as a GET against the /token or /authorize endpoint (Microsoft's documented primary cause)
2. Developer error: redirect URI in the Entra ID app registration points at a Microsoft endpoint (/oauth2/v2.0/token, /oauth2/v2.0/authorize) instead of the application's own callback URL
3. MSAL/ADAL client uses response_mode=form_post but the reply URL is opened directly via GET, e.g. bookmark, copy-pasted link, or email link
4. Reverse proxy, WAF, Azure Front Door, or load balancer downgrading POST to GET on 302 redirects (verb stripping instead of using 307/308)
5. Custom logout flow issuing a raw GET to /oauth2/logout instead of using the MSAL logoutRedirect() / end_session_endpoint flow
How to fix it
1. Open browser DevTools → Network and confirm the failing request: capture the exact HTTP verb and the login.microsoftonline.com path returning 900561. If it only fires after a Back-button click and sign-in still completes, follow Microsoft's guidance and ignore it: catch AADSTS900561 in your app and redirect to home instead of surfacing an error.
2. In Entra ID (Azure AD) → App registrations → your app → Authentication, verify every Redirect URI points to your application's own callback (e.g. https://app.example.com/auth/callback). None should reference /token, /authorize, or any login.microsoftonline.com path.
3. In your MSAL/ADAL config, ensure postLogoutRedirectUri is registered and that logout uses the SDK's logoutRedirect() / logoutPopup(), never a hand-built GET to /oauth2/logout or /oauth2/v2.0/logout.
4. If response_mode=form_post is in use, confirm the reply URL is only ever reached as the POST target of the Entra ID form post. Bookmarks or shared links to that URL will always trigger 900561; point users at your app root instead.
5. If traffic flows through a reverse proxy, WAF, Azure Front Door, or an SSO gateway, verify it preserves POST bodies and uses 307/308 (not 302/303) for any redirect on the auth path. Verb downgrade on redirect is a known cause.
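The checks in steps 1, 2 and 5 can be run over a HAR file exported from the DevTools Network tab. The script below is an added example, not Microsoft's or Power BI's code. The function names, the /auth/ callback prefix, and the sample HAR and redirect URI values (including the "common" tenant segment) are assumptions constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

ENTRA_HOST = "login.microsoftonline.com"
DOWNGRADING = {302, 303}  # clients commonly re-issue a redirected POST as GET

def bad_redirect_uris(uris):
    """Registered redirect URIs that point at Entra ID instead of the app."""
    return [u for u in uris if (urlsplit(u).hostname or "").lower() == ENTRA_HOST]

def har_findings(har, auth_prefix="/auth/"):
    """Flag HAR entries that match causes of AADSTS900561.
    auth_prefix is an assumption: the path prefix of the app's own callback."""
    findings = []
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        url, method = urlsplit(req["url"]), req["method"].upper()
        on_entra = (url.hostname or "").lower() == ENTRA_HOST
        # A non-POST verb reached the Entra ID token endpoint.
        if on_entra and url.path.endswith("/token") and method != "POST":
            findings.append(("non_post_to_token", req["url"]))
        # A POST on the auth path got a 302/303 that points back into the auth
        # path, so the follow-up arrives as a GET without the form body. A 302
        # from the callback to the app's home page is normal and not flagged.
        location = resp.get("redirectURL") or ""
        target = urlsplit(urljoin(req["url"], location))
        if (method == "POST" and location and resp["status"] in DOWNGRADING
                and url.path.startswith(auth_prefix)
                and target.path.startswith(auth_prefix)):
            findings.append(("post_downgraded_on_redirect", req["url"]))
    return findings

# Constructed sample data, not captured from a real tenant or application.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "POST", "url": "https://app.example.com/auth/callback"},
     "response": {"status": 302, "redirectURL": "/auth/callback/"}},
    {"request": {"method": "POST", "url": "https://app.example.com/auth/callback/"},
     "response": {"status": 302, "redirectURL": "/"}},
    {"request": {"method": "POST", "url": "https://app.example.com/auth/callback"},
     "response": {"status": 307, "redirectURL": "/auth/callback/"}},
    {"request": {"method": "GET",
                 "url": "https://login.microsoftonline.com/common/oauth2/v2.0/token"},
     "response": {"status": 400, "redirectURL": ""}},
]}}
SAMPLE_URIS = ["https://app.example.com/auth/callback",
               "https://login.microsoftonline.com/common/oauth2/v2.0/token"]

if __name__ == "__main__":
    print(har_findings(SAMPLE_HAR))
    print(bad_redirect_uris(SAMPLE_URIS))
```

On the sample data, only the trailing-slash 302 and the GET to the token endpoint are reported; the 307 and the callback's own redirect to the home page pass.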
Example log output
AADSTS900561: The endpoint only accepts POST requests. Please try again using a POST request. Trace ID: c2a18f44-3d09-4b7e-a501-00e6d2f9c023 Correlation ID: a3f21c88-7b4d-4e01-b92c-001f3d8a5e12 Timestamp: 2026-05-09 08:14:32Z
MicrosoftIdentityWebChallengeUserException: IDW10502: An MsalUiRequiredException was thrown due to a challenge for the user. OAuth token acquisition failed for service principal 'pbi-refresh-sp'. Activity ID: b7e30d19-2c4a-4f8c-9a1e-00a5c2d1f034
Dataset refresh failed: 'Sales_DW_Daily'. Error code: AADSTS900561. Refresh aborted after 0 retries (non-retryable authentication failure). Next scheduled window: 2026-05-09T09:00:00Z.