Low severity · authentication

Power BI Error:
AADSTS90087

What does this error mean?

Entra ID could not construct a valid WS-Federation sign-in message from the request URI.

Common causes

  • Malformed or incorrectly URL-encoded wreply, wtrealm, or wctx query parameters in the WS-Federation sign-in request
  • wtrealm value does not match the App ID URI / identifier configured for the application in Entra ID (Azure AD)
  • wreply URL is not listed as a valid Reply URL on the application registration
  • Truncated or corrupted sign-in URI (often caused by a proxy, load balancer, or SSO appliance rewriting the request)
  • Application is configured to use WS-Federation while the relying party is sending OpenID Connect / SAML parameters (or vice versa)

How to fix it

  1. Capture the full sign-in URL the user is hitting (from browser dev tools Network tab or Fiddler) and inspect the wtrealm, wreply, and wctx parameters for missing values, double-encoding, or unexpected characters
  2. In the Microsoft Entra admin center, open the affected App registration and confirm that the Application ID URI exactly matches the wtrealm being sent, and that the wreply URL is registered as a Reply URL / Redirect URI
  3. If a reverse proxy, WAF, or SSO appliance sits in front of the app, disable URL rewriting for the /wsfed or /federation endpoint and verify the request URI arrives intact at login.microsoftonline.com
  4. Check that the relying party application is actually configured for WS-Federation; if it was migrated to SAML 2.0 or OIDC, update the client to stop sending WS-Fed requests
  5. If the issue only affects federated/B2B users, validate the federation metadata and SingleSignOnService URL on the partner IdP and re-upload the federation metadata if it has drifted
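The inspection in steps 1 and 2 can be scripted once a sign-in URL has been captured. The following is an added example, not code from this page or from Microsoft: the function name, the finding strings, and the sample App ID URI, reply URL and tenant placeholder are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

PCT = re.compile(r"%[0-9A-Fa-f]{2}")

def check_wsfed_request(url, app_id_uri, reply_urls):
    """Return findings for a captured WS-Federation sign-in URL (empty list = clean)."""
    findings = []
    query = urlsplit(url).query
    # A '%' not followed by two hex digits points at truncation or a bad rewrite.
    if re.search(r"%(?![0-9A-Fa-f]{2})", query):
        findings.append("dangling percent-escape: URI truncated or corrupted")
    # keep_blank_values so an empty 'wtrealm=' is reported, not silently dropped.
    params = parse_qs(query, keep_blank_values=True)
    if params.get("wa", [""])[0] != "wsignin1.0":
        findings.append("wa is not wsignin1.0")
    for foreign in ("client_id", "response_type", "SAMLRequest"):
        if foreign in params:
            findings.append(f"{foreign} present: OIDC/SAML parameter in a WS-Fed request")
    if "wtrealm" not in params:
        findings.append("wtrealm missing")
    for name in ("wtrealm", "wreply", "wctx"):
        for value in params.get(name, []):
            if not value:
                findings.append(f"{name} empty")
            # wctx is opaque application state and may carry nested encoding, so
            # only the two URL-valued parameters are checked for double-encoding.
            elif name != "wctx" and PCT.search(value):
                findings.append(f"{name} double-encoded")
            elif name == "wtrealm" and value != app_id_uri:
                findings.append("wtrealm does not match Application ID URI")
            elif name == "wreply" and value not in reply_urls:
                findings.append("wreply not a registered reply URL")
    return findings

# Constructed sample values, not taken from any real tenant or application.
APP_ID_URI = "https://reports.example.com/"
REPLY_URLS = ["https://reports.example.com/signin-wsfed"]
BASE = "https://login.microsoftonline.com/TENANT-PLACEHOLDER/wsfed?wa=wsignin1.0"
REALM = "&wtrealm=https%3A%2F%2Freports.example.com%2F"
GOOD = BASE + REALM + "&wreply=https%3A%2F%2Freports.example.com%2Fsignin-wsfed&wctx=rm%3D0%26ru%3D%252F"
DOUBLE = BASE + "&wtrealm=https%253A%252F%252Freports.example.com%252F"
TRUNCATED = BASE + REALM + "&wreply=https%3A%2F%2Freports.example.com%2"

if __name__ == "__main__":
    for label, url in (("good", GOOD), ("double", DOUBLE), ("truncated", TRUNCATED)):
        print(label, check_wsfed_request(url, APP_ID_URI, REPLY_URLS))
```

Running the same check on the URL as it leaves the browser and as it arrives after any proxy or WAF shows which hop altered it.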

Frequently asked questions

What does AADSTS90087 mean?

An error occurred while creating the WS-Federation message from the URI.

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes
