What causes AADSTS901012?

External OIDC identity provider (e.g. Google, Okta, custom IdP) returned an ID token without the `email_verified` claim, or with `email_verified: false`. The user's email address at the external IdP has never been confirmed (no verification link clicked). External IdP is misconfigured and does not include email verification status in its OIDC claims mapping. Federation/SAML-to-OIDC bridge strips or omits the `email_verified` claim during token transformation. Guest/B2B invitation flow where the inviting tenant requires verified email but the home IdP does not enforce verification

How do I fix AADSTS901012?

At the external OIDC identity provider, verify the user's email address (resend verification mail and have the user click the confirmation link). In the external IdP's OIDC configuration, ensure the `email_verified` claim is included in issued ID tokens and set to `true` for verified accounts. Decode a sample ID token at jwt.ms and confirm both `email` and `email_verified: true` claims are present before it reaches Entra ID. In the Entra ID admin center, review the External Identities federation settings for the OIDC provider and confirm claim mappings are correct. If using B2B collaboration, re-send the guest invitation after the user verifies their email at their home IdP

Low severityauthentication

Power BI Error:
AADSTS901012

What does this error mean?

Sign-in via external OIDC identity provider failed because the ID token does not contain a verified email claim.

Common causes

1External OIDC identity provider (e.g. Google, Okta, custom IdP) returned an ID token without the `email_verified` claim, or with `email_verified: false`
2The user's email address at the external IdP has never been confirmed (no verification link clicked)
3External IdP is misconfigured and does not include email verification status in its OIDC claims mapping
4Federation/SAML-to-OIDC bridge strips or omits the `email_verified` claim during token transformation
5Guest/B2B invitation flow where the inviting tenant requires verified email but the home IdP does not enforce verification

How to fix it

1At the external OIDC identity provider, verify the user's email address (resend verification mail and have the user click the confirmation link)
2In the external IdP's OIDC configuration, ensure the `email_verified` claim is included in issued ID tokens and set to `true` for verified accounts
3Decode a sample ID token at jwt.ms and confirm both `email` and `email_verified: true` claims are present before it reaches Entra ID
4In the Entra ID admin center, review the External Identities federation settings for the OIDC provider and confirm claim mappings are correct
5If using B2B collaboration, re-send the guest invitation after the user verifies their email at their home IdP

Frequently asked questions

What does AADSTS901012 mean?

No verified email address was obtained from the identity provider. The email address is not verified in the ID token from the external OIDC identity provider.

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes