Low severity · authentication
Power BI Error:
AADSTS901014, No External Identifier in OIDC ID Token
What does this error mean?
The ID token returned by the external OIDC identity provider does not contain the claim that Entra ID is configured to read as the external user identifier, so Entra cannot map the sign-in to an external user.
Common causes
1. The external OIDC IdP is not issuing the claim that Entra ID is configured to read as the external identifier (e.g. Entra expects `sub` but the IdP only returns `oid` or `email`).
2. Misconfigured claim mapping in the Entra ID External Identities / SAML-OIDC federation settings: wrong claim name or case mismatch.
3. The external IdP application/client is missing the required scope (e.g. `openid`, `profile`), so the identifier claim is omitted from the ID token.
4. The user object in the external IdP has no value populated for the mapped identifier attribute.
5. A recent change on the external IdP side (claim renamed, scope removed, or token schema updated) broke a previously working federation.
How to fix it
1. Capture a sample ID token from the external OIDC IdP (via IdP debug logs or a test sign-in trace) and decode it on jwt.ms to confirm exactly which claims are present.
2. In the Entra admin center → External Identities → All identity providers (or the federation configuration on the tenant), open the OIDC IdP entry and check which claim is set as the external user identifier.
3. Align the two: either reconfigure the external IdP to emit the expected claim (usually `sub`) with the correct scopes, or update the Entra-side mapping to point at a claim the IdP actually issues.
4. Verify the user account in the external IdP has a non-empty value for the mapped attribute; empty/null values produce the same error.
5. Re-test the sign-in in an InPrivate window and inspect the sign-in log entry in Entra ID; the Additional Details should now show a populated external identifier.
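Steps 1, 2 and 4 above can be scripted as an offline check. The following is an added example, not Microsoft's or any IdP's code: it decodes the payload of a captured ID token (signature not verified, a diagnostic decode like jwt.ms) and reports whether the claim Entra is configured to read is present, empty, missing, or only differs in letter case. The token it decodes is a constructed sample built by `make_sample_id_token`; the claim names and values are assumptions.

```python
import base64
import json

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def id_token_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature).
    Diagnostic decode only, like jwt.ms: the signature is NOT verified here."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def check_external_identifier(claims: dict, mapped_claim: str) -> str:
    """Compare the claims actually issued with the claim Entra is configured to
    read as the external identifier. Returns 'ok', 'empty' (present but null or
    blank), 'missing', or 'case-mismatch:<actual name>' when only the case differs."""
    if mapped_claim in claims:
        value = claims[mapped_claim]
        if value is None or (isinstance(value, str) and not value.strip()):
            return "empty"
        return "ok"
    by_lower = {name.lower(): name for name in claims}
    if mapped_claim.lower() in by_lower:
        return "case-mismatch:" + by_lower[mapped_claim.lower()]
    return "missing"

def make_sample_id_token(claims: dict) -> str:
    """Build a constructed token for offline testing only (header, payload and a
    placeholder signature); a real IdP token carries a genuine signature."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"

if __name__ == "__main__":
    # Constructed sample: the IdP issues `oid` and `email` but no `sub` (cause 1)
    token = make_sample_id_token({"iss": "https://idp.example", "oid": "constructed-oid-0001",
                                  "email": "user@example.org"})
    claims = id_token_claims(token)
    print("claims issued:", sorted(claims))
    print("mapped claim `sub`:  ", check_external_identifier(claims, "sub"))    # missing
    print("mapped claim `email`:", check_external_identifier(claims, "email"))  # ok
```

Run it against the token captured in step 1 with the claim name read from the Entra-side mapping in step 2; a result other than `ok` points at which side to correct in step 3 or 4.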