What causes AADSTS90102?

redirect_uri is missing the scheme (e.g. 'app.example.com/callback' instead of 'https://app.example.com/callback'). redirect_uri is double URL-encoded or contains illegal characters (spaces, unencoded query separators). redirect_uri contains a URL fragment (#...), which is not allowed in OAuth 2.0 authorization requests. Relative URI passed instead of absolute, or a literal placeholder like '{redirect_uri}' was sent unsubstituted. Trailing whitespace or newline in the redirect_uri value due to a config/templating bug

How do I fix AADSTS90102?

Inspect the failing sign-in URL and extract the redirect_uri query parameter — confirm it starts with 'https://' (or 'http://localhost' for dev) and is a fully qualified absolute URI. URL-decode the value once and verify it has no fragment (#), no spaces, and no unsubstituted template placeholders; re-encode exactly once before sending. In the Entra ID (Azure AD) portal → App registrations → your app → Authentication, confirm the exact redirect URI is registered under the correct platform (Web / SPA / Public client) and matches character-for-character. If using MSAL or a Power BI embedded scenario, set the redirectUri explicitly in code rather than relying on window.location — and avoid trailing slashes mismatches between code and Entra registration. Reproduce against login.microsoftonline.com with a minimal request to isolate whether the bad URI comes from your app config, a reverse proxy rewrite, or a CDN/edge rule

Low severityauthentication

Power BI Refresh Error:
AADSTS90102

What does this error mean?

Azure AD / Entra ID rejected the sign-in because the redirect_uri parameter is not a valid absolute URI.

Common causes

1redirect_uri is missing the scheme (e.g. 'app.example.com/callback' instead of 'https://app.example.com/callback')
2redirect_uri is double URL-encoded or contains illegal characters (spaces, unencoded query separators)
3redirect_uri contains a URL fragment (#...), which is not allowed in OAuth 2.0 authorization requests
4Relative URI passed instead of absolute, or a literal placeholder like '{redirect_uri}' was sent unsubstituted
5Trailing whitespace or newline in the redirect_uri value due to a config/templating bug

How to fix it

1Inspect the failing sign-in URL and extract the redirect_uri query parameter — confirm it starts with 'https://' (or 'http://localhost' for dev) and is a fully qualified absolute URI
2URL-decode the value once and verify it has no fragment (#), no spaces, and no unsubstituted template placeholders; re-encode exactly once before sending
3In the Entra ID (Azure AD) portal → App registrations → your app → Authentication, confirm the exact redirect URI is registered under the correct platform (Web / SPA / Public client) and matches character-for-character
4If using MSAL or a Power BI embedded scenario, set the redirectUri explicitly in code rather than relying on window.location — and avoid trailing slashes mismatches between code and Entra registration
5Reproduce against login.microsoftonline.com with a minimal request to isolate whether the bad URI comes from your app config, a reverse proxy rewrite, or a CDN/edge rule

Frequently asked questions

What does AADSTS90102 mean?

The value must be a valid absolute URI.

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes