What causes AADSTS90107?

SAML request or response contains invalid XML characters (unescaped &, , or non-UTF-8 bytes). Truncated or corrupted SAML token caused by URL length limits or proxy/load-balancer rewriting. Incorrect Base64/Deflate encoding of the SAMLRequest parameter sent to login.microsoftonline.com. Federation metadata (SP or IdP) out of sync, producing requests that no longer match the expected schema. Custom or third-party identity broker emitting malformed AuthnRequest XML

How do I fix AADSTS90107?

Capture the failing SAML request with browser dev tools (Network tab → SAML-tracer extension) and inspect the decoded SAMLRequest — look for invalid characters, missing closing tags, or truncation.. Validate the decoded XML against the SAML 2.0 schema; pay special attention to attribute values containing &, that should be XML-escaped.. Re-download the federation metadata XML from your identity provider and re-upload it to the Entra ID Enterprise Application (or vice versa) to resync signing certificates and endpoints.. If a reverse proxy, WAF, or load balancer sits in front of the SP, check that it isn't modifying or truncating the SAMLRequest query parameter (common with long URLs > 2 KB).. For custom apps using MSAL/ADAL, upgrade to the latest SDK version — older builds occasionally produced non-compliant XML for specific tenant configurations.

High severityauthentication

Power BI Error:
AADSTS90107, Malformed Authentication Request

What does this error mean?

Microsoft Entra ID (Azure AD) rejected the sign-in request because the XML/SAML payload contains invalid or malformed characters.

Common causes

1SAML request or response contains invalid XML characters (unescaped &, <, >, or non-UTF-8 bytes)
2Truncated or corrupted SAML token caused by URL length limits or proxy/load-balancer rewriting
3Incorrect Base64/Deflate encoding of the SAMLRequest parameter sent to login.microsoftonline.com
4Federation metadata (SP or IdP) out of sync, producing requests that no longer match the expected schema
5Custom or third-party identity broker emitting malformed AuthnRequest XML

How to fix it

1Capture the failing SAML request with browser dev tools (Network tab → SAML-tracer extension) and inspect the decoded SAMLRequest — look for invalid characters, missing closing tags, or truncation.
2Validate the decoded XML against the SAML 2.0 schema; pay special attention to attribute values containing &, <, > that should be XML-escaped.
3Re-download the federation metadata XML from your identity provider and re-upload it to the Entra ID Enterprise Application (or vice versa) to resync signing certificates and endpoints.
4If a reverse proxy, WAF, or load balancer sits in front of the SP, check that it isn't modifying or truncating the SAMLRequest query parameter (common with long URLs > 2 KB).
5For custom apps using MSAL/ADAL, upgrade to the latest SDK version — older builds occasionally produced non-compliant XML for specific tenant configurations.

Frequently asked questions

What does AADSTS90107 mean?

The request isn't valid. Make sure your data doesn't have invalid characters.

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes