Low severity | authentication
Power BI Error: AADSTS90123
What does this error mean?
The federated or external identity provider denied the token request, so Entra ID (Azure AD) cannot issue a token.
Common causes
1. Federated identity provider (ADFS, Okta, Ping, etc.) actively denied the request due to its own conditional access or risk policy
2. Broken or expired federation trust between the external IdP and Microsoft Entra ID (certificate rollover, metadata mismatch)
3. Guest/B2B user signing in via a home-tenant IdP that blocked the cross-tenant authentication
4. Social IdP (Google, Facebook, Apple) revoked or invalidated the consent/session for the user
5. IdP-side account state issue: user disabled, locked, MFA failed at the IdP, or claim issuance rules rejected the user
How to fix it
1. Open the sign-in logs of the upstream identity provider (ADFS event log, Okta System Log, Ping audit log, or the social IdP's account activity) for the same timestamp; the real denial reason lives there, not in Entra ID
2. In the Microsoft Entra admin center → Sign-in logs, open the failed entry and check the 'Federated' / 'Identity provider' fields to confirm which IdP returned the denial
3. Verify the federation trust: in Entra ID check the domain's federation settings (Get-MgDomainFederationConfiguration) and confirm the IdP's token-signing certificate and metadata URL are still valid
4. If it concerns a B2B guest, ask the guest's home-tenant admin to review their conditional access and cross-tenant access settings; the deny is happening in their tenant
5. For social/external IdPs, have the user re-consent or re-link the account in My Account → Sign-in methods, then retry; if it persists, recreate the External Identities provider configuration
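
The certificate check from step 3, as an added PowerShell example that is not part of the original page: it decodes the signing certificates stored on the federated domain, reports their expiry, and optionally compares the thumbprint with the one the IdP currently signs with. The function name, its parameters, the sample issuer URI and the `contoso.example` domain are assumptions; the property names follow the Microsoft Graph `internalDomainFederation` resource.

```powershell
# Added example; Test-FederationSigningCert, -IdpThumbprint and -WarnDays are hypothetical names.
function Test-FederationSigningCert {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Config,  # from Get-MgDomainFederationConfiguration
        [string] $IdpThumbprint,   # thumbprint the IdP currently signs with, read on the IdP side
        [int] $WarnDays = 30
    )
    process {
        # Entra ID stores the active certificate and, during rollover, the next one.
        foreach ($slot in 'SigningCertificate', 'NextSigningCertificate') {
            if ([string]::IsNullOrWhiteSpace($Config.$slot)) { continue }
            $bytes = [Convert]::FromBase64String($Config.$slot)
            $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
            $days  = [math]::Floor(($cert.NotAfter.ToUniversalTime() - [DateTime]::UtcNow).TotalDays)
            [pscustomobject]@{
                IssuerUri   = $Config.IssuerUri
                Slot        = $slot
                Thumbprint  = $cert.Thumbprint
                NotAfterUtc = $cert.NotAfter.ToUniversalTime()
                DaysLeft    = $days
                Expiry      = if ($days -lt 0) { 'Expired' } elseif ($days -le $WarnDays) { 'ExpiringSoon' } else { 'OK' }
                # $null when no IdP thumbprint was supplied, otherwise True/False
                MatchesIdp  = if ($IdpThumbprint) { $cert.Thumbprint -eq ($IdpThumbprint -replace '\s') } else { $null }
            }
        }
    }
}

# Constructed sample: a throwaway self-signed cert that expires in 10 days, wrapped in an
# object shaped like the cmdlet's output, so the function can be exercised offline.
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=constructed-idp-token-signing', $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$demo = $req.CreateSelfSigned([DateTimeOffset]::UtcNow.AddDays(-355), [DateTimeOffset]::UtcNow.AddDays(10))
$sample = [pscustomobject]@{
    IssuerUri              = 'https://idp.example/adfs/services/trust'   # constructed value
    SigningCertificate     = [Convert]::ToBase64String($demo.RawData)
    NextSigningCertificate = $null
}
$sample | Test-FederationSigningCert -IdpThumbprint $demo.Thumbprint | Format-List

# Live check against the tenant ('contoso.example' is a placeholder domain):
#   Connect-MgGraph -Scopes 'Domain.Read.All'
#   Get-MgDomainFederationConfiguration -DomainId 'contoso.example' | Test-FederationSigningCert
```

An `Expired` result, or `MatchesIdp` returning `False` after a certificate rollover on the IdP, means the trust stored in Entra ID no longer matches what the IdP signs with.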