AADSTS90100 FlowToken Parameter Is Empty Or Not Valid means Microsoft blocked sign-in because a required session token was missing or broken.
If you sign in to Microsoft 365, Azure, GitHub Classroom, Outlook, or another Microsoft-backed app and see this message on a white login page, it usually feels random and opaque. The good news is that the error almost always points to a problem with a temporary sign-in token, not with your password or account license.
This guide breaks the error down in plain language, then walks through fixes you can try as a regular user and deeper checks for admins and developers who manage sign-ins through Microsoft Entra ID (Azure AD).
What The AADSTS90100 FlowToken Error Means
Azure Active Directory, now Microsoft Entra ID, uses short-lived values such as flowtoken, ctx, and canary to keep track of where you are in the sign-in process. Each time the browser posts a form or follows a redirect, those values help the service tie your request back to the earlier step.
When one of those values is missing, empty, expired, or mangled, Microsoft Entra ID cannot safely finish the sign-in step. At that point the service stops and returns the text “AADSTS90100: flowtoken parameter is empty or not valid” or a close variant that mentions ctx instead of flowtoken.
The important part: this message usually means the sign-in request is broken, not that your account is blocked or your password is wrong. Most users can clear it with a handful of local fixes, and admins can confirm the root cause in Microsoft Entra sign-in logs.
Typical places where this error shows up include:
- Microsoft 365 web portals — Pages such as
https://myapps.microsoft.comorhttps://portal.office.comafter account selection. - New Outlook and Office apps — A link from the app opens a browser window that immediately stops with the AADSTS90100 message.
- Custom or automated sign-ins — Scripts, JMeter plans, or test harnesses that replay Microsoft login flows without all required fields.
Why The FlowToken Parameter Is Empty Or Not Valid
Different setups can lead to the same error text. In practice, most situations fall into a few patterns that all break the internal flow token.
- Stale cookies and cached sign-in state — Long-running browser sessions can hold old cookies or local storage entries that no longer line up with current login pages. When the browser replays that stale state, the token that Microsoft expects is missing or does not match.
- Broken deep links from apps or email — Some apps pass a long login URL into the browser. If that URL is truncated by a line break, rewritten by a mail gateway, or changed by a plug-in, the browser may reach the login page without all the details required to build the flowtoken.
- New Outlook link handling quirks — Several users report that clicking account-related links inside the new Outlook interface opens a browser sign-in that fails with this error, while signing in directly from the portal works. That points to the way the app builds or encodes the link.
- Browser extensions or privacy tools — Ad blockers, script filters, or enterprise add-ons sometimes strip hidden form fields or block scripts on
login.microsoftonline.com, which can drop or alter the flowtoken. - Clock skew on the device — If a laptop clock drifts far from real time, short-lived tokens can age out almost instantly. The browser then sends what looks like an expired or invalid flowtoken back to the service.
- Automation that misses hidden parameters — Load tests or custom authentication clients that copy only part of the login form often leave out fields such as
flowtokenorctx. Azure then returns a 90100 error because the request does not match a valid step in the flow. - Certificate-based or federated setups — In certificate sign-in or SAML/WS-Fed scenarios, a mismatch between the posted assertion and the session context can trigger the same message.
When users see the text aadsts90100 flowtoken parameter is empty or not valid in different browsers and on different networks, that points more toward a configuration, policy, or app-level issue than a simple cookie glitch.
AADSTS90100 FlowToken Parameter Is Empty Or Not Valid Fixes For Users
If you just want to sign in and you do not manage the tenant, start with local fixes. These steps clear stale state, bypass broken links, and give Microsoft Entra ID a clean request.
- Sign In From A Known Portal — Close the error tab, open a new one, and go directly to
https://myapps.microsoft.comorhttps://portal.office.com. Sign in from there instead of from an app link or email button. - Use A Private Or InPrivate Window — Open a private browsing window, paste the portal URL, and try the sign-in there. Private mode ignores most existing cookies and local storage, which often clears flowtoken problems right away.
- Clear Microsoft Login Cookies — In your main browser, open the settings page for cookies and site data, and remove entries for
login.microsoftonline.com,login.live.com, andmicrosoft.com. Keep other cookies intact to avoid extra side effects. - Try Another Browser Or Device — Sign in from one other browser or from a phone on mobile data. If that works and your main browser still fails, the issue sits with its cache, plug-ins, or profile.
- Disable Aggressive Extensions Temporarily — Turn off ad blockers, script filters, and privacy extensions for the duration of the sign-in. Once you reach the target app or portal, you can turn them back on.
- Check Date And Time Settings — Make sure the device clock, time zone, and sync settings match your region. Turn on automatic time sync with an internet time source, then retry sign-in.
- Sign Out And Back In From The App — If the error appears when a local app launches the browser, sign out inside the app, close it fully, and start it again. Let the app prompt the standard Microsoft login rather than reusing a half-broken session.
If users in your company repeatedly hit aadsts90100 flowtoken parameter is empty or not valid while others sign in without trouble, local state on those machines is still the most likely cause. For readers who manage the tenant or the app, the next section goes deeper.
Quick Fix Table For Common User Scenarios
| Where You See The Error | Best First Action | Who Should Act |
|---|---|---|
| Browser after clicking a link in Outlook | Open portal URL in a private window and sign in there | End user |
| New Outlook when opening account pages | Sign in from myapps.microsoft.com, then retry link |
End user, then IT if it keeps happening |
| Scripted sign-in or load test step | Compare captured browser traffic to test script fields | Developer or test engineer |
| Every browser on one device | Fix clock, clear Microsoft cookies, try another network | End user with IT guidance |
Troubleshooting The FlowToken Flow For Admins And Developers
When this error shows up across many users, or inside automated flows, admins and developers need more than cache clears. The goal is to see which step in the sign-in breaks the flowtoken and why.
Use Microsoft Entra Sign-In Logs
- Open Sign-In Logs — In the Microsoft Entra admin center, go to the sign-in logs for users.
- Filter On Error Code 90100 — Add a filter for the error code, or search for the code text in the error details field.
- Check Patterns — Look for shared traits such as one application ID, one platform (mobile, browser), one network range, or a single Conditional Access policy tied to those failed attempts.
If every failed attempt maps to one application, focus efforts there. If all trouble starts after a certain policy rollout, review that policy’s requirements and any known notes from Microsoft about interaction with smart cards, certificates, or device compliance.
Capture A Browser Trace
- Record Network Traffic — Use the browser’s developer tools network tab or a tool such as Fiddler to record traffic while reproducing the error.
- Compare Good And Bad Runs — Capture one trace from a successful sign-in, and one from a failing sign-in, then compare the sequence of redirects and POST requests to
login.microsoftonline.com. - Inspect Hidden Fields — On the last POST before the error appears, expand the form data and confirm whether
flowtoken,ctx, and related fields are present and non-empty.
If the browser never sends flowtoken on the failing path, check for JavaScript errors, blocked scripts, or extensions that modify page content. When an intermediate proxy rewrites forms, review its rules to ensure it leaves Microsoft login fields untouched.
Review Automation, Load Tests, And Custom Clients
- Replay The Full Form — Make sure scripts that mimic a browser send all hidden form fields from the previous response, not just username and password.
- Correlate Dynamic Values — If you use tools such as JMeter, set up correlation rules that pull
flowtoken,ctx, and similar values from one response and send them unchanged on the next request. - Avoid Hand-Crafted Login Requests — When possible, rely on Microsoft authentication libraries instead of manually posting to login endpoints. Those libraries handle details around tokens, cookies, and redirects.
Check Federation And Certificate-Based Flows
- Validate SAML Or WS-Fed Assertions — Confirm that the identity provider sends a valid assertion with expected audience, timestamps, and name ID, and that the relying party trust matches those values.
- Review Certificate Mapping — In certificate-based sign-in, check that the certificate presented by the client maps correctly to an account and that any revocation checks succeed. Misaligned mapping can leave the service unable to match the current flowtoken with the account.
How To Capture Logs And Ask Microsoft For Help
Sometimes the tenant, not the endpoint or device, ends up at the center of the issue. In that case, pulling together clear data for Microsoft shortens the time to a fix.
Collect Details From The Error Page
- Copy Request And Correlation IDs — On the error page, click the “More details” link and copy the Request Id and Correlation Id fields, plus the timestamp.
- Note The Application And URL — Record which application the user tried to reach and the full browser address just before the error appeared.
- Grab Screenshots — Take a screenshot that shows the error text and the more details section, with any personal data redacted before you share it widely.
Export Logs And Open A Help Request
- Export Sign-In Logs — From the Microsoft Entra admin center, export sign-in entries that match the error, including success and failure entries around the same time window.
- Package Browser Traces — Save HAR files or Fiddler traces from at least one failing case and, if possible, one working case that targets the same app.
- Submit Through The Admin Portal — Use the Microsoft 365 or Azure portal’s built-in help entry points to raise a request, attach your logs, and mention that the error text is AADSTS90100 with missing or invalid flowtoken or ctx fields.
With that material, Microsoft engineers can trace the request across their internal layers and identify whether the issue links to a regional incident, a specific policy, or the way one app talks to the platform.
How To Reduce FlowToken Sign-In Errors Over Time
Once the immediate incident is under control, a few habits make this error far less likely to show up again across your tenant.
- Keep Browsers Fresh — Encourage users to update browsers, close long-running windows, and sign out of personal accounts before they work with corporate apps.
- Standardize Login Entry Points — Point staff toward a small set of trusted URLs such as
myapps.microsoft.comand your own branded portal, rather than deep links from messages that might change or expire. - Review Conditional Access Regularly — When you change policies, test sign-ins from different locations, device types, and sign-in methods to catch friction before a wide rollout.
- Audit Proxies And Rewrite Rules — Check that any reverse proxies, VPN appliances, email gateways, or security tools do not rewrite Microsoft login URLs or strip POST bodies on
login.microsoftonline.com. - Use Official Authentication Libraries — For custom apps, prefer Microsoft Authentication Library (MSAL) and related SDKs instead of raw HTTP calls to login endpoints, to keep up with protocol changes.
- Monitor Error Trends — Keep an eye on sign-in logs for spikes in error code 90100. Spikes near change windows give a clear signal that a new setting, deployment, or routing change needs attention.
With clear sign-in paths, modern browsers, reliable clocks, and carefully tested policies, the message “AADSTS90100 FlowToken Parameter Is Empty Or Not Valid” turns from a mysterious blocker into a rare edge case that is easier to diagnose and fix.
