The AADSTS900561 Error means Azure AD expected a POST sign-in request but received a GET one, so fixing that mismatch lets the login succeed.
What The AADSTS900561 Error Means
The AADSTS900561 Error shows during Microsoft sign-in when Azure Active Directory, now called Microsoft Entra ID, receives the wrong HTTP method for a secure endpoint. The page usually says “The endpoint only accepts POST requests. Received a GET request,” along with a request Id, correlation Id, and a timestamp.
In practice, the login flow should send a POST request with credentials or tokens in the request body. Something along the path turns that call into a GET request, so the token service rejects it instead of issuing access tokens. That is why the page appears even though your username and password might be correct.
You can see this message with Outlook.com, OneDrive, Microsoft 365 work or school accounts, Xbox sign-in in a browser, and custom business apps that rely on Microsoft Entra ID. The pattern stays the same for all of them: the secure endpoint accepts POST only, the client sends GET, and the sign-in attempt stalls until that mismatch is cleared.
Error Code AADSTS900561 Fix Steps For Regular Users
If you reach this screen while signing in through a browser, you can try several safe checks before you ask an administrator for help. These steps touch only your browser and device, so mail, files, and games stored in the cloud remain unchanged.
- Reload the sign-in page — Use a hard refresh such as Ctrl+F5 so the page loads again without stale cache data that might replay a broken request.
- Use an official login link — Open the service from its own home page or from https://login.microsoftonline.com instead of an old bookmark, email link, or shortcut saved years ago.
- Try a different browser — Switch to Edge, Chrome, Firefox, or Safari and test sign-in there to see whether the code appears only in one browser.
- Clear Microsoft cookies — Remove cookies for domains such as login.microsoftonline.com, live.com, and office.com so the sign-in flow starts as if it were the first visit.
- Allow third-party cookies for Microsoft pages — Many Microsoft sign-in flows rely on cookies from related domains; blocking them can break POST-based login traffic and trigger this error.
- Disable strict browser extensions — Turn off ad blockers, privacy filters, VPN plug-ins, and script blockers for a moment, then retry the sign-in to see whether one of them rewrites the request.
- Restart the device — A full restart closes stuck browser processes and background helpers that might hold on to a half-baked session.
When one browser starts working again while another still shows the code, the issue often sits with cache, cookies, or an add-on in the broken browser. You can keep using the working one for daily tasks and clean up the stubborn browser later when you have spare time.
Error Code AADSTS900561 Fix Steps For Admins And Developers
Admins and developers see this code when an app that uses Microsoft Entra ID sends the wrong HTTP method toward a token or logout endpoint. For OpenID Connect and OAuth flows, POST is expected for token redemption and certain logout calls, but a custom client, reverse proxy, or script can change that method to GET on the way out.
- Check the authentication flow — Confirm that the app follows a documented flow such as the authorization code flow or device code flow and that each token request uses POST instead of GET.
- Review redirect and reply URLs — In the app registration, match redirect URIs and reply URLs exactly to deployed hosts and paths, and remove legacy URLs that point to pages which trigger GET traffic toward token endpoints.
- Rely on official Microsoft libraries — Use MSAL and related SDKs where possible so parameter layout, token endpoints, and HTTP methods line up with current Microsoft guidance.
- Inspect reverse proxies and gateways — Check whether web application firewalls, proxies, or API gateways rewrite POST to GET during inspection, logging, or caching of outbound calls.
- Verify single-page app routing — Make sure SPA frameworks such as Angular or React do not intercept the authorization response and reissue it as a GET request toward the token endpoint.
- Log HTTP method and endpoint safely — Add logging around authentication calls that records the HTTP method, target URL, and status code without storing credentials, auth codes, or tokens.
Once the app sends a clean POST request to the correct Microsoft endpoint, AADSTS900561 stops and users receive their tokens as expected. If the problem returns, compare working and broken traces side by side and look for places where the method or path changes in one trace only.
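The logging and trace-comparison steps above can be sketched as follows. This is an added example, not code from Microsoft or from any app discussed here; the hop names, the `TENANT_ID` placeholder, the status codes, and the sample traces are constructed for illustration.

```python
from urllib.parse import urlsplit

# Parameter names that belong in a POST body, never in a URL.
SENSITIVE_KEYS = {"code", "client_secret", "id_token", "access_token",
                  "refresh_token", "client_assertion"}

def safe_record(hop, method, url, status):
    """Keep method, host, path and status. Query values and the fragment are
    dropped; only parameter names survive, so a secret in the URL is visible
    in the log without being stored."""
    parts = urlsplit(url)
    keys = sorted({p.split("=", 1)[0] for p in parts.query.split("&") if p})
    return {"hop": hop, "method": method.upper(), "host": parts.hostname,
            "path": parts.path, "query_keys": keys, "status": status}

def url_secret_keys(record):
    """Sensitive parameter names that appeared in the URL instead of the body."""
    return [k for k in record["query_keys"] if k in SENSITIVE_KEYS]

def first_divergence(working, broken):
    """First hop where method or path differs between two traces, or None."""
    for good, bad in zip(working, broken):
        for field in ("method", "path"):
            if good[field] != bad[field]:
                return (good["hop"], field, good[field], bad[field])
    return None

# Constructed traces: the same token call seen at the app and at a proxy.
TOKEN_URL = "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token"
WORKING = [safe_record("app", "POST", TOKEN_URL, 200),
           safe_record("proxy", "post", TOKEN_URL, 200)]
BROKEN = [safe_record("app", "POST", TOKEN_URL, 400),
          safe_record("proxy", "GET",
                      TOKEN_URL + "?code=SAMPLE_CODE&client_secret=SAMPLE_SECRET#frag",
                      400)]

if __name__ == "__main__":
    print(first_divergence(WORKING, BROKEN))  # hop where POST became GET
    print(url_secret_keys(BROKEN[1]))         # secrets that moved into the URL
```
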
Common Ways Error Code AADSTS900561 Shows Up
Across Microsoft Q&A threads and vendor articles, the same patterns appear again and again. Matching your own case to one of these patterns saves time because you can head straight to the most likely fix instead of guessing in the dark.
| Where You See The Error | Likely Root Cause | Who Usually Fixes It |
|---|---|---|
| Outlook.com, OneDrive, consumer Microsoft account sign-in in a browser | Old bookmark, strict cookie settings, or a privacy add-on that alters login requests | End user adjusts browser settings, clears cookies, or switches browser |
| Microsoft 365 work or school sign-in | Blocked third-party cookies, saved legacy portal link, or tenant sign-in page changes | End user starts with browser fixes, admin checks tenant sign-in logs |
| Custom web app or API using Microsoft Entra ID | App sends GET to /token, proxy rewrites POST to GET, or wrong redirect URI | Developer updates code and proxy rules |
| Third-party SaaS product linked to Microsoft accounts | SaaS vendor uses outdated Microsoft sign-in endpoints or custom scripts for logout | Vendor updates integration; admin may open a ticket with that vendor |
Use the table as a quick map. If your issue lines up with one of the rows, start with the fixes in that row before you move to deeper network or tenant checks.
Why The Endpoint Only Accepts POST Requests
Azure AD limits token and credential handling endpoints to POST because those calls carry sensitive data. When a client trades an authorization code for tokens, the request body can include long strings, client secrets, and other fields that should not sit in URLs or referrer headers.
POST also matches the usual shape of OAuth 2.0 and OpenID Connect traffic. In these protocols, GET works well for public configuration and initial authorization requests, while POST takes care of state-changing token work. When a client sends GET instead of POST to a token endpoint, the token service treats that call as malformed and responds with codes such as AADSTS900561 instead of trying to guess the intent.
This strict behavior guards against tokens leaking into browser history, network appliances, and logging systems that record URLs. It also gives admins a clear signal that something in the client or the network path bends the method in a way the identity platform does not accept.
Keeping Error Code AADSTS900561 Away Next Time
Once the immediate problem is gone, a few small habits and design choices can reduce the chance of seeing this sign-in code again. The goal is simple: keep token calls on POST, keep login links current, and avoid hidden middle layers that rewrite requests in strange ways.
- Standardize on modern sign-in libraries — Use Microsoft identity libraries such as MSAL in new projects so the HTTP methods and endpoints follow current patterns without custom hacks.
- Phase out legacy login links — Replace very old bookmarks, desktop shortcuts, and intranet buttons that still point at retired Microsoft login pages.
- Document safe browser settings — Give staff a short note on cookie rules, allowed extensions, and browser versions that work well with Microsoft sign-in.
- Watch sign-in error trends — Use Entra ID reports or central logs to spot spikes in AADSTS900561, then trace them back to a specific app, proxy, or new policy.
- Test new apps from several networks — Before wide rollout, test sign-in from home, office, guest Wi-Fi, and mobile hotspots to catch gateways that tamper with POST calls.
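One way to watch for the spikes mentioned in the list above, as an added example that is not taken from Microsoft tooling. It assumes sign-in records exported as JSON with the `appDisplayName`, `createdDateTime`, and `status.errorCode` fields; the app names, timestamps, and thresholds are constructed.

```python
import statistics
from collections import Counter
from datetime import datetime

ERROR_CODE = 900561  # numeric part of AADSTS900561

def hourly_counts(records):
    """Count AADSTS900561 failures per (app, hour bucket)."""
    counts = Counter()
    for r in records:
        if r.get("status", {}).get("errorCode") != ERROR_CODE:
            continue
        ts = datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00"))
        counts[(r["appDisplayName"], ts.strftime("%Y-%m-%dT%H"))] += 1
    return counts

def spikes(records, factor=3, floor=5):
    """Flag (app, hour, count) when the count reaches `floor` and exceeds
    `factor` times the median of that app's other hours. Hours with zero
    failures are absent from the data, so the baseline leans high."""
    counts = hourly_counts(records)
    flagged = []
    for (app, hour), n in sorted(counts.items()):
        others = [c for (a, h), c in counts.items() if a == app and h != hour]
        baseline = statistics.median(others) if others else 0
        if n >= floor and n > factor * baseline:
            flagged.append((app, hour, n))
    return flagged

def sample_rows(app, hour, n, code=ERROR_CODE):
    """Build n constructed sign-in records for one app within one hour."""
    return [{"appDisplayName": app,
             "createdDateTime": f"2024-01-15T{hour:02d}:{m:02d}:00Z",
             "status": {"errorCode": code}} for m in range(n)]

# Constructed data: one app jumps from 1 failure per hour to 8.
SAMPLE = (sample_rows("Contoso Portal", 9, 1) + sample_rows("Contoso Portal", 10, 1)
          + sample_rows("Contoso Portal", 11, 8) + sample_rows("HR App", 10, 2)
          + sample_rows("HR App", 11, 6, code=0))  # successful sign-ins, ignored

if __name__ == "__main__":
    for app, hour, n in spikes(SAMPLE):
        print(f"{app}: {n} AADSTS900561 failures in hour {hour}")
```
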
For regular users, the habits are even simpler: start sign-in from official pages, avoid very old shortcuts, keep browsers up to date, and use only a small set of trusted extensions. With those basics in place, the AADSTS900561 Error should show up only rarely, and when it does, both you and your admins will have a clear path to fix it.
