Fix AADB2C90068: Azure AD B2C sign-in token validation error
Users hit AADB2C90068 when the token issuer doesn't match the expected value. The fix is correcting the issuer URL in your app or policy.
You're seeing AADB2C90068 and it's blocking sign-ins. Let's fix it.
This error means your application or Azure AD B2C policy expects the token issuer to be one thing, but the token comes from another. It's a mismatch in the issuer URL. The good news: it's a simple configuration fix.
Quick fix: Update the issuer URL
The error message usually tells you exactly what went wrong. Look for something like: "The provided token's issuer 'https://login.microsoftonline.com/...' does not match the expected issuer 'https://your-tenant.b2clogin.com/...'." That's your clue: the two URLs are compared as exact strings, so note the host, the path, and the trailing slash of each.
- Open your Azure AD B2C tenant in the Azure portal. Go to portal.azure.com, search for "Azure AD B2C", and select your tenant.
- Check your user flow or custom policy.
If you're using a user flow (built-in):
- Go to User flows and select the one you're testing.
- Click Properties.
- Find Token compatibility settings and look at the Issuer (iss) claim option. It controls the path of the issuer, either https://<domain>/<tenant-id>/v2.0/ or https://<domain>/tfp/<tenant-id>/<policy-name>/v2.0/, where <tenant-id> is the tenant's GUID. Pick the format your app expects.
- The <domain> part is not set here: it follows the endpoint your app sends users to. Requests through login.microsoftonline.com produce a login.microsoftonline.com issuer; requests through your-tenant.b2clogin.com produce a your-tenant.b2clogin.com issuer. The common mismatch is an app whose authority uses one host while its expected issuer names the other. If your app uses b2clogin.com, the issuer should look like https://your-tenant.b2clogin.com/<tenant-id>/v2.0/.
If you're using custom policies (recommended for complex scenarios):
- Open the file that defines the JWT token issuer technical profile, normally TrustFrameworkBase.xml.
- Search the ClaimsProviders section for the TechnicalProfile whose Protocol is OpenIdConnect and whose OutputTokenFormat is JWT (the JwtIssuer profile).
- In its Metadata, check the IssuanceClaimPattern item. AuthorityAndTenantGuid produces https://<domain>/<tenant-id>/v2.0/; AuthorityWithTfp produces https://<domain>/tfp/<tenant-id>/<policy-name>/v2.0/. Set it to the format your app expects. Example with the first pattern and a b2clogin.com host: https://your-tenant.b2clogin.com/12345678-1234-1234-1234-123456789012/v2.0/
- As with user flows, the host comes from the endpoint the app calls, so also confirm the app's authority URL uses the same host as its expected issuer.
- Save and upload the policy back to Azure AD B2C.
After making changes, go back to your sign-in page and test again. The error should disappear.
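Before you change anything, it helps to know exactly how the token's iss claim differs from what the app expects. The following is an added example, not code from this page's author or from Microsoft. It is stdlib-only Python that builds the issuer B2C emits for a given host and issuance pattern, decodes a token's payload, and reports whether the mismatch is the host, the trailing slash, or the tfp/non-tfp path format (the trailing-slash case from the variations section below is handled too). The tenant name, tenant ID, policy name and the sample token are constructed placeholders. Decoding here is inspection only; it does not verify the signature, which your real validator must still do against the tenant's JWKS.

```python
"""Diagnose an Azure AD B2C issuer (iss) mismatch offline. Added example; all
tenant values below are constructed placeholders, not real identifiers."""
import base64
import json
from urllib.parse import urlparse

TENANT_ID = "12345678-1234-1234-1234-123456789012"  # hypothetical tenant GUID
POLICY = "B2C_1_signupsignin"                       # hypothetical policy name


def expected_issuer(host, tenant_id, pattern="AuthorityAndTenantGuid", policy=None):
    """Return the iss value B2C emits for an endpoint host and an
    IssuanceClaimPattern value:
      AuthorityAndTenantGuid -> https://{host}/{tenant-id}/v2.0/
      AuthorityWithTfp       -> https://{host}/tfp/{tenant-id}/{policy}/v2.0/
    """
    if pattern == "AuthorityAndTenantGuid":
        return f"https://{host}/{tenant_id}/v2.0/"
    if pattern == "AuthorityWithTfp":
        if not policy:
            raise ValueError("AuthorityWithTfp needs the policy name")
        return f"https://{host}/tfp/{tenant_id}/{policy}/v2.0/"
    raise ValueError(f"unknown IssuanceClaimPattern {pattern!r}")


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Decode the payload of a compact JWT. Inspection only: the signature is
    NOT checked, so never treat the result as a validated token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_issuer(token, expected):
    """Compare the token's iss with the app's expected issuer exactly, as a
    validator does, and classify the mismatch so you know what to fix."""
    actual = jwt_claims(token).get("iss")
    if actual is None:
        return {"ok": False, "reason": "token has no iss claim"}
    if actual == expected:
        return {"ok": True, "reason": "exact match", "actual": actual, "expected": expected}
    a, e = urlparse(actual), urlparse(expected)
    if a.netloc != e.netloc:
        reason = f"host differs: token {a.netloc!r}, app expects {e.netloc!r}"
    elif a.path.rstrip("/") == e.path.rstrip("/"):
        reason = "only the trailing slash differs; copy the exact value into the app"
    elif "/tfp/" in a.path or "/tfp/" in e.path:
        reason = "issuance pattern differs (AuthorityWithTfp vs AuthorityAndTenantGuid)"
    else:
        reason = f"path differs: token {a.path!r}, app expects {e.path!r}"
    return {"ok": False, "reason": reason, "actual": actual, "expected": expected}


def make_unsigned_token(claims):
    """Constructed sample token (alg 'none', empty signature) for offline tests.
    A real B2C token is RS256-signed; this only mimics the payload layout."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # App expects the b2clogin.com issuer but the token came via login.microsoftonline.com.
    app_expects = expected_issuer("contoso.b2clogin.com", TENANT_ID)
    token = make_unsigned_token({
        "iss": expected_issuer("login.microsoftonline.com", TENANT_ID),
        "aud": "00000000-0000-0000-0000-000000000000",  # hypothetical client ID
        "tfp": POLICY,
    })
    print(diagnose_issuer(token, app_expects))
```

Run it against a real token by replacing the constructed one; the "host differs" result points at the authority/endpoint host, the trailing-slash result at a copy-paste error in app configuration, and the pattern result at the Issuer (iss) claim setting or IssuanceClaimPattern.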
Why this happens
Azure AD B2C issues tokens from two hostnames: login.microsoftonline.com (older) and your-tenant.b2clogin.com (newer, recommended). The host in the token's issuer claim follows the endpoint the app used to start sign-in, and the path follows the issuer format configured in the user flow or custom policy. Your application code might hardcode the other hostname, or you changed the hostname or issuer format on one side and forgot to update the other. The error fires when the token's issuer claim doesn't exactly match what the app expects during validation.
The real fix is making sure both sides agree. You can either:
- Change the app's expected issuer to match the token, or
- Change the token issuer in the policy or user flow to match the app.
I prefer standardizing on b2clogin.com — it's more reliable and gives you better control over the domain. Microsoft recommends it too.
Less common variations of the same issue
Issue: The issuer URL has a trailing slash or wrong version
Sometimes the issuer ends with /v2.0 and the app expects /v2.0/, or the other way round. Token validators compare the issuer as an exact string, so a single missing slash causes AADB2C90068. Check both sides: copy the exact URL from the token error message (or from the iss claim of a decoded token) and paste it into your app's configuration.
Issue: Token validation happens in a different app (like an API)
You might have a web app that authenticates users, but the actual token validation happens in a separate API. That API has its own expected issuer and validates the same B2C token independently. Update the API's settings to match the B2C token issuer, not just the web app's.
Issue: Custom policies with multiple technical profiles
If you have multiple technical profiles that issue tokens (for example one per relying-party policy), each one must produce the issuer format the corresponding app expects. A common mistake is copying a policy from one tenant to another and leaving the app's expected issuer pointing at the old tenant's GUID; the tenant ID is part of the issuer path, so it changes with the tenant. Always double-check after cloning.
Issue: Stale tokens from cache
After you fix the issuer, users who still have old tokens in their browser cache might see the error if the token's issuer no longer matches. Clear the browser cache or have users sign out completely and back in.
Prevention
Standardize on b2clogin.com from day one
When you create a new Azure AD B2C tenant, configure your apps to use https://your-tenant.b2clogin.com as the authority for sign-in, and set their expected issuer to the matching https://your-tenant.b2clogin.com/<tenant-id>/v2.0/ value. Avoid mixing hostnames between app and policy.
Test token validation with a tool
Before you roll out to users, decode a token from a test account at jwt.ms and check the iss claim. It should match exactly what your app expects, slash for slash. If it doesn't, fix it before deployment. Use test accounts for this rather than pasting a live user's token into a browser tool.
Use the same issuer across all environments
If you have dev, test, and production tenants, keep the issuer format consistent. For example, always use https://{tenant}.b2clogin.com/{tenant-id}/v2.0/. That way, when you move a policy from dev to prod, you only update the tenant name, not the issuer structure.
Document the issuer in your app's readme
Write down the exact issuer URL next to the setting in your app's configuration file, and include it in your deployment checklist. This keeps your team from guessing later.
One last thing: If you changed the issuer in the Azure portal but the error persists, wait a few minutes. Azure AD B2C can take up to 5 minutes to propagate the change. Try again after that.
That's it. AADB2C90068 is almost always an issuer mismatch. Align the two sides and you're good. If the error still shows up after the steps above, check the app registration's manifest for any custom token settings; that's a deep cut, but it's caught me before.