Learn how to fix AADSTS90023 and AADSTS9001026 errors in Microsoft Teams guest sign-ins on Mobile apps. Step-by-step Azure AD solutions.
Microsoft Teams guest access usually works smoothly – until it doesn’t. One of the most frustrating problems administrators and users encounter is the AADSTS90023 or AADSTS9001026 error, especially when a guest user attempts to sign in using the Teams mobile app (Android).
In this article, we’ll break down:
- What AADSTS90023 and AADSTS9001026 actually mean
- Why the issue mostly affects Teams mobile guest users
- Why it works on Teams Web but fails on mobile
- Practical step-by-step fixes you can try today
- When and how to escalate to Microsoft Support
This guide is based on real tenant scenarios, not theory.
What Is AADSTS90023?
AADSTS90023: “The request is not valid. An error occurred while processing the incoming message.”
This error occurs when Azure Active Directory (Entra ID) fails to validate an authentication token during sign-in. In guest scenarios, it typically means:
- The token belongs to a different tenant
- The token is cached or outdated
- The target tenant doesn’t trust the identity provider
- The refresh token contains policy-only claims that don’t match the tenant
This is very common in B2B (guest) authentication flows.
What Is AADSTS9001026?
AADSTS9001026: The request was denied because the token came from an identity provider that the target tenant doesn’t trust.
In simple terms:
Azure AD received a token, but it doesn’t match what the tenant expects.
This often appears together with AADSTS90023, especially on mobile devices.
Why This Happens Mostly on the Teams Mobile App
Many admins notice an important clue:
- Teams Web works
- Teams Android app fails
This is not a coincidence.
Why Web Works
- Teams Web uses a more flexible authentication flow
- Tokens are refreshed more aggressively
- Cross-tenant guest redirects are handled better
Why Mobile Fails
- Teams mobile stores tokens locally
- Old or conflicting tokens aren’t always cleared
- Tenant switching is more fragile for guest accounts
- Android is especially sensitive to token cache corruption
Common Scenario Where This Error Appears
- You have an Azure AD app using OAuth 2.0 Authorization Code Flow
- It works for:
  - Internal users
  - Test tenants
- It fails when:
  - A customer or guest tenant tries to refresh tokens
  - A Teams guest user selects your organization on mobile
Even deleting and re-inviting the guest often does not fix it, because the issue lives in token validation—not the user object.
Fixes to Try (In Order)
1. Check Microsoft Authenticator for Conflicting Tokens
Multiple or outdated MFA entries are a major cause of this issue.
What to do:
- Open Microsoft Authenticator
- Remove:
  - Duplicate work/school accounts
  - Old guest tenant entries
- Keep only the active account
- Re-add the account if necessary
2. Force a Token Refresh Using Edge Mobile
This is one of the most reliable fixes.
Steps:
- Install Microsoft Edge on the mobile device
- Open the guest invitation link in Edge (not Teams)
- Sign in fully and accept tenant access
- Close Edge
- Open the Teams app again
This forces Azure AD to issue fresh tokens.
3. Sign In Using Incognito / InPrivate Mode
This helps confirm whether the issue is with cached tokens.
Steps:
- Open Edge or Chrome
- Use InPrivate / Incognito mode
- Sign in to Teams Web
- Switch to the guest tenant
If this works, the problem is almost certainly token caching.
4. Remove and Re-Add the Guest Account (Both Sides)
If possible:
- Ask the resource tenant admin to:
  - Remove the guest user from Entra ID
  - Wait 24–48 hours
  - Send a new invitation
- Accept the invitation from a mobile browser first (not the app)
This resets the guest object and trust relationship.
5. Review Conditional Access Policies
Conditional Access is often overlooked.
Check if:
- Mobile access is restricted
- Guest users are blocked on unmanaged devices
- MFA rules differ between web and mobile
Even if other guests work, policy targeting may differ.
6. Try Another Mobile Device
This helps rule out:
- Device-level token corruption
- Android OS account conflicts
If it works on another device, the issue is local – not tenant-wide.
Why Reinstalling Teams Often Doesn’t Help
Uninstalling Teams:
- Does not fully clear Azure AD tokens
- Does not reset device-level authentication state
That’s why the problem often persists even after reinstalling.
Microsoft Authenticator: Why It Helps
Setting up Microsoft Authenticator does more than MFA.
It:
- Refreshes authentication tokens
- Aligns identity trust between tenants
- Satisfies Conditional Access requirements
- Reduces mobile-specific token failures
How to Set It Up
- Install Microsoft Authenticator
- Add a Work or School account
- Sign in using the same credentials as Teams
- Approve sign-in requests when prompted
Official guide: Microsoft Authenticator setup guide
When You Need to Escalate to Microsoft
If all steps above fail, this is likely a backend issue.
As admins, we do not have visibility into:
- Token validation pipelines
- Cross-tenant trust failures
- Internal AAD policy enforcement
How to Escalate
Go to:
Microsoft 365 Admin Center -> Support -> Help & Support
Include:
- Error codes (AADSTS90023 / AADSTS9001026)
- Device type (Android)
- Guest tenant ID
- Timestamp of the failure
- Confirmation that Teams Web works
Microsoft Support is the only escalation path for this class of issue.
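The details listed above can be pulled from exported Entra ID sign-in logs. The following is an added example, not part of the original article: it assumes records shaped like Microsoft Graph `signIn` entries, uses constructed sample data, and `build_escalation_summary` is a hypothetical helper name.

```python
import json
from collections import defaultdict

GUEST_ERRORS = {90023, 9001026}  # the two AADSTS codes covered in this article

# Constructed sample records (not real log data), shaped like Graph signIn entries.
SAMPLE_LOG = json.loads("""[
 {"createdDateTime": "2024-05-02T09:14:07Z", "userPrincipalName": "guest@partner.example",
  "clientAppUsed": "Mobile Apps and Desktop clients", "conditionalAccessStatus": "notApplied",
  "correlationId": "00000000-0000-0000-0000-000000000001",
  "deviceDetail": {"operatingSystem": "Android"}, "status": {"errorCode": 90023}},
 {"createdDateTime": "2024-05-02T09:15:30Z", "userPrincipalName": "guest@partner.example",
  "clientAppUsed": "Mobile Apps and Desktop clients", "conditionalAccessStatus": "notApplied",
  "correlationId": "00000000-0000-0000-0000-000000000002",
  "deviceDetail": {"operatingSystem": "Android"}, "status": {"errorCode": 9001026}},
 {"createdDateTime": "2024-05-02T09:20:11Z", "userPrincipalName": "guest@partner.example",
  "clientAppUsed": "Browser", "conditionalAccessStatus": "success",
  "correlationId": "00000000-0000-0000-0000-000000000003",
  "deviceDetail": {"operatingSystem": "Windows"}, "status": {"errorCode": 0}},
 {"createdDateTime": "2024-05-02T10:02:45Z", "userPrincipalName": "staff@contoso.example",
  "clientAppUsed": "Mobile Apps and Desktop clients", "conditionalAccessStatus": "success",
  "correlationId": "00000000-0000-0000-0000-000000000004",
  "deviceDetail": {"operatingSystem": "Android"}, "status": {"errorCode": 0}}
]""")

def build_escalation_summary(records, codes=GUEST_ERRORS):
    """Per user: failures with the given codes, plus whether a browser sign-in succeeded."""
    summary = defaultdict(lambda: {"failures": [], "web_works": False})
    for r in records:
        user = r.get("userPrincipalName", "unknown").lower()
        code = r.get("status", {}).get("errorCode")
        client = r.get("clientAppUsed", "")
        if code in codes:
            summary[user]["failures"].append({
                "error": f"AADSTS{code}",
                "timestamp": r.get("createdDateTime"),
                "device": r.get("deviceDetail", {}).get("operatingSystem", "unknown"),
                "client": client,
                "correlationId": r.get("correlationId"),
                "conditionalAccess": r.get("conditionalAccessStatus"),
            })
        elif code == 0 and client == "Browser":
            summary[user]["web_works"] = True  # evidence that Teams Web works
    # Only users who actually hit one of the errors belong in a support ticket.
    return {u: s for u, s in summary.items() if s["failures"]}

if __name__ == "__main__":
    print(json.dumps(build_escalation_summary(SAMPLE_LOG), indent=2))
```

The guest tenant ID is not read from these records and still has to be added to the ticket by hand.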
Final Thoughts
AADSTS90023 and AADSTS9001026 are not simple sign-in errors – they are cross-tenant token validation failures, and Teams mobile is where they appear most frequently.
The good news:
- The issue is well-understood
- In many cases, token refresh via Edge or Authenticator fixes it
- When it doesn’t, Microsoft Support is the correct next step
If you’re managing guest access at scale, understanding how Azure AD handles mobile tokens will save you hours of frustration.