Copilot Returns AADSTS9002313 Invalid Request: Causes and Fix

When you use Copilot in Microsoft 365, you may see the error AADSTS9002313 with the message Invalid Request. This error stops Copilot from generating responses, drafting documents, or accessing your data. The cause is almost always a malformed authentication token or a mismatch in the token request parameters sent by the client app to Azure Active Directory. This article explains why the token request fails and provides the exact steps to resolve the issue across browsers, desktop apps, and mobile devices.

Key Takeaways: Fixing AADSTS9002313 in Copilot

  • Clear browser cache and cookies: Stale or corrupted token data triggers the 9002313 error in Copilot web apps.
  • Use InPrivate or Incognito mode: Testing in a clean session isolates the issue without affecting saved credentials.
  • Reset the Microsoft Authenticator app: Corrupted device registration in Authenticator causes the error on mobile and desktop Copilot.

Why Copilot Shows AADSTS9002313 Invalid Request

The error code AADSTS9002313 indicates that Azure Active Directory received an authentication request with invalid or missing parameters. The most common root cause is a malformed token in the browser cache or a corrupted device registration in the Microsoft Authenticator app. When Copilot sends a request to Microsoft Graph, the token must include the correct audience claim for graph.microsoft.com, a valid nonce, and a properly formatted redirect URI. If any of these elements is wrong, AAD rejects the request with the 9002313 error.

Another frequent trigger is a mismatch in the authentication endpoint version. Copilot for Microsoft 365 uses the v2.0 endpoint by default. If a cached token from an older v1.0 endpoint is reused, the parameters do not match and the error appears. This happens after a Microsoft 365 tenant migration or after updating the Copilot app.

Token Cache Corruption in Browsers

Browsers store authentication tokens in local storage and cookies. When a token expires or becomes invalid, the browser may still send it to Azure AD. The server checks the token signature and claims, finds them invalid, and returns the 9002313 error. This is the most common cause for users accessing Copilot through the Microsoft 365 web portal or copilot.microsoft.com.

Corrupted Device Registration in Authenticator

On mobile devices and Windows desktops, the Microsoft Authenticator app manages device registration. If the registration data becomes corrupted after an app update or OS upgrade, Authenticator generates a malformed token request. Copilot then cannot authenticate and shows the Invalid Request error.

Steps to Clear Browser Cache and Fix the Error

Perform these steps in the exact order shown. Test Copilot after each step to see if the error is resolved.

  1. Sign out of all Microsoft 365 accounts in the browser
    Open the Microsoft 365 portal at office.com. Click your profile picture in the top right corner and select Sign out. Repeat for any other Microsoft accounts signed into the browser, such as personal Outlook or Xbox accounts.
  2. Clear browser cache and cookies for the last hour
    In Edge, click the three-dot menu > Settings > Privacy, search, and services > Choose what to clear. Set the time range to Last hour. Check Cached images and files and Cookies and other site data. Click Clear now. Do not clear passwords or autofill data.
  3. Close all browser windows and reopen
    Close every instance of the browser. Do not use the Restore previous session option. Open a new window and navigate to office.com.
  4. Sign in and test Copilot
    Sign in with your Microsoft 365 work or school account. Open a new Copilot chat by going to copilot.microsoft.com or by opening Copilot in Word or Teams. Send a test prompt such as Summarize the latest email from my manager. If the error does not appear, the problem was a corrupted token cache.

Steps to Reset Microsoft Authenticator and Fix the Error

If the error persists after clearing the browser cache, the device registration in the Authenticator app is likely corrupted. Complete these steps on the device where Copilot shows the error.

  1. Open Microsoft Authenticator and remove the work or school account
    Launch Authenticator on your phone or desktop. Tap the work or school account that is linked to your Microsoft 365 tenant. Tap the account name, then tap Remove account. Confirm the removal.
  2. Re-add the account to Authenticator
    In Authenticator, tap the plus icon or Add account. Select Work or school account. Sign in with your Microsoft 365 credentials. Complete the multi-factor authentication challenge if prompted. Allow the app to register the device again.
  3. Restart the device
    Restart your phone or Windows computer. This clears any leftover token fragments in memory.
  4. Open Copilot and test
    Launch the Copilot app or open Copilot in Microsoft 365. Send a test prompt. If the error is gone, the device registration was the cause.

If Copilot Still Shows the Error After the Main Fixes

Copilot Returns AADSTS9002313 Only in One Browser

The browser profile may have a corrupted extension or a proxy setting that modifies authentication headers. Create a new browser profile. In Edge, click the profile icon > Manage profile settings > Add profile. Set up a new profile with no extensions. Sign in and test Copilot. If the error disappears, remove the problematic extension from the original profile or reset the proxy settings to automatic detection.

Copilot Returns AADSTS9002313 on Mobile but Not Desktop

The mobile device may have a system date and time that is out of sync. An incorrect time causes the token timestamp to be invalid. On an iPhone, go to Settings > General > Date and Time and enable Set Automatically. On Android, go to Settings > System > Date and Time and enable Use network-provided time. Restart the device and test Copilot again.
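
The checks described in the cause section and above (audience claim for Microsoft Graph, a stale token, and timestamps that disagree with the device clock) can be run against a token's payload, as in this added example, which is not part of the original article. The function names, the 300-second skew allowance, and the sample tokens are constructed for illustration, the Graph application ID is supplied here rather than taken from the article, and the signature is not verified.

```python
import base64
import json
import time

# Audience values for Microsoft Graph: resource URI and well-known app ID.
GRAPH_AUDIENCES = {"https://graph.microsoft.com",
                   "00000003-0000-0000-c000-000000000000"}

def _enc(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_token(claims):
    """Build a constructed, unsigned JWT for demonstration only."""
    return _enc({"alg": "none", "typ": "JWT"}) + "." + _enc(claims) + ".constructed"

def inspect_token(token, now=None, skew=300):
    """Decode the payload WITHOUT verifying the signature; list problems."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return {"findings": ["malformed: expected three dot-separated parts"]}
    try:
        padded = parts[1] + "=" * (-len(parts[1]) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
        if not isinstance(claims, dict):
            raise ValueError("payload is not a JSON object")
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all land here
        return {"findings": ["malformed: payload is not base64url JSON"]}
    findings = []
    aud = str(claims.get("aud", "")).rstrip("/")
    if aud not in GRAPH_AUDIENCES:
        findings.append(f"audience is {aud!r}, not Microsoft Graph")
    if "exp" in claims and claims["exp"] < now - skew:
        findings.append("token expired")
    for name in ("nbf", "iat"):
        if name in claims and claims[name] > now + skew:
            findings.append(f"{name} is in the future: check the device clock")
    # 'ver' is reported for information; it is not treated as a failure here.
    return {"ver": claims.get("ver"), "aud": aud, "findings": findings}

NOW = 1_700_000_000  # constructed reference time (Unix seconds)
GOOD = make_sample_token({"aud": "https://graph.microsoft.com", "ver": "2.0",
                          "iat": NOW - 60, "nbf": NOW - 60, "exp": NOW + 3600})
STALE = make_sample_token({"aud": "https://outlook.office.com", "ver": "1.0",
                           "iat": NOW - 90000, "nbf": NOW - 90000, "exp": NOW - 86400})
SKEWED = make_sample_token({"aud": "https://graph.microsoft.com/", "ver": "2.0",
                            "iat": NOW + 7200, "nbf": NOW + 7200, "exp": NOW + 10800})

if __name__ == "__main__":
    for label, tok in (("good", GOOD), ("stale", STALE), ("skewed", SKEWED)):
        print(label, inspect_token(tok, now=NOW))
```

A token whose `iat` and `nbf` lie ahead of the local time is the signature of a device clock that is running behind, which is the condition the date and time settings above correct.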

Copilot Returns AADSTS9002313 After a Tenant Migration

If your organization migrated from Azure AD v1.0 to v2.0, cached tokens from the old endpoint cause the error. The IT administrator must clear all existing tokens for the tenant. Users can force a token refresh by running the following command in Windows PowerShell as an administrator:

    Clear-AzureADTokenCache -UserPrincipalName user@domain.com

After running the command, sign out of all Microsoft 365 apps, restart the device, and sign back in.

Copilot Error AADSTS9002313 vs AADSTS50058: Key Differences

| Item | AADSTS9002313 Invalid Request | AADSTS50058 Silent Login Failed |
|---|---|---|
| Description | Malformed or missing parameters in the authentication request | No valid token found in the cache and the silent login request failed |
| Root cause | Corrupted token cache, wrong endpoint version, or corrupted device registration | Session expired, multi-factor authentication required, or the user needs to re-authenticate interactively |
| Primary fix | Clear browser cache and cookies, then re-add the account in Authenticator | Sign out and sign back in interactively, or complete a multi-factor authentication challenge |
| User action required | Manual cache clearing and device re-registration | Interactive sign-in with MFA prompt |

Understanding the difference between these two errors helps you choose the correct fix. AADSTS9002313 always points to a malformed request, while AADSTS50058 points to a missing or expired session. If you see AADSTS50058 after fixing the 9002313 error, complete an interactive sign-in with multi-factor authentication to restore the session.

You can now resolve the AADSTS9002313 Invalid Request error in Copilot by clearing browser cache, resetting the Microsoft Authenticator device registration, or checking the system date and time. Start with the browser cache clearing steps because that is the most common cause. If the error persists after a tenant migration, ask your IT administrator to clear the Azure AD token cache for your account. Use the comparison table above to distinguish this error from other authentication failures and apply the correct fix faster.