Entra External ID - Native Authentication - Sign Up Flow - AADSTS55200: The continuation_token is invalid

Question

Entra External ID - Native Authentication - Sign Up Flow - AADSTS55200: The continuation_token is invalid

HA 0

Got an error when trying to issue an access token after a user was created in Entra External ID.

{
    "error": "invalid_request",
    "error_description": "AADSTS55200: The continuation_token is invalid. Trace ID: c8625f72-8930-48c9-9841-6d91b3330e00 Correlation ID: cdde90f4-c2fd-4206-a24e-b3662a45e8a2 Timestamp: 2026-05-05 16:34:44Z",
    "error_codes": [
        55200
    ],
    "timestamp": "2026-05-05 16:34:44Z",
    "trace_id": "c8625f72-8930-48c9-9841-6d91b3330e00",
    "correlation_id": "cdde90f4-c2fd-4206-a24e-b3662a45e8a2"
}

Created the user using the following sign-up flow:

https://learn.microsoft.com/en-us/entra/identity-platform/reference-native-authentication-api?tabs=emailOtp#api-reference-for-sign-up

POST /signup/v1.0/start (OK)

POST /signup/v1.0/challenge (OK)

POST /signup/v1.0/continue (OK)

POST /oauth2/v2.0/token (FAILED)

Content-Type: application/x-www-form-urlencoded

client_id: [client ID]

continuation_token: [continuation token from previous endpoint]

grant_type: password

password: [password]

scope: [list of scopes]

Sridevi Machavarapu 29,290 Reputation points Microsoft External Staff Moderator

2026-05-05T17:29:04.27+00:00

Hello HA,

This error means the continuation_token sent in the final token request is not valid in Microsoft Entra External ID native authentication flow.

In this flow, the continuation_token is short-lived, single-use, and bound to the current transaction. Each step returns a new token, and only the latest one is accepted.

If the token provided in the final request does not match the most recent step (for example, if it comes from an earlier response, has expired, or was already used), the service returns AADSTS55200.

This behavior is expected as part of how the native sign-up flow maintains state and security across requests.
HA 0 Reputation points

2026-05-05T17:37:00.09+00:00

Hi @Sridevi Machavarapu ,

Still got the same error. Exactly copied the continuation token returned by the endpoint below. Also made sure that it was never used and used it within seconds it was returned.

POST /signup/v1.0/continue

Was able to issue an access token from the sign-in flow but not from the sign-up flow.
Sridevi Machavarapu 29,290 Reputation points Microsoft External Staff Moderator

2026-05-05T17:40:53.98+00:00

Hello HA,

Thanks for confirming. Since the continuation_token is being used immediately and not reused, this doesn’t look like an expiry issue.

In the native authentication flow, the continuation_token returned during sign-up (including /signup/v1.0/continue) is used to complete the registration process, but it isn’t always valid for direct token issuance with grant_type=password.

This is why the sign-in flow works for token generation, while the sign-up flow does not. After completing sign-up, a separate sign-in flow is typically required to obtain an access token.
HA 0 Reputation points

2026-05-05T17:46:11.26+00:00

Hi @Sridevi Machavarapu ,

Thanks for the quick response. Do you know how I would issue an access token during the sign-up flow as per the article below?

https://learn.microsoft.com/en-us/entra/identity-platform/reference-native-authentication-api?tabs=emailOtp#api-reference-for-sign-up
Sridevi Machavarapu 29,290 Reputation points Microsoft External Staff Moderator

2026-05-05T17:55:01.0833333+00:00

Hello HA,

Thanks for sharing the screenshot.

You’re correct that the /oauth2/v2.0/token call should use the continuation_token from the last /signup/v1.0/continue call. This is supported in Microsoft Entra External ID** native authentication**.

This works only when the /signup/v1.0/continue step has fully completed the sign-up flow.

Even if /continue returns success, it can still represent an intermediate state if any required input or validation is still pending. In such cases, the continuation_token returned will not be accepted by the token endpoint, which results in AADSTS55200.

Only the continuation_token from the final completed state of the sign-up flow can be used to successfully issue an access token.
HA 0 Reputation points

2026-05-05T18:01:37.0233333+00:00

Hi @Sridevi Machavarapu ,

Do you know how to determine whether the sign-up flow have reached the 'final completed state' so the continuation token can be used to issue an access token?
Sridevi Machavarapu 29,290 Reputation points Microsoft External Staff Moderator

2026-05-05T18:42:41.29+00:00

Hello HA,

You can determine this from the response of the /signup/v1.0/continue call. A 200 OK alone does not mean the flow is complete.

If the response still includes additional steps (such as required actions, challenges, or missing attributes), then the flow is still in progress.

The flow is considered complete only when the response indicates that all requirements are satisfied and no further steps are returned.

Only the continuation_token from that final state can be used successfully with /oauth2/v2.0/token.
HA 0 Reputation points

2026-05-05T19:13:39.4966667+00:00

Hi @Sridevi Machavarapu ,The /signup/v1.0/continue call only returned the continuation token.

Don't see any other challenges. Also checked Entra External ID and the user is created with the expected attributes. Don't see any other actions that needed to be performed in the sign-up flow article. Was able to sign in with the newly created user using the sign-in flow.

The only action that is left is to issue the access token. However, keep getting the same error below.

Don't think there's any other steps I could take or action after the /signup/v1.0/continue call as per the diagram below.
Sridevi Machavarapu 29,290 Reputation points Microsoft External Staff Moderator

2026-05-06T00:37:17.97+00:00
Hello HA,

Thanks for sharing the detailed screenshots.

From your flow, the key point is how the password step is handled before calling the token endpoint.

After OTP verification, the sign-up flow can still require a credential step (password) to complete the transaction. This is reflected in the optional steps in the flow (credential_required → password challenge → submit password). Until this step is completed through /signup/v1.0/continue, the flow is not in a final state for token issuance.

In your case:

/signup/v1.0/continue with grant_type=oob completes OTP

The response returns a continuation_token, but this can still represent a state where credentials are expected next

The password is then sent directly to /oauth2/v2.0/token, which skips the expected step in the sign-up flow

Because of this, the continuation_token is not in the correct state for the token endpoint and is rejected with AADSTS55200.

For sign-up based token issuance, the password must be completed within the sign-up flow using /signup/v1.0/continue. The token endpoint works only after all required steps are completed within the flow in Microsoft Entra External ID** native authentication**.

1 answer

Your answer

Sridevi Machavarapu 29,290 Reputation points Microsoft External Staff Moderator

2026-05-05T17:29:04.27+00:00

Hello HA,

This error means the continuation_token sent in the final token request is not valid in Microsoft Entra External ID native authentication flow.

In this flow, the continuation_token is short-lived, single-use, and bound to the current transaction. Each step returns a new token, and only the latest one is accepted.

If the token provided in the final request does not match the most recent step (for example, if it comes from an earlier response, has expired, or was already used), the service returns AADSTS55200.

This behavior is expected as part of how the native sign-up flow maintains state and security across requests.
HA 0 Reputation points

2026-05-05T17:37:00.09+00:00

Hi @Sridevi Machavarapu ,

Still got the same error. Exactly copied the continuation token returned by the endpoint below. Also made sure that it was never used and used it within seconds it was returned.

POST /signup/v1.0/continue

Was able to issue an access token from the sign-in flow but not from the sign-up flow.
Sridevi Machavarapu 29,290 Reputation points Microsoft External Staff Moderator

2026-05-05T17:40:53.98+00:00

Hello HA,

Thanks for confirming. Since the continuation_token is being used immediately and not reused, this doesn’t look like an expiry issue.

In the native authentication flow, the continuation_token returned during sign-up (including /signup/v1.0/continue) is used to complete the registration process, but it isn’t always valid for direct token issuance with grant_type=password.

This is why the sign-in flow works for token generation, while the sign-up flow does not. After completing sign-up, a separate sign-in flow is typically required to obtain an access token.
HA 0 Reputation points

2026-05-05T17:46:11.26+00:00

Hi @Sridevi Machavarapu ,

Thanks for the quick response. Do you know how I would issue an access token during the sign-up flow as per the article below?

https://learn.microsoft.com/en-us/entra/identity-platform/reference-native-authentication-api?tabs=emailOtp#api-reference-for-sign-up
Sridevi Machavarapu 29,290 Reputation points Microsoft External Staff Moderator

2026-05-05T17:55:01.0833333+00:00

Hello HA,

Thanks for sharing the screenshot.

You’re correct that the /oauth2/v2.0/token call should use the continuation_token from the last /signup/v1.0/continue call. This is supported in Microsoft Entra External ID** native authentication**.

This works only when the /signup/v1.0/continue step has fully completed the sign-up flow.

Even if /continue returns success, it can still represent an intermediate state if any required input or validation is still pending. In such cases, the continuation_token returned will not be accepted by the token endpoint, which results in AADSTS55200.

Only the continuation_token from the final completed state of the sign-up flow can be used to successfully issue an access token.
HA 0 Reputation points

2026-05-05T18:01:37.0233333+00:00

Hi @Sridevi Machavarapu ,

Do you know how to determine whether the sign-up flow have reached the 'final completed state' so the continuation token can be used to issue an access token?
Sridevi Machavarapu 29,290 Reputation points Microsoft External Staff Moderator

2026-05-05T18:42:41.29+00:00

Hello HA,

You can determine this from the response of the /signup/v1.0/continue call. A 200 OK alone does not mean the flow is complete.

If the response still includes additional steps (such as required actions, challenges, or missing attributes), then the flow is still in progress.

The flow is considered complete only when the response indicates that all requirements are satisfied and no further steps are returned.

Only the continuation_token from that final state can be used successfully with /oauth2/v2.0/token.
HA 0 Reputation points

2026-05-05T19:13:39.4966667+00:00

Hi @Sridevi Machavarapu ,The /signup/v1.0/continue call only returned the continuation token.

Don't see any other challenges. Also checked Entra External ID and the user is created with the expected attributes. Don't see any other actions that needed to be performed in the sign-up flow article. Was able to sign in with the newly created user using the sign-in flow.

The only action that is left is to issue the access token. However, keep getting the same error below.

Don't think there's any other steps I could take or action after the /signup/v1.0/continue call as per the diagram below.
Sridevi Machavarapu 29,290 Reputation points Microsoft External Staff Moderator

2026-05-06T00:37:17.97+00:00

Hello HA,

Thanks for sharing the detailed screenshots.

From your flow, the key point is how the password step is handled before calling the token endpoint.

After OTP verification, the sign-up flow can still require a credential step (password) to complete the transaction. This is reflected in the optional steps in the flow (credential_required → password challenge → submit password). Until this step is completed through /signup/v1.0/continue, the flow is not in a final state for token issuance.

In your case:

/signup/v1.0/continue with grant_type=oob completes OTP

The response returns a continuation_token, but this can still represent a state where credentials are expected next

The password is then sent directly to /oauth2/v2.0/token, which skips the expected step in the sign-up flow

Because of this, the continuation_token is not in the correct state for the token endpoint and is rejected with AADSTS55200.

For sign-up based token issuance, the password must be completed within the sign-up flow using /signup/v1.0/continue. The token endpoint works only after all required steps are completed within the flow in Microsoft Entra External ID** native authentication**.

Answer 1

The error indicates that the continuation_token used in the final call of the sign-up flow is invalid. In the native authentication sign-up flow, continuation tokens are tightly scoped to a specific step and must be:

Taken from the immediately preceding successful response.
Used with the correct endpoint and grant_type expected for that step.
Unexpired and unmodified.

From the documented behavior for sign-up:

/signup/v1.0/start and /signup/v1.0/challenge return a continuation_token that is then used with /signup/v1.0/continue.

When submitting a one-time passcode (OTP) sent to email, the request to /signup/v1.0/continue must use:

  POST https://{tenant_subdomain}.ciamlogin.com/{tenant_subdomain}.onmicrosoft.com/signup/v1.0/continue
  Content-Type: application/x-www-form-urlencoded
  continuation_token=...
  &client_id=...
  &grant_type=oob
  &oob={otp_code}

When additional user attributes are required, the same /signup/v1.0/continue endpoint is used with the continuation token and the required attributes.

The context also defines error semantics:

invalid_request can be returned when continuation token validation fails or when required parameters (such as client_id) are missing or invalid.
invalid_grant is used when the continuation token is invalid in some flows, but for sign-up the docs explicitly state invalid_request can be used when continuation token validation fails.
expired_token is returned when the continuation token is expired.

Given the sample error:

"error": "invalid_request",
"error_description": "AADSTS55200: The continuation_token is invalid.

this matches the documented case where continuation token validation fails.

To resolve this in the sign-up flow:

Ensure the correct endpoint and grant_type are used for the step:
- For OTP verification during sign-up: /signup/v1.0/continue with grant_type=oob and oob={otp_code}.
- Do not use grant_type=password with the sign-up continuation token unless the documentation for that specific step explicitly requires it (the provided context only shows grant_type=oob for OTP in sign-up and reset-password flows).
Ensure the continuation_token is the latest one:
- Use the continuation_token returned in the last successful response (for example, from /signup/v1.0/challenge or from an attributes_required response) without modification.
If the flow returns attributes_required or verification_required:
- Read required_attributes or unverified_attributes from the error response.
- Call /signup/v1.0/continue again with the same continuation token plus the required attributes or verification data.
If the token might be expired:
- The service would typically return expired_token, but if any doubt exists, restart the sign-up flow from /signup/v1.0/start to obtain a fresh continuation token and repeat the documented sequence.

In short, the continuation token from the sign-up flow cannot be used arbitrarily with grant_type=password. It must be used exactly as specified for the sign-up step (for example, with grant_type=oob when submitting the OTP) against /signup/v1.0/continue, and always taken from the immediately preceding successful response.

References:

Context # Native authentication API reference

Share via

Entra External ID - Native Authentication - Sign Up Flow - AADSTS55200: The continuation_token is invalid

1 answer

Your answer