First pass

ryanberg-aquent · ryanberg-aquent · commit 5d258d5dbc05 · 2026-01-28T09:28:45.000-10:00
diff --git a/support/entra/entra-id/app-integration/error-code-aadsts76021-request-not-signed.md b/support/entra/entra-id/app-integration/error-code-aadsts76021-request-not-signed.md
@@ -1,59 +1,62 @@
 ---
-# Required metadata
-# For more information, see https://learn.microsoft.com/en-us/help/platform/learn-editor-add-metadata
-# For valid values of ms.service, ms.prod, and ms.topic, see https://learn.microsoft.com/en-us/help/platform/metadata-taxonomies
-
-title: 'Error AADSTS76021 (ApplicationRequiresSignedRequests) with SAML authentication: The request sent by client is not signed'
+title: "Error AADSTS76021 (ApplicationRequiresSignedRequests) with SAML authentication: The request sent by client is not signed"
 description: Describes a problem in which a user receives the error AADSTS76021 when trying to sign-in
-author:      custorod # GitHub alias
-ms.author: custorod
+ms.author: jarrettr
+author: JarrettRenshaw
+ms.topic: troubleshooting
 ms.service: entra-id
 ms.topic: troubleshooting-problem-resolution
 ms.date:     01/14/2026
-ms.subservice: authentication
+ms.custom: sap:Issues Signing In to Applications
 ---
 # Error AADSTS76021 (ApplicationRequiresSignedRequests) with SAML authentication: The request sent by client is not signed
 
-## Overview
-The error **AADSTS76021** occurs during federated authentication with Microsoft Entra ID when using SAML-based Single Sign-On (SSO). This error indicates that the request sent by the client is not signed while the application requires signed requests. Even if the request is signed, the signature might not be placed according to the SAML binding configuration.
+## Summary
+
+The error **AADSTS76021** occurs during federated authentication with Microsoft Entra ID when using SAML-based Single Sign-On (SSO). This error indicates that the request sent by the client isn't signed while the application requires signed requests. Even if the request is signed, the signature might not be placed according to the SAML binding configuration.
 
 According to [SAML specifications](https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf), two primary and most commonly used binding types exist:
 
-- **HTTP-Redirect** [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect]: For HTTP GET requests, the signature is included as a query parameter in the URL.
+- **HTTP-Redirect** [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect]: For HTTP get method (GET) requests, the signature is included as a query parameter in the URL.
 - **HTTP-POST** [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST]: For HTTP POST requests, the signature is embedded within the XML payload of the SAML message.
 
-If the application expects the signature in one location but the request uses another binding type, Microsoft Entra ID will reject the request, resulting in **AADSTS76021**.
+If the application expects the signature in one location but the request uses another binding type, Microsoft Entra ID rejects the request, resulting in the **AADSTS76021** error.
 
----
+## Resolution
 
-## Resolution Steps
-1. **Verify SAML Binding Type**
-   - Check whether the application expects HTTP-Redirect or HTTP-POST.
+1. **Verify SAML binding type**
 
-2. **Ensure Configuration Matches**
-   - Confirm that the Identity Provider (IdP) and Service Provider (SP) configurations align.
+Check whether the application expects HTTP-Redirect or HTTP-POST.
 
-3. **Validate Signature Placement**
-   - For HTTP-Redirect: Signature must be in the query string.
-   - For HTTP-POST: Signature must be inside the XML `<Signature>` element.
+2. **Ensure configuration matches**
 
-4. **Update Application or IdP Configuration**
-   - Align binding type and signature placement.
-   - In Microsoft Entra ID, confirm SAML settings under **Enterprise Applications > Single Sign-On**.
+Confirm that the Identity Provider (IdP) and Service Provider (SP) configurations align.
 
----
+3. **Validate signature placement**
+   
+- For HTTP-Redirect: Signature must be in the query string.
+- For HTTP-POST: Signature must be inside the XML `<Signature>` element.
+
+4. **Update application or IdP configuration**
+   
+- Align binding type and signature placement.
+- In Microsoft Entra ID, confirm SAML settings under **Enterprise Applications > Single Sign-On**.
 
 ## Examples
 
-### Example 1: HTTP-Redirect Binding (GET)
-Signed request includes query parameters:
+### Example 1: HTTP-Redirect binding (GET)
+
+The signed request includes query parameters like the following example:
+
 ```
 https://contoso.com?
 SAMLRequest=<Base64EncodedRequest>&RelayState=<StateValue>&SigAlg=http://www.w3.org/2000/09/xmldsig#rsa-sha256&Signature=<Base64Signature>
 ```
 
-### Example 2: HTTP-POST Binding (POST)
-Signed request includes signature inside XML:
+### Example 2: HTTP-POST binding (POST)
+
+The signed request includes a signature inside XML like the following example:
+
 ```xml
 <samlp:AuthnRequest>
     <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
@@ -70,39 +73,37 @@ Signed request includes signature inside XML:
 </samlp:AuthnRequest>
 ```
 
----
+### SAML 2.0 bindings
 
-## More Information 
-
-### SAML 2.0 Bindings
 SAML 2.0 defines several protocol bindings that map SAML request and response message exchanges onto standard communication protocols. These bindings specify rules for message encoding, signature placement, and transport security.
 
-### 1. HTTP-Redirect Binding
+#### HTTP-Redirect binding 
+
 - **Description**: Uses HTTP GET requests where SAML messages are transmitted as query parameters.
-- **Use Case**: Common for initiating authentication requests.
+- **Use case**: Common for initiating authentication requests.
+
+#### HTTP-POST binding
 
-### 2. HTTP-POST Binding
 - **Description**: Uses HTTP POST requests where SAML messages are embedded in the body as XML.
-- **Use Case**: Common for sending signed assertions securely.
+- **Use case**: Common for sending signed assertions securely.
+
+#### HTTP-Artifact binding
+
+- **Description**: Exchanges small artifacts through HTTP which are later resolved into full SAML messages.
+- **Use case**: Reduces message size in front-channel communication.
 
-### 3. HTTP-Artifact Binding
-- **Description**: Exchanges small artifacts via HTTP, which are later resolved into full SAML messages.
-- **Use Case**: Reduces message size in front-channel communication.
+#### Simple Object Access Protocol (SOAP) binding
 
-### 4. SOAP Binding
 - **Description**: Uses SOAP over HTTP for back-channel communication.
-- **Use Case**: Common for artifact resolution and management operations.
+- **Use Ccase**: Common for artifact resolution and management operations.
+
+#### Reverse SOAP (PAOS) binding
 
-### 5. PAOS Binding
 - **Description**: Reverse HTTP binding used for Enhanced Client or Proxy (ECP) profiles.
-- **Use Case**: Enables advanced client interactions. 
+- **Use case**: Enables advanced client interactions. 
 
 [SAML Bindings Specification](https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf)
 
---- 
+## Resources
   
-For a full list of Active Directory Authentication and authorization error codes, see [Microsoft Entra authentication and authorization error codes](/azure/active-directory/develop/reference-aadsts-error-codes).
-
-[!INCLUDE [Azure Help Support](../../../includes/azure-help-support.md)]
-
----
+For a full list of Active Directory Authentication and authorization error codes, see [Microsoft Entra authentication and authorization error codes](/azure/active-directory/develop/reference-aadsts-error-codes).
diff --git a/support/entra/toc.yml b/support/entra/toc.yml
@@ -106,9 +106,8 @@ items:
           href: entra-id/app-integration/send-notification-details.md
     - name: Troubleshoot sign-in to apps
       items:
-                             - name: Error AADSTS76021 - Request sent by client is not signed
-                               href: ./entra-id/app-integration/error-code-aadsts76021-request-not-signed.md
-                               displayName: AADSTS76021 ApplicationRequiresSignedRequests
+        - name: Error AADSTS76021 - Request sent by client is not signed
+          href: entra-id/app-integration/error-code-aadsts76021-request-not-signed.md
         - name: AADSTS7500514 - A supported type of SAML response was not found
           href: entra-id/app-integration/error-code-aadsts7500514-supported-type-saml-response-not-found.md
         - name: Error code AADSTS50173 - The provided grant has expired due to it being revoked
