Undocumented authentication differences between single-tenant and multi-tenant Entra ID applications

Question

Undocumented authentication differences between single-tenant and multi-tenant Entra ID applications

Hervé-Henri Houzard 0

TL;DR
While investigating an authentication failure, we found undocumented behavioral differences between single-tenant and multi-tenant Entra ID applications. Specifically, the Origin HTTP header is rejected by single-tenant apps using “Mobile and desktop” redirect URIs, but accepted by multi-tenant apps in the same flow. The resulting error (AADSTS9002326) does not appear in the official documentation, which made the issue difficult to diagnose.

What we observed

When using MSAL to perform an interactive authentication flow:

Single-tenant applications fail if the request includes an Origin header and the redirect URI type is “Mobile and desktop”

Multi-tenant applications tolerate the same header in otherwise identical requests
The failure returns error code AADSTS9002326, with a message saying "*Cross-origin token redemption is only permitted for the 'Single-Page-Application' client type. Request origin:

VEMULA SRISAI 13,025 Reputation points Microsoft External Staff Moderator

2026-01-27T18:10:49.45+00:00
The error AADSTS9002326 appears because Microsoft Entra ID only permits cross‑origin token redemption for applications registered as Single‑Page Applications (SPA). In your single‑tenant registration, the app is categorized under Mobile & Desktop redirect URIs, which are treated as native clients. Native clients are not allowed to redeem authorization codes when the Origin header is present. Since your authentication flow includes an Origin header, Entra ID rejects the request. In the multi‑tenant configuration, the same redirect URI is processed under the SPA category, allowing the request to complete successfully. This is why the behavior differs even though the auth flow is identical what changes is the platform type Entra ID matches, not the tenant mode.

AADSTS9002326 is triggered during authorization code redemption, not during user sign‑in.

Entra ID allows CORS behavior only for SPA platform types.

Native (Mobile & Desktop) platform types must not send an Origin header.

The difference you observe between single‑tenant and multi‑tenant apps is due to redirect URI classification, not tenant configuration.

Recommended approach

For browser‑based flows (CORS + system browser):

Register the app as a Single‑page application.

Add your HTTPS redirect URIs under SPA.

Remove Mobile & Desktop redirect URIs if not required.

Use MSAL Authorization Code Flow with PKCE.

For true native applications:

Keep the app registered under Mobile & Desktop.

Ensure the /token request is made without the Origin header.

Use the system browser or OS broker instead of embedded webviews that add CORS headers.

Verification steps

In Sign‑in logs, the AADSTS9002326 error should no longer appear.

Network trace should show:

For SPA → Origin allowed.

For native → no Origin header present.

Tokens should contain valid aud, tid, and scp/roles after successful redemption.
Hervé-Henri Houzard 0 Reputation points

2026-01-28T13:43:42.3866667+00:00
Hello, it appears part of my original message was truncated when posted.

Thank you for the detailed explanation, it does align with what we observed in practice.

The purpose of this post, however, is to request clarification and official documentation of the behavior you described.

Specifically, the following points you confirmed:

Entra ID allows CORS behavior only for SPA platform types

Native (Mobile & Desktop) platform types must not send an Origin header

The behavioral difference between single-tenant and multi-tenant apps is due to redirect URI platform classification, not tenant configuration

do not appear to be explicitly backed by official Microsoft documentation.

In contrast, the following point is clearly documented:

For SPA applications, the Microsoft identity platform returns an error if a redirect URI is used without an Origin (at https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow)

Also note that the error AADSTS9002326 does not appear in https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes

Finally, I would appreciate clarification on the following statement: "In the multi-tenant configuration, the same redirect URI is processed under the SPA category, allowing the request to complete successfully"

Does this imply that Entra ID may classify the same redirect URI under different platform types depending on tenant mode, or is this classification strictly determined by the application registration configuration?
VEMULA SRISAI 13,025 Reputation points Microsoft External Staff Moderator

2026-01-28T20:57:36.8166667+00:00

Hervé-Henri Houzard Thanks for the clarification. The behaviors you listed (CORS allowed only for SPA, native apps not sending Origin, and AADSTS9002326) are not currently documented in Microsoft Learn. At present, only the SPA requirement for an Origin header is officially documented. Redirect URI platform classification does not change between single‑tenant and multi‑tenant modes; it is determined strictly by the app registration’s configured platform type. The different result you observed is due to endpoint‑level enforcement differences—the tenant‑specific endpoint applies stricter Mobile/Desktop rules, while the /common multi‑tenant endpoint has more permissive handling for browser‑initiated MSAL flows. This can make the same request succeed in a multi‑tenant context without altering the underlying platform type
VEMULA SRISAI 13,025 Reputation points Microsoft External Staff Moderator

2026-02-03T19:46:22.43+00:00

Hervé-Henri Houzard I’m following up on my previous comment as I haven’t received a response. Please let me know if you need any additional information or assistance from my side.