This is currently a product limitation, as you observed, but I've reached out to the product group to see if there is a better workaround than the ones you mentioned or plans to improve this functionality. Like you said, Azure AD does not allow redirects from authorization requests to non-HTTPS URLs; http followed by localhost is the only exception. The https scheme is required for any external domain name.
You can use your current workaround of serving your localhost URLs via https, or you can use a different domain name for your development environment that supports https.
As a security measure, Azure AD requires that redirect URIs use a secure scheme to prevent attacks.
I've reached out to the product team, though, to share your feedback, and will update this thread accordingly if they are able to offer better workarounds or updates on this functionality.
Switching to a different OAuth2 provider may work, but it may not have all of the security options offered by Azure AD.
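As an added illustration (not code from this thread or from Microsoft), here is a small validator that encodes the redirect URI scheme rule described in the answer: https for any external host, plain http tolerated only when the host is exactly `localhost`. It assumes the exception covers the literal hostname `localhost` only, so a loopback IP is not treated as an exception.

```python
from urllib.parse import urlsplit


def redirect_uri_allowed(uri: str) -> bool:
    """Apply the scheme rule from the thread to a single redirect URI.

    - https://<anything>      -> allowed
    - http://localhost[:port] -> allowed (the only http exception)
    - anything else           -> rejected

    The check uses the parsed hostname rather than a string prefix, so
    look-alikes such as 'http://localhost.example.com' or
    'http://localhost@example.com' are rejected, not mistaken for localhost.
    """
    try:
        parts = urlsplit(uri)
        parts.port  # raises ValueError on a malformed port such as ':abc'
    except ValueError:
        return False

    host = parts.hostname  # already lowercased by urlsplit, None if absent
    if not host:
        return False

    scheme = parts.scheme.lower()
    if scheme == "https":
        return True
    if scheme == "http":
        # Assumption: only the literal hostname 'localhost' is exempt.
        return host == "localhost"
    return False


def reject_redirect_uris(uris: list[str]) -> list[str]:
    """Return the subset of `uris` that would be refused under the rule above,
    which is handy for checking an app's configured list before registering it."""
    return [u for u in uris if not redirect_uri_allowed(u)]


if __name__ == "__main__":
    # Constructed sample list of redirect URIs for demonstration.
    sample = [
        "https://app.example.com/auth/callback",
        "http://localhost:3000/callback",
        "http://app.example.com/callback",
        "http://localhost.example.com/callback",
    ]
    print("rejected:", reject_redirect_uris(sample))
```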