Values of IdentifierUris property must use a verified domain of the organization or its subdomain

mwf 20 Reputation points
2023-12-25T03:36:55.17+00:00

Verified Publisher: I have an application in Azure AD, and under Brandings and properties the Publisher is verified (I had to host a file .well-known/microsoft-identity-association.json).



Verified Domains: I have also added the Custom domains, and they too are verified, for both the domain and the subdomain.



Goal: The bigger goal here is to update an existing application in the Microsoft Store, which "magically" appeared in Azure AD under the Applications from personal account.


Problem:

I now want to alter this application, to be able to make use of the Graph API calls. And from what I understand I first need to configure the application for Signing In, and also enable it to be Multi-tenant.

When I then modify the manifest file to use AzureADMultipleOrgs, I am presented with an error indicating that I need unique identifierUris.

Yet when I change the value of

"identifierUris": [],

to

"identifierUris": ["https://product.mydomain.name"], (without the trailing slash)

I get the following Error:

Error detail: Values of IdentifierUris property must use a verified domain of the organization or its subdomain


This error appears to be misleading? What is actually wrong here?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator
    2023-12-27T06:37:04.0733333+00:00

    Hi @mwf ,

    Thanks for reaching out.

    Switching an app registration from single-tenant to multi-tenant can sometimes fail due to Application ID URI name collisions.

    IdentifierUris is the user-defined URI(s) that uniquely identify a web app within its Microsoft Entra tenant or verified customer owned domain.

    For a single-tenant application, the App ID URI need only be unique within that tenant. For a multi-tenant application, it must be globally unique so Microsoft Entra ID can find the app across all tenants.

    For example, if the name of your tenant is contoso.onmicrosoft.com, then https://contoso.onmicrosoft.com/myapp is a valid App ID URI. If your tenant has a verified domain of contoso.com, then a valid App ID URI would also be https://contoso.com/myapp. If the App ID URI doesn't follow the second pattern, https://contoso.com/myapp, converting the app registration to multi-tenant fails.

    The recommendation in this scenario is to register a new application as Accounts in any organizational directory (Any Microsoft Entra directory - Multitenant).

    Hope this will help.

    Thanks,

    Shweta


    Please remember to "Accept Answer" if answer helped you.
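As an added illustration (not code from the question, the answer, or Microsoft), here is a small Python check that applies the rule stated in the answer to each identifierUris entry: the URI must be https and its host must be the tenant's own domain or a verified custom domain, or a subdomain of one, matched on whole DNS labels. The verified-domain set is constructed sample data; Entra's real validation covers more cases than this rule.

```python
from urllib.parse import urlsplit

# Constructed sample: the tenant's default domain plus its verified custom domains.
VERIFIED_DOMAINS = {"contoso.onmicrosoft.com", "contoso.com", "mydomain.name"}


def host_in_verified_domain(host: str, verified: set[str]) -> bool:
    """True if host equals a verified domain or is a subdomain of one.

    Matching is done on whole DNS labels, so 'evilcontoso.com' does not
    match 'contoso.com', while 'product.mydomain.name' matches 'mydomain.name'.
    """
    host = host.lower().rstrip(".")
    domains = {d.lower().rstrip(".") for d in verified}
    return any(host == d or host.endswith("." + d) for d in domains)


def check_app_id_uri(uri: str, verified: set[str]) -> tuple[bool, str]:
    """Apply the verified-domain rule from the answer to one identifierUris entry."""
    parts = urlsplit(uri.strip())
    if parts.scheme != "https":
        return False, "scheme must be https"
    if not parts.hostname:
        return False, "missing host"
    if not host_in_verified_domain(parts.hostname, verified):
        return False, (f"host {parts.hostname!r} is not a verified domain "
                       "of the tenant or a subdomain of one")
    return True, "ok"


def check_manifest_uris(identifier_uris: list[str], verified: set[str]) -> dict[str, str]:
    """Check every entry of a manifest's identifierUris array; returns uri -> reason."""
    return {u: check_app_id_uri(u, verified)[1] for u in identifier_uris}
```

With mydomain.name in the verified set, the question's https://product.mydomain.name passes this check, so the domain rule alone does not explain the error; the check models only that rule, not the other manifest validation Entra performs.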

