After adding a new claims to an app I am getting the following error AADSTS50146 running the app.

Question

After adding a new claims to an app I am getting the following error AADSTS50146 running the app.

Pessotto Diego 0

Hi,

I have been requested to add an optional claims (user.onpremisessamaccountname) to an application part of our Entra ID (Azure AD) tenant. Developer reported that the application is failing with error "AADSTS50146 This application is required to be configured with an application-specific signing key".

I found that for a single tenant application (this is our case) I can put "AcceptMappedClaims" to TRUE in the application manifest. With this parameter set I am getting this error "AADSTS501461: AcceptMappedClaims is only supported for a token audience matching the application GUID or an audience within the tenant's verified domains.".

Looking at the URI that the developer entered I have seen that domain he was using was not part of our verified domain. I add it and verified it but the error AADSTS501461 is still persisting.

Any idea where the problem is?

Thank you

1 answer

Your answer

Answer 1

Navya 20,180 Microsoft External Staff Moderator

Hi @Pessotto Diego

Thank you for reaching out on Microsoft Q&A.

I understand that after adding the optional claim (user.onpremisessamaccountname) to your application, the authentication process is failing with the error AADSTS50146.

This error occurs because the application is receiving a token with customized claims, but it has not been configured to accept these modifications. By default, Microsoft Entra ID ensures that tokens remain unchanged and securely signed. If claims are modified, the application must explicitly acknowledge them to prevent security risks.

As outlined in documentation, there are two ways to resolve this issue:

Configure a custom signing key (typically for multi-tenant applications).
Update the application manifest to accept mapped claims (for single-tenant applications).

Since your application is single tenant, setting "acceptMappedClaims": true in the manifest is the correct approach. However, I see that you are encountering same error:

AADSTS501461: AcceptMappedClaims is only supported for a token audience matching the application GUID or an audience within the tenant's verified domains.

Given that you have already added and verified the required domain, please double-check the following:

Ensure the domain is properly verified in the Custom domain names section of your Microsoft Entra ID tenant.
Confirm that the Application ID URI is correctly set to use a verified domain name of your Microsoft Entra tenant (e.g., https://yourdomain/my-api)

Hope this helps. Do let us know if you any further queries.

Pessotto Diego 0 Reputation points

2025-02-21T21:57:04.99+00:00

Hi Navya,

I had a look at the configuration that the developer has done in the app registration.

What I have seen he has defined an authentication URL set to a SPA (Single Page Application) for which I have previously verified the domain. The URL is like that: https://xxx.yyy.zzz.aaaa.services. I have verified the domain aaaa.services which is now part of your tenant.

In your feedback I see that you talk about the Application ID URI which is different.

The value that he set is: api://<appid>.

I also see that he defined a scope set to the value: api://<appid>/api.dts.

Guidance appreciated.
Navya 20,180 Reputation points Microsoft External Staff Moderator

2025-02-24T09:19:59.6433333+00:00

Hi @Pessotto Diego

Thank you for providing more details on the issue.

From your description, it sounds like you are referring to the redirect URI of the application when mentioning the authentication URL. To ensure we're aligned, I am sharing a screenshot for verification. Please confirm if this is what you are referring to.

Regarding the Application ID URI, the requested token audience must use a verified domain name associated with your Microsoft Entra tenant. This means the Application ID URI (identifier Uris in the application manifest) should be updated to follow the format: https://your-verified-domain/my-apiThis ensures proper authentication and token issuance for your application.

For further reference, you can review the official Microsoft documentation: Update the Application Manifest

Hope this helps. Do let us know if you any further queries.
Pessotto Diego 0 Reputation points

2025-02-24T09:29:48.1466667+00:00

Hi,

For clarification I am adding what the developper has configured:

Authentification URL is:

Application ID URI is:

Authentication domain is : dev.xxxx.yyyy.services. I have verified: yyyy.services

Application ID URI: done nothing on that one.

Is the configuration from the developper correct?

Guidance please?
Navya 20,180 Reputation points Microsoft External Staff Moderator

2025-02-24T10:13:25.4133333+00:00

Hi @Pessotto Diego

Thank you for sharing a screenshot of your configurations.

The developer needs to update the Application ID URI.

Click on Edit, add the Application ID URI as https://yyyy.services (your verified domain)/my-api, and then save it.

Try it once, and please let me know if you are still encountering the same issue AADSTS501461
Navya 20,180 Reputation points Microsoft External Staff Moderator

2025-02-25T05:45:39.61+00:00

Hi @Pessotto Diego

Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.
Pessotto Diego 0 Reputation points

2025-02-25T11:15:24.1633333+00:00

Hi,

just to make sure I understand you want the developper to change the Application ID URI like that:

From

api://<app ID>

To

https://yyyy.services/my-api and not https://dev.xxxx.yyyy.services/my-api

Guidance please.
Navya 20,180 Reputation points Microsoft External Staff Moderator

2025-02-26T05:22:51.5066667+00:00

Hi @Pessotto Diego

Thank you for following up on this.

The authentication domain is dev.xxxx.yyyy.services, and I have verified yyyy.services.

Based on the data you provided, I believe you have verified the yyyy.services domain. Please correct me if I'm wrong.

The developer needs to update the Application ID URI with the verified domain. If you're unsure which domain has been verified, go to the domain page, check the verified domain, and update accordingly.
Navya 20,180 Reputation points Microsoft External Staff Moderator

2025-02-27T07:10:21.8933333+00:00

Hi @Pessotto Diego

Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back. If your question has been solved, then you can click "Accept Answer", which may help members with similar questions find the answer easily.
Rukmini 3,841 Reputation points Microsoft External Staff Moderator

2025-02-28T13:09:02.3866667+00:00
Pessotto Diego To resolve the error update manifest as:

{ "acceptMappedClaims": true, "accessTokenAcceptedVersion": 2, }

Share via

After adding a new claims to an app I am getting the following error AADSTS50146 running the app.

1 answer

Your answer