AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application ...

Ju 1 Reputation point

I have an application configured in Azure AD which we've been accessing via SSO for several years. As we received an email to update the certificate which will expire, I created a new certificate in Azure AD and uploaded that certificate to the application's provider. No URLs were changed in either place, but I do get the error mentioned in the subject when I perform a test login with the goal of then activating the provider: that the URL doesn't match.

When I roll back to the old certificate, the test login shows the same error AADSTS50011, but it turned out there is a way to enable the provider without performing a test login, so the SSO login works normally now.

Any suggestions on what I can try, or what I have missed?


1 answer

  1. soumi-MSFT 11,741 Reputation points Microsoft Employee

    Hello @Ju, thank you for reaching out. This error usually comes up when the request that is being sent by the application contains a redirect URI that doesn't match the one configured in the app registration.

    The best way to troubleshoot this issue all by yourself would be to follow the steps mentioned below and figure out the redirect URI that the app is sending to AAD in the request and what is configured in your app registration.

    1. Install Fiddler and make sure the HTTPS decryption option is enabled in Fiddler before taking a trace.
      - Fiddler download link: https://www.telerik.com/download/fiddler
      - Enable HTTPS decryption: https://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/DecryptHTTPS
    2. Once Fiddler is installed and configured, start the Fiddler trace and try to perform the login test. If this is a web app, try accessing the web app in in-private browsing mode.
    3. Once you have performed the login test and it fails with that error, stop the Fiddler trace and check for the request in Fiddler (Hint: look for the request to the authorize endpoint. Refer to the screenshot below.)
    4. So from Fiddler you would know the request URI that is being sent by your app to AAD.
    5. Next, open up PowerShell as an administrator and run the following cmd: Get-AzureADApplication -SearchString "{App-Name}" | Select-Object DisplayName, AppId, ReplyUrls | fl
    6. This cmdlet would give you a list of replyURLs/RedirectURIs configured in your app registration.
    7. Last thing, you just need to compare the redirect URI you found from Fiddler and the Reply URLs you found from the PowerShell cmdlet and check if there is a mismatch. If there is a mismatch, fix the request and make your app send one of the reply URLs found in the app registration, or, if the reply URL sent in the request is correct from the app side, update the same in the app registration.

    This way, we will make sure the reply URL sent in the request and the reply URL configured in the app registration in AAD are the same, and this error won't come up.

    Hope this helps.

    Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as an Answer if the above response helped in answering your query.
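The comparison in steps 4 to 7 above, as an added Python example that is not part of the original answer: it pulls `redirect_uri` out of an authorize request captured in the trace and checks it against the reply URLs listed by the cmdlet, flagging near-misses (trailing slash, case) separately because Entra ID requires an exact match. The authorize request, tenant/client IDs and reply URLs are constructed placeholders.

```python
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed sample: an authorize request as seen in a Fiddler trace
# (placeholder tenant and client IDs, not from the original post).
AUTHORIZE_REQUEST = (
    "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000"
    "/oauth2/v2.0/authorize?client_id=11111111-1111-1111-1111-111111111111"
    "&response_type=code&scope=openid"
    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fsignin-oidc%2F"
)

# Constructed sample: what the ReplyUrls column of the cmdlet output would list.
CONFIGURED_REPLY_URLS = [
    "https://app.example.com/signin-oidc",
    "https://localhost:44300/signin-oidc",
]


def extract_redirect_uri(authorize_url: str) -> Optional[str]:
    """Return the (percent-decoded) redirect_uri parameter, or None if absent."""
    params = parse_qs(urlparse(authorize_url).query)
    values = params.get("redirect_uri")
    return values[0] if values else None


def normalise(url: str) -> Tuple[str, str, str, str]:
    """Loose form used only to explain *why* an exact comparison failed."""
    p = urlparse(url)
    return (p.scheme.lower(), p.netloc.lower(), p.path.rstrip("/") or "/", p.query)


def compare_reply_url(authorize_url: str, configured: List[str]):
    """Classify the sent redirect_uri against the configured reply URLs.

    Returns (status, sent_uri, closest_configured) where status is one of
    "match" (exact), "near-miss" (differs only by case/trailing slash),
    "mismatch" (nothing similar configured) or "missing" (no redirect_uri).
    """
    sent = extract_redirect_uri(authorize_url)
    if sent is None:
        return ("missing", None, None)
    if sent in configured:          # Entra ID compares exactly, so test that first
        return ("match", sent, sent)
    for candidate in configured:
        if normalise(candidate) == normalise(sent):
            return ("near-miss", sent, candidate)
    return ("mismatch", sent, None)
```

A "near-miss" result is the typical outcome behind "but the URLs look identical": fix either the request or the registration so the two strings are byte-for-byte equal.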