This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(73.60000000000001, 47%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
When I use a custom redirect URI such as schema://app, the application signs in without showing the DUO MFA prompt, and the user is logged in directly to the resource. In this flow, no Conditional Access policy is applied.
However, when I use the redirect URI as http://localhost, the DUO MFA prompt is displayed, and the Conditional Access policy is evaluated and enforced correctly.
How does Microsoft Entra ID evaluate Conditional Access policies based on the redirect URI, and why does the behavior differ between a custom URI scheme and http://localhost?
A cloud-based identity and access management service for securing user authentication and resource access
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 99%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
Hello SB,
http://localhost turns the application into a confidential client in Microsoft Entra ID. This implies that client_secret (or certificate) must be included in the /token request.
This is what the 401 Unauthorized error means: During token redemption, client authentication was unsuccessful.
The problem is not with Conditional Access. Include the client_secret and let me know if it works!
That signals to Entra that its a public client:
and Policies arent evaluated against public clients, they are against the resource you trying to access with that client
Thanks @Andy David - MVP for the clarification, found this https://learn.microsoft.com/en-us/troubleshoot/entra/entra-id/app-integration/confidential-client-application-authentication-error-aadsts7000218#how-microsoft-entra-id-determines-the-client-type helpful. So Entra ID determines the client type by redirect-URI.
I tried to use http://localhost as redirect-URI and it shows the DUO prompt now (Conditional Access policy applied successfully) but after getting the auth code when it tries to redeem the code to get the access_token it throws below error
"errors": [
{
"cause": null,
"code": "IDP_ERROR",
"detail": "401 Unauthorized from POST https://login.microsoftonline.com/abcd/oauth2/v2.0/token",
"domain": “XYZ”,
"message": "Error calling identity provider",
"parameters": {},
"severity": null,
"timestampInUtc": “—“
}
],
"resource": "/auth/v1/token",
"status": 401,
"traceId": “xyzabcd”
}
Is Entra ID expecting any additional parameters in the token request when using http://localhost as the redirect URI? What exactly does this 401 error indicate in this scenario?
Thanks