
Single-Tenant Azure AD App Returns "Application Not Found" Error During OAuth Token Exchange — Even After Admin Consent and Fresh Registration

Edward Litke 0 Reputation points
2026-03-29T21:04:34.8033333+00:00

I have created a single-tenant Azure AD application (registered for one specific organizational tenant only) and successfully granted admin consent. The application exists in the portal, the service principal exists in Enterprise Applications, and admin consent shows as "Granted." However, when attempting OAuth token exchange, the endpoint returns:

AADSTS700016: Application with identifier [APP_ID] was not found in the directory [TENANT_DOMAIN].

Details:

Scenario:

  • Single-tenant app (not multitenant)
  • Registered in organizational Azure AD tenant
  • Admin consent granted and confirmed in portal
  • Service principal visible in Enterprise Applications
  • Redirect URI properly configured
  • Credentials valid

Attempt 1 (Initial App):

  • App registered as multitenant
  • Changed to single-tenant after publisher verification warning
  • Result: AADSTS700016 error after 10+ minute sync wait

Attempt 2 (Fresh App):

  • Created new app as single-tenant from registration
  • Admin consent granted immediately after setup
  • Result: AADSTS700016 error (same issue, fresh app)

Token endpoint behavior:

Diagnostic Data:

  • Request ID: <PII REMOVED>
  • Correlation ID: <PII REMOVED>
  • Timestamp: 2026-03-29T20:59:53Z

Questions:

  1. Why does the token endpoint report "application not found" when the app exists in both portals?
  2. Is there a service principal sync delay between Enterprise Applications and the token endpoint?
  3. Should single-tenant apps have different configuration for token endpoint access?

This appears to be an Azure AD infrastructure issue rather than misconfiguration, but I want to rule that out.

Microsoft Security | Microsoft Entra | Microsoft Entra External ID

1 answer

  1. Shubham Sharma 13,490 Reputation points Microsoft External Staff Moderator
    2026-03-31T09:11:15.9766667+00:00

    Hello Edward Litke,

    Thank you for reaching out to Microsoft Q&A.

    The single-tenant app and its service principal aren’t being located by the token endpoint, even though you see them in the portal. Here’s what I’d double-check:

    1. Token endpoint URL
      • Make sure you’re hitting https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token where {TENANT} is your Azure AD tenant ID (GUID) or your verified initial domain (e.g. contoso.onmicrosoft.com).
      • If you accidentally put the client/app ID in that segment, AAD won’t find the app in that directory and you’ll get AADSTS700016.
    2. Well-Known OpenID configuration
    3. Service principal provisioning lag
      • For a single-tenant app, provisioning in your own directory is almost instantaneous (typically seconds–a few minutes max). You shouldn’t need to wait longer than 10 minutes. There’s no cross-directory sync for single-tenant apps.
    4. Single-tenant vs. multi-tenant configuration
      • There’s no extra “switch” required in the token URL for single-tenant apps—it’s just your tenant instead of “common” or “organizations.” The rest of the OAuth flow and endpoint parameters (client_id, client_secret, code, redirect_uri, scopes) are exactly the same.

    Let us know if the above steps help.

    Thanks

    Microsoft docs:-

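As an added example, not part of the question or of the moderator's answer: a small offline Python checker for the two things the answer says to verify, namely that the `{TENANT}` segment of the token URL is the tenant ID or initial domain (not the client ID, and not `common`/`organizations` for a single-tenant app), and that the directory named in an AADSTS700016 message is actually the directory the app is registered in. The GUIDs, the `contoso.onmicrosoft.com` domain, the error text and all function names are constructed placeholders for illustration; nothing here calls the real endpoint.

```python
import re
from urllib.parse import urlparse

LOGIN_HOST = "login.microsoftonline.com"
# Multi-tenant endpoints; not valid for an app registered as single-tenant.
RESERVED_TENANTS = {"common", "organizations", "consumers"}

# Constructed placeholder identifiers (not real tenants or apps).
TENANT_ID = "11111111-1111-1111-1111-111111111111"
TENANT_DOMAIN = "contoso.onmicrosoft.com"
CLIENT_ID = "22222222-2222-2222-2222-222222222222"


def build_token_endpoint(tenant: str) -> str:
    """Build the v2.0 token endpoint for a tenant ID (GUID) or initial domain."""
    tenant = tenant.strip().strip("/")
    if not tenant:
        raise ValueError("tenant must be a tenant ID or a verified domain")
    return f"https://{LOGIN_HOST}/{tenant}/oauth2/v2.0/token"


def tenant_segment(token_url: str) -> str:
    """Return the {TENANT} path segment of a Microsoft identity token endpoint."""
    parsed = urlparse(token_url)
    parts = [p for p in parsed.path.split("/") if p]
    # Expected shape: /{tenant}/oauth2/v2.0/token
    if parsed.hostname != LOGIN_HOST or len(parts) < 2 or parts[1] != "oauth2":
        raise ValueError(f"not a recognised token endpoint: {token_url}")
    return parts[0]


def check_token_endpoint(token_url, client_id, tenant_names, single_tenant=True):
    """Explain why this URL would make the directory lookup fail for the app."""
    segment = tenant_segment(token_url).lower()
    known = {n.lower() for n in tenant_names}
    findings = []
    if segment == client_id.lower():
        findings.append("tenant segment holds the client ID, not the tenant; expect AADSTS700016")
    elif segment in RESERVED_TENANTS:
        if single_tenant:
            findings.append(f"'{segment}' endpoint used with a single-tenant app; use the tenant ID or initial domain")
    elif segment not in known:
        findings.append(f"tenant segment '{segment}' is not the directory the app is registered in")
    return findings


# Matches the message shape quoted in the question, with or without quotes around the values.
AADSTS700016 = re.compile(
    r"AADSTS700016: Application with identifier '?(?P<app>[^' ]+)'? was not found "
    r"in the directory '?(?P<directory>[^' ]+)'?\."
)


def parse_aadsts700016(message: str):
    """Pull the app ID and directory name out of an AADSTS700016 error body."""
    m = AADSTS700016.search(message)
    if not m:
        return None
    return {"app_id": m.group("app"), "directory": m.group("directory")}


def diagnose_error(message, client_id, tenant_names):
    """Compare what the error says was looked up against what you intended."""
    parsed = parse_aadsts700016(message)
    if parsed is None:
        return ["not an AADSTS700016 error"]
    known = {n.lower() for n in tenant_names}
    findings = []
    if parsed["app_id"].lower() != client_id.lower():
        findings.append(f"error names app '{parsed['app_id']}', not the configured client ID")
    if parsed["directory"].lower() not in known:
        findings.append(f"lookup ran in directory '{parsed['directory']}', not the registration tenant")
    if not findings:
        findings.append("URL and IDs match; check that the service principal really exists in this tenant")
    return findings


if __name__ == "__main__":
    names = {TENANT_ID, TENANT_DOMAIN}
    good = build_token_endpoint(TENANT_ID)
    bad = build_token_endpoint(CLIENT_ID)  # the mistake the answer warns about
    print(check_token_endpoint(good, CLIENT_ID, names))
    print(check_token_endpoint(bad, CLIENT_ID, names))
    # Constructed error text in the same shape as the one quoted in the question.
    err = (f"AADSTS700016: Application with identifier '{CLIENT_ID}' was not found "
           f"in the directory '{CLIENT_ID}'. This can happen if the application has not been installed.")
    print(diagnose_error(err, CLIENT_ID, names))
```

Run it with the tenant ID or initial domain you see on the app's Overview page and the exact error body from the failing request; if every check comes back clean, the URL is not the problem and the remaining suspect is the service principal itself.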
