Seeing an AADSTS700016 error when signing-in to my Azure app after converting it to multi-tenant

Gustavo Knudsen 0 Reputation points
2024-05-08T15:42:36.6833333+00:00

We have a need in my company tenant to convert some already existing apps to multi-tenant in Azure/Entra ID. Most of these enterprise apps have SSO set up and working.

As you know, in order to convert these apps, we need to change their Application ID URI in the app registration to something that includes a verified domain of the tenant, otherwise when we try to change the app to multitenant, we would receive an error saying 'Unable to update the Supported account type. The property Application ID URI (found under "Expose an API") must be on a tenant verified domain.'

With the above in mind, we have an app whose App ID URI we'll call "exampleApp". In order to set exampleApp as multitenant, we change its App ID URI to "https://myazuretenant.onmicrosoft.com/exampleApp".

This change works fine, and then we are able to change it to multi-tenant. However, once this change is done on the app registration, the enterprise app seems to be unable to find the app registration due to the App ID URI change, and we start receiving an AADSTS700016 error as below when we try to authenticate to the app:

AADSTS700016: Application with identifier 'exampleApp' was not found in the directory 'myazuretenant'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.

If I revert the App ID URI to 'exampleApp' in the app registration, the enterprise app is able to see it again, and sign-in works without issue.

Do I need to update something regarding the App ID URI on the Azure/Entra ID enterprise app in order for this to work, or is it a change that must be done in the app's code? Any help is appreciated.

Microsoft Entra ID

1 answer

Navya 4,395 Reputation points Microsoft Vendor
    2024-05-10T12:36:16.8433333+00:00

    Hi @Gustavo Knudsen

    Thank you for posting this in Microsoft Q&A.

    I understand you are encountering an error (AADSTS700016) when trying to sign in to an Azure app after converting it to multi-tenant.

    The App ID URI for single tenant apps can be globally unique within that tenant. In contrast, for multitenant apps it must be globally unique across all tenants, which ensures that Microsoft Entra ID can find the app across all tenants. For example, if the name of your tenant was contoso.onmicrosoft.com then a valid App ID URI would be https://contoso.onmicrosoft.com/myapp.

    Based on the information you provided, it seems that you are correct in changing the App ID URI. Can you please check if you are passing valid parameters? Make sure you are using the Application ID as the client ID. Could you please share an HTTP request with me? It would be helpful to understand the issue better.

    Meanwhile, can you check the steps below to convert a single-tenant app to multitenant on Microsoft Entra ID?

    1. Update your application registration to be multitenant
    2. Update your code to send requests to the /common endpoint
    3. Update your code to handle multiple issuer values
    4. Understand user and admin consent and make appropriate code changes

    For your reference: https://learn.microsoft.com/en-us/entra/identity-platform/howto-convert-app-to-be-multi-tenant#update-your-code-to-handle-multiple-issuer-values

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it.
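Steps 2 and 3 of the answer above (send requests to the /common endpoint, handle multiple issuer values) are where the security work of going multi-tenant sits: once tokens can come from any tenant, the app can no longer compare the issuer to a single fixed string, but it must still refuse tokens whose issuer tenant does not match the `tid` claim, and it should only admit tenants that have actually onboarded. The following is an added example, not code from the question, the answer or Microsoft; the client ID, the App ID URI, the tenant IDs and the token claims are all constructed. It assumes the token's signature has already been verified by your JWT library, and it covers v2.0 issuers only (v1.0 tokens use the `https://sts.windows.net/{tid}/` form, which is not handled here). The audience check accepts either the application (client) ID or the new verified-domain App ID URI, matching the answer's advice to use the Application ID as the client ID.

```python
import re
from dataclasses import dataclass
from typing import Optional, Set

# Constructed stand-ins (not values from the question): the app's client ID,
# its new verified-domain App ID URI, and the tenants allowed to sign in.
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
APP_ID_URI = "https://myazuretenant.onmicrosoft.com/exampleApp"
HOME_TENANT = "aaaaaaaa-0000-0000-0000-000000000001"
PARTNER_TENANT = "bbbbbbbb-0000-0000-0000-000000000002"
ALLOWED_TENANTS = {HOME_TENANT, PARTNER_TENANT}

# v2.0 issuer for tokens obtained via the /common authority:
# https://login.microsoftonline.com/{tid}/v2.0 where {tid} is the tenant GUID.
ISSUER_RE = re.compile(
    r"^https://login\.microsoftonline\.com/([0-9a-fA-F-]{36})/v2\.0$"
)


@dataclass
class Verdict:
    ok: bool
    reason: str


def validate_multitenant_claims(
    claims: dict, allowed_tenants: Optional[Set[str]] = None
) -> Verdict:
    """Validate the claims of a signature-verified token for a multitenant app.

    Checks, in order: the audience names this app; the issuer has the Entra
    v2.0 shape; the tenant in the issuer equals the tid claim; and, when an
    allow-list is given, that tenant has been onboarded.
    """
    aud = claims.get("aud")
    if aud not in (CLIENT_ID, APP_ID_URI):
        return Verdict(False, f"unexpected audience {aud!r}")

    iss = claims.get("iss", "")
    match = ISSUER_RE.match(iss)
    if not match:
        return Verdict(False, f"issuer {iss!r} is not a Microsoft Entra v2.0 issuer")

    tid = claims.get("tid")
    if match.group(1).lower() != str(tid).lower():
        return Verdict(False, "issuer tenant does not match the tid claim")

    if allowed_tenants is not None and tid not in allowed_tenants:
        return Verdict(False, f"tenant {tid} has not been onboarded")

    return Verdict(True, f"token issued by tenant {tid} for this app")


def _claims(tid: str, iss_tid: str, aud: str) -> dict:
    """Build a constructed claim set (only the fields the check needs)."""
    return {
        "aud": aud,
        "iss": f"https://login.microsoftonline.com/{iss_tid}/v2.0",
        "tid": tid,
        "sub": "constructed-subject",
    }


# Constructed sample tokens: two valid ones and three that must be rejected.
GOOD_HOME = _claims(HOME_TENANT, HOME_TENANT, CLIENT_ID)
GOOD_PARTNER = _claims(PARTNER_TENANT, PARTNER_TENANT, APP_ID_URI)
WRONG_AUD = _claims(HOME_TENANT, HOME_TENANT, "exampleApp")  # old identifier
ISSUER_MISMATCH = _claims(HOME_TENANT, PARTNER_TENANT, CLIENT_ID)
UNKNOWN_TENANT = _claims(
    "cccccccc-0000-0000-0000-000000000003",
    "cccccccc-0000-0000-0000-000000000003",
    CLIENT_ID,
)


def demo() -> dict:
    """Run every constructed token through the check and return the verdicts."""
    samples = {
        "home tenant": GOOD_HOME,
        "partner tenant": GOOD_PARTNER,
        "old identifier as audience": WRONG_AUD,
        "issuer/tid mismatch": ISSUER_MISMATCH,
        "tenant not onboarded": UNKNOWN_TENANT,
    }
    return {name: validate_multitenant_claims(c, ALLOWED_TENANTS) for name, c in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28} {'accept' if verdict.ok else 'reject'}: {verdict.reason}")
```

Passing `allowed_tenants=None` turns the check into the "any Entra tenant may sign in" mode that the /common endpoint implies; whether that is acceptable depends on whether the app is meant to be open to every organisation or only to tenants whose admins have consented.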