#SharePointProblems | Koskila.net

Solutions are worthless unless shared! Antti K. Koskela's Personal Professional Blog

How to fix "AADSTS50011: The reply address does not match the reply addresses configured" -error

koskila

So, you have an error with the code AADSTS50011? That's ok - it's just Azure AD's authentication acting up because of invalid reply URLs! Most of the time, it's a simple configuration issue.

Since there might be a couple of different reasons for this error, this post describes a couple of different solutions that might help you overcome it. Read on to find out if one of them can help you!

Problem

So, you're getting an error somewhat like this:

AADSTS50011: The reply address ... does not match the reply addresses configured for the application.


But why? Did you mess something up? Well, if you're the person who configured the app you're trying to use, you probably did! (Although Microsoft might still be the one to blame for that).

Let's take a closer look at the reason for the issue under the hood, and after that, find out possible solutions!

Reason for getting AADSTS50011

The most typical error I have seen would be "AADSTS50011: The reply address does not match the reply addresses configured for the application."

Another variation of this error is "AADSTS50011: the reply URL specified in the request does not match the reply URLs configured for the application [guid]"

Yeah, there are a few different wordings for this error!

This error can typically be caused by 2 different configuration issues. You're either
(1) accessing the page from a different address than what you've configured for your app, or
(2) you have made a mistake in the configuration itself.

In both of these cases, it's typically fairly easy to fix the issue. You'll probably want to just tweak the configuration - and let's see how to do just that!

Solution(s) to different "The reply address does not match the reply addresses configured" -errors

Microsoft is constantly moving stuff around in their Azure Active Directory administration site, but this article now shows the latest version of the application registration portal, the one that's available under https://aad.portal.azure.com

Alternatively, just navigate to Azure Portal -> Azure AD -> App Registrations. See below for an example:

App Registrations under Azure Active Directory.


Anyway, about the fixes - here are a few solutions that you could try:

The simple solution: Make sure that your URL is actually included in the configuration

This might be obvious, I admit, but worth mentioning. So, this is what to do:

  1. Browse to https://aad.portal.azure.com
  2. Log in using your Office 365 / Cloud App Administrator account
  3. Navigate to "App registrations"
  4. Find your app under "Owned applications" or "All applications"
  5. Select "Manage" -> "Authentication"
  6. Check the "Redirect URIs" section and verify that the URL you're accessing the app from is listed there!

"Redirect URIs" -section in Azure Active Directory's app registration view.

What if you now have this error code, but with the error description "Reply address did not match because of case sensitivity."?

I have been encountering this lately - it seems that Microsoft has implemented a more detailed error message. And I'm not one to complain about that, as this should be even easier to fix!

Check this article out for the detailed steps: How to fix AADSTS50011: Reply address did not match because of case sensitivity.

What if you get another version of this error - now with code AADSTS500113?

This variant - AADSTS500113 - of the error complains something along the lines of "No reply address is registered for the application". I've posted about this error as well (see below) - but after making sure that the reply URL really IS there, you'll need to apply the API management hack described below.

For your reference:
How to fix the “AADSTS500113: No reply address is registered for the application” error?

What if you already added the URL, but it's still not working?

There are a couple of things to check. First of all: is the app id (client id) the same? You'll need to verify that you're actually working on the same app that's used by whatever page throws the error.
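
An added example (not from the original post): a small Python check that pulls client_id and redirect_uri out of the sign-in request URL and compares them with what the app registration holds, covering both the wrong-app case and the casing case. The tenant, client id and URLs are constructed, and character-for-character matching of the reply URL is an assumption.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample data: tenant, client id and URLs are made up for illustration.
EXPECTED_CLIENT_ID = "11111111-2222-3333-4444-555555555555"
REGISTERED_URIS = [
    "https://app.contoso.example/signin-oidc",
    "https://localhost:44300/signin-oidc",
]
SAMPLE_REQUEST = (
    "https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.contoso.example%2FSignin-OIDC&scope=openid"
)

def diagnose(authorize_url, expected_client_id, registered_uris):
    """Explain why a sign-in request would (or would not) trip AADSTS50011."""
    query = parse_qs(urlsplit(authorize_url).query)  # also percent-decodes values
    client_id = query.get("client_id", [""])[0]
    requested = query.get("redirect_uri", [""])[0]
    # Wrong app registration: the redirect URI list being edited is not the one in use.
    if client_id.lower() != expected_client_id.lower():
        return [f"request uses client_id {client_id}, not {expected_client_id}"]
    # Assumption: the reply URL must equal a registered one character for character.
    if requested in registered_uris:
        return ["redirect URI is registered"]
    findings, req = [], urlsplit(requested)
    for uri in registered_uris:
        reg = urlsplit(uri)
        if requested.lower() == uri.lower():
            findings.append(f"case differs from {uri}")
        elif requested.rstrip("/") == uri.rstrip("/"):
            findings.append(f"trailing slash differs from {uri}")
        elif (req.netloc, req.path) == (reg.netloc, reg.path) and req.scheme != reg.scheme:
            findings.append(f"scheme differs from {uri}")
        elif (req.scheme, req.path) == (reg.scheme, reg.path) and req.netloc != reg.netloc:
            findings.append(f"host differs from {uri}")
    return findings or [f"{requested} is not registered"]

if __name__ == "__main__":
    for line in diagnose(SAMPLE_REQUEST, EXPECTED_CLIENT_ID, REGISTERED_URIS):
        print(line)
```

Feed it the URL your app sends to the authorize endpoint and the "Redirect URIs" list copied from the app registration.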

If the client id is correct, and you're sure your URL is correct (even with the casing!), you might have encountered an annoying issue in how Office 365 manages app principal propagation. There's no transparency to this issue and you won't get a proper error.

However, to fix it, you only need to access a specific UI once. This is pretty quick - see the steps below:

Time needed: 10 minutes.

How to trigger the reply URL registration in SharePoint Online to fix AADSTS50011, whenever it's broken for whatever reason:

  1. Go to Tenant Administration

    You can get there from the waffle menu, or by navigating to https://yourtenant-admin.sharepoint.com

  2. Access the API management section

    It's only available in the "new" Admin Portal experience: In the upper-right corner, click the Try the preview button, which will take you to the new SharePoint admin center (if it isn't enabled for you already!)

    Then, from the sidebar, click the API management link

    (Alternatively, just access it with a link like this: https://yourtenant-admin.sharepoint.com/_layouts/15/online/AdminHome.aspx#/webApiPermissionManagement)

  3. Opening this page should trigger the provisioning of the necessary configuration.

    Yep. That's it. No further clicks are required!


To be updated, when new gotchas are found! :)

Comments

Interactive comments not implemented yet. Showing legacy comments migrated from WordPress.
Ben
2019-03-29 18:59:23
I got this error from the cli. Not sure why its comparing the host url endpoint with the url endpoint + all callback params. I've even edit the oauth2AllowUrlPathMatching to true in the App registrations - Manifest. But it's not working, would you know something about this. Thankyou for your help. {"error":"invalid_client","error_description":"AADSTS500112: The reply address 'http://localhost:3000/users/auth/msoffice/callback?code=OAQABAAIAAACEfexXxjamQb3OeGQ4GugvTLQBBBCmGoJhaM7y3Ej0I3qP552hDuK8HA8aKwFPC0S8Pk93u-ffK55Uej2820CuIkOpymIef_QiSxHTuK6ZfWZSl8bR4M9tWecVFHeJt8dzdQ5m_r6CBXpJ8Y7PA_-R3_HotZvah-Nc53AMLYoNvN1FgRqlLfNkQPpG9f7S_7llZ1gEv9f3q-gLD6HA_70ERyfkIScgFFH-wWPQ3NzF4YEZlqx2Z1p8gQlbTF9sTVFnfkKJ0qsg3bDz8TfG68-N5dwkVHqHWbCGeZwgsc6tnIE7gP4oCVv74Rq1yLQErwKc4FDJ6pWmgG-BV3v8iibFIAG2a787mbvS9Kwo3Grq354BH-sSVlxW6hAMMa9jFTAMVlCmIKrb5Wrg9Yce2niFsT8NEiCFDxseLUgkWPSfN2gvdQeRk9PsSmuIjpgvdGZSbd7cn3ZcB3t5NAO0v3Yba8z-vN5QPOlgU5S9O0eLVxVVBx4xxMenFFRfXpXwHtBWzF-bm3mtQAISQi3GoTYRp1yVopFczR9mmNrBCRyXhYFWB3P40YpTie6DWPXA2e9hM7B3bOfVRLbDXKR8YHVvV4NiCK-Flln_Z2Hv_dLZdR_COLr5f37Q99pg4wcivLq7Qhn7fssiLJ9JFgFSpWs_IAA&state=b89ff2db9fe8b8141bd2a17cc02f598f930004f320a82a7f&session_state=07c75f51-01d1-46c3-bade-2e9bd32c4115' does not match the reply address 'http://localhost:3000/users/auth/msoffice/callback' provided when requesting Authorization code.\r\nTrace ID: 1f7ee439-abca-4cf1-974c-548c36f20100\r\nCorrelation ID: 7ec7f738-fa6e-4a31-b0b6-cb328fde89d8\r\nTimestamp: 2019-03-29 21:21:07Z","error_codes":[500112],"timestamp":"2019-03-29 21:21:07Z","trace_id":"1f7ee439-abca-4cf1-974c-548c36f20100","correlation_id":"7ec7f738-fa6e-4a31-b0b6-cb328fde89d8"}
2019-03-30 20:19:09
Hi Ben, Wow, what an interesting error you've run into! Very little found with the error code itself. Could it be something fairly new? I do have a pretty distant memory (ehh, so a few months old, but I never documented the steps) of an issue similar to yours - so I've got a couple of quick suggestions you could try:
- I had a similar error being returned for a non-SSL redirect url, so a quick thing to try would be to configure SSL and see if it makes a difference
- Back in the day I'd just slap an asterisk at the end of allowed reply urls for the application - I don't think it's been ever officially supported, but it has worked (at least at the end of the url) at least before. A quick thing to try anyway!
At least something you can do to narrow it down :) Let me know if those steps make any difference or not!
2019-04-24 07:50:11
Hello Ben, I got the same problem, have you solved it?
2019-04-25 09:06:44
Hi Ben, I guess you are also using Rails. My solution:
1. I switched to another omniauth gem: omniauth-microsoft_graph.
2. Had to overwrite redirect_callbacks of the OmniauthCallbacksController: Ignoring 'credentials' in microsoft auth response to avoid CookieOverflow.
Markus
2019-08-01 10:37:29
What if "What if you already added the URL, but it’s still not working?" the client id is wrong? Like where can I change the target client id for aad auth? In my case a new freshly made app with aad auth configured with express settings and new app registration still displays another app's client id in the error message..
2019-08-01 12:53:30
Hi Markus, Unless I completely misunderstand your description of the situation, the client id is not something you change in Azure AD - that's something you'd change in your app, to make the app use the desired app identity for authentication. If I did misunderstand, please do clarify the situation a bit more! Also, cheers for being the first fellow Finn ever (I think, at least) to leave a comment on my blog! :)
Jelo
2019-08-06 05:41:28
What if the session expired and you got this error? but your redirect uri is dynamic? I saw that using a wildcard in the azure ad app is not a good practice, do you have any suggestion?
2019-08-21 14:41:33
Hi Jelo, Ah - I've run into this one once before. I ended up just overwriting the redirect URI logic to not be dynamic. Found that to be the simplest option! What's your tech stack here, and do you think you can do the same? I could post an example about how to do this if need be!
Ciarán12
2019-11-13 12:12:52
So I got the error "AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: '#######-####-###-###-#######'" - I checked the reply urls configured in Azure AD and they are correct, and some of the users are able to authenticate and reach the site without issue while numerous others are having this issue, despite all using the same url. What could be the cause of some users' requests specifying a different reply url than others? All users have been given access via the Azure Portal (Enterprise Applications > myApp Users and Groups).
2019-11-14 09:45:54
Hi Ciarán12, Huh - no differences between casing, between having a trailing slash or not, url encoding (different browsers might encode spaces or non-latin characters differently) and probably a number of other reasons. Let me know if that helps!
Northgork
2019-11-28 03:39:26
Oh look I am just trying to download a KB update and I get this silly error. Yet another bug in the never ending list of bugs MS have become really good at churning out along with faddy uselessware.
2019-11-28 11:28:26
Ha, that's definitely a new one. I've encountered a lot of errors with updates, but not this one yet. Try downloading the update in incognito mode, as I suppose Microsoft have logged you in on one site, and then failing to authenticate against another site - hence the error. Microsoft have definitely become quick at churning stuff out, agree with you there. At the same time, concentrating on more incremental and gradual improvements means they haven't made colossal mistakes since.. Well, I suppose Windows Vista, although it's up to a debate what counts as a mistake, and what's a colossal one and what's not :)
John
2020-01-23 12:53:13
Ah thanks... I was caught at the first hurdle... accessing the WAC portal by using the IP address instead of the name configured in the Redirect URIs. Thank you!
2020-01-23 22:42:13
Thanks for sharing, John - happy it helped! :)
2021-07-13 19:54:03
THANK YOU!!! Been stuck on this issue for a week! Specifically navigating to the https://yourtenant-admin.sharepoint.com/_layouts/15/online/AdminHome.aspx#/webApiPermissionManagement page fixed all my issues! You're the best!
Antti K. Koskela
2021-07-15 12:29:28
Cheers Abe, happy to hear it helped! :)