
How to fix the “AADSTS50011: The reply address does not match the reply addresses configured” error

This post was most recently updated on August 31st, 2022.


So, you have an error with the code AADSTS50011? That’s ok – it’s just Azure AD’s authentication acting up because of invalid reply URLs! Most of the time, it’s a simple configuration issue.

Since there might be a couple of different reasons for this error, this post also describes a couple of different solutions that might help you overcome the issue. Read on to find out if one of them can help you!

Problem

So, you’re getting an error somewhat like this:

AADSTS50011: The reply address ... does not match the reply addresses configured for the application.

But why? Did you mess something up? Well, if you’re the person who configured the app you’re trying to use, you probably did! (Although Microsoft might still be the one to blame for that).

Let’s take a closer look at the reason for the issue under the hood, and after that, find out possible solutions!

Reason for getting AADSTS50011

The most typical error I have seen would be “AADSTS50011: The reply address does not match the reply addresses configured for the application.”

Another variation of this error is “AADSTS50011: the reply URL specified in the request does not match the reply URLs configured for the application [guid]”

Yeah, there are a few different wordings for this error!

This error can typically be caused by 2 different configuration issues. Either
(1) you’re accessing the page from a different address than the one you’ve configured for your app, or
(2) you have made a mistake in the configuration itself.

In both of these cases, it’s typically fairly easy to fix the issue. You’ll probably want to just tweak the configuration – and let’s see how to do just that!

Solution(s) to different “The reply address does not match the reply addresses configured” -errors

Microsoft is constantly moving stuff around in their Azure Active Directory administration site, but this article now shows the latest version of the application registration portal, the one that’s available under https://aad.portal.azure.com

Alternatively, just navigate to Azure Portal -> Azure AD -> App Registrations. See below for an example:

App Registrations under Azure Active Directory.

Anyway, about the fixes – here are a few solutions that you could try:

The simple solution: Make sure that your URL is actually included in the configuration

This might be obvious, I admit, but worth mentioning. So, this is what to do:

  1. Browse to https://aad.portal.azure.com
  2. Log in using your Office 365 / Cloud App Administrator account
  3. Navigate to “App registrations”
  4. Find your app under “Owned applications” or “All applications”
  5. Select “Manage” -> “Authentication”
  6. Check the “Redirect URIs” section and verify that the URL you’re accessing the app from is listed there!
"Redirect URIs" -section in Azure Active Directory's app registration view.

What if you now have this error code, but with the error description “Reply address did not match because of case sensitivity.”?

I have been encountering this lately – it seems that Microsoft has implemented a more detailed error message as of late. And I’m not one to complain about that, as this should be even easier to fix!

Check this article out for the detailed steps: How to fix AADSTS50011: Reply address did not match because of case sensitivity.

What if you get another version of this error – now with code AADSTS500113?

This variant – AADSTS500113 – of the error complains something along the lines of “No reply address is registered for the application”. I’ve posted about this error as well (see below) – but after making sure that the reply URL really IS there, you’ll need to apply the API management hack described below.

For your reference:
How to fix the “AADSTS500113: No reply address is registered for the application” error?

What if you already added the URL, but it’s still not working?

There are a couple of things to check. First of all: is the app id (client id) the same? You’ll need to verify that you’re actually working on the same app that you’re using on whatever page throws the error.
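The checks described so far (is the URL listed, does the casing match, is it the same client id) can be run against the sign-in request itself. The following Python script is an added example, not code from the original post; it assumes redirect URIs are compared as exact strings, and the client id, the URLs and the `build_request` / `diagnose` helpers are constructed for illustration.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample values (not from the article or any real tenant).
CLIENT_ID = "00000000-0000-0000-0000-000000000001"
REGISTERED = ["https://app.contoso.example/signin-oidc",
              "https://localhost:5001/signin-oidc"]

def build_request(client_id, redirect_uri):
    """Build a constructed authorization request like the one a sign-in sends."""
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri}
    return ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize?"
            + urlencode(params))

def diagnose(auth_request_url, registered_client_id, registered_uris):
    """Return a one-line verdict explaining a reply-URL mismatch."""
    query = parse_qs(urlsplit(auth_request_url).query)
    client_id = query.get("client_id", [""])[0]
    sent_uri = query.get("redirect_uri", [""])[0]
    if not sent_uri:
        return "request carries no redirect_uri parameter"
    # 1. Same app? GUIDs compare case-insensitively.
    if client_id.lower() != registered_client_id.lower():
        return f"wrong app: request uses client_id {client_id}"
    # 2. Exact string match (assumed matching rule, see lead-in).
    if sent_uri in registered_uris:
        return "match: redirect_uri is registered"
    # 3. Same URL apart from letter case.
    for uri in registered_uris:
        if uri.lower() == sent_uri.lower():
            return f"case mismatch: registered as {uri}"
    # 4. Same host but another component differs: name the component.
    sent = urlsplit(sent_uri)
    for uri in registered_uris:
        reg = urlsplit(uri)
        if reg.hostname == sent.hostname:
            diff = [part for part in ("scheme", "port", "path", "query")
                    if getattr(reg, part) != getattr(sent, part)]
            return f"near miss vs {uri}: differs in {', '.join(diff or ['other'])}"
    return f"not registered: add {sent_uri} under Redirect URIs"

if __name__ == "__main__":
    for candidate in ("https://app.contoso.example/Signin-oidc",
                      "http://app.contoso.example/signin-oidc",
                      "https://staging.contoso.example/signin-oidc"):
        print(diagnose(build_request(CLIENT_ID, candidate), CLIENT_ID, REGISTERED))
```

To use it on a real failure, copy the full authorization URL from the browser's address bar on the error page and pass it as `auth_request_url`, together with the client id and Redirect URIs shown in the app registration.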

If the client id is correct, and you’re sure your URL is correct (even with the casing!), you might have encountered an annoying issue in how Office 365 manages app principal propagation. There’s no transparency to this issue and you won’t get a proper error.

However, to fix it, you only need to access a specific UI once. This is pretty quick – see the steps below:

Time needed: 10 minutes

How to trigger the reply URL registration in SharePoint Online to fix AADSTS50011, whenever it’s broken for whatever reason:

  1. Go to Tenant Administration

    You can get there from the waffle menu, or by navigating to https://yourtenant-admin.sharepoint.com

  2. Access the API management section

    It’s only available in the “new” Admin Portal experience: In the upper-right corner, click the Try the preview button, which will take you to the new SharePoint admin center (if it isn’t enabled for you already!)

    Then, from the sidebar, click the API management link

    (Alternatively, just access it with a link like this: https://yourtenant-admin.sharepoint.com/_layouts/15/online/AdminHome.aspx#/webApiPermissionManagement)

  3. Opening this page should trigger the provisioning of the necessary configuration.

    Yep. That’s it. No further clicks are required!


To be updated, when new gotchas are found! :)
