This post was most recently updated on March 17th, 2021.
So, you got an error with a code AADSTS50011? It’s just Azure AD’s authentication acting up because of an invalid reply address! There’s a bunch of different reasons that lead to this error. This post describes the variant where the URL’s casing differs from what’s configured. For me, the most typical scenario where I run into this error is accessing the app from SharePoint.
In short: When trying to run code that tries to authenticate against AAD (like a SharePoint Online webpart or a Teams tab), you’re getting an error somewhat like this:
AADSTS50011: The reply address <...> does not match the reply addresses configured for the application: '<guid>'. More details: Reply address did not match because of case sensitivity.
This is another variation of the good old “AADSTS50011: The reply address does not match the reply addresses configured” error.
I recently encountered this version of the error. Normally, you don’t get any extra details – the “More details:” section will just say “not available” or some such. But I guess a lot of people have been struggling with the case-sensitivity of the URLs (I wonder who thought that was a good idea?), and Microsoft has opted to provide this slightly improved version of the classical reply-url error.
For once, the error message actually tells you exactly what’s wrong.
At least it’s likely it does.
See, I ran into this issue with SharePoint Online, as I was supposed to have an SPFx webpart running on a certain page, authenticating and doing a few things. For this, I had simply registered said page as the redirect URI.
Your situation might be similar – my URL had “<site>/Pages/default.aspx” in it, but I entered it as “<site>/pages/default.aspx” in the configuration.
This shouldn’t usually matter. SharePoint normally handles redirection between differently capitalized versions of the URL, and you should only need to use one version of the URL. Just copying whatever URL is in the address bar when you enter the page generally works – simple as that.
However, that doesn’t always work like it should, and you don’t always have just one version of the URL. That means that you’ll just have to make sure your links always point to whatever address SharePoint actually resolves as the default – so make sure to either use only the web’s address (e.g. use the URL without library and page names), or use the address SharePoint returns to you by default. Or you can use both – you just can’t use multiple different capitalizations, for some reason!
The solution is 50% obvious, but 50% gotcha.
If you think it’s easily done, and that you can just change the case in the reply address from “/Pages/default.aspx” to “/pages/default.aspx” and be done with it, you’re only half correct. Whereas the reply-address check during authentication is case-sensitive, saving the URLs is not.
If you just fix the URL and save, it’ll look like it saved, but it didn’t actually change the reply address. It still won’t work.
So, this is what you’ll need to do instead:
Time needed: 5 minutes.
How to fix the casing on Azure Active Directory app registration Redirect URI configuration?
- Remove the offending value in the reply-url configuration
- Save the changes (click the button at the bottom of the page)
- Scroll back to the reply-urls, add a new one, this time with correct casing
- Save again – and after this, it should work!
Seems incredibly redundant and somewhat obvious – but that’s the gotcha for you!
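As an added example (not code from the original post), this Node.js sketch takes the sign-in URL that produced the error and the reply URLs listed on the app registration, and tells a case-only mismatch apart from a missing entry. The function names, the contoso URLs and the placeholder client ID are constructed for illustration, and the exact string comparison is an assumption based on the case-sensitive check described above.

```javascript
// Added example: classify a reply-address failure as exact match, case-only
// mismatch, or not registered. All URLs below are constructed sample values.

// Pull redirect_uri out of the authorize request the browser was sent to.
function sentRedirectUri(authorizeUrl) {
  const value = new URL(authorizeUrl).searchParams.get('redirect_uri');
  if (!value) throw new Error('authorize URL carries no redirect_uri');
  return value; // searchParams.get() already percent-decodes the value
}

// Assumption: the check is an exact, case-sensitive string comparison.
function diagnoseReplyUrl(authorizeUrl, registered) {
  const sent = sentRedirectUri(authorizeUrl);
  if (registered.includes(sent)) return { status: 'match', sent, fix: [] };

  // Entries that differ from the sent value only in letter case.
  const caseOnly = registered.filter(
    (r) => r.toLowerCase() === sent.toLowerCase()
  );
  if (caseOnly.length === 0) {
    return { status: 'not-registered', sent, fix: [`add ${sent}`, 'save'] };
  }
  // Editing the entry in place does not stick, so the fix needs two saves.
  return {
    status: 'case-mismatch',
    sent,
    fix: [...caseOnly.map((r) => `remove ${r}`), 'save', `add ${sent}`, 'save'],
  };
}

// Constructed sample input: page URL uses /Pages/, registration uses /pages/.
const sampleAuthorizeUrl =
  'https://login.microsoftonline.com/common/oauth2/authorize' +
  '?client_id=00000000-0000-0000-0000-000000000000' +
  '&redirect_uri=' +
  encodeURIComponent('https://contoso.sharepoint.com/sites/hr/Pages/default.aspx');
const sampleRegistered = [
  'https://contoso.sharepoint.com/sites/hr/pages/default.aspx',
  'https://contoso.sharepoint.com/sites/hr',
];

console.log(diagnoseReplyUrl(sampleAuthorizeUrl, sampleRegistered));
```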