AADSTS50011 - Invalid Reply URL

Start Here

Use the closest compare guide, playbook, or adjacent error page to narrow the decision faster before you start changing production systems.

This page is part of the Error Reference library. Learn more about the project or report a correction.

What Does Invalid Reply URL Mean?

AADSTS50011 occurs when Entra ID acts as a security gatekeeper. When your app sends a sign-in request, it specifies where the token should be sent back (redirect_uri). If this URI does not match the registered list in the App Registration character-for-character, Entra ID blocks the request to prevent token hijacking. Entra ID is strictly literal; it does not allow for close-enough matches.

Common Causes

• -Character Mismatch: Difference in a trailing slash (.../callback vs .../callback/).
• -Protocol Discrepancy: Using http on a local machine while the Azure registration only has https.
• -Port Confusion: App running on port :3000 locally but registered as :5000 in the portal.
• -Wrong App Registration: The client ID in the request points to App A, but you are editing the Redirect URIs for App B.
• -Wildcard Restrictions: Using wildcards in URIs for SPA or Web platforms, which Microsoft has largely restricted for security.

How to Fix Invalid Reply URL

1. 1Check the Browser URL: Look at the redirect_uri= parameter in the error page URL. Copy that exact string.
2. 2Ensure Character Parity: Paste that string into Entra ID > App Registration > Authentication as a new entry.
3. 3Verify Platform Type: If you are building a React/Vue app, ensure the URI is under the SPA section, not Web.
4. 4Sync Env Vars: Double-check that your .env file uses the exact same string as the Azure Portal.

Step-by-Step Diagnosis for Invalid Reply URL

1. 1Decode the redirect_uri parameter from the failing auth request URL.
2. 2Open the Microsoft Entra admin center and navigate to the Authentication blade of the app.
3. 3Compare sent versus registered URIs side-by-side, focusing on the scheme, port, and path.
4. 4Verify the clientId matches the registration you are currently auditing.

// App sends this (from browser address bar):
"http://localhost:3000/api/auth/callback/azure"

// Azure Portal must have exactly this:
"http://localhost:3000/api/auth/callback/azure"

Seen in Production

Debugging Tools

• -Browser URL Bar: Inspect the redirect_uri parameter during the failure.
• -Azure Portal Sign-in Logs: View the authentication details for specific mismatch reasons.

How to Verify the Fix

• -Restart the sign-in flow and confirm the browser redirects back to the app without an error.
• -Check the Network tab (F12) for a successful 302 redirect to the expected callback path.
• -Confirm that Staging and Prod environments have their own distinct URIs registered.

How to Prevent Recurrence

• -Use IaC: Manage Redirect URIs via Terraform or Bicep to eliminate manual entry errors.
• -Dynamic Config: Read the Redirect URI from a central environment variable in your code.
• -Pro-tip: Add updating the Redirect URI to your new environment checklist to catch port or domain changes before deployment.

Related Errors

Official References

• -Microsoft Troubleshooting Guide
• -Microsoft Identity Platform Error Codes - AADSTS50011
• -Azure Official Documentation