This issue occurs in the following scenario:
- The web application uses any of the Azure AD–supported authentication protocols (OpenID Connect, WS-Federation or SAML 2.0).
- The associated application object is configured in Azure AD with a single reply URL.
- When the service provider (web application)–initiated authentication request for sign-in is made, the web application does not include the optional reply URL parameter in the request, so Azure AD falls back to the reply URL registered for the application.
Then, the app developer makes a change to the web application configuration (through the Azure Management Portal) by changing the reply URL. The app developer also deploys the web application at a new endpoint (to match the new reply URL) and no longer services any requests that come to the old reply URL endpoint. In this situation, all existing customers who have already consented to the web application may now be unable to sign in to the web application.
To resolve this issue, use one of the following methods:
- Explicitly specify the reply URL in the application code. This is the recommended solution. The app developer should update the code for the authentication request to explicitly specify the reply URL (the parameter name depends on the protocol used, as described in the "Cause" section).
- Use PowerShell to overwrite the reply address. The company administrator should run the following Azure AD PowerShell cmdlets to overwrite the old reply address with the new reply address:
- $r = New-MsolServicePrincipalAddresses -Address <app's_new_reply_address> -AddressType "reply"
- Set-MsolServicePrincipal -AppPrincipalId <app's_clientId> -Addresses $r
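The recommended fix from the first method, as an added Python example that is not from the original article: it builds an OpenID Connect sign-in request that carries the reply URL explicitly as `redirect_uri`, next to a simplified resolver (an assumption about identity-provider behaviour, not Azure AD's exact logic) showing that when the parameter is omitted the provider can only fall back to whatever address is registered, which is how a stale registration breaks sign-in. The client id, URLs, state and nonce are constructed placeholders.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholder authority; a real app would use its tenant or "common".
AUTHORITY = "https://login.microsoftonline.com/common"


def build_oidc_request(client_id: str, reply_url: str, state: str, nonce: str) -> str:
    """Build an OpenID Connect authorization request that carries the reply URL
    explicitly (the redirect_uri parameter) instead of relying on the single
    value registered in Azure AD."""
    params = {
        "client_id": client_id,
        "response_type": "id_token",
        "response_mode": "form_post",
        "redirect_uri": reply_url,  # explicit reply URL: the recommended fix
        "scope": "openid",
        "state": state,              # CSRF protection, echoed back by the provider
        "nonce": nonce,              # replay protection, bound into the id_token
    }
    return f"{AUTHORITY}/oauth2/authorize?{urlencode(params)}"


def resolve_reply_url(request_url: str, registered: list) -> str:
    """Simplified model (an assumption, not Azure AD's exact logic) of how an
    identity provider chooses where to post the token:
      - an explicit redirect_uri must exactly match a registered address
        (exact matching is what prevents token leakage to attacker-chosen URLs);
      - if it is absent and exactly one address is registered, that address is
        used, whether or not the app still serves it."""
    query = parse_qs(urlparse(request_url).query)
    requested = query.get("redirect_uri", [None])[0]
    if requested is None:
        if len(registered) == 1:
            return registered[0]  # silent fallback to the registered (possibly stale) URL
        raise ValueError("no redirect_uri and registered addresses are ambiguous")
    if requested not in registered:
        raise ValueError(f"redirect_uri {requested!r} is not a registered reply URL")
    return requested


if __name__ == "__main__":
    # Constructed scenario: the consented service principal still lists the old URL.
    stale_registration = ["https://app.example.com/old-signin"]
    implicit = f"{AUTHORITY}/oauth2/authorize?client_id=placeholder&response_type=id_token&scope=openid"
    print("omitted reply URL resolves to:", resolve_reply_url(implicit, stale_registration))
    explicit = build_oidc_request("client-id-placeholder", "https://app.example.com/new-signin", "s1", "n1")
    print("explicit request:", explicit)
```

Running the block shows the implicit request being routed to the old endpoint that no longer serves requests, which is exactly the failure the article describes.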