Last week I needed to set up a new Dynamics 365 for Finance and Supply Chain environment and I got a strange error message which took some time to figure out.
AADSTS50011: The redirect URI 'https://enadvdemo01.operations.eu.dynamics.com/' specified in the request does not match the redirect URIs configured for the application '00000015-0000-0000-c000-000000000000'. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/redirectUriMismatchError to learn more about how to fix this.

(Since I am not an Entra ID expert I might have some details wrong in the explanation, but this is what I think the issue is.)
The issue here is that when you are working with D365FO, which is a Microsoft SaaS-ish service, there is a Service Principal created for Microsoft's application in your Entra ID tenant. When you set up a new environment, the URL for that environment is added to that Service Principal as two ReplyUrls: one for the base URL and one for the OAuth endpoint.
Apparently there is a limit (255) for how many of these URLs you can have for the Service Principal. This means that when you have deployed enough environments the property fills up. I am guessing that there might be a clean-up routine for these but that it might sometimes fail.
The solution is to remove a couple of old ones and manually add the new ones.
1. Log into the Azure Portal
2. Start the Cloud Shell

3. In the Cloud Shell, run the following commands

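# Sign in to the tenant
Connect-AzureAD
# AppId of the Microsoft application named in the error message
$AADRealm = "00000015-0000-0000-c000-000000000000"
# Look up the service principal for that application
Get-AzureADServicePrincipal -Filter "AppId eq '$AADRealm'"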
Find old, retired URLs here and run the following
$EnvironmentUrl = "https://newenv.operations.eu.dynamics.com"
$OLDEnvironmentUrl = "https://retiredenv.operations.eu.dynamics.com"
$SP = Get-AzureADServicePrincipal -Filter "AppId eq '$AADRealm'"
# Remove() returns True when the URL was in the list and False when it was not found
$SP.ReplyUrls.Remove("$OLDEnvironmentUrl")
$SP.ReplyUrls.Remove("$OLDEnvironmentUrl/oauth")
# Add the base URL and the OAuth endpoint for the new environment
$SP.ReplyUrls.Add("$EnvironmentUrl")
$SP.ReplyUrls.Add("$EnvironmentUrl/oauth")
# Write the modified list back to the service principal
Set-AzureADServicePrincipal -ObjectId $SP.ObjectId -ReplyUrls $SP.ReplyUrls
This will remove the retired URLs and add the ones for the new environment.
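A guarded version of the same swap, as an added example that is not from the original post: the hypothetical helper Get-ReplyUrlPlan works on a copy of the list, refuses to proceed when the retired URLs are not actually present, and checks the result against the 255 limit mentioned above. The sample list is constructed, and the tenant commands at the end use only the cmdlets already shown.

```powershell
# Added example. Get-ReplyUrlPlan is a hypothetical helper name, not part of any module.
# The default limit of 255 is the figure quoted in the post.
function Get-ReplyUrlPlan {
    param(
        [string[]]$Current,
        [string]$RetiredUrl,
        [string]$NewUrl,
        [int]$Limit = 255
    )
    # Each environment owns two entries: the base URL and the OAuth endpoint.
    $retired = @($RetiredUrl, "$RetiredUrl/oauth")
    $new     = @($NewUrl, "$NewUrl/oauth")

    # A typo in the retired URL would otherwise remove nothing without any error.
    $missing = @($retired | Where-Object { $Current -notcontains $_ })
    if ($missing.Count -gt 0) {
        throw "Not in the current list, nothing to remove: $($missing -join ', ')"
    }

    # Build the new list on a copy so the original stays available for comparison.
    $result = [System.Collections.Generic.List[string]]::new()
    foreach ($u in $Current) { if ($retired -notcontains $u) { $result.Add($u) } }
    foreach ($u in $new)     { if ($result -notcontains $u)  { $result.Add($u) } }

    if ($result.Count -gt $Limit) {
        throw "List would hold $($result.Count) entries, over the limit of $Limit"
    }
    [pscustomobject]@{ Before = $Current.Count; After = $result.Count; ReplyUrls = $result }
}

# Constructed sample list (not real tenant data) to try the helper offline.
$sample = @(
    'https://retiredenv.operations.eu.dynamics.com',
    'https://retiredenv.operations.eu.dynamics.com/oauth',
    'https://otherenv.operations.eu.dynamics.com',
    'https://otherenv.operations.eu.dynamics.com/oauth'
)
$plan = Get-ReplyUrlPlan -Current $sample `
    -RetiredUrl 'https://retiredenv.operations.eu.dynamics.com' `
    -NewUrl 'https://newenv.operations.eu.dynamics.com'
$plan.ReplyUrls   # review the planned list before writing anything

# Against the tenant, with the variables from the steps above:
# $SP = Get-AzureADServicePrincipal -Filter "AppId eq '$AADRealm'"
# $SP.ReplyUrls | Set-Content ./replyurls-backup.txt   # copy to restore from
# $plan = Get-ReplyUrlPlan -Current $SP.ReplyUrls -RetiredUrl $OLDEnvironmentUrl -NewUrl $EnvironmentUrl
# Set-AzureADServicePrincipal -ObjectId $SP.ObjectId -ReplyUrls $plan.ReplyUrls
```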
Links:
Error AADSTS50011 – The reply URL specified in the request does not match the reply URLs configured for the application <GUID>. | Microsoft Learn
Solved: AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: ‘00000015-0000-0000-c000-000000000000’.