What causes AADSTS50011?

The redirect_uri sent by the client doesn't exactly match a Reply URL on the Microsoft Entra ID (Azure AD) app registration (case, trailing slash, http vs https all matter). SAML AssertionConsumerServiceURL in the SAML request differs from the Reply URL configured on the Entra Enterprise Application. App was moved between environments (dev/test/prod) or domains and the new hostname was never added to Reply URLs. Reply URL is registered under the wrong platform type (Web vs SPA vs Mobile/Desktop) on the app registration. Multi-tenant or white-labeled deployment where each tenant's callback URL wasn't added to the central app registration

How do I fix AADSTS50011?

Copy the exact reply URL shown in the error message (or capture redirect_uri from the failing request) — this is the value the client is sending. In the Entra admin center, open App registrations → your app → Authentication, and add that exact URL under Redirect URIs on the correct platform (Web for server apps, SPA for browser apps using PKCE). For SAML SSO apps: open Enterprise applications → your app → Single sign-on, and set the Reply URL to match the AssertionConsumerServiceURL from the SAML request. If you don't have permission to edit the app registration, send the exact URL to your Entra ID administrator (or the app vendor for third-party apps) and ask them to register it. After saving, wait ~1 minute for propagation, then retry the sign-in in a fresh browser session to avoid cached auth state

Medium severityauthentication

Power BI Error:
AADSTS50011

What does this error mean?

The redirect URI sent in the sign-in request doesn't match any Reply URL configured on the Entra ID app registration.

Common causes

1The redirect_uri sent by the client doesn't exactly match a Reply URL on the Microsoft Entra ID (Azure AD) app registration (case, trailing slash, http vs https all matter)
2SAML AssertionConsumerServiceURL in the SAML request differs from the Reply URL configured on the Entra Enterprise Application
3App was moved between environments (dev/test/prod) or domains and the new hostname was never added to Reply URLs
4Reply URL is registered under the wrong platform type (Web vs SPA vs Mobile/Desktop) on the app registration
5Multi-tenant or white-labeled deployment where each tenant's callback URL wasn't added to the central app registration

How to fix it

1Copy the exact reply URL shown in the error message (or capture redirect_uri from the failing request) — this is the value the client is sending
2In the Entra admin center, open App registrations → your app → Authentication, and add that exact URL under Redirect URIs on the correct platform (Web for server apps, SPA for browser apps using PKCE)
3For SAML SSO apps: open Enterprise applications → your app → Single sign-on, and set the Reply URL to match the AssertionConsumerServiceURL from the SAML request
4If you don't have permission to edit the app registration, send the exact URL to your Entra ID administrator (or the app vendor for third-party apps) and ask them to register it
5After saving, wait ~1 minute for propagation, then retry the sign-in in a fresh browser session to avoid cached auth state

Frequently asked questions

What does AADSTS50011 mean?

The reply address is missing, misconfigured, or doesn't match reply addresses configured for the app. As a resolution ensures to add this missing reply address to the Microsoft Entra application or ha

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/troubleshoot/azure/active-directory/error-code-aadsts50011-reply-url-mismatch