
Wildcard in redirect URI seems to be unsupported even for "signInAudience": "AzureADMyOrg" #94968

Closed
jlian opened this issue Jun 28, 2022 · 13 comments

Comments

@jlian
Contributor

jlian commented Jun 28, 2022

In the article it says

Wildcard URIs are allowed, however, for apps that are configured to sign in only work or school accounts in an organization's Azure AD tenant. To add redirect URIs with wildcards to app registrations that sign in work or school accounts, use the application manifest editor in App registrations in the Azure portal.

I tried doing this and I would get an error: "Error detail: Invalid value specified for property 'replyUrlsWithType' of resource 'Application'."


I checked and my app registration has "signInAudience": "AzureADMyOrg". Am I doing something wrong or is the documentation now outdated? I need to do this for the same reason as this StackOverflow post, so that I can get it to work with my CI/CD pipeline.



@jlian jlian changed the title Wildcard seems to be unsupported even for Wildcard seems to be unsupported even for "signInAudience": "AzureADMyOrg" Jun 28, 2022
@shwetamathur7 shwetamathur7 self-assigned this Jun 28, 2022
@shwetamathur7
Contributor

@jlian Thanks for your feedback. Could you please specify what value you are passing in redirect URI?

@jlian
Contributor Author

jlian commented Jun 28, 2022

I'm trying to do https://static-string-*.centralus.1.azurestaticapps.net/.auth/login/aad/callback - for Azure Static Web App's pull request preview environment feature

@shwetamathur7
Contributor

@jlian Wildcards are allowed in redirect URIs to sign in with work or school accounts. A wildcard ‘*’ should represent a valid token sequence and be joined by a specific separator, ‘.’ or ‘/’.

The examples below are accepted as valid URLs:
https://static-string-/*centralus.1.azurestaticapps.net/.auth/login/aad/callback
https://static-string-/.*/centralus.1.azurestaticapps.net/.auth/login/aad/callback

@jlian
Contributor Author

jlian commented Jul 1, 2022

Thanks, the manifest update goes through, but I can't get it to work.

The URL I have now is https://static-string-4.centralus.1.azurestaticapps.net/.auth/login/aad/callback

Patterns I've tried in the reply URL:

https://static-string-/*centralus.1.azurestaticapps.net/.auth/login/aad/callback
https://static-string-/.*/centralus.1.azurestaticapps.net/.auth/login/aad/callback
https://static-string-/*/centralus.1.azurestaticapps.net/.auth/login/aad/callback
https://static-string-/*/.centralus.1.azurestaticapps.net/.auth/login/aad/callback
https://static-string-/*.centralus.1.azurestaticapps.net/.auth/login/aad/callback

I always get "AADSTS50011: The redirect URI 'https://static-string-4.centralus.1.azurestaticapps.net/.auth/login/aad/callback' specified in the request does not match the redirect URIs configured for the application"

@shwetamathur7
Contributor

As this is not a documentation-related issue, closing this issue here.

@jlian
Contributor Author

jlian commented Jul 5, 2022

Sorry, I don't understand how this isn't a documentation issue. Shouldn't we make it clear in the docs how the user would add wildcards in the redirect URI?

BTW, after several hours of trial and error I got it to work with one pattern:

https://*.centralus.1.azurestaticapps.net/.auth/login/aad/callback

The first part cannot have any other characters at all. This is all currently undocumented.
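To make the rule this thread converges on concrete, here is an added example (not code from the issue, Microsoft, or Azure Static Web Apps): a small redirect-URI matcher in Python. It assumes that `*` is accepted only as the entire leftmost host label, that it matches exactly one label, and that scheme, remaining host labels and path must match exactly; run against the patterns tried above, only the `https://*.centralus...` form survives.

```python
# Added example (not from the issue, Microsoft, or Azure Static Web Apps):
# a redirect-URI matcher modelling the wildcard rule the thread arrives at.
# Assumptions: '*' is accepted only as the entire leftmost host label
# (https://*.centralus.1.azurestaticapps.net/...), it matches exactly one
# label, and scheme, remaining host labels and path must match exactly.
from urllib.parse import urlsplit


def _split(uri: str):
    """Normalise scheme and host to lower case; path and query compare as-is."""
    p = urlsplit(uri)
    return p.scheme.lower(), p.netloc.lower(), p.path, p.query


def is_valid_wildcard_pattern(pattern: str) -> bool:
    """Reject forms like 'static-string-*.' or '/*' that the portal refused."""
    scheme, host, path, query = _split(pattern)
    if scheme != "https" or "*" in path or "*" in query:
        return False
    if "*" not in host:
        return True  # plain exact-match URI, always fine
    labels = host.split(".")
    # '*' must be the whole first label and appear nowhere else in the host
    return labels[0] == "*" and len(labels) > 1 and all("*" not in l for l in labels[1:])


def redirect_uri_matches(pattern: str, candidate: str) -> bool:
    """True if the requested redirect_uri is covered by the registered pattern."""
    if not is_valid_wildcard_pattern(pattern):
        return False
    ps, ph, pp, pq = _split(pattern)
    cs, ch, cp, cq = _split(candidate)
    if (ps, pp, pq) != (cs, cp, cq) or "*" in ch:
        return False
    if "*" not in ph:
        return ph == ch
    pl, cl = ph.split("."), ch.split(".")
    # one wildcard label: same label count, non-empty first label, rest identical
    return len(pl) == len(cl) and cl[0] != "" and pl[1:] == cl[1:]


# Patterns from this thread, checked against the preview-environment callback URI
TRIED = [
    "https://static-string-*.centralus.1.azurestaticapps.net/.auth/login/aad/callback",
    "https://static-string-/*centralus.1.azurestaticapps.net/.auth/login/aad/callback",
    "https://static-string-/*.centralus.1.azurestaticapps.net/.auth/login/aad/callback",
    "https://*.centralus.1.azurestaticapps.net/.auth/login/aad/callback",
]
REQUESTED = "https://static-string-4.centralus.1.azurestaticapps.net/.auth/login/aad/callback"


def working_patterns(patterns=TRIED, requested=REQUESTED):
    return [p for p in patterns if redirect_uri_matches(p, requested)]
```

Because the wildcard covers a single label, an unrelated deeper subdomain such as `a.b.centralus...` is not matched, which is the narrower behaviour a defender would want from any wildcard redirect.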

@jlian jlian changed the title Wildcard seems to be unsupported even for "signInAudience": "AzureADMyOrg" Wildcard in redirect URI seems to be unsupported even for "signInAudience": "AzureADMyOrg" Jul 7, 2022
@jlian
Contributor Author

jlian commented Jul 7, 2022

@shwetamathur7 please reopen this issue as docs updates are still needed

@jdempcy

jdempcy commented Sep 29, 2022

I am running into this problem as well. The documentation states:

To add redirect URIs with wildcards to app registrations that sign in work or school accounts, use the application manifest editor in App registrations in the Azure portal.

However, I have been unable to get this to work in any capacity.

@gunnim
Contributor

gunnim commented Nov 29, 2022

Having the same issue, already tried a lot of the options here. Interestingly, *.tld is accepted, but adding a known subdomain with a wildcard apex domain seems not to be.

@kstynen

kstynen commented Dec 19, 2022

Same issue here. Wildcard redirect URIs are not working. I'm using the https://*.example.com/login/callback structure and even that is not working.
It always seems to return back to the last known redirect URI without a wildcard that was configured, even if that callback URI was deleted. I can save the URIs in the manifest but it seems they are completely ignored and I'm getting returned to an old URI that had no wildcards in it. Very strange.

@ransom4real

Sorry, I don't understand how this isn't a documentation issue. Shouldn't we make it clear in the docs how the user would add wildcards in the redirect URI?

BTW, after several hours of trial and error I got it to work with one pattern:

https://*.centralus.1.azurestaticapps.net/.auth/login/aad/callback

The first part cannot have any other characters at all. This is all currently undocumented.

This is the only solution that worked.

@milesnash-sky

@jlian thanks for persevering with this! I would've been totally stumped had it not been for this issue. Really ought to be reopened and the docs updated.

@echipachenko

This should be re-opened, as it's not possible to add a wildcard using the portal UI; it is possible only by manually updating the manifest file, and there is NO information in the MS documentation related to this.

https://learn.microsoft.com/en-us/azure/active-directory/develop/reply-url
this states:

Wildcard URIs are currently unsupported in app registrations configured to sign in personal Microsoft accounts and work or school accounts.

Wildcard URIs are allowed, however, for apps that are configured to sign in only work or school accounts in an organization's Microsoft Entra tenant.

So those two sentences already contradict each other.

Also, why don't you simply change the validation in the Azure Portal UI to allow adding wildcards for an organization's Microsoft Entra tenant?
