Create and configure Microsoft Entra (Azure AD) app registrations, scopes, and service principals
references/troubleshooting.md
# Troubleshooting Microsoft Entra App Registration

This guide helps you diagnose and fix common issues with app registrations and authentication.

## Table of Contents

- [Authentication Errors](#authentication-errors)
- [Token Issues](#token-issues)
- [Debugging Tools](#debugging-tools)
- [Common Error Codes Reference](#common-error-codes-reference)
- [Best Practices for Troubleshooting](#best-practices-for-troubleshooting)
- [Getting Help](#getting-help)

## Authentication Errors

### Redirect URI Mismatch

**Error message:**
```
AADSTS50011: The redirect URI 'http://localhost:3000' specified in the request
does not match the redirect URIs configured for the application.
```

**Cause:** The redirect URI in your authentication request doesn't exactly match what's registered.

**Solutions:**

1. **Check exact match** (case-sensitive, trailing slash matters):
```
Registered: https://myapp.com/callback
Request: https://myapp.com/callback/ ❌ (trailing slash)
Request: https://MyApp.com/callback ❌ (case difference)
Request: https://myapp.com/callback ✅
```

2. **Add URI to app registration:**
```bash
# Portal: Authentication → Add redirect URI
# CLI: --web-redirect-uris sets the complete list, so include every URI you want to keep
az ad app update --id $APP_ID \
  --web-redirect-uris "http://localhost:3000" "https://myapp.com/callback"
```

3. **Check platform type:**
- Web URIs go in "Web" platform
- SPA URIs go in "Single-page application"
- Desktop/mobile URIs go in "Public client/native"

### Invalid Client Secret

**Error message:**
```
AADSTS7000215: Invalid client secret provided.
Ensure the secret being sent in the request is the client secret value, not the client secret ID.
```

**Causes:**
- Client secret expired
- Wrong secret value (copied secret ID instead of value)
- Secret doesn't match app registration

**Solutions:**

1. **Check expiration:**
```bash
# Lists password credentials with their keyId and endDateTime; secret values are never shown
az ad app credential list --id $APP_ID
```

2. **Create new secret:**
```bash
# Without --append, reset replaces the app's existing password credentials
az ad app credential reset --id $APP_ID --years 1
```
Copy the `password` value (not the `keyId`).

### User Consent Required

**Error message:**
```
AADSTS65001: The user or administrator has not consented to use the application
```

**Causes:**
- Application permissions require admin consent
- User hasn't consented to delegated permissions
- Consent was revoked

**Solutions:**

1. **Grant admin consent (if admin):**
```bash
az ad app permission admin-consent --id $APP_ID
```

2. **Request user consent (interactive flow):**
This requires the client app to have access to a UI (a browser, a terminal window, etc.). Follow the best practices of your client app to implement the interactive flow.

3. **Check API permissions in portal:**
- Ensure permissions are added
- Look for green checkmarks (granted)
- Yellow warning means not granted

### Grant Declined

**Error message:**
```
AADSTS70000: The request was denied because one or more permissions have been declined
```

**Cause:** User or admin explicitly denied consent.

**Solutions:**

1. **Re-request with explanation:**
- Explain why permissions are needed
- Request only necessary permissions

2. **Check if admin consent is required:**
- Some organizations disable user consent
- Contact your admin to grant consent

3. **Reduce permission scope:**
- Request minimal permissions initially
- Use incremental consent for additional features

### Application Not Found

**Error message:**
```
AADSTS700016: Application with identifier '{app-id}' was not found in the directory
```

**Causes:**
- Wrong application ID
- Wrong tenant ID
- Service principal not created
- App in different tenant

**Solutions:**

1. **Verify application ID:**
```bash
az ad app list --display-name "MyApp" --query "[].{Name:displayName, AppId:appId}"
```

2. **Verify tenant ID:**
```bash
az account show --query tenantId -o tsv
```

### Application Doesn't Have a Service Principal

**Error message:**
```
The app is trying to access a service 'your_app_id'(your_app_name) that your organization 'your_tenant_id' lacks a service principal for
```

**Causes:**
- Your tenant is not configured to automatically provision the service principal for app registrations in it.

**Solutions:**

1. **Create service principal:**
```bash
az ad sp create --id $APP_ID
```

### Missing Required Field

**Error message:**
```
AADSTS90014: The required field 'client_id' is missing from the request
```

This can happen if the client you are using isn't compatible with Entra. Consult the owner of your client app to see if it supports Entra.

## Token Issues

Unless the access token is encrypted, you can decode and view its claims securely at https://jwt.ms. **Don't** use any other website to decode an access token. Compare the claims in the token with the app registration's configuration to identify issues.

## Debugging Tools

### JWT Token Decoder

**Tool:** https://jwt.ms

**How to use:**
1. Copy your access token
2. Paste into jwt.ms
3. Review claims:
- `aud` - Audience (should match your API)
- `iss` - Issuer (should be login.microsoftonline.com)
- `scp` - Delegated permissions
- `roles` - Application permissions
- `exp` - Expiration timestamp
- `oid` - User object ID

---

### Fiddler

**Use for:** Inspecting HTTP requests/responses

**What to check:**
- Authorization header format: `Bearer {token}`
- Token is being sent
- Response status codes and error messages

### Entra Sign-in Logs

**Access:** Azure Portal → Microsoft Entra ID → Sign-in logs

**What to check:**
- Failed sign-in attempts
- Error codes and messages
- User consent status
- Conditional Access policy failures

## Common Error Codes Reference

| Error Code | Meaning | Common Cause |
|------------|---------|--------------|
| AADSTS50011 | Redirect URI mismatch | URI not registered or doesn't match |
| AADSTS50020 | Invalid tenant | Wrong tenant in authority URL |
| AADSTS50034 | User not found | User doesn't exist in tenant |
| AADSTS50053 | Account locked | Too many failed attempts |
| AADSTS50055 | Password expired | User needs to reset password |
| AADSTS50057 | Account disabled | User account disabled |
| AADSTS50058 | Silent sign-in failed | Interactive auth required |
| AADSTS50059 | Tenant not found | Invalid tenant ID |
| AADSTS65001 | Consent required | User/admin hasn't consented |
| AADSTS70000 | Grant declined | User denied consent |
| AADSTS70001 | App disabled | App registration disabled |
| AADSTS700016 | App not found | Invalid app ID or wrong tenant |
| AADSTS7000215 | Invalid client secret | Wrong/expired secret |
| AADSTS90014 | Missing field | Required parameter not sent |
| AADSTS90072 | Consent needed | Admin consent required |

## Best Practices for Troubleshooting

### Systematic Approach

1. **Collect information:**
- Exact error message and code
- When it started happening
- What changed recently
- Environment (dev/test/prod)

2. **Check basics first:**
- App ID and tenant ID correct
- Permissions added and consented
- Redirect URIs configured
- Secrets/certificates valid

3. **Use debugging tools:**
- Decode tokens (jwt.ms)
- Check sign-in logs
- Enable MSAL logging
- Use network inspector

4. **Test incrementally:**
- Test with minimal permissions
- Add permissions one at a time
- Test different flows separately

## Getting Help

### Microsoft Resources

- [Microsoft Q&A](https://learn.microsoft.com/answers/)
- [Microsoft Identity Platform Documentation](https://learn.microsoft.com/entra/identity-platform/)
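## Worked Example: Flagging Expired Secrets

The "Check expiration" step under Invalid Client Secret and the "Secrets/certificates valid" basic check both come down to reading the `endDateTime` of each password credential that `az ad app credential list` prints. The script below is an added example, not part of the skill package: it takes that JSON output (a constructed sample is embedded so it runs offline) and groups the secrets into expired, expiring within a warning window, and fine. The field names `keyId`, `displayName`, `endDateTime` and `hint` are assumed to match the CLI's Graph-based output, and the parser tolerates the seven-digit fractional seconds Graph timestamps sometimes carry. Secret values are never present in this listing, which is what makes it safe to share in a ticket.

```python
"""Classify app secrets from `az ad app credential list` output by expiry (added example)."""
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed sample of the CLI's JSON output; not captured from a real tenant.
# Only the fields used below are assumed. The keyId is what you rotate or remove.
SAMPLE_CREDENTIAL_LIST = """
[
  {"displayName": "ci-pipeline", "endDateTime": "2023-12-01T00:00:00Z",
   "keyId": "aaaaaaaa-0000-0000-0000-000000000001", "hint": "abc"},
  {"displayName": "dev-laptop", "endDateTime": "2024-01-20T12:00:00.1234567Z",
   "keyId": "aaaaaaaa-0000-0000-0000-000000000002", "hint": "def"},
  {"displayName": "prod", "endDateTime": "2025-06-01T00:00:00Z",
   "keyId": "aaaaaaaa-0000-0000-0000-000000000003", "hint": "ghi"}
]
"""

# Fixed clock so the classification is reproducible; use datetime.now(timezone.utc) in practice.
FIXED_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


def parse_graph_timestamp(value: str) -> datetime:
    """Parse a Graph-style UTC timestamp, dropping any fractional seconds
    (Graph may emit seven digits, which strptime's %f does not accept)."""
    main = value.rstrip("Z").split(".")[0]
    return datetime.strptime(main, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def classify_credentials(raw_json: str, now: datetime,
                         warn_days: int = 30) -> Dict[str, List[str]]:
    """Group password credentials into 'expired', 'expiring' (ends within
    warn_days) and 'ok'. Each label carries displayName, keyId and end date."""
    result: Dict[str, List[str]] = {"expired": [], "expiring": [], "ok": []}
    for cred in json.loads(raw_json):
        end = parse_graph_timestamp(cred["endDateTime"])
        label = f"{cred.get('displayName', '?')} ({cred['keyId']}) ends {end.date()}"
        if end <= now:
            result["expired"].append(label)
        elif end <= now + timedelta(days=warn_days):
            result["expiring"].append(label)
        else:
            result["ok"].append(label)
    return result


if __name__ == "__main__":
    # Usage: az ad app credential list --id $APP_ID > creds.json, then feed the file here.
    for status, items in classify_credentials(SAMPLE_CREDENTIAL_LIST, FIXED_NOW).items():
        for item in items:
            print(f"[{status}] {item}")
```

An AADSTS7000215 from a client whose secret shows up under `expired` is the expected outcome; anything under `expiring` is a rotation you can schedule before it turns into an outage.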
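## Worked Example: Decoding Token Claims Locally

The Token Issues section and the JWT Token Decoder checklist describe comparing `aud`, `iss`, `scp`, `roles` and `exp` against the app registration. If you would rather not paste an access token into any website at all, the same inspection is a few lines of standard-library Python. The script below is an added example, not code from the skill package: it base64url-decodes the header and payload of a compact JWS without verifying the signature (so it reports what the token claims, never whether the token is genuine), then compares the claims with an expected audience and tenant. The tenant and app IDs, the sample claims and the dummy signature are all constructed placeholders. It goes slightly beyond the checklist in accepting both issuer forms: v2.0 tokens carry `https://login.microsoftonline.com/{tenant}/v2.0`, v1.0 tokens carry `https://sts.windows.net/{tenant}/`.

```python
"""Inspect Entra access-token claims offline, without signature verification (added example)."""
import base64
import json
import time
from typing import Dict, List, Optional, Tuple


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str) -> Tuple[Dict, Dict]:
    """Return (header, claims) of a compact JWS without checking the signature.
    Troubleshooting aid only: authorization must validate the signature against
    the tenant's published signing keys, which this deliberately does not do."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims


def check_claims(claims: Dict, expected_audience: str, tenant_id: str,
                 now: Optional[float] = None) -> List[str]:
    """Compare the claims jwt.ms would display with the app registration and
    return human-readable findings; an empty list means nothing mismatched."""
    now = time.time() if now is None else now
    findings: List[str] = []

    aud = claims.get("aud")
    if aud != expected_audience:
        findings.append(f"aud mismatch: token has {aud!r}, API expects {expected_audience!r}")

    # v2.0 tokens are issued by login.microsoftonline.com, v1.0 tokens by sts.windows.net.
    expected_issuers = {
        f"https://login.microsoftonline.com/{tenant_id}/v2.0",
        f"https://sts.windows.net/{tenant_id}/",
    }
    iss = claims.get("iss")
    if iss not in expected_issuers:
        findings.append(f"iss mismatch: {iss!r} is not an issuer for tenant {tenant_id}")

    exp = claims.get("exp")
    if exp is None:
        findings.append("exp claim missing")
    elif exp < now:
        findings.append(f"token expired at {exp} (now {int(now)})")

    if "scp" not in claims and "roles" not in claims:
        findings.append("no scp (delegated) or roles (application) claim: no permissions granted")
    return findings


def build_sample_token(claims: Dict) -> str:
    """Constructed token with a dummy signature, used only so the example runs offline."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "placeholder-kid"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url_encode(b"not-a-real-signature"),
    ])


# Placeholder identifiers (constructed, not real tenant or app IDs).
SAMPLE_TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_API_APP_ID = "11111111-1111-1111-1111-111111111111"
FIXED_NOW = 1_700_000_000  # fixed clock so the results are reproducible

GOOD_CLAIMS = {
    "aud": SAMPLE_API_APP_ID,
    "iss": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/v2.0",
    "exp": FIXED_NOW + 3600,
    "scp": "User.Read",
    "oid": "22222222-2222-2222-2222-222222222222",
}

if __name__ == "__main__":
    header, claims = decode_jwt_unverified(build_sample_token(GOOD_CLAIMS))
    print("alg:", header["alg"])
    print("good token:", check_claims(claims, SAMPLE_API_APP_ID, SAMPLE_TENANT, FIXED_NOW))
    stale = dict(GOOD_CLAIMS, aud="api://some-other-api", exp=FIXED_NOW - 60)
    for finding in check_claims(stale, SAMPLE_API_APP_ID, SAMPLE_TENANT, FIXED_NOW):
        print("-", finding)
```

An `aud` finding usually means the client requested a scope for a different resource than the API expects; an `iss` finding points at the wrong tenant in the authority URL (compare AADSTS50020 in the table above). Treat the token itself as a bearer credential while you inspect it: it grants whatever `scp` or `roles` says to anyone who holds it until `exp`.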