
Is it possible to use a single Redirect URI for multiple tenants and multiple web applications using a single Azure AD App Registration?

I have reached the limit of 256 URIs in my Azure multi-tenant App Registration, where each registered tenant has its own set of redirect URIs.

The redirect URIs follow this pattern

After reading Use a state parameter I had the idea to create a new web app that only authenticates and then redirects the user to the originally requested URI. But it is not possible to configure the OpenId CallbackPath to the new auth/authorize/redirect app.

How should I solve this?

ASP.NET Core
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;

authenticationBuilder.Services.AddSingleton<IConfigureOptions<OpenIdConnectOptions>, ConfigureAzureOptions>();
authenticationBuilder.AddOpenIdConnect();

private class ConfigureAzureOptions : IConfigureNamedOptions<OpenIdConnectOptions>
{
   public void Configure( string name, OpenIdConnectOptions options )
   {
      options.ClientId     = "555-xxx";
      options.Authority    = "https://login.microsoftonline.com/common";
      // this is not allowed: CallbackPath is a relative path on this app, not an absolute URL
      options.CallbackPath = "https://mydomain/myauth-redir-app/signin-oidc";
      options.Events       = new OpenIdConnectEvents
      {
         OnRedirectToIdentityProvider = ctx =>
         {
             // remember the URL the user requested, to be picked up later after AAD auth
             ctx.ProtocolMessage.SetParameter("state", "set_org_url");
             return Task.CompletedTask;
         },
         OnTokenValidated = ctx =>
         {
            // this code should run in myauth-redir-app and pick up the state
            // and redirect the user to the originally requested URL
            var stateValue = ctx.ProtocolMessage.GetParameter("state");
            return Task.CompletedTask;
         }
      };
   }

   // IConfigureNamedOptions also requires the unnamed overload
   public void Configure( OpenIdConnectOptions options ) => Configure( Options.DefaultName, options );
}

Rejected solutions

  1. Using wildcards in the URI is no longer supported
  2. Creating an App Registration for each Web Application still limits me to 256 tenants, which is too few.
  3. Creating new App Registrations for each tenant is too cumbersome to maintain and configure.
  4. I do not want to register the Redirect URI in the tenant's Service Principal; I must be able to add and remove URIs without the customer having to take action.
MatiasK
    Hey MatiasK, I find myself in a very similar situation, did you have any solution to this problem? – Ovenkoek Apr 07 '21 at 14:02
  • @Ovenkoek I ended up making the web apps multitenant and thereby the redirect uris were reduced to one per web app instead of a multiple of customer and web app. I use the tenant id claim to identify the customer after they are authenticated. – MatiasK Apr 09 '21 at 05:53

1 Answer

Did you make your registration multi-tenant by finding the Supported account types switch on the Authentication pane of your application registration in the Azure portal and setting it to Accounts in any organizational directory?

With a multi-tenant application you just need one redirect URL (the original one). For a multi-tenant application, the initial registration for the application lives in the Azure AD tenant used by the developer. When a user from a different tenant signs in to the application for the first time, Azure AD asks them to consent to the permissions requested by the application. If they consent, then a representation of the application called a service principal is created in the user's tenant, and sign-in can continue. A delegation is also created in the directory that records the user's consent to the application.

See document: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant#update-registration-to-be-multi-tenant

Nan Yu
  • Yes the registration is multi tenant and currently serves multiple web apps and multiple consumer tenants. The problem is that I can only define 265 redirect urls and I need 7 urls per consuming tenant (protocol://a.com/consumer[1..x]/webapp[1..7]/signin-oidc). I am limited to 36 consuming tenants. – MatiasK Nov 13 '19 at 09:46
  • That is AAD's limit, you can consider adding another AAD. – Nan Yu Nov 14 '19 at 01:23
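An added example, not code from the question, the answer or Microsoft's documentation, that puts together the approach the asker settled on in the comment above (make each web app multi-tenant, keep one relative CallbackPath per web app, identify the customer from the tid claim) with the two checks the answer's "just one redirect URL" advice leaves implicit: with the common authority the token issuer changes per tenant, so the issuer must be validated against the onboarded tenants rather than switched off, and the post-login return URL must stay local so the sign-in flow cannot be used as an open redirect. The client id, the tenant ids, the customer keys and the "customer" claim name are assumed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Hypothetical customer directory: AAD tenant id (tid) -> customer key.
// The GUIDs are constructed placeholders, not values from the question.
var customersByTenant = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
{
    ["11111111-1111-1111-1111-111111111111"] = "consumer1",
    ["22222222-2222-2222-2222-222222222222"] = "consumer2",
};

builder.Services.AddAuthorization();
builder.Services
    .AddAuthentication(o =>
    {
        o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        o.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie()
    .AddOpenIdConnect(o =>
    {
        o.ClientId = "00000000-0000-0000-0000-000000000000"; // placeholder application (client) id
        o.Authority = "https://login.microsoftonline.com/common"; // multi-tenant endpoint
        o.ResponseType = "code";
        // One relative callback path per web app. AAD sees scheme://host/<path base>/signin-oidc,
        // so one registered redirect URI serves every customer tenant that uses this app.
        o.CallbackPath = "/signin-oidc";

        // With /common the issuer differs per tenant, so the stock issuer check cannot be used.
        // Accept only issuers of onboarded tenants instead of disabling issuer validation.
        o.TokenValidationParameters.IssuerValidator = (issuer, token, parameters) =>
        {
            foreach (var tenantId in customersByTenant.Keys)
            {
                if (string.Equals(issuer, $"https://login.microsoftonline.com/{tenantId}/v2.0", StringComparison.OrdinalIgnoreCase) ||
                    string.Equals(issuer, $"https://sts.windows.net/{tenantId}/", StringComparison.OrdinalIgnoreCase))
                    return issuer;
            }
            throw new SecurityTokenInvalidIssuerException($"Issuer '{issuer}' is not an onboarded customer tenant.");
        };

        o.Events = new OpenIdConnectEvents
        {
            // Identify the customer from the tid claim instead of from a per-customer redirect URI.
            OnTokenValidated = ctx =>
            {
                var tid = ctx.Principal?.FindFirst("tid")?.Value
                       ?? ctx.Principal?.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid")?.Value;
                if (tid is null || !customersByTenant.TryGetValue(tid, out var customer))
                {
                    ctx.Fail("Signed-in tenant is not an onboarded customer.");
                    return Task.CompletedTask;
                }
                // "customer" is a hypothetical application-specific claim name
                ((ClaimsIdentity)ctx.Principal!.Identity!).AddClaim(new Claim("customer", customer));
                return Task.CompletedTask;
            }
        };
    });

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// The handler carries the originally requested URL inside its own protected state and restores it
// after sign-in, so no hand-rolled "state" parameter is needed. An explicit login link must still
// accept only local return URLs, otherwise the post-login redirect becomes an open redirect.
app.MapGet("/login", (string? returnUrl) =>
    Results.Challenge(
        new AuthenticationProperties { RedirectUri = IsLocalUrl(returnUrl) ? returnUrl : "/" },
        new[] { OpenIdConnectDefaults.AuthenticationScheme }));

app.MapGet("/", (ClaimsPrincipal user) =>
        Results.Ok($"Signed in for customer '{user.FindFirst("customer")?.Value}'"))
    .RequireAuthorization();

app.Run();

// Same rule as MVC's Url.IsLocalUrl: exactly one leading "/" (not "//" or "/\").
static bool IsLocalUrl(string? url) =>
    !string.IsNullOrEmpty(url) && url[0] == '/' && (url.Length == 1 || (url[1] != '/' && url[1] != '\\'));
```

With this layout the registration needs one redirect URI per web app regardless of how many customer tenants consume it, which is what removes the 256-entry pressure; the tenant allow-list in customersByTenant is the control that replaces the per-customer redirect URIs, so it has to be maintained with the same care (a tenant removed from the list can no longer sign in, a tenant never added is rejected at issuer validation before any token is trusted).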