Forum Discussion
Creating SSO Application using Microsoft Graph
This is a known quirk with the Microsoft Graph Applications endpoint that has been reported by multiple admins migrating from AD FS to Entra ID. As of October 2025, the Graph API validation rules for the IdentifierUris property still reject values that contain a trailing slash, even though the Azure Portal allows it and it works perfectly in practice.
Here’s what’s happening. When you submit an app registration through the Graph API, the backend enforces stricter normalization rules for the identifierUris field than the portal does. Trailing slashes are automatically trimmed or flagged as invalid because the system treats the URI as an identifier rather than a navigable endpoint. However, the portal UI uses a different validation layer that allows a trailing slash and later normalizes it internally. That is why creating the app manually in the portal works while the API call fails.
To handle this when bulk-creating hundreds of apps:
Programmatically omit the trailing slash in your Graph creation call for IdentifierUris, since it’s treated as a unique identifier. Example: use https://xxxx/aspx/xxxx instead of https://xxxx/aspx/xxxx/.
Include the trailing slash only in RedirectUris under the web object, because redirect URIs are allowed to have it. The sign-in redirect validation uses the web.redirectUris property, not the identifierUris value, during token issuance.
Once created, if your environment absolutely requires the trailing slash in the Identifier URI (for legacy compatibility), you can perform a PATCH operation via the portal or the Graph beta endpoint after creation, which relaxes that validation.
See the workaround below and check whether it fixes your issue.
    using System.Collections.Generic;
    using Microsoft.Graph;            // GraphServiceClient (Graph SDK v5)
    using Microsoft.Graph.Models;     // Application, WebApplication

    // appName, appURL and graphClient are assumed to be defined by the caller
    var app = new Application
    {
        DisplayName = appName,
        // The identifier URI is a unique name, not an endpoint: strip the trailing slash
        IdentifierUris = new List<string> { appURL.TrimEnd('/') },
        Web = new WebApplication
        {
            // Redirect URIs must match the sign-in target exactly: keep the slash here
            RedirectUris = new List<string> { appURL }
        }
    };
    await graphClient.Applications.PostAsync(app);
This allows you to automate creation of all 240 apps without triggering the invalid URI error. Afterward, if the trailing slash in the Identifier URI is still required for a few specific apps, you can patch those manually in the portal or via PowerShell (Set-AzureADApplication) where the enforcement is looser. Use the slash-free URI for IdentifierUris and keep the slash in RedirectUris to maintain compatibility until Microsoft aligns validation across Graph and the portal. Please hit like if you like the solution.
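An added example (not the poster's code) of the same field-by-field handling written as a bulk script: it builds the POST /applications JSON bodies for a list of legacy app URLs, trims the slash only for identifierUris, keeps it in web.redirectUris, and flags URLs whose trimmed identifier duplicates an earlier one, since identifier URIs must be unique in the tenant and trimming can make two legacy URLs collide. The sample apps are constructed, and the absolute-https check is an assumption about a well-formed identifier, not a copy of the Graph validation rule.

```python
from urllib.parse import urlsplit

# Constructed sample of legacy relying-party apps to migrate (not from the post)
SAMPLE_APPS = [
    ("Portal", "https://app1.corp.example/aspx/portal/"),
    ("HR", "https://app2.corp.example/aspx/hr"),
    ("Portal-legacy", "https://app1.corp.example/aspx/portal"),  # same identifier after trim
]

def identifier_uri(app_url: str) -> str:
    """Normalise an app URL into an identifierUris value: absolute https, no trailing slash."""
    parts = urlsplit(app_url)
    if parts.scheme != "https" or not parts.netloc:  # assumed sanity check, not Graph's rule
        raise ValueError(f"identifier URI must be an absolute https URL: {app_url!r}")
    return app_url.rstrip("/")

def build_app_payload(display_name: str, app_url: str) -> dict:
    """JSON body for POST /applications with the trailing slash handled per field."""
    return {
        "displayName": display_name,
        "identifierUris": [identifier_uri(app_url)],      # identifier: slash removed
        "web": {"redirectUris": [app_url]},               # redirect: exact URL, slash kept
    }

def build_bulk_payloads(apps: list[tuple[str, str]]) -> tuple[list[dict], list[str]]:
    """Return payloads for every app plus the URLs skipped because their trimmed
    identifier duplicates one already queued (Entra rejects duplicate identifier URIs)."""
    payloads, seen, collisions = [], set(), []
    for name, url in apps:
        ident = identifier_uri(url)
        if ident in seen:
            collisions.append(url)
            continue
        seen.add(ident)
        payloads.append(build_app_payload(name, url))
    return payloads, collisions

if __name__ == "__main__":
    payloads, collisions = build_bulk_payloads(SAMPLE_APPS)
    for p in payloads:
        print(p["identifierUris"][0], "->", p["web"]["redirectUris"][0])
    print("skipped (duplicate identifier after trim):", collisions)
```

Review the skipped list before submitting; each of those apps needs a distinct identifier URI rather than a retry.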