Changes to the Reply-URL List in Exchange Online PowerShell
Published Feb 03 2021 08:10 AM 22.5K Views

Update 5/7/2021: Expanded the WW URL section

A redirect URI, or Reply-URL, is where an authorization server sends a user once their app has been successfully authorized and granted an authorization code or access token. We are updating the Reply-URL list in Exchange Online PowerShell. We’ve found that one of the reply URLs in the existing lists is unsafe and we are replacing it with a new Reply-URL list by the end of March 2021.

We have already released a new version of the Exchange Online PowerShell MFA module that uses the new Reply-URL list, and we strongly recommend moving to this newer version of the module as soon as possible.

If you are an admin of an Exchange Online tenant with any of the following configurations, you are affected by this issue:

  • Admins using a version of MFA PowerShell module/EXO V2 Module earlier than 1.0.1;
  • Developers / Admins who create automation with ModernAuth using Reply-URL to acquire OAuth token and then invoke a New-PSSession; or
  • Hybrid customers HCW versions earlier than 17.0.5785.0.

The Reply-URL being deprecated (by the end of March 2021) is ietf:wg:oauth:2.0:oob. The new Reply-URLs that should be used are:

Environment

Reply-URL

WW/PROD

https://login.microsoftonline.com/organizations/oauth2/nativeclient (if using MSAL)

 

https://login.microsoftonline.com/common/oauth2/nativeclient

GCC High

https://login.microsoftonline.us/organizations

US Gov DoD

https://login.microsoftonline.us/organizations

Office 365 China

https://login.chinacloudapi.cn/organizations

Office 365 Germany

https://login.microsoftonline.de/organizations

Hybrid Configuration Wizard errors

Because of the change to the Reply-URL list, you might see the following error after entering admin credentials in the HCW:

ADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: 'a0c73c16-a7e3-4564-9a95-2bdf47383716'.

If you see this error, download the latest HCW from https://aka.ms/hybridwizard and restart the wizard to resolve the problem.

EXO MFA PowerShell module or EXO MFA v2 module errors

Because of the change to the Reply-URL list, you might see the following error when using Exchange Online PowerShell v2:

Sorry, but we're having trouble signing you in.
ADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: 'fb78d390-0c51-40cd-8e17-fdbfab77341b'.

ReplyURL01.jpg

Simply update to the latest version of the module to resolve this error.

Exchange Online Admin Team

10 Comments
Co-Authors
Version history
Last update:
‎May 07 2021 05:58 AM
Updated by: