Changes to the Reply-URL List in Exchange Online PowerShell

Published 02-03-2021 08:10 AM 11.9K Views

Update 5/7/2021: Expanded the WW URL section

A redirect URI, or Reply-URL, is where an authorization server sends a user once their app has been successfully authorized and granted an authorization code or access token. We are updating the Reply-URL list in Exchange Online PowerShell. We’ve found that one of the reply URLs in the existing lists is unsafe and we are replacing it with a new Reply-URL list by the end of March 2021.

We have already released a new version of the Exchange Online PowerShell MFA module that uses the new Reply-URL list, and we strongly recommend moving to this newer version of the module as soon as possible.

If you are an admin of an Exchange Online tenant with any of the following configurations, you are affected by this issue:

  • Admins using a version of the MFA PowerShell module/EXO V2 module earlier than 1.0.1;
  • Developers / Admins who create automation with ModernAuth using a Reply-URL to acquire an OAuth token and then invoke a New-PSSession; or
  • Hybrid customers using HCW versions earlier than 17.0.5785.0.

The Reply-URL being deprecated (by the end of March 2021) is ietf:wg:oauth:2.0:oob. The new Reply-URLs that should be used are:

| Environment | Reply-URL |
|---|---|
| WW/PROD | https://login.microsoftonline.com/organizations/oauth2/nativeclient (if using MSAL) |
| | https://login.microsoftonline.com/common/oauth2/nativeclient |
| GCC High | https://login.microsoftonline.us/organizations |
| US Gov DoD | https://login.microsoftonline.us/organizations |
| Office 365 China | https://login.chinacloudapi.cn/organizations |
| Office 365 Germany | https://login.microsoftonline.de/organizations |
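To find out whether a given admin host falls under the first two affected configurations above, the following added example (not part of the original post or of Microsoft's tooling) checks installed EXO V2 module versions against 1.0.1 and scans automation files for the deprecated Reply-URL. The folder `C:\Automation`, the file-extension list and the gallery module name `ExchangeOnlineManagement` are assumptions; the script does not cover the ClickOnce MFA module or the HCW.

```powershell
# Added example (not from the original post): find affected configurations on a host.
param(
    # Hypothetical folder that holds your ModernAuth automation scripts.
    [string]$ScriptRoot = 'C:\Automation'
)

$deprecatedReplyUrl = 'ietf:wg:oauth:2.0:oob'   # Reply-URL being retired, per this post
$firstFixedVersion  = [version]'1.0.1'          # versions earlier than this are affected

# Check 1: EXO V2 module copies installed on this machine.
# Assumption: the module is installed under its gallery name, ExchangeOnlineManagement.
$moduleFindings = foreach ($m in Get-Module -ListAvailable -Name ExchangeOnlineManagement) {
    [pscustomobject]@{
        Check    = 'EXO V2 module version'
        Location = $m.ModuleBase
        Detail   = $m.Version.ToString()
        Affected = $m.Version -lt $firstFixedVersion
    }
}

# Check 2: scripts and config files that hard-code the deprecated Reply-URL.
# -SimpleMatch treats the colons and dots literally instead of as a regex.
$extensions = '.ps1', '.psm1', '.psd1', '.json', '.config', '.xml'   # assumed list
$scriptFindings = if (Test-Path -LiteralPath $ScriptRoot) {
    Get-ChildItem -LiteralPath $ScriptRoot -Recurse -File |
        Where-Object { $extensions -contains $_.Extension } |
        Select-String -SimpleMatch -Pattern $deprecatedReplyUrl |
        ForEach-Object {
            [pscustomobject]@{
                Check    = 'Hard-coded Reply-URL'
                Location = '{0}:{1}' -f $_.Path, $_.LineNumber
                Detail   = $_.Line.Trim()
                Affected = $true
            }
        }
} else {
    Write-Warning "Script folder '$ScriptRoot' not found; skipping Reply-URL scan."
}

# Merge both result sets and drop empty entries before reporting.
$findings = @(@($moduleFindings) + @($scriptFindings) | Where-Object { $_ })
$findings | Sort-Object Check, Location | Format-Table -AutoSize -Wrap

# Non-zero exit code lets a scheduled task or CI job flag the host.
if ($findings | Where-Object Affected) { exit 1 } else { exit 0 }
```

Each hit in the second check is a line to change to the Reply-URL for your environment from the table above.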

Hybrid Configuration Wizard errors

Because of the change to the Reply-URL list, you might see the following error after entering admin credentials in the HCW:

ADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: 'a0c73c16-a7e3-4564-9a95-2bdf47383716'.

If you see this error, download the latest HCW from https://aka.ms/hybridwizard and restart the wizard to resolve the problem.

EXO MFA PowerShell module or EXO MFA v2 module errors

Because of the change to the Reply-URL list, you might see the following error when using Exchange Online PowerShell v2:

Sorry, but we're having trouble signing you in.
ADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: 'fb78d390-0c51-40cd-8e17-fdbfab77341b'.


Simply update to the latest version of the module to resolve this error.

Exchange Online Admin Team

6 Comments
Regular Contributor

Are the GUIDs mentioned above constant/persistent for all tenants or will we see different ones when our users report these kinds of errors?

Senior Member

Thanks for the update.

Microsoft

@Timothy Balk Those GUIDs would be the same for all, if they get errors in those particular spots (due to old versions).

Occasional Visitor

April 21, 2021. Got this error with Hybrid Configuration Wizard. Updating to the latest HCW did **NOT** fix the problem.

Next steps?

Regular Visitor

We tested using the above reply-URL. It's not working. However, using

https://login.microsoftonline.com/common/oauth2/nativeclient

instead of

https://login.microsoftonline.com/organizations/oauth2/nativeclient

was working.

What's up with that?

New Contributor

To fix the issue in PowerShell, running the HCW is not the fix.

The fix is to log in to the O365 Classic Exchange Admin Center and select Hybrid \ Bottom Configure button (The Exchange Online PowerShell Module supports multi-factor....) and use Edge or IE, as Chrome fails to run the Microsoft.Online.CSE.PSModule.Client.application

Last update: May 07 2021 05:58 AM