An app developer changes an application's reply URL in the Azure Management Portal and redeploys the web application at a new endpoint that matches the new reply URL. The old reply URL endpoint no longer services any requests, and existing users can no longer sign in.
This issue occurs in the following scenario:
- The web application uses any of the Azure AD–supported authentication protocols (OpenID Connect, WS-Federation or SAML 2.0).
- The associated application object is configured in Azure AD with a single reply URL.
- When the web application (the service provider) initiates the sign-in request, it does not include the optional reply URL parameter in that request.
Note This parameter differs for each supported protocol. For OpenID Connect and WS-Federation it is a query string parameter on the sign-in request; for SAML 2.0 it is an attribute of the AuthnRequest element:

| Protocol | Optional parameter |
|---|---|
| OpenID Connect | redirect_uri |
| WS-Federation | wreply |
| SAML 2.0 | AssertionConsumerServiceURL |
Instead, the application relies on Azure AD to use the reply URL configured on the application object (the second item in the preceding list) whenever the authentication request does not specify one.
The app developer then changes the reply URL in the web application's configuration through the Azure Management Portal, deploys the web application at a new endpoint that matches the new reply URL, and stops servicing requests that arrive at the old reply URL endpoint. In this situation, existing customers who have already consented to the web application may no longer be able to sign in to it.
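The following is an added example, not code from the original article or from Microsoft. It builds the service-provider-initiated sign-in request for each of the three protocols in the table above, both with and without the optional reply URL parameter, and includes an audit helper that reports whether a given request relies on the configured default. The tenant name, client ID and application URLs are constructed placeholders; the endpoints are the Azure AD v1 OpenID Connect, WS-Federation and SAML 2.0 endpoints under login.microsoftonline.com.

```python
"""Added example (not from the original article): build Azure AD sign-in
requests for each protocol, with and without the optional reply URL, and
audit a request to see whether it relies on the configured default.

Constructed placeholders: the tenant, client ID and app URLs used in the
usage section. Endpoints are the Azure AD v1 endpoints under
login.microsoftonline.com.
"""
import base64
import secrets
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"

# Optional reply-URL parameter per protocol, as in the article's table.
REPLY_URL_PARAM = {
    "oidc": "redirect_uri",
    "wsfed": "wreply",
    "saml": "AssertionConsumerServiceURL",
}

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def oidc_authorize_url(tenant, client_id, redirect_uri=None):
    """OpenID Connect authentication request (v1 authorize endpoint).
    With redirect_uri=None the parameter is omitted, so Azure AD falls back
    to the reply URL stored in the directory."""
    params = {
        "client_id": client_id,
        "response_type": "id_token",
        "response_mode": "form_post",
        "scope": "openid",
        "state": secrets.token_urlsafe(16),
        "nonce": secrets.token_urlsafe(16),
    }
    if redirect_uri is not None:
        params["redirect_uri"] = redirect_uri
    return f"{AUTHORITY}/{tenant}/oauth2/authorize?{urlencode(params)}"


def wsfed_signin_url(tenant, realm, wreply=None):
    """WS-Federation sign-in request; wreply is the optional reply URL."""
    params = {"wa": "wsignin1.0", "wtrealm": realm}
    if wreply is not None:
        params["wreply"] = wreply
    return f"{AUTHORITY}/{tenant}/wsfed?{urlencode(params)}"


def saml_authn_request(tenant, issuer, acs_url=None):
    """SP-initiated SAML 2.0 AuthnRequest as XML. AssertionConsumerServiceURL
    is an attribute of the request element, not a query string parameter."""
    attrs = {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": f"{AUTHORITY}/{tenant}/saml2",
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    }
    if acs_url is not None:
        attrs["AssertionConsumerServiceURL"] = acs_url
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", attrs)
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    return ET.tostring(root, encoding="unicode")


def saml_redirect_url(tenant, authn_request_xml):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode."""
    deflater = zlib.compressobj(wbits=-15)
    raw = deflater.compress(authn_request_xml.encode()) + deflater.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(raw).decode()})
    return f"{AUTHORITY}/{tenant}/saml2?{query}"


def explicit_reply_url(protocol, request):
    """Return the reply URL the request carries, or None when the app is
    relying on the configured default (the fragile pattern in the article).
    For SAML, accepts either the AuthnRequest XML or a redirect-binding URL."""
    if protocol == "saml":
        xml = request
        if request.startswith("http"):
            encoded = parse_qs(urlparse(request).query)["SAMLRequest"][0]
            xml = zlib.decompress(base64.b64decode(encoded), -15).decode()
        return ET.fromstring(xml).get(REPLY_URL_PARAM["saml"])
    values = parse_qs(urlparse(request).query).get(REPLY_URL_PARAM[protocol])
    return values[0] if values else None


if __name__ == "__main__":
    # Constructed placeholders for a tenant, a client and the app's endpoints.
    tenant, client_id = "contoso.onmicrosoft.com", "11111111-1111-1111-1111-111111111111"
    app, acs = "https://app.contoso.com/", "https://app.contoso.com/saml/acs"
    for proto, req in [
        ("oidc", oidc_authorize_url(tenant, client_id)),        # relies on default
        ("oidc", oidc_authorize_url(tenant, client_id, app)),   # explicit
        ("wsfed", wsfed_signin_url(tenant, app)),               # relies on default
        ("saml", saml_redirect_url(tenant, saml_authn_request(tenant, app, acs))),
    ]:
        reply = explicit_reply_url(proto, req)
        print(f"{proto:5} explicit reply URL: {reply or 'NONE (uses configured reply URL)'}")
```

Running `explicit_reply_url` over the requests your application actually emits (captured from a proxy or from logs) tells you whether it is exposed to the scenario above. Sending the reply URL explicitly does not weaken anything: Azure AD still rejects a value that does not match a registered reply URL, so the explicit parameter only removes the dependency on which stored value the directory happens to fall back to.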