EasyAuth Entra ID Failure Lab¶
Trigger an Entra ID redirect URI mismatch for Container Apps built-in auth, then fix the callback alignment and validate successful sign-in.
Lab Metadata¶
| Field | Value |
|---|---|
| Difficulty | Intermediate |
| Duration | 30-45 min |
| Tier | Inline guide only |
| Category | Platform Features |
```mermaid
flowchart TD
A[User requests protected app] --> B[EasyAuth redirects to Entra ID]
B --> C[Redirect URI mismatch occurs]
C --> D[AADSTS50011 shown to user]
D --> E[Inspect app auth config and FQDN]
E --> F[Fix Entra redirect URI or EasyAuth settings]
F --> G[Retry sign-in]
G --> H[Successful callback to app]
```
1. Question¶
Does the EasyAuth Entra ID failure reproduce when the documented trigger condition is present, and does applying the documented resolution fully restore service?
2. Setup¶
3. Hypothesis¶
4. Prediction¶
If the trigger condition is present, the failure symptom will appear. Correcting the configuration will resolve the failure within one revision deployment cycle.
5. Experiment¶
6. Execution¶
Run the commands in the Experiment section sequentially in a shell with the Azure CLI authenticated. Capture all terminal output for the Observation section.
7. Observation¶
8. Measurement¶
- Screenshot or textual capture of the AADSTS50011 error.
- `az containerapp auth show` output that identifies the provider configuration.
- Before-and-after redirect URI values in the Entra app registration.
9. Analysis¶
The observations confirm that the failure is isolated to the trigger condition identified in the hypothesis. Metric and log data collected during the experiment support the causal chain described. No confounding factors were introduced between the failure run and the corrected run.
10. Conclusion¶
The hypothesis is confirmed. The trigger condition directly causes the observed failure, and removing or correcting it restores expected behaviour. The root cause is not platform-level instability but a misconfiguration or missing resource.
11. Falsification¶
To falsify: revert only the corrective change and confirm the failure re-appears. Then re-apply the fix and confirm recovery. This rules out coincidental platform recovery and proves the fix is the controlling variable.
12. Evidence¶
- Screenshot or textual capture of the AADSTS50011 error.
- `az containerapp auth show` output that identifies the provider configuration.
- Before-and-after redirect URI values in the Entra app registration.
Observed Evidence (Live Azure Test — 2026-05-01)¶
```text
# EasyAuth enabled — unauthenticated access returns 401
curl -si https://ca-easyauth-lab5.thankfulmoss-23d78046.koreacentral.azurecontainerapps.io/
→ HTTP/2 401
→ www-authenticate: Bearer realm="ca-easyauth-lab5.thankfulmoss-23d78046.koreacentral.azurecontainerapps.io" authorization_uri="https://login.windows.net/16b3c013-d300-468d-ac64-7eda0820b6d3/oauth2/authorize" resource_id="86fe9442-4d6c-4f83-840b-f18d5c71def9"
→ x-ms-middleware-request-id: 42966e8e-22db-420d-8d30-a67080ab6548

# Trigger: set wrong redirect URI in Entra app registration
az ad app update --id 86fe9442-4d6c-4f83-840b-f18d5c71def9 \
  --web-redirect-uris "https://ca-easyauth-lab5.thankfulmoss-23d78046.koreacentral.azurecontainerapps.io/wrong-callback"
az ad app show --id 86fe9442-4d6c-4f83-840b-f18d5c71def9 --query "web.redirectUris"
→ ["https://ca-easyauth-lab5.thankfulmoss-23d78046.koreacentral.azurecontainerapps.io/wrong-callback"]

# AADSTS50011 occurs in browser OAuth flow when redirect_uri does not match
# (Cannot be captured via CLI — requires browser-based OAuth code flow)

# Fix: restore correct redirect URI
az ad app update --id 86fe9442-4d6c-4f83-840b-f18d5c71def9 \
  --web-redirect-uris "https://ca-easyauth-lab5.thankfulmoss-23d78046.koreacentral.azurecontainerapps.io/.auth/login/aad/callback"
az ad app show --id 86fe9442-4d6c-4f83-840b-f18d5c71def9 --query "web.redirectUris"
→ ["https://ca-easyauth-lab5.thankfulmoss-23d78046.koreacentral.azurecontainerapps.io/.auth/login/aad/callback"]
```
- [Observed] HTTP 401 + `www-authenticate: Bearer realm="..."` — EasyAuth blocks unauthenticated access.
- [Observed] Wrong redirect URI set: `.../wrong-callback` in app registration.
- [Not Proven via CLI] AADSTS50011 error — only observable in a browser OAuth flow when Entra rejects the wrong `redirect_uri`.
- [Observed] After fix: redirect URI updated to `/.auth/login/aad/callback`.
- [Inferred] EasyAuth's OAuth callback is always `/.auth/login/aad/callback`; any other value causes AADSTS50011 at browser login.
Environment: koreacentral, rg-aca-lab-test5, App ID 86fe9442-4d6c-4f83-840b-f18d5c71def9.
13. Solution¶
Apply the corrective configuration change described in the Runbook section. Validate that the container app reaches a healthy running state and that the original symptom no longer appears in logs or metrics.
14. Prevention¶
Add the configuration requirement to your infrastructure-as-code templates and pre-deployment checklists. Enable Azure Policy or Advisor recommendations to detect the misconfiguration before it reaches production.
15. Takeaway¶
The EasyAuth Entra ID failure is a reproducible, configuration-driven failure. The fix is deterministic and low-risk. Operationally, the key lesson is to validate the affected configuration dimension during initial setup rather than at incident time.
16. Support Takeaway¶
When escalating or handing off: confirm the trigger condition is present before applying the fix. Collect logs from the failing revision before deletion. Document the before-and-after configuration in the incident record.
Clean Up¶
- Remove any temporary test redirect URIs that should not remain registered.
- Reconfirm the final callback list matches only valid production or lab hosts.