Azure AD App Registration limits Redirect URIs to 256

Question

Is it possible to use a single Redirect URI for multiple tenants and multiple web applications using a single Azure AD App Registration?

I have reached the limit of 256 URIs in my Azure multi tenant App Registration where each registered tenant have their own set of redirect URIs.

The redirect URIs follow this pattern

• http://example.com/consumer1/webapp1/signin-oidc
• http://example.com/consumer1/webapp2/signin-oidc
• http://example.com/consumer2/webapp1/signin-oidc
• http://example.com/consumer2/webapp2/signin-oidc

After reading Use a state parameter I had the idea to create a new web app that only authenticates and then redirects the user to the originally requested URI. But it is not possible to configure the OpenId CallbackPath to the new auth/authorize/redirect app.

How should I solve this?

ASP.NET Core
authenticationBuilder.Services.AddSingleton<IConfigureOptions<OpenIdConnectOptions>, ConfigureAzureOptions>();
authenticationBuilder.AddOpenIdConnect();

private class ConfigureAzureOptions : IConfigureNamedOptions<OpenIdConnectOptions>
{
   public void Configure( string name, OpenIdConnectOptions options )
   {
      options.ClientId     = "555-xxx";
      options.Authority    = "https://login.microsoftonline.com/common";
      options.CallbackPath = "https://mydomain/myauth-redir-app/signin-iodc" // this is not allowed
      options.Events       = new OpenIdConnectEvents
      {
         OnRedirectToIdentityProvider = ctx => 
         {
             // remember the URL the user requested, to be picked upp later after AAD auth
             ctx.ProtocolMessage.SetParameter("state", "set_org_url"); 
         }
         OnTokenValidated = ctx =>
         {
            // this code should run in myauth-redir-app and pick up the state 
            // and redirect the user to the originally requested URL
            var stateValue = ctx.ProtocolMessage.GetParameter("state");
         }
      }
   }
}

Rejected solutions

1. Using wildcards in the URI is no longer supported
2. Creating an App Registration for each Web Application still limits me to 256 tenants, which is too few.
3. Creating new App Registrations for each tenant is too cumbersome to maintain and configure.
4. I do not want to register the Redirect URI in the tenants Service Principal, I must be able to add and remove URIs without the customer having to take action.

Answer 1

It's the protocol limitation not an Azure AD issue, please check: https://stackoverflow.com/a/812962/1384539

To solve this, you need to redirect to an intermediate page which will handle the right place to redirect your user. As far as I know, there's no other way.

Answer 2

Did that make your registration multi-tenant by finding the Supported account types switch on the Authentication pane of your application registration in the Azure portal and setting it to Accounts in any organizational directory ?

With multi-tenant application you just need one redirect url( the original one) . For a multi-tenant application, the initial registration for the application lives in the Azure AD tenant used by the developer. When a user from a different tenant signs in to the application for the first time, Azure AD asks them to consent to the permissions requested by the application. If they consent, then a representation of the application called a service principal is created in the user’s tenant, and sign-in can continue. A delegation is also created in the directory that records the user’s consent to the application.

See document : https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant#update-registration-to-be-multi-tenant