# Microsoft Login – Fix Redirect URI Mismatch (AADSTS50011)

## Error

```
AADSTS50011: The redirect URI 'https://app.roms.roqay.dev/auth/callback' specified in the request 
does not match the redirect URIs configured for the application.
```

## Cause

The redirect URI your app sends to Microsoft is **not** registered in the Azure AD app registration. Azure only allows redirects to URIs you explicitly add.

## Fix (Azure Portal)

1. Open **Azure Portal**: https://portal.azure.com  
2. Go to **Microsoft Entra ID** (or **Azure Active Directory**) → **App registrations**.  
3. Open the app with **Application (client) ID**: `423decc8-ffb2-46b8-93a1-977b160b4284`  
   (or search by name if you know it).  
4. In the left menu, click **Authentication**.  
5. Under **Platform configurations** → **Web** (or **Single-page application** if you use SPA):
   - Click **Add URI** (or **Add** then choose **Web**).  
   - Add exactly: **`https://app.roms.roqay.dev/auth/callback`**  
   - No trailing slash; scheme must be `https` if your app uses HTTPS.  
6. Save (**Save** at the top of the blade).

## Backend config

- Redirect URI is read from **`MICROSOFT_REDIRECT_URI`** in `.env`.  
- If unset, it falls back to **`APP_URL` + `/auth/callback`** (from `config/services.php`).  
- The value sent to Microsoft **must be identical** to one of the URIs you added in Azure (same scheme, host, path, no extra query or trailing slash).

Example for this app:

```env
APP_URL=https://app.roms.roqay.dev
MICROSOFT_REDIRECT_URI=https://app.roms.roqay.dev/auth/callback
```
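A pre-deploy check for the rule above, as an added example (not part of this app's code): it resolves the redirect URI the way this section describes and reports how it differs from each URI registered in Azure. The function names, the sample `.env` text and the registered list (copied by hand from the portal) are constructed, and the fallback is assumed to be plain concatenation.

```python
from urllib.parse import urlsplit

# Constructed sample data: .env text and the URIs registered in Azure.
SAMPLE_ENV = "APP_URL=https://app.roms.roqay.dev/\n# MICROSOFT_REDIRECT_URI unset\n"
REGISTERED = ["https://app.roms.roqay.dev/auth/callback"]

def parse_env(text):
    """Parse KEY=VALUE lines from .env text, skipping blanks and comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip().strip("\"'")
    return env

def effective_redirect_uri(env):
    """MICROSOFT_REDIRECT_URI if set, else APP_URL + /auth/callback."""
    explicit = env.get("MICROSOFT_REDIRECT_URI", "")
    if explicit:
        return explicit
    # Assumption: plain concatenation, so a trailing slash on APP_URL leaks through.
    return env.get("APP_URL", "") + "/auth/callback"

def diagnose(sent, registered):
    """Return [] on an exact string match, else differences per registered URI."""
    if sent in registered:
        return []
    if not registered:
        return ["no redirect URIs registered"]
    s, findings = urlsplit(sent), []
    for uri in registered:
        r, diffs = urlsplit(uri), []
        if s.scheme != r.scheme:
            diffs.append(f"scheme {s.scheme!r} != {r.scheme!r}")
        if s.netloc != r.netloc:
            diffs.append(f"host {s.netloc!r} != {r.netloc!r}")
        if s.path.rstrip("/") != r.path.rstrip("/"):
            diffs.append(f"path {s.path!r} != {r.path!r}")
        elif s.path != r.path:
            diffs.append("trailing slash differs")
        if s.query or s.fragment:
            diffs.append("sent URI has a query or fragment")
        findings.append(f"{uri}: " + (", ".join(diffs) or "differs as a string"))
    return findings
```

With the sample `.env`, the trailing slash on `APP_URL` produces `//auth/callback`, which the check reports as a path mismatch before Azure returns AADSTS50011.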

## Multiple environments

For each environment (staging, production, local), add the corresponding redirect URI in the same Azure app (or in separate app registrations):

- Staging: `https://app.roms.roqay.dev/auth/callback`
- Production: `https://your-production-domain.com/auth/callback`
- Local: `http://localhost:8000/auth/callback` (only if you use HTTP and Azure allows it)

After adding and saving the URI in Azure, try **Sign in with Microsoft** again.

## Reference

- Azure: https://aka.ms/redirectUriMismatchError  
- App registration → Authentication: where Redirect URIs are configured.
