Fix: AADSTS650056: Misconfigured application in Azure AD

Facing error AADSTS650056: Misconfigured application in an Azure AD SSO application? I will explain in this post how to fix this.

Root cause

When you trouble shoot AADSTS650056, you will see in the error that it has something to do with the AAD Graph API permissions, identifier or an invalid certificate request. In the documentation from the 3rd party application you may see that the AAD Graph API permission in the app registration is not needed, the identifier is the same and the SSO certificate is valid. I had this in my situation.

You can paste the whole error into the test section from the SSO Application in Azure AD, to get a better understanding about the root cause on why you are getting AADSTS650056.

Request Id: xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx
Correlation Id: xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx
Timestamp: 2020-12-22T09:17:20Z
Message: AADSTS650056: Misconfigured application. ….

The resolution guide will tell you what happened with this failed login.

Resolution in my scenario

I was facing this error because the identifier did not match, but the documentation tells me it matched and the provider of the 3rd party application tells me also is matched. So what now, a Microsoft support case? No, you can get the right identifier with a SAML trace. I use a browser plugin for this called SAML-Tracer.

Download SAML-Tracer for:

When installed, reproduce the issue when the SAML-Tracer is running. You will see some logging while reproducing it, in some line you see SAML in an orange square. Click on that line, open the SAML section and look for the issuer in the line that starts with <saml2:Issuer>. The link that is visible, is the identifier that needs to be set in the SSO.

In my scenario the issuer had HTTP instead of HTTPS. After changing the identifier in the SSO, AADSTS650056 has been resolved.

Oh, and yes, I went back to provider of the 3rd Party registration and tell them why this was changed to a less secure HTTP connection.

Share this: