UPDATE 15.08.2019:
The issue described here in my blog post has been resolved in the Azure docs with the following pull request.
-> https://github.com/MicrosoftDocs/azure-docs/pull/37045
Back in June, Microsoft announced a URL change affecting the Azure Monitor for containers real-time container logging solution.
-> https://azure.microsoft.com/en-us/updates/azure-monitor-for-containers-updates-to-live-data-settings/
-> https://docs.microsoft.com/en-us/azure/azure-monitor/insights/container-insights-live-logs#configure-aks-with-azure-active-directory
The URL that needs to be added in the AAD client application as Redirect URI is https://afd.hosting.portal.azure.net/monitoring/Content/iframe/infrainsights.app/web/base-libs/auth/auth.html.
During some tests on my AKS cluster at the weekend I stumbled over the following issue.
I received the error message AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: '{Application ID}'
and I could not sign into the real-time container logging solution.
After some debugging, I found out that the expected URL is https://monitoring.hosting.portal.azure.net/monitoring/Content/iframe/infrainsights.app/web/base-libs/auth/auth.html.
So, the URL in the request https://monitoring.hosting.portal.azure.net/monitoring/Content/iframe/infrainsights.app/web/base-libs/auth/auth.html
does not match what is documented in Azure docs and configured in the AAD client application.
The current fix for the issue is to add the URL as a Redirect URI in the AAD client application.
Immediately after adding the correct URL, the sign-in is working again.
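The mismatch behind AADSTS50011 can be confirmed by comparing the `redirect_uri` parameter of the sign-in request with the Redirect URIs registered on the AAD client application. The following is an added example, not code from the original post or from Microsoft: the sample request (endpoint path, tenant and client ID) is constructed, the function names are hypothetical, and exact string comparison is used as a simplifying assumption about how the match is done.

```python
from urllib.parse import urlsplit, parse_qs

# Redirect URI registered as documented in the Azure docs at the time (from the post).
REGISTERED = [
    "https://afd.hosting.portal.azure.net/monitoring/Content/iframe/"
    "infrainsights.app/web/base-libs/auth/auth.html",
]

# Constructed sample: a sign-in request as it could be copied from the browser's
# network tab. Tenant and client_id are placeholders, not real values.
SAMPLE_REQUEST = (
    "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000&response_type=token"
    "&redirect_uri=https%3A%2F%2Fmonitoring.hosting.portal.azure.net%2Fmonitoring"
    "%2FContent%2Fiframe%2Finfrainsights.app%2Fweb%2Fbase-libs%2Fauth%2Fauth.html"
)


def requested_redirect_uri(authorize_url):
    """Return the decoded redirect_uri query parameter of a sign-in request."""
    values = parse_qs(urlsplit(authorize_url).query).get("redirect_uri", [])
    if len(values) != 1:
        raise ValueError("expected exactly one redirect_uri parameter")
    return values[0]


def diagnose(authorize_url, registered):
    """Check the requested redirect URI against the registered ones.

    On a mismatch, list for every registered URI which URL components differ,
    so a changed host name stands out from a changed path.
    """
    requested = requested_redirect_uri(authorize_url)
    if requested in registered:  # assumption: exact string match
        return {"match": True, "requested": requested, "differences": []}
    req = urlsplit(requested)
    differences = []
    for uri in registered:
        reg = urlsplit(uri)
        parts = [name for name in ("scheme", "netloc", "path", "query")
                 if getattr(req, name) != getattr(reg, name)]
        differences.append((uri, parts))
    return {"match": False, "requested": requested, "differences": differences}


if __name__ == "__main__":
    print(diagnose(SAMPLE_REQUEST, REGISTERED))
```

For the constructed request, only the host (`netloc`) differs from the registered URI, which is the situation described above; the `requested` value is the URI to add to the application.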
Only Azure Kubernetes Service clusters with AAD integration enabled are affected.
The discussion about the issue is ongoing in the closed GitHub issue.
-> https://github.com/MicrosoftDocs/azure-docs/issues/33129#issuecomment-520256708