Today's blog post was written by Neil Erickson, Development Principal at Sonoma Partners.
Our team at Sonoma Partners has been using Microsoft's mobile applications for a few years, including the native phone and tablet clients. Over this past weekend we received reports from a few users that they were no longer able to sign in. After investigating, we determined that Microsoft recently updated their apps to reflect the most recent version, Dynamics 365. After these updates made their way to users' phones, the following error was shown.
Looking closer, when the new apps try to authenticate, the following error is logged on the ADFS server.
Microsoft.IdentityServer.RequestFailedException: MSIS9236: The OAuth authorization request contains invalid client or redirect URI. Failed to process the request. ---> Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthInvalidClientRedirectUriException: MSIS9224: Received invalid OAuth authorization request. The received 'redirect_uri' parameter is not a valid registered redirect URI for the client identifier: 'ce9f9f18-dd0c-473e-b9b2-47812435e20d'. Received redirect_uri: 'ms-auth-dynamicsxrm://com.microsoft.dynamics.iphone.moca'.
This error tells us that the new version uses some redirect URIs that were not present in previous versions and that must now be registered for authentication to succeed.
So, you will need to add these redirect URIs to the ADFS client even if your Dynamics CRM / Dynamics 365 server version has not changed. This can be accomplished by removing the existing ADFS client and adding it back with the cmdlet currently in this TechNet article.
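The remove-and-re-add step described above, as an added example that is not the cmdlet from the TechNet article: it uses the client identifier and the one redirect URI quoted in the MSIS9224 error, keeps the URIs that are already registered, and appends only that exact URI. The backup file name is an assumption, and the other clients covered by the TechNet article may need further URIs that are not shown on this page.

```powershell
# Added example. Run in an elevated PowerShell session on the primary AD FS server.
# Both values below are copied from the MSIS9224 error quoted in this post.
$clientId   = 'ce9f9f18-dd0c-473e-b9b2-47812435e20d'
$missingUri = 'ms-auth-dynamicsxrm://com.microsoft.dynamics.iphone.moca'

$client = Get-AdfsClient -ClientId $clientId
if (-not $client) {
    throw "No AD FS client is registered with ClientId $clientId."
}

Write-Host "Redirect URIs currently registered for '$($client.Name)':"
$client.RedirectUri | ForEach-Object { Write-Host "  $_" }

if ($client.RedirectUri -contains $missingUri) {
    Write-Host 'The redirect URI from the error is already registered; nothing to change.'
    return
}

# Keep a copy of the current registration so it can be restored if needed.
# (File name is an assumption made for this example.)
$client | Export-Clixml -Path ".\adfs-client-$clientId.backup.xml"

# Preserve every URI that was registered before and append only the exact URI
# from the error. AD FS matches redirect_uri against this list, so avoid adding
# broader values than the apps actually send.
$params = @{
    ClientId    = $clientId
    Name        = $client.Name
    RedirectUri = @($client.RedirectUri) + $missingUri
}
if ($client.Description) { $params.Description = $client.Description }

# Remove the existing client and add it back, as described in the post.
Remove-AdfsClient -TargetClientId $clientId
Add-AdfsClient @params

# Confirm the new registration before asking users to retry sign-in.
$after = Get-AdfsClient -ClientId $clientId
if ($after.RedirectUri -notcontains $missingUri) {
    throw 'Redirect URI was not registered; restore the client from the backup file.'
}
Write-Host "Registered redirect URIs after the change:"
$after.RedirectUri | ForEach-Object { Write-Host "  $_" }
```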