Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
24,488 questions
SSO and Concur application
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(240, 32%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAL%3C/text%3E%3C/svg%3E)
(ADM) Lee, Jesse W
0
Reputation points
We are trying to setup our SSO for the SAP Concur Travel and Expense application.
The app previously worked but because of the fact that an enterprise application is now available and the sso cert for the application has expired we installed the enterprise application and are setting up SSO again.
We copied the metadata from concur and uploaded that. That setup our basic SAML config. Then we set our attributes and claims to use the user.mail account. After that we copied the federated metadata as an xml and imported that into Concur. When we test the application it passes but when we actually open the site and attempt to use sso we get this series of prompts then an error message.
The error that we are getting is an entra error message:
Request Id: e10fa9b2-98d5-4978-b884-9d0db7702e00
Correlation Id: debf666e-2891-41ff-894a-de5061378878
Timestamp: 2025-05-08T17:30:29Z
Message: AADSTS650056: Misconfigured application. This could be due to one of the following: the client has not listed any permissions for 'AAD Graph' in the requested permissions in the client's application registration. Or, the admin has not consented in the tenant. Or, check the application identifier in the request to ensure it matches the configured client application identifier. Or, check the certificate in the request to ensure it's valid. Please contact your admin to fix the configuration or consent on behalf of the tenant. Client app ID: a9cb4399-b88d-45bb-a4e8-dad9182b9b35.
Flag sign-in errors for review: Enable flagging
If you plan on getting help for this problem, enable flagging and try to reproduce the error within 20 minutes. Flagged events make diagnostics available and are raised to admin attention.
We’ve been on the phone with Concur all day and they are saying the issue is with entra that with the metadata being imported that’s all concur can see. Concur support says this has been a common issue with entra in the last few months and that they have had the customers contact entra support and the issues have been resolved. Any idea what could be causing this?
Microsoft Entra ID
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 30%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGP%3C/text%3E%3C/svg%3E)
Goutam Pratti 4,720 Reputation points Microsoft External Staff Moderator2025-05-09T00:03:42.2433333+00:00 Hello @(ADM) Lee, Jesse W ,
I Understand that you are getting AADSTS650056 error there are two possible causes to this error:
Cause 1: OAuth Authentication flows - Application exists however there are no granted consents for this application for the requested resource.
Have a admin consent to the application. Or the app registration for the client did not add API permissions to the 'Resource'. At minimum you should at least have the Microsoft Graph User.Read delegated permission on the app registration for both the client and resource.Cause 2: SAML Authentication flows - The Issuer provided in the SAMLRequest is not valid.
Ensure that theIssuerattribute in the SAML request matches the Identifier value configured in Microsoft Entra ID.Verify that the value in the Identifier textbox matches the value for the identifier value displayed in the error.
For more information about the Issuer attribute, see Single Sign-On SAML protocol.To resolve this, either change the Identifier for the Enterprise application to match or update the SaaS application configuration so that it passed the correct Issuer.
Additionally follow the trouble shooting guide: Problems signing in to SAML-based Single Sign-On configured apps , Single sign-on SAML protocol , https://blogs.aaddevsup.xyz/2019/11/aadsts650056-misconfigured-application/
Hope this information helps. Let us know if you have any additional queries. Happy to assist you further.
-
(ADM) Lee, Jesse W 0 Reputation points
2025-05-09T13:07:14.4666667+00:00 I've verified and gave the app permissions before testing. I still get the error. The SAML data is correct since I copied the metadata between the two (concur and entra). It appears to be some issue with Entra in general and the way it contacts Concur. I've got a ticket in with our secondary support. Concur support says this has become a common complaint but the users have had to contact microsoft entra support to get the solution.
-
Goutam Pratti 4,720 Reputation points Microsoft External Staff Moderator
2025-05-09T23:29:37.5066667+00:00 Hello @(ADM) Lee, Jesse W ,
Thank you for sharing the information. Did you created any support ticket?
Sign in to comment
Sign in to answer