Microsoft Entra ID – Callback URL Blocked by APIM / Application Gateway

Anoop Issac (G10X, IND) 0 Reputation points
2026-02-21T12:31:01.99+00:00

We have integrated OpenID Connect (OIDC) authentication with Microsoft Entra ID in our web portal.

During the login flow:

  1. The user authenticates successfully with Microsoft Entra ID.
  2. After authentication, Entra ID redirects the request to our backend callback API with a code query parameter.
  3. However, this callback request is being blocked by Azure API Management (APIM) / Application Gateway and is not reaching our backend application (hosted in Azure Container Apps).

Example callback URL:

https://domain/path/back-end/application/callBack?code=1.xxxxxxx

Observations

• The code query parameter length is approximately 2319 characters.

• After multiple tests, we identified that the issue occurs only when the query parameter length exceeds ~2200 characters.

• If the length is below 2200 characters, the request successfully reaches the backend.

Questions

• Is there a URL/query string length limit in APIM or Application Gateway that could be causing this?

• Are there any configuration changes required to allow longer query parameters?

• Has anyone encountered a similar issue with Microsoft Entra ID authorization code flow?

Any guidance would be greatly appreciated.

Thank you.

Azure App Configuration

An Azure service that provides hosted, universal storage for Azure app configurations.


2 answers

  1. Rakesh Mishra 6,560 Reputation points Microsoft External Staff Moderator
    2026-02-24T15:38:54.0733333+00:00

    Hi @Anoop Issac (G10X, IND) ,

    Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

    Yes, APIM imposes a ~2 KB query-string limit which is being exceeded. The fix is to use Azure AD’s supported form_post response mode so the code is sent in the body, not the URL. No APIM/AppGW setting can increase the URL length limit – the solution is to change the OAuth flow accordingly.

    Reference for limits:

    Recommended Solution: Use response_mode=form_post

    The most robust and secure way to fix this is to change the way Entra ID sends the authorization code back to your application. Instead of using the default query mode (which puts the code in the URL), you should use form_post.

    • How it works: When you initiate the login request to Entra ID, add the parameter response_mode=form_post.
    • Benefits:
      • Bypasses URL Limits: The authorization code is sent in the HTTP POST body, which has a much higher limit (up to 2MB or more on WAF) than the URL query string.
      • Security: Tokens and codes are not stored in browser history or server access logs because they are not part of the URL.
    • Requirement: Your backend (Azure Container App) must be configured to accept a POST request on your callback/redirect URI (e.g., /callBack).
    • Reference: Microsoft Identity Platform Response Modes
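The form_post flow recommended in the answer above, sketched as an added example (not code from the original answers or from Microsoft): the login request asks for `response_mode=form_post`, and the callback reads the code from the POST body and checks `state`. The function names, the `s-123` state value and the sample body are hypothetical; tenant and client ID are placeholders.

```python
import hmac
from urllib.parse import parse_qs, urlencode

# Microsoft identity platform v2.0 authorize endpoint; {tenant} is a placeholder.
AUTHORIZE = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"


def build_authorize_url(tenant, client_id, redirect_uri, state, nonce):
    """Authorization request asking Entra ID to POST the code to redirect_uri."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "form_post",  # code arrives in the body, not the URL
        "scope": "openid profile",
        "state": state,
        "nonce": nonce,
    }
    return AUTHORIZE.format(tenant=tenant) + "?" + urlencode(params)


def parse_form_post_callback(method, content_type, body, expected_state):
    """Validate the POSTed callback and return the authorization code.

    expected_state is the value saved for this browser session before the
    redirect. The POST arrives cross-site from the identity provider, so a
    cookie holding it must be SameSite=None; Secure to be sent at all.
    """
    if method != "POST":
        raise ValueError("callback must be a POST when response_mode=form_post")
    ctype = content_type.split(";")[0].strip().lower()
    if ctype != "application/x-www-form-urlencoded":
        raise ValueError("unexpected content type")
    form = parse_qs(body.decode("ascii"), strict_parsing=True)
    if "error" in form:
        raise ValueError("authorization error: " + form["error"][0])
    state, code = form.get("state", []), form.get("code", [])
    if len(state) != 1 or len(code) != 1:  # reject missing or duplicated fields
        raise ValueError("malformed callback")
    if not hmac.compare_digest(state[0].encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    return code[0]


# Constructed sample: a 2319-character code, the length reported in the question.
SAMPLE_CODE = "1." + "x" * 2317
SAMPLE_BODY = urlencode({"code": SAMPLE_CODE, "state": "s-123"}).encode("ascii")
```

With this mode the callback URL itself carries no query string, so its length no longer depends on the size of the code.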

  2. Q&A Assist
    2026-02-21T12:32:44.5066667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    In Azure API Management (APIM) and Application Gateway, there are indeed limits on the length of URLs and query strings. While the specific limits can vary based on configurations and the version of the services, it is common for these services to impose a maximum URL length that can be around 2048 characters. Given your observation that the issue arises when the query parameter length exceeds approximately 2200 characters, it is likely that this is causing the blocking behavior you are experiencing.

    To address your questions:

    1. URL/query string length limit: Yes, APIM and Application Gateway have URL length limits that could be causing the issue you are encountering.
    2. Configuration changes: You may need to consider breaking up the query parameters into smaller segments or using POST requests instead of GET requests for passing large amounts of data. Additionally, reviewing the configuration settings in APIM and Application Gateway for any specific limits or settings related to query string lengths would be beneficial.
    3. Similar issues: While I cannot provide specific cases, it is not uncommon for users to encounter issues with long query strings in various authentication flows, including those involving Microsoft Entra ID. It may be helpful to check community forums or support channels for similar experiences.

    For further assistance, reviewing the official documentation on APIM and Application Gateway might provide additional insights into configuration options and limitations.

