Merge pull request #209236 from mmacy/msid-ado-1922716-msa-no-query-param

prmerger-automator[bot] · web-flow · commit 9ac958b0c060 · 2022-08-26T17:37:12.000Z
[msid][accuracy] no redirect URI query params for MSA (ADO-1922716)
diff --git a/articles/active-directory/develop/reply-url.md b/articles/active-directory/develop/reply-url.md
@@ -1,15 +1,14 @@
 ---
-title: Redirect URI (reply URL) restrictions | Azure AD
+title: Redirect URI (reply URL) restrictions
 description: A description of the restrictions and limitations on redirect URI (reply URL) format enforced by the Microsoft identity platform.
 author: madansr7
-ms.author: saumadan
 manager: CelesteDG
-ms.date: 09/03/2021
-ms.topic: conceptual
-ms.subservice: develop
-ms.custom: contperf-fy21q4-portal, aaddev
+ms.author: saumadan
+ms.date: 08/25/2022
+ms.reviewer: marsma
 ms.service: active-directory
-ms.reviewer: marsma, lenalepa, manrath
+ms.subservice: develop
+ms.topic: reference
 ---
 
 # Redirect URI (reply URL) restrictions and limitations
@@ -56,6 +55,19 @@ You can use a maximum of 256 characters for each redirect URI you add to an app
 * Always add redirect URIs to the application object only.
 * Do not add redirect URI values to a service principal because these values could be removed when the service principal object syncs with the application object. This could happen due to any update operation which triggers a sync between the two objects.
 
+## Query parameter support in redirect URIs
+
+Query parameters are **allowed** in redirect URIs for applications that *only* sign in users with work or school accounts.
+
+Query parameters are **not allowed** in redirect URIs for any app registration configured to sign in users with personal Microsoft accounts like Outlook.com (Hotmail), Messenger, OneDrive, MSN, Xbox Live, or Microsoft 365.
+
+| App registration sign-in audience                                                                                                  | Supports query parameters in redirect URI                            |
+|------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------|
+| Accounts in this organizational directory only (Contoso only - Single tenant)                                                      | :::image type="icon" source="media/common/yes.png" border="false"::: |
+| Accounts in any organizational directory (Any Azure AD directory - Multitenant)                                                    | :::image type="icon" source="media/common/yes.png" border="false"::: |
+| Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox) | :::image type="icon" source="media/common/no.png" border="false":::  |
+| Personal Microsoft accounts only                                                                                                   | :::image type="icon" source="media/common/no.png" border="false":::  |
+
 ## Supported schemes
 
 **HTTPS**: The HTTPS scheme (`https://`) is supported for all HTTP-based redirect URIs.
