Program management cloud task sync fails with MS Project integration OAuth redirect issues

We’re trying to sync program tasks from MS Project Online to Aras 13.0 cloud program management module and hitting OAuth authentication failures. The initial connection seems to work, but when trying to sync tasks we get redirect errors.

Error message we’re seeing:


OAuth redirect URI mismatch
Provided: https://our-instance.aras.cloud/auth/callback
Expected: https://our-instance.aras.cloud/callback

We’ve registered the OAuth app in Azure AD and configured the redirect URI, but something isn’t matching up. The OAuth app registration seems correct with the right permissions (Tasks.ReadWrite, Project.Read), but the redirect URI configuration in Aras doesn’t seem to align with what Azure expects.

Our Azure AD integration was working fine for user authentication, but this MS Project integration is a different beast. Has anyone successfully configured MS Project Online sync with Aras cloud? What redirect URI format should we be using?

The redirect URI mismatch is a common issue with cloud OAuth integrations. You need to register multiple redirect URIs in your Azure AD app - both the /auth/callback and /callback endpoints. Azure AD allows multiple redirect URIs per application, so add both variations to be safe.

I’ve worked on similar integrations. The issue often stems from how Aras cloud handles OAuth flows versus on-premise installations. In cloud deployments, there’s an additional proxy layer that can modify the callback URL. Check your Aras cloud instance settings for the OAuth callback base URL configuration. It might be set to a different value than your actual instance URL. Also verify that your Azure AD app is configured for web application type, not single-page application, as the redirect flow is different.

Check if your cloud instance is behind a load balancer or CDN. We had a similar issue where the SSL termination was happening at the load balancer level, and the redirect URI was being rewritten from HTTPS to HTTP internally. This caused Azure AD to reject the callback because the protocol didn’t match. You might need to configure X-Forwarded-Proto headers properly so Aras sees the correct protocol in the redirect URI.

Your OAuth redirect issue requires addressing all three key areas systematically.

OAuth App Registration: In Azure AD, your app registration needs these exact settings:


Application Type: Web
Redirect URIs:
  - https://your-instance.aras.cloud/oauth/callback
  - https://your-instance.aras.cloud/auth/msproject/callback
API Permissions:
  - Microsoft Graph: Tasks.ReadWrite, Project.Read
  - Grant admin consent: Yes

The MS Project connector uses a specific callback path that’s different from general OAuth flows. You need both URIs registered because Aras cloud uses different paths for initial auth versus refresh token flows.

Redirect URI Configuration: In your Aras cloud instance, navigate to Administration > OAuth Providers and configure the MS Project integration:


Provider: Microsoft Project Online
Client ID: {your-azure-app-id}
Client Secret: {your-azure-secret}
Redirect URI: https://your-instance.aras.cloud/auth/msproject/callback
Tenant ID: {your-azure-tenant-id}

Critical point: The redirect URI in Aras MUST exactly match one of the URIs registered in Azure AD, including the protocol (HTTPS), domain, and path. Case sensitivity matters.

Azure AD Integration: The MS Project integration requires additional Azure AD configuration beyond basic authentication:

  1. Enable ID tokens in Azure AD app manifest:

     "oauth2AllowIdTokenImplicitFlow": true

  2. Configure token version to v2.0 for better compatibility with cloud services

  3. Add the Microsoft Graph API with delegated permissions (not application permissions) - this is crucial for accessing user-specific Project data

  4. Grant admin consent at the tenant level, not just user level

For the specific error you’re seeing, the mismatch between /auth/callback and /callback suggests your Aras OAuth configuration is using a generic callback path instead of the MS Project-specific one. Update your OAuth provider configuration to use the correct path: /auth/msproject/callback.

Also verify in your Azure AD app’s Authentication settings that you’ve enabled “Access tokens” and “ID tokens” under Implicit grant and hybrid flows. MS Project integration requires both token types.

If you’re still seeing issues after these changes, check the Aras server logs for the exact redirect URI being sent to Azure. There might be a proxy or load balancer rewriting the URL. You can verify this by capturing the actual OAuth request with browser developer tools - compare the redirect_uri parameter in the authorization request to what’s registered in Azure AD.

One final note: After updating Azure AD settings, there’s sometimes a propagation delay of 5-10 minutes before changes take effect globally. Clear your browser cache and test the OAuth flow again after waiting a bit.
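The comparison suggested in the answer above, between the redirect_uri parameter of the captured authorization request and the URIs registered in Azure AD, can be scripted. This is an added example, not part of the original posts or of Aras or Microsoft tooling; the tenant and client IDs are placeholders, the second registered URI is constructed to show a case-only difference, and plain string equality stands in for the identity provider's matching rule.

```python
from urllib.parse import urlsplit, parse_qs


def extract_redirect_uri(auth_request_url):
    """Return the decoded redirect_uri parameter of an authorization request."""
    values = parse_qs(urlsplit(auth_request_url).query).get("redirect_uri", [])
    if len(values) != 1:
        raise ValueError("expected exactly one redirect_uri, found %d" % len(values))
    return values[0]


def differing_parts(sent, registered):
    """Name the URI components in which two redirect URIs differ."""
    a, b = urlsplit(sent), urlsplit(registered)
    parts = []
    if a.scheme != b.scheme:
        parts.append("scheme")  # e.g. https rewritten to http behind a proxy
    if a.netloc != b.netloc:
        parts.append("host")
    if a.path != b.path:
        # Separate a pure case difference from a genuinely different path.
        parts.append("path-case" if a.path.lower() == b.path.lower() else "path")
    if a.query != b.query:
        parts.append("query")
    return parts


def diagnose(auth_request_url, registered_uris):
    """Exact-match check plus the differing components per registered URI."""
    sent = extract_redirect_uri(auth_request_url)
    return {
        "sent": sent,
        "exact_match": sent in registered_uris,  # assumption: exact string match
        "differences": {r: differing_parts(sent, r) for r in registered_uris},
    }


# Constructed sample: IDs are placeholders; the URIs come from the error message.
SAMPLE_REQUEST = (
    "https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/oauth2/v2.0/authorize"
    "?client_id=CLIENT_ID_PLACEHOLDER&response_type=code"
    "&redirect_uri=https%3A%2F%2Four-instance.aras.cloud%2Fauth%2Fcallback"
)
REGISTERED = [
    "https://our-instance.aras.cloud/callback",
    "https://our-instance.aras.cloud/Auth/Callback",  # constructed, case-only variant
]

if __name__ == "__main__":
    print(diagnose(SAMPLE_REQUEST, REGISTERED))
```

A "scheme" result points at the load balancer or X-Forwarded-Proto problem raised earlier in the thread, while "path" points at the callback path configured in the OAuth provider settings.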

Thanks both. I’ve added multiple redirect URIs in Azure AD but still getting the same error. The OAuth callback base URL in Aras settings matches our instance URL. Could this be related to how the MS Project connector specifically handles authentication versus general Azure AD auth?

Yes, the MS Project connector uses a different OAuth flow than standard Azure AD authentication. It requires specific API permissions and a different token endpoint. Make sure you’ve granted admin consent for the API permissions in Azure AD - the connector needs delegated permissions, not just application permissions. Without admin consent, the OAuth flow can fail at the redirect stage even if the URIs are correct.