The SAC/ZTNA administrator had created a number of Web applications, and users could access them without issues.
After adding a new Web Application that requires Azure authentication, users were redirected to Azure but ended up with the following error AFTER entering their Azure credentials:
The ZTNA application is defined with the HTTPS scheme both internally and externally, yet the error reports the HTTP scheme.
The backend application was configured with an invalid redirect_uri (one that did not match the URI being sent in the request).
Modify the backend application to accept multiple redirect URIs, including the one being sent in the URL.
Initially, the assumption was that the backend Web server had been defined with the HTTP scheme, since the redirect into Azure showed HTTP.
Using the Web Application advanced options, the admin changed the redirect_uri scheme to 'https' without any change in application behaviour: we confirmed that the redirect_uri seen by Azure now specified https, but the original error remained.
Since the redirect_uri is typically set when defining an OIDC/OAuth application, the ZTNA admin worked with the application team to determine which redirect_uri had been configured. This confirmed that the defined redirect_uri did not match, and as one can add multiple entries to the application's redirect_uri parameter, we added the ZTNA-defined domain as a secondary entry.
As soon as this change was made, everything started to work correctly.
For more details on redirect_uri application settings, see the following Microsoft redirect_uri link.
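The check below reproduces the troubleshooting steps above as code: it pulls the redirect_uri out of the authorize request the gateway sends to Azure, compares it to the app registration's redirect URI list the way an IdP does (exact string match), reports which components differ (scheme, host, port, path), and then applies the fix by registering the ZTNA-facing URI as an additional entry. This is an added example, not code from the original article or from any ZTNA or Azure product; the URL, host names and tenant/client ids are constructed placeholders.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample values (not from the original article): the authorize
# request the ZTNA gateway sends the user to, and the redirect URI list of
# the Azure app registration. Tenant/client ids are placeholders.
SAMPLE_AUTHORIZE_URL = (
    "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/v2.0/authorize"
    "?client_id=CLIENT-ID-PLACEHOLDER&response_type=code&scope=openid"
    "&redirect_uri=http%3A%2F%2Fapp.ztna.example.com%2Fsignin-oidc"
)
REGISTERED_REDIRECT_URIS = ["https://app.internal.example.com/signin-oidc"]

def extract_redirect_uri(authorize_url):
    """Return the redirect_uri parameter of an OAuth/OIDC authorize request."""
    values = parse_qs(urlparse(authorize_url).query).get("redirect_uri", [])
    return values[0] if values else None

def diagnose_redirect_uri(sent_uri, registered_uris):
    """Exact-string match first (what an IdP does); on failure, report which
    components differ from each registered entry so the cause is obvious."""
    if sent_uri in registered_uris:
        return {"status": "ok", "mismatches": []}
    sent = urlparse(sent_uri)
    mismatches = []
    for candidate in registered_uris:
        reg = urlparse(candidate)
        diff = {}
        for part in ("scheme", "hostname", "port", "path"):
            if getattr(sent, part) != getattr(reg, part):
                diff[part] = (getattr(sent, part), getattr(reg, part))
        mismatches.append({"registered": candidate, "differs_in": diff})
    return {"status": "mismatch", "mismatches": mismatches}

def add_redirect_uri(registered_uris, new_uri):
    """The fix applied in the article: register the ZTNA-facing URI as an
    additional entry, keeping the existing one. Refuses plain http so the
    fix is not made by weakening the registration."""
    parsed = urlparse(new_uri)
    if parsed.scheme != "https" and parsed.hostname not in ("localhost", "127.0.0.1"):
        raise ValueError(f"refusing to register non-https redirect_uri: {new_uri}")
    if new_uri in registered_uris:
        return list(registered_uris)
    return list(registered_uris) + [new_uri]

if __name__ == "__main__":
    sent = extract_redirect_uri(SAMPLE_AUTHORIZE_URL)
    print(diagnose_redirect_uri(sent, REGISTERED_REDIRECT_URIS))
```

Running the diagnosis first on the http URI and then on the https one shows why changing only the scheme did not help: the hostname still differs until the ZTNA domain is registered.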