When connecting to an Azure VPN Gateway using the Azure VPN Client, many admins encounter this error:
Provider Error -895352828: AADSTS650057: Invalid resource.
The client has requested access to a resource which is not listed
in the requested permissions in the client's application registration.
This happens when the audience (resource) requested by the VPN client does not match the permissions in Microsoft Entra ID (Azure AD) app registration. Let’s walk through why this occurs and how to fix it.
Why Does This Error Happen?

The Azure VPN Client requests a token for a resource (audience). If that resource isn’t properly registered or allowed in Microsoft Entra ID, the request fails with AADSTS650057: Invalid resource.
This usually happens due to:
- Mismatched Audience value (Gateway vs. App registration)
- Issuer missing trailing slash
- Azure VPN Client app not authorized for the resource
- Outdated VPN profile still pointing to old values
Fix 1: Use Microsoft’s Registered Azure VPN App (Recommended)
The easiest and most reliable option is to use Microsoft’s built-in Azure VPN application instead of a custom resource.
- In Azure Portal → Virtual Network Gateway → Point-to-site configuration:
  - Tunnel type: OpenVPN (SSL)
  - Authentication type: Microsoft Entra ID
  - Tenant: https://login.microsoftonline.com/<TenantID>
  - Audience: c632b3df-fb67-4d84-bdcf-b95ad541b5c8
  - Issuer: https://sts.windows.net/<TenantID>/ (don't forget the trailing slash.)
- Save the configuration.
- Download a fresh VPN client profile.
- Import it into the Azure VPN Client on each user's machine.
This setup requires no custom app registration and avoids 90% of Invalid Resource errors.
Fix 2: Configure a Custom Resource App Correctly
Some organizations prefer to use a custom app registration as the resource. In that case:
- Microsoft Entra ID → App registrations → Your resource app:
  - Go to Expose an API.
  - Set an Application ID URI (e.g., api://<guid>).
  - Add a scope like user_impersonation.
  - Under Authorized client applications, add the Azure VPN Client App ID: c632b3df-fb67-4d84-bdcf-b95ad541b5c8
- Gateway → Point-to-site configuration:
  - Tenant: https://login.microsoftonline.com/<TenantID>
  - Audience: Your Application ID URI
  - Issuer: https://sts.windows.net/<TenantID>/
- Save changes.
- Re-download the VPN profile and re-import it.
Fix 3: Check Common Gotchas
Even small missteps break the flow. Double-check these:
- Audience mismatch – The Audience in the gateway settings must match what's inside the client XML profile.
- Issuer must end with / – A missing trailing slash on https://sts.windows.net/<TenantID>/ causes the failure.
- Old profiles – If you made config changes, always download and import a new profile.
- Authorized client apps – If you use a custom resource, the Azure VPN Client app ID must be explicitly authorized.
- Permissions – If you created your own client app, ensure it has API permissions (like user_impersonation) to the resource, and click Grant admin consent.
Fix 4: Local Client Troubleshooting
If the server-side looks fine but the error persists:
- In Azure VPN Client → Settings → … → Diagnose, run the Prerequisites tool to confirm local config.
- Sign out of the Azure VPN Client to clear cached tokens, then sign back in.
- Remove & re-import the VPN profile.
- Use Azure CLI to verify your settings (the Entra ID values live under the gateway's vpnClientConfiguration property):
  az network vnet-gateway show \
    --name <GatewayName> \
    --resource-group <RG> \
    --query "vpnClientConfiguration.{tenant:aadTenant, audience:aadAudience, issuer:aadIssuer}"
  Ensure the aadTenant, aadAudience, and aadIssuer values match what you configured.
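To make the Fix 3 checks and the Fix 4 comparison repeatable, here is an added example (not from the original article) that reads the Tenant, Audience and Issuer out of a client profile and compares them with the gateway values returned by the CLI. The XML element names (clientauth/aad/tenant|audience|issuer), the namespace and the all-zero tenant ID are constructed for the example; real profiles are matched by local tag name so a namespace difference does not matter.

```python
import re
import xml.etree.ElementTree as ET

MS_AZURE_VPN_APP_ID = "c632b3df-fb67-4d84-bdcf-b95ad541b5c8"
GUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
TENANT_PLACEHOLDER = "00000000-0000-0000-0000-000000000000"  # constructed, not a real tenant

# Constructed profile snippet (element names assumed, tags matched by local name).
# It carries a legacy audience and an issuer without its trailing slash: two Fix 3 gotchas.
SAMPLE_PROFILE = f"""<AzVpnProfile xmlns="urn:example">
  <clientauth><aad>
    <audience>41b23e61-6c1e-4545-b367-cd054e0ed4b4</audience>
    <issuer>https://sts.windows.net/{TENANT_PLACEHOLDER}</issuer>
    <tenant>https://login.microsoftonline.com/{TENANT_PLACEHOLDER}</tenant>
  </aad></clientauth>
</AzVpnProfile>"""

# Constructed gateway values as read from the CLI output (aadTenant / aadAudience /
# aadIssuer), configured the Fix 1 way with Microsoft's registered Azure VPN app.
GATEWAY_EXAMPLE = {
    "tenant": f"https://login.microsoftonline.com/{TENANT_PLACEHOLDER}",
    "audience": MS_AZURE_VPN_APP_ID,
    "issuer": f"https://sts.windows.net/{TENANT_PLACEHOLDER}/",
}

def read_aad_settings(profile_xml):
    """Return the tenant/audience/issuer text found in the profile's <aad> block."""
    found = {}
    for el in ET.fromstring(profile_xml).iter():
        name = el.tag.rsplit("}", 1)[-1]  # drop any {namespace} prefix
        if name in ("tenant", "audience", "issuer"):
            found[name] = (el.text or "").strip()
    return found

def check_values(v):
    """Sanity-check one set of values; returns a list of human-readable findings."""
    findings = []
    if not v.get("issuer", "").endswith("/"):
        findings.append("issuer must end with a trailing slash")
    t_id, i_id = GUID_RE.search(v.get("tenant", "")), GUID_RE.search(v.get("issuer", ""))
    if not (t_id and i_id and t_id.group(0).lower() == i_id.group(0).lower()):
        findings.append("tenant ID in issuer does not match tenant URL")
    if v.get("audience", "").lower() != MS_AZURE_VPN_APP_ID:
        findings.append("audience is not the Microsoft Azure VPN app ID (custom resource or legacy value)")
    return findings

def compare(profile, gateway):
    """Return the keys whose profile and gateway values differ; an aligned setup returns []."""
    return [k for k in ("tenant", "audience", "issuer") if profile.get(k) != gateway.get(k)]
```

Any non-empty result from compare() means the client is carrying an old profile and a fresh one must be downloaded and imported.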
Fix 5: Migrating from Legacy Config
Some older guides use different audiences such as 41b23e61-6c1e-4545-b367-cd054e0ed4b4. If your setup follows those, migrate to the new Microsoft-registered Azure VPN app (Fix 1). It reduces complexity and avoids Invalid Resource errors in new tenants.
The AADSTS650057 Invalid resource error isn’t a bug—it’s a configuration mismatch between your VPN Gateway, app registration, and client profile.
- Best option: Use Microsoft's default Azure VPN App ID (c632b3df-fb67-4d84-bdcf-b95ad541b5c8).
- Alternative: If using a custom app, make sure you've exposed an API, set scopes, and authorized the VPN client.
- Always: Download and re-import the VPN profile after changes.
Once the Audience, Issuer, and Tenant values are aligned, the error disappears and your users can connect successfully.