Bring Your Brand to Sign-Ins: Enable Custom Domains for External ID

What it is

This feature allows you to replace Microsoft’s default domain name with your own custom domain for your applications’ sign-in endpoints in Microsoft Entra External ID for external tenants. This enhances your brand consistency during user sign-in.

Important

  • This feature is currently in preview.
  • Prerequisites:
    • Existing external tenant
    • User flow for user sign-up/sign-in
    • Registered web application

Deployment Steps

Add and Verify a Custom Domain:

Associate the Domain with a Custom URL Domain:

Create an Azure Front Door Instance:

  • Sign in to the Azure portal.
  • Select the appropriate tenant and follow the steps in “Create Front Door profile – Quick Create” using the settings outlined in the article (Standard/Premium tiers, Custom origin type, etc.).

Configure Your Custom URL Domain on Azure Front Door:

  • Create a CNAME record with your domain provider to map your custom URL domain to the Azure Front Door default hostname obtained when you created the Front Door instance (step 3 above).
  • Within the Azure portal, ensure the “Host name” and “Origin host header” of your origin have the same value.

Set Up Your Custom URL Domain on Azure Front Door:

  • Sign in to your domain provider and create a CNAME record for your custom URL domain, pointing it to the Azure Front Door default hostname.
  • In the Azure portal, associate your custom URL domain with your Front Door instance and verify ownership through a TXT record.
  • Enable the “default-route” to direct traffic to your external tenant.

Testing and Configuration

  • Test your custom URL domain by signing in to the Microsoft Entra admin center, running a user flow, and replacing the default domain with your custom URL in the provided URL.

And add your custom domain like this.

  • Update your applications to use the custom URL domain in authentication endpoints.

Authentication Endpoints:

  • Replace the default domain name in your application’s authentication endpoints with your custom URL domain.
    • Supported formats include:
      • https://<your-custom-domain>/<tenant-name>/v2.0/.well-known/openid-configuration
      • https://<your-custom-domain>/<tenant-name>/oauth2/v2.0/authorize
      • https://<your-custom-domain>/<tenant-name>/oauth2/v2.0/token
    • Replace <your-custom-domain> with your actual domain (e.g., login.contoso.com) and <tenant-name> with your tenant name or ID.

SAML Service Provider Metadata (Optional):

  • Update your SAML service provider metadata to reflect the custom URL domain. The format might look like: https://<your-custom-domain>/<tenant-name>/Samlp/metadata

Using Tenant ID (Optional):

  • For a cleaner URL without “onmicrosoft.com,” replace the tenant name with your tenant ID GUID (found in the Azure portal or Microsoft Entra admin center).
    • Example: Change https://account.contosobank.co.uk/contosobank.onmicrosoft.com/ to https://account.contosobank.co.uk/<tenant-ID-GUID>/
    • Important: If using the tenant ID, update your identity provider’s OAuth redirect URIs accordingly. A valid format would be: https://login.contoso.com/00001111-aaaa-2222-bbbb-3333cccc4444/oauth2/auth
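As an added example (not code from the original post or from Microsoft), the following Python helper builds the endpoint forms listed above on a custom URL domain and checks a set of Entra-hosted URLs from an application or federated identity provider configuration for the inconsistencies the two sections above warn about: a URL still on the default domain, plain http, a tenant segment that does not match the chosen tenant name or ID, or a leftover onmicrosoft.com reference after switching to the tenant ID GUID. The domain and GUID are the placeholders used in the text, and the sample URL list is constructed.

```python
import re
from urllib.parse import urlparse

# Constructed sample values. login.contoso.com and the GUID are the
# placeholders used in the text above; they are not real tenants.
CUSTOM_DOMAIN = "login.contoso.com"
TENANT_ID = "00001111-aaaa-2222-bbbb-3333cccc4444"

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def build_endpoints(custom_domain: str, tenant: str) -> dict:
    """Rewrite the External ID endpoints onto the custom URL domain.

    `tenant` is either the tenant name (<name>.onmicrosoft.com) or the
    tenant ID GUID; the path formats are the ones listed in the text."""
    base = f"https://{custom_domain}/{tenant}"
    return {
        "openid_configuration": f"{base}/v2.0/.well-known/openid-configuration",
        "authorize": f"{base}/oauth2/v2.0/authorize",
        "token": f"{base}/oauth2/v2.0/token",
        "saml_metadata": f"{base}/Samlp/metadata",
    }


def check_app_urls(urls, custom_domain: str, tenant: str) -> list:
    """Flag Entra-hosted URLs in an app or federated-IdP config that still
    point at the default domain, use plain http, or embed a tenant
    identifier other than the one the app is being moved to.

    Returns a list of (url, reason) tuples; an empty list means consistent."""
    findings = []
    for url in urls:
        p = urlparse(url)
        if p.scheme != "https":
            findings.append((url, "scheme must be https"))
        if p.hostname != custom_domain.lower():
            findings.append((url, f"host is not {custom_domain}"))
        segments = [s for s in p.path.split("/") if s]
        if not segments or segments[0].lower() != tenant.lower():
            findings.append((url, f"tenant segment is not {tenant}"))
        # When the tenant ID is used, no onmicrosoft.com reference should remain.
        if GUID_RE.match(tenant) and "onmicrosoft.com" in url.lower():
            findings.append((url, "still references onmicrosoft.com"))
    return findings


if __name__ == "__main__":
    sample = [  # constructed: one good URL, one stale tenant name, one http
        build_endpoints(CUSTOM_DOMAIN, TENANT_ID)["authorize"],
        "https://login.contoso.com/contoso.onmicrosoft.com/oauth2/v2.0/token",
        "http://login.contoso.com/" + TENANT_ID + "/oauth2/v2.0/token",
    ]
    for url, reason in check_app_urls(sample, CUSTOM_DOMAIN, TENANT_ID):
        print(f"{reason}: {url}")
```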

By updating your applications with these changes, you ensure they leverage the custom URL domain for a seamless and branded sign-in experience.

Additional Notes

  • The custom URL domain integration applies to authentication endpoints using External ID user flows.
  • You can optionally replace the tenant name with the tenant ID to remove all references to “onmicrosoft.com” in the URL.
  • Azure Front Door advanced configuration options like WAF are available but require specific considerations (matching tiers, avoiding managed rules).

Troubleshooting

The article provides guidance for troubleshooting common issues encountered when using custom URL domains, including:

  • Page not found errors
  • Service unavailable messages
  • Invalid domain errors
  • Specific error codes and their solutions

Closure

This functionality builds upon the familiar concept of custom domains previously available in Azure Active Directory B2C (Azure AD B2C). If you’ve already benefited from custom domains in B2C, you’ll appreciate the ease of bringing the same level of branding to your External ID environment.

Custom URL domains represent a step forward in personalizing the sign-in experience for users of your external applications. As Microsoft Entra External ID continues to evolve, this feature ensures your brand remains at the forefront of the user journey.

By implementing custom URL domains, you can significantly enhance your brand identity, user experience, and consistency across your external applications. So, don’t miss out on this valuable opportunity to elevate your sign-in process!

Author: Harri Jaakkonen