I have set up an Azure Front Door for a custom domain of my Azure AD B2C tenant using the following instructions:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-domain?pivots=b2c-user-flow
This is all working fine, but I would like to add a redirect for when somebody manually types the custom domain URL, e.g. login.mydomain.com.
Now it lands on the same page as when you type my-tenant.b2clogin.com, giving the following error:
The resource you are looking for has been removed, had its name
changed, or is temporarily unavailable.
Instead of that error, I would like it to redirect to my login URL, like app.mydomain.com/authentication/login.
Any idea how to accomplish this in the Azure Front Door config or Azure AD B2C config?
So, it turned out the Azure documentation had some missing and misleading steps.
Here they are:
In the 1st step of the documentation, you should make sure that you are adding the custom domain (e.g., login.contoso.com) not to the main tenant (where you have the subscription) but to the other B2C tenant where you want to replace the yourtenantname.b2clogin.com domain.
In the 3rd step of the documentation, you are asked to add a CNAME record for the domain login.contoso.com, but you won't be able to do that, as you've added a TXT record in the first step.
In this case, just feel free to remove the TXT record at the domain registrar (if you've successfully passed the validation in the first step) and then add the CNAME record (as mentioned in the third step).
We are using Azure Active Directory B2C in combination with Azure Front Door. When signing in with a password and username it works fine, but when signing in with a social provider, it shows the wrong domain.
Before sign-in:
After sign-in with a social provider (loading before continuing with, in this case, localhost):
The difference here is that before the sign-in we have login.timchermin.com/login.timchermin.com and after we have login.timchermin.com/lokaalaybler.onmicrosoft.com. I would prefer the onmicrosoft.com part to also be login.timchermin.com.
I tried putting https://login.timchermin.com/login.timchermin.com/oauth2/authresp in the Google Cloud app settings, but this gives the following error:
(How) can I make it so that my authresp also includes the domain after the first /?
I am also using custom policies, if that makes a difference.
The domain login.timchermin.com is also set as the primary domain.
Please make sure that you have all redirect URLs registered properly in your social IdP. This is my configuration for the Facebook login. I also use Front Door with Azure AD B2C:
The redirect URL should follow this pattern when using a custom domain:
https://your-custom-domain/name-of-your-ad-b2c-tenant.onmicrosoft.com/oauth2/authresp
I am creating users with Gmail, Facebook and any business account with Azure AD. It will not create a new account with this domain. It uses its custom domain for creating accounts, the one that we created in the Azure custom domain.
The domain portion of the userPrincipalName property is invalid. You must use one of the verified domain names in your organization.
My login feature is independent of domain, so how can this be resolved?
The domain portion of the userPrincipalName property is invalid. You must use one of the verified domain names in your organization.
You might get this type of error when you have added your custom domain in the Azure AD tenant but haven't verified that domain yet. I would suggest that you verify that custom domain in Azure AD by adding the TXT records for your domain.
Please refer to this Microsoft document to learn how to verify a domain.
Coming to your next problem, you can add your Gmail or Facebook users in Azure AD by sending them an invitation, as guest users.
I'm trying to add Apple as an identity provider to my Azure B2C tenant. I have Microsoft and Google set up already and had no issues with either of those.
With Apple, I followed Microsoft's guide to the letter. I have a custom domain, for example's sake myapp.net. My tenant is named myapp.net rather than myapp.onmicrosoft.com and I have Azure Front Door enabling the domain https://login.myapp.net instead of https://myapp.b2clogin.com. As above, all of this works fine with Microsoft, Google and local sign up (directly to the B2C tenant), so I don't think the tenant, Front Door or the domain itself are to blame.
Within the Apple developer portal, I set the domain as login.myapp.net and the return URL as https://login.myapp.net/myapp.net/oauth2/authresp. I ran the user flow in Azure B2C, clicked the Apple sign-in button and get this:
Anybody know why this might be? Or at least how to debug maybe at Apple's side to find out what it thinks the return URL should be or the actual value it's getting?
The doc says: "Enter https://your-domain-name.b2clogin.com/your-tenant-name.onmicrosoft.com/oauth2/authresp. Replace your-tenant-name with the name of your tenant, and your-domain-name with your custom domain."
So it should be:
https://login.myapp.net/myapp.onmicrosoft.com/oauth2/authresp
Looking in the browser dev tools network trace will show the redirect_uri parameter AAD B2C generates as part of the url to Apple. That value is what needs to be registered at Apple.
We faced a similar error. It was because of some uppercase letters in the redirect URI. After updating the redirect URI to lowercase in the Apple ID application configuration in the Apple developer portal, the issue was fixed.
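An added example, not from any of the posts on this page, that automates the check the two answers above describe: take the authorize request B2C sends to the identity provider (as seen in the browser network trace), pull out its redirect_uri, and verify that it follows the https://custom-domain/tenant.onmicrosoft.com/oauth2/authresp pattern (or uses the tenant GUID as the tenant segment), is all lowercase, and does not still point at the legacy login.microsoftonline.com host. The authorize URL, client id and domain names are constructed samples.

```python
import re
from urllib.parse import parse_qs, urlparse

# Shape of the redirect_uri B2C sends to a social IdP behind a custom domain, as the
# answers here describe: https://<custom-domain>/<tenant>.onmicrosoft.com/oauth2/authresp
# The tenant segment may also be the tenant GUID; it must never be the custom domain itself.
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
LEGACY_HOST = "login.microsoftonline.com"  # old B2C host; new setups use b2clogin.com or a custom domain


def redirect_uri_from_authorize_url(authorize_url: str) -> str:
    """Extract redirect_uri from the authorize request B2C issues to the IdP (as seen in dev tools)."""
    query = parse_qs(urlparse(authorize_url).query)
    return query.get("redirect_uri", [""])[0]


def check_redirect_uri(redirect_uri: str, custom_domain: str) -> list[str]:
    """Return the list of problems found; an empty list means the URI matches the expected pattern."""
    problems = []
    if redirect_uri != redirect_uri.lower():
        # One answer above traced an Apple sign-in failure to uppercase letters in the registered URI.
        problems.append("contains uppercase letters; register the lowercase form at the IdP")
    url = urlparse(redirect_uri)
    if url.scheme != "https":
        problems.append(f"scheme is {url.scheme!r}, expected https")
    host = url.hostname or ""
    if host == LEGACY_HOST:
        problems.append(f"host is the legacy {LEGACY_HOST}; use the custom domain {custom_domain}")
    elif host != custom_domain.lower():
        problems.append(f"host {host!r} is not the custom domain {custom_domain!r}")
    segments = url.path.strip("/").split("/")
    if len(segments) != 3 or segments[1:] != ["oauth2", "authresp"]:
        problems.append("path must be /<tenant>/oauth2/authresp")
    else:
        tenant = segments[0].lower()
        if not (tenant.endswith(".onmicrosoft.com") or GUID_RE.match(tenant)):
            problems.append(f"tenant segment {segments[0]!r} must be <tenant>.onmicrosoft.com "
                            "or the tenant GUID, not the custom domain")
    return problems


# Constructed sample of an authorize request (not a real capture): its redirect_uri carries
# the custom domain in the tenant segment, the mistake described in the question above.
SAMPLE_AUTHORIZE_URL = (
    "https://idp.example/authorize?client_id=abc123&response_type=code&scope=openid"
    "&redirect_uri=https%3A%2F%2Flogin.myapp.net%2Fmyapp.net%2Foauth2%2Fauthresp"
)

if __name__ == "__main__":
    uri = redirect_uri_from_authorize_url(SAMPLE_AUTHORIZE_URL)
    for problem in check_redirect_uri(uri, "login.myapp.net"):
        print(f"{uri}: {problem}")
```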
When you create a B2C tenant and are prompted to provide a temporary .onmicrosoft.com domain, the tooltip says that this can be changed later on to a domain our organization currently uses.
How do we go about accomplishing this and changing the domain?
Thanks!
Please refer to Add your custom domain to Azure AD.
After the custom domain is added, you may add a local account with it.
As per the FAQ:
"Can I use my own URLs on my sign-up and sign-in pages that are served by Azure AD B2C? For instance, can I change the URL from contoso.b2clogin.com to login.contoso.com?
Not currently. This feature is on our roadmap. Verifying your domain in the Domains tab in the Azure portal does not accomplish this goal. However, with b2clogin.com, we offer a neutral top-level domain, and thus the external appearance can be implemented without the mention of Microsoft."
In a custom policy, if I wanted to change the Authorize & METADATA endpoint from login.microsoftonline.com to tenant.b2clogin.com, what should we use?
I get a 404 for the endpoint.
Your case
I wanted to change the Authorize & METADATA endpoint from login.microsoftonline.com to tenant.b2clogin.com
Solution
In your case you need to configure a custom URI for your application. To do that, please have a look at the following steps.
Steps to follow
When you set up an identity provider for sign-up and sign-in in your Azure Active Directory (Azure AD) B2C application, you need to specify a redirect URL.
In the past, login.microsoftonline.com was used; now you should be using b2clogin.com.
For example: https://YourTenantName.b2clogin.com
The following settings might need to change when using b2clogin.com:
Set the redirect URLs in your identity provider applications to use b2clogin.com.
Set your Azure AD B2C application to use b2clogin.com for user flow references and token endpoints.
If you are using MSAL, you need to set the ValidateAuthority property to false.
Make sure that you change any Allowed Origins that you have defined in the CORS settings for user-interface customization.
Go to the user policy of your B2C app. See the screenshot below:
Click on page layout like below:
Run your custom flow. Take a look below:
Note:
You can use both the tenant name and the tenant GUID as follows:
https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com (which still refers to onmicrosoft.com)
https://your-tenant-name.b2clogin.com/your-tenant-guid (in which case there is no reference to Microsoft at all)
Remember
You cannot use a custom domain for your Azure Active Directory B2C tenant, e.g. https://your-tenant-name.b2clogin.com/your-custom-domain-name would not work.
If you face any problem during implementation, you can refer to the official document here.
For further queries you can also refer here.
Hoping this will help you figure out the way around. Thank you.