Custom URL for Azure AD B2C signup and signin pages - azure

I'm working on integrating Azure Active Directory B2C for the sign-up and sign-in process. By default, when a user clicks the login button, they are redirected to a different domain (microsoftonline.com), so the URL for the sign-up and sign-in page has the following format:
https://login.microsoftonline.com/te/tenant-name.onmicrosoft.com/b2c_1_signupsignin1/oauth2/v2.0/authorize.......
However, I think redirecting users to another domain for signing in is a bad user experience.
So I'd like to use my own domain (e.g. example.com) so that the URL looks like the one below.
https://login.example.com/te/tenant-name.onmicrosoft.com/b2c_1_signupsignin1/oauth2/v2.0/authorize.......
I've done some research in the Azure documentation and found out that it does not currently support setting up a custom URL for the sign-up and sign-in page.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-faqs
However, a case study from Azure B2C mentions that the Real Madrid official home page also uses Azure AD B2C for user management (https://customers.microsoft.com/en-ca/story/real-madrid).
However, the domain in the URL of their sign-in page is not microsoftonline.com but their own domain, realmadrid.com, as below:
https://pro.login.realmadrid.com/rmglndpdaadfans.onmicrosoft.com/oauth2/authorize?p=B2C_1_SignInSignUpWeb&client_id=8a943960-87f9-4e22-bc2a-40099d584719&redirect_uri=http%3A%2F%2Fwww.realmadrid.com%2Fcs%2FSatellite%3Fpagename%3DRealMadridResponsive%2FPage%2FRM_IDPRespuesta&resource=https%3A%2F%2Frmglndpdaadfans.onmicrosoft.com%2Fwebapi&response_mode=fragment&response_type=token+id_token&scope=openid&nonce=defaultNonce&idpmode=0&lang=en&_ga=2.211460117.1443111640.1554916216-543571806.1554916216
I've checked the following pages but none of them helped.
https://techcommunity.microsoft.com/t5/Azure-Active-Directory/B2C-with-custom-login-URL/td-p/44040
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-faqs
So how can I achieve this with Azure AD B2C, as the Real Madrid home page did?

Currently, you are able to use the your-tenant-name.b2clogin.com domain (recommended) or the login.microsoftonline.com domain, the latter of which is being deprecated.
Work for support of customer-owned domains has been started.

The capability to use a custom domain for your B2C tenant is now available in public preview
https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-domain?pivots=b2c-user-flow

Related

Azure B2B application redirection to web app after login from the Invitation

We are implementing the Azure B2B application given in the GitHub sample
https://github.com/Azure/active-directory-dotnet-graphapi-b2bportal-web,
which was working as expected. After redemption from the mail, the user is redirected to the B2B application (profile page), but we want to redirect to another web app (Azure AD application) with Microsoft identity.
I tried to change the redirect URLs of the B2B applications (Admin app and B2B pre-auth app) as mentioned in the above solution.
Can anyone suggest how to achieve this?
In the B2B sample application, I see the inviteRedirectUrl (profile URL) in two places where the profile URL is mentioned in the code. Did you change it in both places?
SiteConfig.cs
PreApprovalController.cs

Google Not Redirecting After Authentication

I'm building an ASP.NET Core 2.1 website using Azure AD B2C based on this example code. However, I am using the Microsoft-recommended b2clogin.com domain because the microsoftonline.com domain is being deprecated.
During signup, after the identity provider authenticates successfully, it should redirect the user to an Azure AD B2C generated page where the user fills in some additional fields. Those fields are drawn from the standard attributes offered by Azure AD B2C (i.e., I haven't defined any custom attributes). Everything works as expected with Microsoft Account authentication.
However, when authenticating against Google, there is no redirect back to that Azure AD B2C generated page. Instead, the user is sent to the default page of the site.
I thought I had set the proper redirect URI in the Google Cloud Console.
But since the redirect is not working, I'm wondering if I need to set it somewhere else.
Turns out the problem was caused by the fact that I had completely filled out the custom attributes page when logging in via the Google identity provider, but not the Microsoft Account identity provider. So all Google cared about was authenticating me, and then tossing me back to my app.
Microsoft, OTOH, needed me to fill out all the required custom fields, so it sent me to the custom attribute page.
I had mistakenly assumed authentication always took me to the custom attribute page, but that's not the case.

Azure AD B2C reply url to wildcard URL

I am using Azure B2C, and users are being created successfully in B2C. I am using dynamic web apps, i.e., there are a number of web apps present:
sssss01.example.com
sss2.example.com
wwwss2.example.com........
When a user wants to log in using B2C, the login succeeds, but the reply URL is not correct. I checked in Azure, and the B2C app does not support wildcards (*). So is there any option to add a wildcard, or any other method to manage this programmatically?
The sign-in reply URL is different for each web app.
Wildcard redirect URLs are not supported in OAuth2. See: why are redirect URLs fully qualified.
Unfortunately, we can't manage B2C programmatically.
You can upvote this item on User Voice and subscribe to stay updated: https://feedback.azure.com/forums/169401-azure-active-directory
Others have suggested this same feature but the User Voice forum appears to be down right now.
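Added example, not code from any of the posts above: exact-match redirect URI validation of the kind the answer refers to, plus the usual workaround for many dynamic sub-domains, a single registered callback that routes on an HMAC-signed OAuth2 `state` value after the B2C callback. The hostnames, paths, allow-pattern and secret are constructed for the example.

```python
import base64, hashlib, hmac, json, os, re
from urllib.parse import urlsplit

# Constructed sample: the exact redirect URIs registered on the B2C application.
# OAuth2 registration is an exact string; "https://*.example.com/..." cannot be registered.
REGISTERED_REDIRECT_URIS = {
    "https://login.example.com/signin-oidc",
    "https://sss2.example.com/signin-oidc",
}

def redirect_uri_allowed(candidate, registered=REGISTERED_REDIRECT_URIS):
    """Exact-match validation as an authorization server performs it: scheme, host,
    port, path and query must equal a registered entry. No prefix or wildcard match."""
    c = urlsplit(candidate)
    try:
        key = (c.scheme, c.hostname, c.port, c.path, c.query)
    except ValueError:  # malformed port number
        return False
    if c.scheme != "https" or c.fragment:
        return False
    return any(key == (p.scheme, p.hostname, p.port, p.path, p.query)
               for p in map(urlsplit, registered))

# Workaround for many dynamic sub-domains: register ONE fixed callback
# (https://login.example.com/signin-oidc) and carry the originating host in an
# HMAC-signed OAuth2 `state` value; route to that host only after the callback.
TENANT_HOST = re.compile(r"^[a-z0-9-]+\.example\.com$")  # constructed allow-pattern

def make_state(return_host, secret):
    """state = urlsafe_b64(json payload) + '.' + HMAC-SHA256(payload) as hex.
    The random nonce also provides the CSRF protection `state` is meant for."""
    if not TENANT_HOST.fullmatch(return_host):
        raise ValueError("host not in our tenant namespace")
    payload = json.dumps({"host": return_host, "nonce": os.urandom(16).hex()}).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag

def resolve_return_host(state, secret):
    """Verify the signature and re-check the host pattern; return host or None."""
    try:
        b64, tag = state.split(".", 1)
        payload = base64.urlsafe_b64decode(b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    host = json.loads(payload).get("host", "")
    return host if TENANT_HOST.fullmatch(host) else None
```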

Custom Branding for Login on an Azure AD Multi-Tenant App

Question: How can I custom brand my Azure AD application login page? (note: NOT my org's login page; see below)
I have a web application hosted in Azure where users can log in using accounts that are created and managed within the application. Since my application is used by many big organizations, I have added the capability for customers to also sign in using their account that's managed by their organization (single sign on). This was done using Azure Active Directory, which syncs the local AD accounts into Azure where cloud authentication occurs. Since this application is used by many organizations all with their own separate ADs, I created the Active Directory application within Azure as multi-tenanted. With all of this done, the new login process works perfectly, however, I can't figure out how to brand the Microsoft hosted application sign in page.
Please keep in mind the distinction between the application login page and the organization's tenant login page. There is ample documentation about how to brand the organization's tenant login page, but not the application login page. Consider the application flow to understand the difference:
User goes to my app's login page, and chooses "Login with your existing organization account".
The user is redirected to a Microsoft hosted login page for my application. At this point, Microsoft/Azure Ad only knows which application this is for; it doesn't yet know who is logging in or which tenant (organization) they belong to. This is the login page I need help branding (logo & page background).
After the user enters their email address (and even before they enter their password), the user is redirected to a different login page--the login page for the user's organization (i.e. their tenant). This page shows that organization's custom branding if it was setup. This is not the login page I wish to brand; it is my customer's responsibility to brand their org if they desire.
After the user enters their password on their organization's login page, the user submits the form. Azure then successfully authenticates them and redirects them back to my application where they are now authenticated as well.
NOTE: this should be possible as you can see Microsoft is doing it on all of their cloud apps as well (Office 365, Visual Studio, Azure Portal)
NOTE: this question was asked over 3 years ago, but only 1 misdirected answer was given, and Azure and Azure AD have changed drastically since then. See: Azure Active Directory Custom Branded login page dont work with third party application. Also, the Microsoft documentation only covers the branding of the tenant login page, not the application login page like I am seeking. See: https://learn.microsoft.com/en-us/azure/active-directory/active-directory-add-company-branding.
What you observe is only possible for Microsoft owned applications.
The customers can only brand their organisation login page.
What you can do however, is to redirect the user to your org login page. Then the first thing the user will see is your company branding. After they enter their login name, they may see their custom org login page (if the organisation has customized the login experience).
If such a feature (per-app custom login page) is something worth looking at, you can create a feature request on the UserVoice site - http://mygreatwindowsazureidea.com/
Just as a note - a per-app custom login page is today only possible on Azure AD B2C via a custom policy implementation.

B2C: Redirect to "sign-up" flow of a "Sign-up or Sign-in" policy

Microsoft recently added the new "sign-up or sign-in" policy to Azure AD B2C.
https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-reference-policies/#create-a-sign-up-or-sign-in-policy
By default when we direct a user to that page it shows the sign-in workflow.
Sometimes I may want to take a user directly to the sign-up workflow instead.
I don't want to configure two policies (i.e. upload the same banners, templates, backgrounds, redirects, special messages etc) when the content is going to be exactly the same for both.
Is it possible to pass a parameter (or some otherworldly trickery) so that it shows the "sign-up" workflow instead?
Currently there isn't a query parameter or policy setting that will take the user straight to the local account sign-up pages in a SignUporSignIn policy. Today you would need a separate sign-up policy to direct them directly to sign up.
You can use hello.js for Azure B2C with some customization in initialization; it is built for external authentication with Google, Facebook, etc. You can also look into the sample from Microsoft, which works! Azure B2C