We have an application that we want to host only once but allow 2 different domains to direct to the one instance then we change the branding based on the incoming host. For instance https://app.abc.com points the same instance as https://app.def.com.
So they are not subdomains but rather independent domains. This would mean they also share the same Azure registered application but different return url's https://app.abc.com/auth/openid/return and https://app.def.com/auth/openid/return.
The Azure portal, however, gives the error
"You may not use more than 1 external domain(s)"
.
Is there any way around this without having to host 2 instances of the same application, each with the own Azure application/client id?
As Wayne mentioned, it is not currently possible to reply to multiple domains.
However, one workaround is to build a proxy in one of the websites. You always redirect to this proxy, which then redirects to the proper site. You could use the state parameter to store which "site" the user clicked "sign in" from, and then based on that redirect properly. You would have to be careful in making sure the token is passed through securely.
Unfortunately, you cannot achieve this.
Reply URLs must all belong to the same domain. And Redirect URIs must all belong to the same domain .This is a limitation for AAD B2C application Registration.
You can also see this note in Azure portal:
Is there any way around this without having to host 2 instances of the
same application, each with the own Azure application/client id?
For Web API or Web App, as I known, there is no way to achieve this for now.
I suggest you can upvote this idea in this Uservoice Page, AAD B2C Team will review it.
Hope this helps!
In case anyone stumbles across this issue as I did today, I found a workaround for this.
Caution: This method is not officially supported by MS according to a warning from MS in the Azure portal (see the second screenshot)
1) In your B2C tenant, navigate "All services --> search for "App registrations" --> click "App Registrations"
All services --> App registrations screenshot
2) Find your application in the application list and click on it. Note the warning from MS (see screenshot)
App registration list screenshot
3) Click on "Authentication" and add your Redirect URIs to the list. This is the same UI as non-B2C tenants.
Redirect URI list screenshot
It allowed me to enter redirect URIs with different domains. It doesn't appear to have the limitation as the "Azure AD B2C" blade. I had to wait a minute for the change to propagate, but it worked for me. I'm not going live with this anytime soon, so I'm ok with doing this for now. When I do decide to go live I'll probably find some other way of doing what I want if MS still hasn't green-lit this method.
Again, MS warns against using this at the moment, but hopefully they'll officially support it soon.
Related
I would like your feedback and opinion about using { FrontDoor + Appservices + Authentication + restrict access to FD only }
I do confirm I can set up all of this thanks to all contribution/ forums / blog found on the net. I can use my custom domain which request AD authentication and I am correctly redirect to my appservices (in browser: I see my custom domain name and never see any *.azurefdnet or *azurewebsites.net as expected).
The only problem is that I needed to use a custom domain to make it works. For production purpose it is acceptable to have a custom domain but for dev or test I wonder if we can do it without custom domain by simply keeping original address like *.azurefd.net and *.azurewebsites.net
I struggle to make it works without custom domain. I keep getting “too many redirection” message or ‘403 sites blocked’.
Does anyone success to do it ? My general configuration looks like
My backend is linked with my appservices
Details of my backend is:
I think my problem is with BackendHostHeader but not sure. When i used custom domain for my production it works. But remind i do not want to use custom domain for dev and test.
My route looks like
And finally my appservices is secure to allow frontdoor only
When my user goes to stackoverflo.azurefd.net they get AD authentication which is good but just after i get redirection to xxx.azurewebsites.net with 403 forbidden (which looks normal because of restriction to FD only).
I tried to change the backend host header by replacing by FD value but in this case i get a error with loop redirection.
Is it a feasible scenario without custom domain ?
Regards
PS: i configured Azure ADApp to allow reply url to my FD like stackoverflo.azurefd.net/.auth/login/aad/callback
Yes, you can Restrict the access to website without using Custom Domain.
Goto the Application you want to restrict the access in Azure Portal and select the Networking from left Pane, now click on Access Restrictions.
For complete information you can go through this Microsoft Documentation.
When adding Reply URLs in an Azure B2C Application, the UI shows the following information:
Redirect URIs must all belong to the same domain
And until recently this was enforced by the UI: no way to save a list with multiple different URLs with the exception of localhost.
But just today I found out that right now it's possible to add any domain as Reply URL, which is pretty awesome for my use case. Is this going to stay and the info is outdated or is this a bug (which would be a shame, because this makes multi-domain apps a lot easier)?
BTW, it's not just that the list can be saved, the redirects work as one would expect.
Yes, the restriction has been removed. But the tip on Azure portal hasn't been updated.
I'm trying to include Terms of Service and/or Privacy Statement links to Azure AD web application consent screen according to documentation.
I can see and test the consent screen just fine when appending &prompt=consent on login URL https://login.microsoftonline.com/TENANT_ID/oauth2/authorize?response_type=id_token&redirect_uri=https%3A%2F%2Fmyapp.azurewebsites.net%2F.auth%2Flogin%2Faad%2Fcallback&client_id=CLIENT_ID&scope=openid+profile+email&response_mode=form_post&nonce=NONCE&state=redir%3D%252F&sso_reload=true&prompt=consent but for some reason ToS/PS links are not shown where they should be (please see documentation link above).
Here's how I have defined them on app manifest:
Is there something else in addition to defining the URLs that is required for the links to be shown on consent screen?
I can reproduce your issue. After changing the application to multi-tenant. It works.
This is my test result.
Then I check the document again.
The terms of service and privacy statement are especially critical for
user-facing multi-tenant apps--apps that are used by multiple
directories or are available to any Microsoft account.
Hope it helps.
I've been tasked with figuring out a way to make a certain set of Azure users authenticate to a Web Application by accepting/denying a warning message that should be presented before the users are directed to the application itself. The users that should not go through this process are in-network users.. they should be able to input the URL and be presented with a sign-in page and from there they will have access into the application. This has already been configured via Azure AD but the previous issue for out of network users is what i'm having issues with.
My current thoughts on this is to create an a simple authorization page created by an azure function that out of network users will be directed to because the IP addresses will be placed in a conditional access rule to do so. From the simple page the user will be directed to the application or logged out if they choose cancel.
This is just a thought but definitely open to suggestions. Thoughts?
For those who may have been interested in an answer for this question I have figured it out. In order to do this I had to create a "Terms Of Use" within Azure Active Directory. This Terms of use consisted of a pdf file containing the information my user needed to view before accept/deny could be clicked. On the "Terms Of Use" was created I then created a custom conditional access policy which included users needing to accept the "Terms Of Use" before being able to access our Portal or Applications. Hope this helps
I have created three B2C applications:
TestWebApp
TestApiOne
TestApiTwo
Both API applications were created the exact same way. Web API access is enabled, reply URLs have been specified, an App ID URL has been assigned, and keys have been generated. Both APIs have an additional read and write scope.
In TestWebApp API access, I am able to add TestApiOne with all three scopes without an issue.
When trying to add TestApiTwo to the TestWebApp API access list, the operation fails with the following error.
Failed to add the API access. Reason: The B2C service has an internal
error. If you created this B2C directory just now, please try again
after couple of minutes. If the problem persists, please contact
Support
(https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-support/).
If you do not have a B2C directory you can refer
https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-get-started/
I thought maybe there is a limit of one API per application. To test, I created a temporary application "TempApp". I received the same error displayed above while trying to add API access for both TestApiOne and TestApiTwo.
Has anyone else experienced this issue?
There's not a limit of one API per application. I have done research and it works fine by my side.
Please have a look at the guide and check your steps.
I have tried to replicate the issues that you are facing by putting diff redirect reply url domains and also by making one application to be native and one normal web app but it doesn't help.
Could you try to delete all the webapps and try making 1 and then adding another to it.
Then create the 3rd one.
Please check this or if you can share some screen shots. That would be helpful.
You can definitely add multiple web apps to api access of one web app.