We have: a .NET Framework 4.7 ASP.NET application hosted as an app service in Azure fronted by Front Door using Authentication and Authorization features to specify company Azure AD config The app reg redirect URI is set to the Front Door URL. The app service allowed external redirect URL is set to the Front Door URL. After users authenticate, they are being redirected back to the app service URL, rather than the Front Door URL Is there some other means I'm missing by which we can force the redirect URI to point to Front Door rather than the app service?

Yes it's possible. For that you need a custom domain configured at both the app service apps and the frontdoor frontend . Also, in the frontdoor backend pool you need to add the custom domain as headers sent to each backend (app service) and enable/select the custom frontend (domain) for routing and finally, as you already did, register the custom domain based callback URL as an app registration reply URL.

For Webapp verification use TXT record and map cname entry to FrontDoor

Is it possible to change an app service authentication flow's redirect URI so that login flow does not attempt to redirect the user directly to the underlying app service?

Andy Badera 1 Microsoft Employee

We have:

a .NET Framework 4.7 ASP.NET application
hosted as an app service in Azure
fronted by Front Door
using Authentication and Authorization features to specify company Azure AD config
The app reg redirect URI is set to the Front Door URL.
The app service allowed external redirect URL is set to the Front Door URL.

After users authenticate, they are being redirected back to the app service URL, rather than the Front Door URL Is there some other means I'm missing by which we can force the redirect URI to point to Front Door rather than the app service?

2 answers

Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,246 Reputation points

2020-07-09T14:16:37.547+00:00

Yes it's possible. For that you need a custom domain configured at both the app service apps and the frontdoor frontend. Also, in the frontdoor backend pool you need to add the custom domain as headers sent to each backend (app service) and enable/select the custom frontend (domain) for routing and finally, as you already did, register the custom domain based callback URL as an app registration reply URL.
Please sign in to rate this answer.

1 person found this answer helpful.
Andy Badera 1 Reputation point Microsoft Employee

2020-07-09T14:30:52.87+00:00

Thanks Alfredo for the quick reply. I'm getting some DNS requests in place and will give it a try ASAP!

Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,246 Reputation points

2020-08-03T22:25:07.487+00:00

Please let us know if this answer was helpful to you. If so, please remember to mark it as the answer so that others in the community with similar questions can more easily find a solution.

Andy Badera 1 Reputation point Microsoft Employee

2020-08-04T15:14:27.62+00:00

Hi Alfredo. Nice timing. It took ages to get a corporate IT org to register Front Door as an app reg for us for getting a cert for SSL out of Key Vault, and I finally completed config this morning. I think. I have customSubdomainA registered for Front Door, and customSubdomainB registered for the app service, both configured for SSL. The redirect now wants to go to customSubdomainB, whereas we want it going to customSubdomainA in order to filter through a WAF before hitting the app service. The app service itself has access restricted only to Front Door, so the redirect currently lands us on the Azure 403 Forbidden page.

Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,246 Reputation points

2020-08-04T22:49:07.647+00:00

anonymous user you need a custom domain configured at both the app service apps and the frontdoor frontend. Is it a requirement to have customSubdomainB registered in the webapps?

Andy Badera 1 Reputation point Microsoft Employee

2020-08-05T12:19:47.823+00:00

@alfredo-revilla-msft Are you saying the same domain must map to Front Door and the app service? If so, I don't understand how you do that with CNAMEs.

Adam Hoffmeister 1 Reputation point

2020-08-05T20:29:42.277+00:00

In the same boat as Andy, it's a requirement to have booth custom domains configured for both the app service and the frontdoor frontend.

kalyan kalapala 1 Reputation point

2021-02-17T12:19:37.54+00:00

When more than 1 web app sits behind the front door however, I was seeing the page not rendering correctly, giving different versions of the page. Also when the authentication and authorisation is enabled, the frontdoor URL is exposing or redirecting to the backend pool (webapps) URL. Also when the authentication and authorisation is enabled, the frontdoor URL is exposing or redirecting to the backend pool (webapps) URL.

kalyan kalapala 1 Reputation point

2021-02-17T12:20:13.17+00:00

When more than 1 web app sits behind the front door however, I was seeing the page not rendering correctly, giving different versions of the page. Also when the authentication and authorisation is enabled, the frontdoor URL is exposing or redirecting to the backend pool (webapps) URL. Also when the authentication and authorisation is enabled, the frontdoor URL is exposing or redirecting to the backend pool (webapps) URL.
Sign in to comment
Manish Pandey 1 Reputation point

2020-12-05T15:06:56.03+00:00

For Webapp verification use TXT record and map cname entry to FrontDoor
Please sign in to rate this answer.
kalyan kalapala 1 Reputation point

2021-02-17T12:20:41.847+00:00

That really helped but When more than 1 web app sits behind the front door however, I was seeing the page not rendering correctly, giving different versions of the page. Also when the authentication and authorisation is enabled, the frontdoor URL is exposing or redirecting to the backend pool (webapps) URL. Also when the authentication and authorisation is enabled, the frontdoor URL is exposing or redirecting to the backend pool (webapps) URL.
Sign in to comment