Επεξεργασία

Κοινή χρήση μέσω


Custom URL domains in external tenants (Preview)

Applies to: White circle with a gray X symbol. Workforce tenants Green circle with a white check mark symbol. External tenants (learn more)

A custom URL domain allows you to brand your application’s sign-in endpoints with your own custom URL domain instead of Microsoft’s default domain name.

Important

This feature is currently in preview. See the Universal License Terms for Online Services for legal terms that apply to Azure features and services that are in beta, preview, or otherwise not generally available.

Screenshot demonstrates an External ID custom URL domain user experience.

Using a verified custom URL domain has several benefits:

  • It provides a more consistent user experience. From the user's perspective, they remain in your domain during the sign in process rather than redirecting to the default domain <tenant-name>.ciamlogin.com.
  • You mitigate the effect of third-party cookie blocking by staying in the same domain for your application during sign-in.

Tip

Try it now

To try out this feature, go to the Woodgrove Groceries demo and start the "Custom domain name” use case.

How a custom URL domain works

A custom URL domain lets you use your verified custom domain names as your applications' sign-in authentication endpoints. When you add a new custom domain name, you can associate it with a custom URL domain. Then a reverse proxy service, such as Azure Front Door, can use the custom URL domain to direct sign-ins to your application.

The following diagram illustrates Azure Front Door integration:

Diagram showing Azure Front Door integration with External ID.

  1. From an application, a user selects the sign in button, which takes them to the sign in page. This page specifies a custom URL domain.
  2. The web browser resolves the custom URL domain to the Azure Front Door IP address. During Domain Name System (DNS) resolution, a canonical name (CNAME) record with a custom URL domain points to your Front Door default front-end host (for example, contoso-frontend.azurefd.net).
  3. The traffic addressed to the custom URL domain (for example, login.contoso.com) is routed to the specified Front Door default front-end host (contoso-frontend.azurefd.net).
  4. Azure Front Door invokes content using the <tenant-name>.ciamlogin.com default domain. The request to the endpoint includes the original custom URL domain.
  5. External ID responds to the custom URL domain request by displaying the relevant content and the original custom URL domain.

Azure Front Door passes the user's original IP address, which is the IP address you see in the audit reporting.

Important

If the client sends an x-forwarded-for header to Azure Front Door, External ID will use the originator's x-forwarded-for as the user's IP address for Conditional Access evaluation and the {Context:IPAddress} claims resolver.

Considerations and limitations

When using custom URL domains:

  • You can set up multiple custom domains. For the maximum number of supported custom domains, see Microsoft Entra service limits and restrictions for Microsoft Entra, and Azure subscription and service limits, quotas, and constraints for Azure Front Door.
  • You can use Azure Front Door, which is a separate Azure service that incurs extra charges. For more information, see Front Door pricing. Your Azure Front Door instance can be hosted in a different subscription than your external tenant.
  • After you configure custom URL domains, users will still be able to access the default domain name <tenant-name>.ciamlogin.com.
  • If you have multiple applications, migrate them all to the custom URL domain because the browser stores the session under the domain name currently being used.

Important

  • The connection from the browser to Azure Front Door should always use IPv4 instead of IPv6.
  • Custom URL domains don't currently support social identity providers. Users who want to sign up or sign in using a social identity provider will need to use the default endpoint, <tenant-name>.ciamlogin.com, instead of the custom URL domain endpoint.

Next steps

Enable custom URL domains for Microsoft Entra External ID.