Azure Front Door custom domain with Power Pages causing ExternalAuthenticationFailed during Azure AD login

Question

Azure Front Door custom domain with Power Pages causing ExternalAuthenticationFailed during Azure AD login

Sumayyah Shamsudeen 0

I am trying to configure a custom subdomain for a Power Pages website using Azure Front Door as the entry point. The DNS is managed externally.

Setup

Power Pages site has the default URL: *.powerappsportals.com
A custom subdomain is configured to access the portal through Azure Front Door.
Azure Front Door uses the Power Pages URL as the origin.
Front Door managed TLS certificate is enabled for the custom domain.

Configuration Completed

Created Azure Front Door profile.
Added the Power Pages default domain as the origin.
Configured origin group and routing rules.
Added the custom domain in Azure Front Door.
Verified domain ownership using the TXT record provided by Azure.
Added the TXT record in the DNS provider.
Added a CNAME record pointing the subdomain to the Front Door endpoint.
Enabled Front Door managed TLS certificate.
Verified DNS resolution using nslookup, the subdomain correctly resolves to the Front Door endpoint.
Added the custom domain redirect URIs in Azure App Registration.

Issue

When accessing the custom subdomain:

1.The request successfully routes through Azure Front Door.
2.The portal loads and immediately redirects to Microsoft Entra ID for login.
3.Authentication fails with: ExternalAuthenticationFailed

When inspecting the login request to Microsoft Entra ID, the redirect_uri parameter still points to the default Power Pages domain instead of the custom subdomain.

Example:

redirect_uri = https://

Ravi Varma Mudduluru 11,875 Reputation points Microsoft External Staff Moderator

2026-03-09T03:51:46.7466667+00:00

Hello @ Sumayyah Shamsudeen,

Thanks for reaching out to Microsoft Q&A.

If the custom domain is configured only in Azure Front Door, Microsoft Power Pages will continue to recognize and use the default *.powerappsportals.com domain. As a result, the authentication request generates the redirect_uri with the default domain, which can lead to authentication failures when users access the site through the custom subdomain.

To resolve this issue, the custom domain must also be configured directly in Power Pages. Once the domain is registered there, Power Pages will recognize it as a valid hostname and generate the correct redirect_uri using the custom domain. Azure Front Door can still be used as the entry point with managed TLS; however, the domain must also exist in Power Pages for authentication to work properly.

The custom domain should be configured in both locations:

On the Power Pages site

On Azure Front Door

This configuration ensures that cookies and site URLs are generated correctly for the custom domain. The custom domain should first be added in Power Pages so the portal recognizes the hostname, after which DNS can be configured to point the CNAME record to the Front Door endpoint.

Reference Document:

https://learn.microsoft.com/en-us/power-pages/configure/azure-front-door

Kindly let us know if the above helps or you need further assistance on this issue.

Please "upvote" if the information helped you. This will help us and others in the community as well.
Sumayyah Shamsudeen 0 Reputation points

2026-03-09T05:12:18.32+00:00

Thank you for the clarification @Ravi Varma Mudduluru

That explanation about Power Pages needing to recognize the custom domain for generating the correct redirect_uri is helpful.

However, when I attempt to configure the custom domain directly in Power Pages using Connect custom domain, the portal requires me to upload an SSL certificate manually. My initial goal in introducing Azure Front Door was to avoid manual certificate management and instead use the managed TLS certificate provided by Azure Front Door, which automatically handles renewal.

This raised a few follow-up questions for me:

If I configure the custom domain in both Power Pages and Azure Front Door, does that mean there will effectively be two SSL certificates for the same domain (one uploaded in Power Pages and one managed by Front Door)?

Is it possible for Power Pages to use the managed TLS certificate from Azure Front Door, or must a certificate always be uploaded manually when connecting a custom domain in Power Pages?

If manual certificate upload is required in Power Pages, what is the recommended way to automate certificate renewal so that the certificate does not need to be manually replaced every time it expires?

My main objective is to ensure the portal works correctly with the custom domain while also avoiding manual certificate renewal and upload if possible.

Any guidance on the recommended approach for automating this setup would be greatly appreciated.
Ravi Varma Mudduluru 11,875 Reputation points Microsoft External Staff Moderator

2026-03-09T11:19:33.4766667+00:00
Hello @ Sumayyah Shamsudeen,

However, when I attempt to configure the custom domain directly in Power Pages using Connect custom domain, the portal requires me to upload an SSL certificate manually. My initial goal in introducing Azure Front Door was to avoid manual certificate management and instead use the managed TLS certificate provided by Azure Front Door, which automatically handles renewal.

If you choose the certificate type as AFD managed, the certificate will be renewed automatically.

Reference:

https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-add-custom-domain

Kindly let us know if the above helps or you need further assistance on this issue.

Please "upvote" if the information helped you. This will help us and others in the community as well.
Sumayyah Shamsudeen 0 Reputation points

2026-03-09T16:31:53.0966667+00:00
Thank you for the response @Ravi Varma Mudduluru

I understand that when configuring a custom domain in Azure Front Door, selecting AFD managed certificate allows the TLS certificate to be issued and renewed automatically. That part of the configuration has already been completed successfully on my side.

My confusion is related to the Power Pages configuration step you mentioned earlier when you said that “the custom domain must also be configured directly in Power Pages so that it is recognized as a valid hostname.”

When I go to Power Platform Admin Center → Power Pages site(Private site) → Connect custom domain, the portal asks me to upload an SSL certificate manually for the custom domain. Here's the screenshot attached:

This appears to be a separate certificate requirement from the AFD managed TLS certificate that is already configured in Azure Front Door.

Currently the setup is:

Custom domain added and validated in Azure Front Door

AFD managed TLS certificate enabled for the custom domain

DNS configured so the subdomain resolves to the Front Door endpoint

Redirect URIs for the custom domain added in Azure AD App Registration

When accessing the custom domain, the request flows through Azure Front Door and an intermediate authentication URL appears similar to:

https://login.microsoftonline.com/<tenant-id>/oauth2/authorize?...&redirect_uri=https://<powerpages-default-domain>/

After authentication, the portal redirects to:

https://<portal>.powerappsportals.com/Account/Login/ExternalAuthenticationFailed

Ideally the login flow should return to something like:

https://<custom-domain>/SignIn?ReturnUrl=%2F
Sumayyah Shamsudeen 0 Reputation points

2026-03-09T16:50:52.55+00:00
So I want to clarify the following:

When you say the custom domain must also be configured in Power Pages, are you referring specifically to the “Connect custom domain” step in the Power Platform Admin Center?

If so, does that mean a separate SSL certificate must always be uploaded in Power Pages, even when Azure Front Door already has a managed TLS certificate for the same domain?

Is there any supported way for Power Pages to use the Azure Front Door managed certificate, or must the certificate always be managed separately in Power Pages?

Additionally, if configuring the custom domain inside Power Pages is not required, could you please clarify what additional configuration might be needed to resolve the ExternalAuthenticationFailed issue, given that the DNS, routing, and Azure Front Door setup are already functioning correctly?

My main goal is to ensure the custom domain works correctly with authentication while avoiding manual certificate upload and renewal if possible.
Ravi Varma Mudduluru 11,875 Reputation points Microsoft External Staff Moderator

2026-03-10T14:50:16+00:00

Hello @Sumayyah Shamsudeen,

Thank you for reaching out with your follow-up questions.

As we do not see any issue with Azure Front Door, we request you to please raise an issue on the forum below so the Power Pages team can review it and provide clarification from their side.

Power pages related is currently not supported in the Q&A forums, the supported products are listed over here Supported products on MS Q&A (more to be added later on).

You can ask the experts in the dedicated MS Power platform community forum.

Can you please open as a new thread in MS Power platform community Find Answers | Microsoft Power Platform Community

I hope it helps! and do let me know if you have further queries.

Reference document: https://learn.microsoft.com/en-us/power-pages/getting-started/community

1 answer

Your answer

Ravi Varma Mudduluru 11,875 Reputation points Microsoft External Staff Moderator

2026-03-09T03:51:46.7466667+00:00

Hello @ Sumayyah Shamsudeen,

Thanks for reaching out to Microsoft Q&A.

If the custom domain is configured only in Azure Front Door, Microsoft Power Pages will continue to recognize and use the default *.powerappsportals.com domain. As a result, the authentication request generates the redirect_uri with the default domain, which can lead to authentication failures when users access the site through the custom subdomain.

To resolve this issue, the custom domain must also be configured directly in Power Pages. Once the domain is registered there, Power Pages will recognize it as a valid hostname and generate the correct redirect_uri using the custom domain. Azure Front Door can still be used as the entry point with managed TLS; however, the domain must also exist in Power Pages for authentication to work properly.

The custom domain should be configured in both locations:

On the Power Pages site

On Azure Front Door

This configuration ensures that cookies and site URLs are generated correctly for the custom domain. The custom domain should first be added in Power Pages so the portal recognizes the hostname, after which DNS can be configured to point the CNAME record to the Front Door endpoint.

Reference Document:

https://learn.microsoft.com/en-us/power-pages/configure/azure-front-door

Kindly let us know if the above helps or you need further assistance on this issue.

Please "upvote" if the information helped you. This will help us and others in the community as well.
Sumayyah Shamsudeen 0 Reputation points

2026-03-09T05:12:18.32+00:00

Thank you for the clarification @Ravi Varma Mudduluru

That explanation about Power Pages needing to recognize the custom domain for generating the correct redirect_uri is helpful.

However, when I attempt to configure the custom domain directly in Power Pages using Connect custom domain, the portal requires me to upload an SSL certificate manually. My initial goal in introducing Azure Front Door was to avoid manual certificate management and instead use the managed TLS certificate provided by Azure Front Door, which automatically handles renewal.

This raised a few follow-up questions for me:

If I configure the custom domain in both Power Pages and Azure Front Door, does that mean there will effectively be two SSL certificates for the same domain (one uploaded in Power Pages and one managed by Front Door)?

Is it possible for Power Pages to use the managed TLS certificate from Azure Front Door, or must a certificate always be uploaded manually when connecting a custom domain in Power Pages?

If manual certificate upload is required in Power Pages, what is the recommended way to automate certificate renewal so that the certificate does not need to be manually replaced every time it expires?

My main objective is to ensure the portal works correctly with the custom domain while also avoiding manual certificate renewal and upload if possible.

Any guidance on the recommended approach for automating this setup would be greatly appreciated.
Ravi Varma Mudduluru 11,875 Reputation points Microsoft External Staff Moderator

2026-03-09T11:19:33.4766667+00:00

Hello @ Sumayyah Shamsudeen,

However, when I attempt to configure the custom domain directly in Power Pages using Connect custom domain, the portal requires me to upload an SSL certificate manually. My initial goal in introducing Azure Front Door was to avoid manual certificate management and instead use the managed TLS certificate provided by Azure Front Door, which automatically handles renewal.

If you choose the certificate type as AFD managed, the certificate will be renewed automatically.

Reference:

https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-add-custom-domain

Kindly let us know if the above helps or you need further assistance on this issue.

Please "upvote" if the information helped you. This will help us and others in the community as well.
Sumayyah Shamsudeen 0 Reputation points

2026-03-09T16:31:53.0966667+00:00

Thank you for the response @Ravi Varma Mudduluru

I understand that when configuring a custom domain in Azure Front Door, selecting AFD managed certificate allows the TLS certificate to be issued and renewed automatically. That part of the configuration has already been completed successfully on my side.

My confusion is related to the Power Pages configuration step you mentioned earlier when you said that “the custom domain must also be configured directly in Power Pages so that it is recognized as a valid hostname.”

When I go to Power Platform Admin Center → Power Pages site(Private site) → Connect custom domain, the portal asks me to upload an SSL certificate manually for the custom domain. Here's the screenshot attached:

This appears to be a separate certificate requirement from the AFD managed TLS certificate that is already configured in Azure Front Door.

Currently the setup is:

Custom domain added and validated in Azure Front Door

AFD managed TLS certificate enabled for the custom domain

DNS configured so the subdomain resolves to the Front Door endpoint

Redirect URIs for the custom domain added in Azure AD App Registration

When accessing the custom domain, the request flows through Azure Front Door and an intermediate authentication URL appears similar to:

https://login.microsoftonline.com/<tenant-id>/oauth2/authorize?...&redirect_uri=https://<powerpages-default-domain>/

After authentication, the portal redirects to:

https://<portal>.powerappsportals.com/Account/Login/ExternalAuthenticationFailed

Ideally the login flow should return to something like:

https://<custom-domain>/SignIn?ReturnUrl=%2F
Sumayyah Shamsudeen 0 Reputation points

2026-03-09T16:50:52.55+00:00

So I want to clarify the following:

When you say the custom domain must also be configured in Power Pages, are you referring specifically to the “Connect custom domain” step in the Power Platform Admin Center?

If so, does that mean a separate SSL certificate must always be uploaded in Power Pages, even when Azure Front Door already has a managed TLS certificate for the same domain?

Is there any supported way for Power Pages to use the Azure Front Door managed certificate, or must the certificate always be managed separately in Power Pages?

Additionally, if configuring the custom domain inside Power Pages is not required, could you please clarify what additional configuration might be needed to resolve the ExternalAuthenticationFailed issue, given that the DNS, routing, and Azure Front Door setup are already functioning correctly?

My main goal is to ensure the custom domain works correctly with authentication while avoiding manual certificate upload and renewal if possible.
Ravi Varma Mudduluru 11,875 Reputation points Microsoft External Staff Moderator

2026-03-10T14:50:16+00:00

Hello @Sumayyah Shamsudeen,

Thank you for reaching out with your follow-up questions.

As we do not see any issue with Azure Front Door, we request you to please raise an issue on the forum below so the Power Pages team can review it and provide clarification from their side.

Power pages related is currently not supported in the Q&A forums, the supported products are listed over here Supported products on MS Q&A (more to be added later on).

You can ask the experts in the dedicated MS Power platform community forum.

Can you please open as a new thread in MS Power platform community Find Answers | Microsoft Power Platform Community

I hope it helps! and do let me know if you have further queries.

Reference document: https://learn.microsoft.com/en-us/power-pages/getting-started/community

Answer 1

Yes. The custom domain must also be configured directly on the Power Pages site, not only on Azure Front Door and in DNS.

Power Pages generates its authentication URLs (including redirect_uri) based on the site’s configured host name. If the site only knows about the default *.powerappsportals.com domain, it will continue to use that in the Entra ID redirect, even when requests arrive through Azure Front Door.

To fix the ExternalAuthenticationFailed and ensure redirect_uri uses the custom subdomain:

Configure the custom domain on the Power Pages site itself (Connect/Add Custom Domain) so that the site recognizes the custom host name as valid for the portal.
Then follow the documented pattern for Azure Front Door with Power Pages:
- Use the Power Pages default domain as the origin host name in Front Door.
- After the custom domain is added to Power Pages, update DNS so the CNAME for the custom domain points to the Azure Front Door endpoint (not directly to Power Pages).
- Configure the same custom domain on the Azure Front Door endpoint and complete domain validation / TLS.
Confirm with nslookup that the custom domain’s CNAME now points to the Front Door endpoint and that browsing the custom domain shows the Power Pages site.

This sequence ensures that:

Power Pages accepts the custom domain and sets cookies and authentication URLs for it.
Azure Front Door fronts that custom domain and forwards traffic to the Power Pages origin.

Without adding the custom domain in Power Pages, the portal continues to use the default domain in the Entra ID redirect, which leads to the ExternalAuthenticationFailed behavior described.

References:

Share via

Azure Front Door custom domain with Power Pages causing ExternalAuthenticationFailed during Azure AD login

1 answer

Your answer