Entra External ID - How to replace ciamlogin.com with custom domain while keeping Google and Facebook social login working

Question

Entra External ID - How to replace ciamlogin.com with custom domain while keeping Google and Facebook social login working

Ashok Kumar Busi 1

We are using Microsoft Entra External ID (CIAM) with Google and Facebook configured as social identity providers.

Current behaviour:

When users click "Sign in with Google", the Google sign-in page shows "Sign in to continue to ciamlogin.com" instead of our branded domain.

What we want:

Replace ciamlogin.com with our own branded domain so users see our domain on the Google sign-in page.

What we tried:

When clicking "Add Custom URL domain" in the Entra admin center portal (External Identities → Custom URL domains), the portal displays this warning:

"Currently, if you configure Custom URL domains, your configured social identity providers will not be supported in the user flows via a Custom URL domain. However, your users will continue to sign up and sign in with their social identities using the default tenant endpoint."

However, the official Microsoft documentation states:

"Social identity providers: Custom URL domains now support Google and Facebook in addition to Apple."

Source: https://learn.microsoft.com/en-us/entra/external-id/customers/concept-custom-url-domain

Questions:

What is the correct and supported way to replace ciamlogin.com with a custom branded domain?
Is the portal warning outdated? Will Google and Facebook social login continue to work after configuring a custom URL domain?
What are the exact steps required to configure this correctly?

Sridevi Machavarapu 31,585 Reputation points Microsoft External Staff Moderator

2026-05-15T18:05:13.5766667+00:00
Hello Ashok Kumar Busi,

The supported way to replace ciamlogin.com is to configure a custom URL domain using Front Door and update your app and user flow URLs to use that domain. This setup is supported and works for the main sign-in experience.

For Google and Facebook sign-ins, the flow is slightly different.

The documentation states that custom URL domains support Google and Facebook sign-ins. However, the social sign-in flow still relies on some Microsoft-managed backend services, and those services may still reference ciamlogin.com in certain cases.

Because of this, users may continue to see ciamlogin.com on the Google or Facebook sign-in page even after configuring a custom domain. This is expected in many environments today.

About the portal warning:

It does not fully match the latest documentation

But it does reflect the current limitations with social sign-ins and custom domains
Ashok Kumar Busi 1 Reputation point

2026-05-17T12:10:13.26+00:00
Hello Sridevi,

Thank you for the clarification. This is very helpful.

We understand that ciamlogin.com may still appear for social sign-ins even after configuring a custom URL domain. However, we are concerned about the user experience — showing ciamlogin.com instead of our brand domain on the Google sign-in page looks unprofessional and may confuse end users in production.

Could you please advise:

Is there any currently supported configuration that guarantees our branded domain appears on the Google sign-in page instead of ciamlogin.com for Google and Facebook social sign-ins?

Is this a known limitation being actively worked on by the Entra External ID team? If yes, is there an expected timeline for a fix?

Are there any other customers who have successfully resolved this for production social sign-in flows? If yes, what was their approach?

We have a production application with real users and need a branded experience. Any guidance on the recommended path forward would be greatly appreciated.

Thank you
Sridevi Machavarapu 31,585 Reputation points Microsoft External Staff Moderator

2026-05-19T01:52:56.06+00:00

Hello Ashok Kumar Busi,

The supported way to replace ciamlogin.com is to configure a custom URL domain using Azure Front Door.

Configuration steps: Configure custom URL domain for Microsoft Entra External ID

The documentation also confirms support for Google and Facebook social identity providers with custom URL domains: Custom URL domain concepts for External ID

Regarding the portal warning, it does not fully match the latest documentation. Google and Facebook sign-in flows continue to work after configuring the custom URL domain.

However, during some parts of the social sign-in flow, Google or Facebook may still display ciamlogin.com. This behavior is currently expected.

At present, there is no documented configuration that guarantees the branded domain will appear in every Google or Facebook sign-in screen. Internal guidance also confirms Azure Front Door with verified custom domains as the supported setup for External ID custom branding.

1 answer

Your answer

Sridevi Machavarapu 31,585 Reputation points Microsoft External Staff Moderator

2026-05-15T18:05:13.5766667+00:00

Hello Ashok Kumar Busi,

The supported way to replace ciamlogin.com is to configure a custom URL domain using Front Door and update your app and user flow URLs to use that domain. This setup is supported and works for the main sign-in experience.

For Google and Facebook sign-ins, the flow is slightly different.

The documentation states that custom URL domains support Google and Facebook sign-ins. However, the social sign-in flow still relies on some Microsoft-managed backend services, and those services may still reference ciamlogin.com in certain cases.

Because of this, users may continue to see ciamlogin.com on the Google or Facebook sign-in page even after configuring a custom domain. This is expected in many environments today.

About the portal warning:

It does not fully match the latest documentation

But it does reflect the current limitations with social sign-ins and custom domains
Ashok Kumar Busi 1 Reputation point

2026-05-17T12:10:13.26+00:00

Hello Sridevi,

Thank you for the clarification. This is very helpful.

We understand that ciamlogin.com may still appear for social sign-ins even after configuring a custom URL domain. However, we are concerned about the user experience — showing ciamlogin.com instead of our brand domain on the Google sign-in page looks unprofessional and may confuse end users in production.

Could you please advise:

Is there any currently supported configuration that guarantees our branded domain appears on the Google sign-in page instead of ciamlogin.com for Google and Facebook social sign-ins?

Is this a known limitation being actively worked on by the Entra External ID team? If yes, is there an expected timeline for a fix?

Are there any other customers who have successfully resolved this for production social sign-in flows? If yes, what was their approach?

We have a production application with real users and need a branded experience. Any guidance on the recommended path forward would be greatly appreciated.

Thank you
Sridevi Machavarapu 31,585 Reputation points Microsoft External Staff Moderator

2026-05-19T01:52:56.06+00:00

Hello Ashok Kumar Busi,

The supported way to replace ciamlogin.com is to configure a custom URL domain using Azure Front Door.

Configuration steps: Configure custom URL domain for Microsoft Entra External ID

The documentation also confirms support for Google and Facebook social identity providers with custom URL domains: Custom URL domain concepts for External ID

Regarding the portal warning, it does not fully match the latest documentation. Google and Facebook sign-in flows continue to work after configuring the custom URL domain.

However, during some parts of the social sign-in flow, Google or Facebook may still display ciamlogin.com. This behavior is currently expected.

At present, there is no documented configuration that guarantees the branded domain will appear in every Google or Facebook sign-in screen. Internal guidance also confirms Azure Front Door with verified custom domains as the supported setup for External ID custom branding.

Answer 1

The supported way to replace *.ciamlogin.com with a branded domain is to configure a custom URL domain for the external tenant and then use that custom domain in the application sign-in URLs and user flows. A verified custom URL domain lets the sign-in endpoints use the branded domain instead of <tenant-name>.ciamlogin.com, so users stay on the branded domain during sign-in.
The documentation explicitly states that custom URL domains now support Google and Facebook in addition to Apple for external tenants. This means social identity providers (Google, Facebook, Apple) are supported with custom URL domains. The in-portal warning that says “configured social identity providers will not be supported in the user flows via a Custom URL domain” is inconsistent with the documentation and is effectively outdated relative to the documented capability. Users can still sign up and sign in with their social identities when a custom URL domain is configured; the sign-in experience is branded with the custom domain instead of ciamlogin.com.
At a high level, the steps to configure this correctly are:
1. Configure and verify a custom URL domain for the external tenant (External Identities → Custom URL domains) so that the tenant has a branded domain available instead of <tenant-name>.ciamlogin.com.
2. Test the custom URL domain with a user flow:
  - In the Microsoft Entra admin center, switch to the external tenant.
  - Go to External Identities → User flows.
  - Select the relevant user flow and choose Run user flow.
  - Select a web application (for example, webapp1 with reply URL https://jwt.ms).
  - Copy the Run user flow endpoint URL.
  - In that URL, replace the domain segment (<tenant-name>.ciamlogin.com) with the custom URL domain.
    - Example from the documentation:
      - Default:
        https://contoso.ciamlogin.com/contoso.onmicrosoft.com/oauth2/v2.0/authorize?...
      - Custom domain:
        https://login.contoso.com/contoso.onmicrosoft.com/oauth2/v2.0/authorize?...
  - Open the modified URL in a browser and verify that the sign-in page loads correctly and that sign-in (including social identity providers such as Google and Facebook) works.
3. Update application configurations and any integration points to use the custom URL domain instead of *.ciamlogin.com in their authority/issuer or sign-in URLs, so that all sign-in flows go through the branded domain.
4. Optionally, after confirming that the custom URL domain works end-to-end, request blocking of the default *.ciamlogin.com domain via a support ticket, as recommended for security. Before blocking, ensure all features and apps that previously used *.ciamlogin.com are updated to use the custom URL domain.
The result is that users see the branded domain in their sign-in journeys, including when they are redirected to social identity providers such as Google and Facebook.

References:

Share via

Entra External ID - How to replace ciamlogin.com with custom domain while keeping Google and Facebook social login working

1 answer

Your answer