Azure B2C with custom domain unable to login anymore

wstaelens 36 Reputation points
2022-10-27T10:12:45.487+00:00

We are developing a web application using B2C.

ourcompany.com has an application called ourapplication.com.
Every user should use and login to our application via ourapplication.com.
We followed the steps to use B2C and therefore needed to create a new tenant (ourapplication name tenant).

Which results in two tenants:

  • ourcompany name tenant
  • ourapplication name tenant

Everything was working fine, our application was accessible via https://ourapplication.azurewebsites.net and B2C login was working.

We own the custom domain "ourapplication.com".
Instead of using https://ourapplication.azurewebsites.net we wanted to link the ourapplication.com custom domain name.

We followed the steps to add a custom domain to an app service.

https://learn.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-domain?tabs=a%2Cazurecli

and we added a free certificate:
https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex%2Cportal#create-a-free-managed-certificate

We did this in the "ourcompany name" tenant, where we see our app service. (We don't see an app service in the tenant we needed to create for B2C.)

Now when I log in to our other tenant: "ourapplication name" tenant.
Going to "Azure Active Directory" we see there is a menu item "Custom domain names". But our custom domain "ourapplication.com" is not listed there. We only see "ourapplicationname.onmicrosoft.com".

Since we tried to add a custom domain:

  1. we are sometimes unable to sign in again to our application via ourapplication.azurewebsites.net (B2C login fails; I guess redirect URLs are confused with the custom domain/DNS issue?)
  2. we are unable to log in when running our application via Visual Studio 2022 when debugging (we don't receive an access token anymore - AcquireSilentToken)
  3. What is the difference between "ourcompany tenant > app services > custom domain" and "ourapplication tenant > azure active directory > custom domain"? What should be used? Should they both be configured to ourapplication.com? This is not clear.

Hopefully somebody could shine a light allowing us to sign in again via B2C and allowing us to use our custom domain name.

( I've seen Azure Front Door for B2C, but have not touched this, as this is I guess only to make the "login part" nicer that it stays on the same domain. https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-domain?pivots=b2c-user-flow )

We've also seen an error when we navigate to "https://ourapplication.com": AADB2C90018 The client id '<...>' specified in the request is not registered in tenant 'ourapplication.onmicrosoft.com'.


2 answers

  1. Marilee Turscak-MSFT 34,036 Reputation points Microsoft Employee
    2022-10-28T20:44:44.973+00:00

    Hi @wstaelens ,

    Thanks for your post! The custom domain feature in Azure AD B2C currently only works with Azure Front Door, since it supports hostname/URL rewrite in the cookies. If you try to use any other features such as a CName record that is not pointed to your Azure Front Door default frontend host, it will fail, as the hostname in the cookies will not be rewritten and navigation between B2C pages will fail due to hostname mismatch in the cookies.

    The Custom domain feature of Azure Front Door is included with both the standard and premium pricing tiers: https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/tier-comparison#feature-comparison

    If you'd like support for custom domains to be added to B2C without the use of Azure Front Door, you can share feedback in the Ideas portal, which is monitored by the product team. I'm also happy to share your feedback if you would like to provide more details about your business case.

    See related threads:

    Configure Custom domains for Azure Active Directory B2C

    Frontdoor fallback URL

    -

    If the information helped you, please Accept the answer. This will help us and other community members as well.

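The answer above rests on one mechanism: browser cookies are scoped to a host, so a cookie the B2C origin scopes to tenant.b2clogin.com is never stored for, or sent to, a custom host unless something in the path rewrites that scope. The following added example (not from the thread, not Microsoft's or Front Door's code) models that with a minimal RFC 6265 cookie store and a constructed two-step sign-in flow. The hostnames, the cookie name `b2c_flow_example` and the `rewrite_cookie_domain` helper are assumptions that stand in for the real tenant, the real B2C cookies and Front Door's host rewrite.

```python
"""Model of why a plain CNAME to <tenant>.b2clogin.com breaks B2C page
navigation while a Front Door that rewrites the cookie host does not.
Added example; hostnames and cookie names are constructed."""
from dataclasses import dataclass
from urllib.parse import urlsplit

B2C_ORIGIN_HOST = "ourapplication.b2clogin.com"  # constructed B2C tenant host
CUSTOM_HOST = "login.ourapplication.com"          # constructed custom domain


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: exact match, or the request host is a
    subdomain of the cookie domain."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".").rstrip(".")
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def store_cookie(jar: list, set_cookie: str, response_host: str) -> bool:
    """Emulate a browser processing one Set-Cookie header (RFC 6265 section 5.3).
    Returns False when the cookie is discarded because its Domain attribute
    does not cover the host that sent it."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name, _, value = parts[0].partition("=")
    domain = response_host  # no Domain attribute means a host-only cookie
    for attr in parts[1:]:
        key, _, attr_value = attr.partition("=")
        if key.lower() == "domain":
            domain = attr_value
    if not domain_matches(response_host, domain):
        return False
    jar.append(Cookie(name, value, domain))
    return True


def cookies_sent(jar: list, url: str) -> list:
    """Names of stored cookies the browser would attach to a request for url."""
    host = urlsplit(url).hostname
    return [c.name for c in jar if domain_matches(host, c.domain)]


def rewrite_cookie_domain(set_cookie: str, origin_host: str, public_host: str) -> str:
    """Simplified stand-in (assumption) for the Front Door behaviour the answer
    relies on: the Domain attribute written by the origin is replaced with the
    public host the browser is actually talking to."""
    return set_cookie.replace(f"Domain={origin_host}", f"Domain={public_host}")


def simulate_sign_in(front_door_rewrite: bool) -> list:
    """Constructed two-step flow: the B2C origin sets a cookie on the first
    sign-in page, then the browser requests the next page on the custom
    domain. Returns the cookie names that reach that second request."""
    origin_header = (
        f"b2c_flow_example=abc123; Domain={B2C_ORIGIN_HOST}; "
        "Path=/; Secure; HttpOnly"
    )
    header = (
        rewrite_cookie_domain(origin_header, B2C_ORIGIN_HOST, CUSTOM_HOST)
        if front_door_rewrite
        else origin_header
    )
    jar: list = []
    # The browser sees CUSTOM_HOST as the responding host in both cases
    # (the CNAME or Front Door front end answers under that name).
    store_cookie(jar, header, CUSTOM_HOST)
    return cookies_sent(jar, f"https://{CUSTOM_HOST}/next-sign-in-page")


if __name__ == "__main__":
    print("plain CNAME, no rewrite:", simulate_sign_in(front_door_rewrite=False))
    print("Front Door rewrite:     ", simulate_sign_in(front_door_rewrite=True))
```

Without the rewrite the browser discards the cookie at store time, because a response from login.ourapplication.com may not set a cookie scoped to ourapplication.b2clogin.com; the next B2C page therefore arrives with no session cookie, which is the "hostname mismatch" failure the answer describes. With the Domain attribute rewritten to the public host the cookie is stored and sent normally.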

  2. wstaelens 36 Reputation points
    2022-11-02T08:35:39.353+00:00

    Thanks for the answer.

    Can you first clarify this: which of the following is correct, or what am I missing?

    am I understanding it correctly:

    It is possible to use a custom domain name ourwebsite.com instead of having to use ourwebsite.azurewebsite.net.
    Only Azure Front Door is required when we want to keep the users on ourwebsite.com instead of redirecting them to yourtenant.b2clogin.com during login.

    Meaning this scenario will work?
    a) user goes to www.ourwebsite.com.
    b) user logs in, during login being redirected to yourtenant.b2clogin.com/... url.
    c) after being logged in, user gets back to www.ourwebsite.com.

    Azure Front Door is only required in the B2C scenario where you want to keep the login part (b) on the same domain.

    Is this correct or not?

    • Could you answer this also:

    1) "What is the difference between "ourcompany tenant > app services > custom domain" and "ourapplication tenant > azure active directory > custom domain"?"

    (P.S.: link to ideas portal does not work)