Handling Dynamic Subdomains for Redirect URIs in Azure AD

John Walter 0 Reputation points
2023-05-26T08:18:27.6866667+00:00

Hello Azure Community,

I am developing a web project management application and integrating OneDrive through Azure AD. In our application, each workspace is created with a unique subdomain, and this subdomain is dynamically generated.

I understand that Azure AD does not support wildcard Redirect URIs due to security concerns. Given this, I am looking for a solution to handle the OAuth2 redirect for multiple dynamic subdomains.

One solution I've considered is programmatically adding each new subdomain as a redirect URI using the Microsoft Graph API. However, this could be cumbersome if we end up with a large number of subdomains.

Another potential solution is to create a single "authentication" subdomain, and route all authentication through this subdomain. However, this approach seems to have its own security implications.

I would greatly appreciate any advice or best practices on how to handle dynamic subdomains for OAuth2 redirects with Azure AD.

Thank you in advance for your help!

Best regards,
John


1 answer

  1. Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator
    2023-05-29T16:43:15.17+00:00

    Hello @John Walter, Azure AD supports a maximum of 100 and 250 redirect URIs for apps supporting personal accounts and work accounts respectively. That being said, you can try storing the specific dynamic redirect URI or an identifier in the state param during an authentication request so that it can be retrieved after authentication and used to do a final redirect. The flow would be like this:

    1. Client sends an authentication request for subdomain xyz.contoso.com and stores it or an identifier in the state param.
    2. The authentication request ends with Azure AD redirecting to the default redirect URI, e.g. https://contoso.com/callback
    3. Client application reads the returned state param and, based on its value, redirects to https://xyz.contoso.com

    Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.
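The state-parameter handoff described in the answer above, as an added example that is not code from the original post or from Microsoft. It uses only the Python standard library and assumes a tenant of `common`, a placeholder client ID, `contoso.com` as the base domain with `https://contoso.com/callback` as the single registered redirect URI, and a 600-second state lifetime; all of these are assumptions. The parts a practitioner wants beyond the three-step flow are the checks: the state is HMAC-signed so a caller cannot forge the target, it carries a nonce that must match the one stored in the user's session (CSRF protection), and the subdomain is validated against a strict label pattern with the base domain appended server-side, so the final redirect can never point off-site.

```python
import base64
import hashlib
import hmac
import json
import re
import secrets
import time
import urllib.parse

# Assumed configuration for this example (not taken from the original post).
TENANT = "common"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"   # placeholder app ID
DEFAULT_REDIRECT_URI = "https://contoso.com/callback"  # the one registered redirect URI
BASE_DOMAIN = "contoso.com"
STATE_KEY = secrets.token_bytes(32)   # server-side secret; load from config in real use
STATE_TTL_SECONDS = 600
# One DNS label: alphanumerics and hyphens, no dots, so "evil.com/" can never pass.
SUBDOMAIN_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_state(subdomain: str, key: bytes = STATE_KEY) -> tuple[str, str]:
    """Build a signed state value; returns (state, nonce).

    The nonce must be stored in the user's session so the callback can bind
    the response to the browser that started the request."""
    if not SUBDOMAIN_RE.match(subdomain):
        raise ValueError("invalid subdomain")
    nonce = secrets.token_urlsafe(16)
    payload = json.dumps(
        {"sub": subdomain, "n": nonce, "exp": int(time.time()) + STATE_TTL_SECONDS},
        separators=(",", ":"),
    ).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64url(payload)}.{_b64url(mac)}", nonce


def build_authorize_url(subdomain: str, key: bytes = STATE_KEY) -> tuple[str, str]:
    """Step 1: the authorization request always names the default redirect URI;
    the workspace subdomain travels only inside the signed state."""
    state, nonce = make_state(subdomain, key)
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": DEFAULT_REDIRECT_URI,
        "scope": "openid Files.Read offline_access",
        "state": state,
    }
    url = (f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize?"
           + urllib.parse.urlencode(params))
    return url, nonce


def resolve_callback(state: str, session_nonce: str, key: bytes = STATE_KEY) -> str:
    """Steps 2 and 3: validate the state returned to /callback and compute the
    final redirect target. Raises ValueError on tampering, replay, expiry or
    an unexpected subdomain."""
    try:
        payload_b64, mac_b64 = state.split(".", 1)
        payload = _b64url_decode(payload_b64)
        mac = _b64url_decode(mac_b64)
    except (ValueError, TypeError) as exc:
        raise ValueError("malformed state") from exc
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("state signature mismatch")
    data = json.loads(payload)
    # Bind the response to the session that initiated the request (CSRF check).
    if not hmac.compare_digest(str(data.get("n", "")).encode(), session_nonce.encode()):
        raise ValueError("state nonce does not match session")
    if int(data.get("exp", 0)) < time.time():
        raise ValueError("state expired")
    sub = str(data.get("sub", ""))
    # Re-validate even though the payload is signed: defence in depth against
    # a future bug in make_state, and it keeps this an allowlist, not a trust.
    if not SUBDOMAIN_RE.match(sub):
        raise ValueError("unexpected subdomain in state")
    # The base domain is fixed here, never read from the request.
    return f"https://{sub}.{BASE_DOMAIN}/"


if __name__ == "__main__":
    url, nonce = build_authorize_url("xyz")
    print(url)
    state = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)["state"][0]
    print(resolve_callback(state, nonce))   # https://xyz.contoso.com/
```

In this design the authorization code is still delivered to `contoso.com/callback`, so the code-to-token exchange and session creation happen there; the final redirect to `xyz.contoso.com` then only needs to carry the application's own session handoff (a short-lived, single-use token, for instance), not the OAuth2 code. The subdomain check is deliberately a pattern on one DNS label rather than a prefix match on the full hostname, since a prefix check would accept `contoso.com.evil.com`.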


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.