Azure AD B2C Custom Domain through CDN yields errors

Dan 11 Reputation points
2021-07-23T09:24:28.267+00:00

The Setup & Repro is pretty straightforward:

  • Create AD B2C Tenant
  • Add Custom Domain and verify & make primary
  • Add Google Provider (I guess any Social but I just used google)
  • Create App Registration following all the integration assistant steps for Web App
  • Setup https://jwt.ms as redirect target
  • Setup SignupSignin flow
  • Leave Claims empty for simplicity
  • Create CDN Endpoint to point to <tenant>.b2clogin.com
  • Disable Caching through global rules (bypass cache)
  • Add Custom domain to it & enable HTTPS
  • Wait for CDN to work (An hour or two perhaps?)
  • Verify https://login.custom.tld/<B2C-tenant-ID>/B2C_1_<UserFlowName>/v2.0/.well-known/openid-configuration returns correct data

Now you can try using:
https://<B2C-tenant-Name>.b2clogin.com/<B2C-tenant-ID>/oauth2/v2.0/authorize?p=B2C_1_<UserFlowName>&client_id=<AppID>&nonce=defaultNonce&redirect_uri=https%3A%2F%2Fjwt.ms&scope=openid&response_type=code&prompt=login

This will work as it does not use the CDN.

But using the CDN will not work:
https://login.custom.tld/<B2C-tenant-ID>/oauth2/v2.0/authorize?p=B2C_1_<UserFlowName>&client_id=<AppID>&nonce=defaultNonce&redirect_uri=https%3A%2F%2Fjwt.ms&scope=openid&response_type=code&prompt=login

Interestingly enough, the user through Social does end up being created in AD, but the user gets an error like:

Correlation ID: fe631c87-45be-4b67-bbe9-39dd575e4ca4
Timestamp: 2021-07-23 08:58:58Z
AADB2C: An exception has occurred.

The Audit Log to the ID yields:

Date 7/23/2021, 10:58 AM
Activity Type Evaluate conditional access policies
Correlation ID fe631c87-45be-4b67-bbe9-39dd575e4ca4
Category IdentityProtection
Status failure
Status reason N/A

It suggests some Conditional Access Policies but the brand new AD B2C Tenant has none.

Any Clues?


2 answers

  1. AmanpreetSingh-MSFT 56,876 Reputation points Moderator
    2021-08-06T03:53:43.707+00:00

    Hi @Dan · I have tried to explain it better in my answer below:

    Why it does not work with regular CDN (or even just a CNAME!)?

    The reason is, when you use CDN or a CName for B2C custom domain, the hostname in the cookies is not rewritten and navigation between B2C pages, with custom and default (b2clogin.com) domains would fail due to hostname mismatch in the cookies. As of now, Azure AD B2C Custom Domains are only compliant with Azure Front Door which supports this functionality.

    You may post your feedback regarding this at our Product Feedback portal, which is monitored by the product team for product enhancement.

    If you have any further questions, feel free to tag me in your reply.

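The hostname mismatch described in this answer is the ordinary browser cookie domain-match rule: a Set-Cookie whose Domain attribute names the default b2clogin.com host is discarded when the response arrived via login.custom.tld, so the next page in the flow has no session. The following diagnostic is an added example, not code from this thread or from Microsoft; the Set-Cookie headers and cookie names in it are constructed for illustration.

```python
"""Flag Set-Cookie headers a browser would reject for the requested host.

Added example; the headers below are constructed, not captured from B2C.
"""

# Constructed: the custom domain from the question and three sample headers
# as a CDN that does not rewrite hostnames might pass them through.
REQUEST_HOST = "login.custom.tld"
SAMPLE_SET_COOKIE = [
    "session=abc123; Domain=.contoso.b2clogin.com; Path=/; Secure; HttpOnly",
    "csrf=def456; Path=/; Secure; HttpOnly",            # host-only cookie
    "ui=ghi789; Domain=.custom.tld; Path=/; Secure",    # parent of request host
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attr: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def domain_matches(request_host, cookie_domain):
    """RFC 6265 domain-match: host equals domain or is a subdomain of it."""
    host = request_host.lower()
    domain = cookie_domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def rejected_cookies(request_host, set_cookie_headers):
    """Return (name, domain) for cookies whose Domain does not match the host.

    Cookies without a Domain attribute are host-only and always accepted.
    """
    rejected = []
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        domain = attrs.get("domain")
        if domain and not domain_matches(request_host, domain):
            rejected.append((name, domain))
    return rejected


if __name__ == "__main__":
    for name, domain in rejected_cookies(REQUEST_HOST, SAMPLE_SET_COOKIE):
        print(f"browser would drop cookie {name!r}: Domain={domain} "
              f"does not match {REQUEST_HOST}")
```

Run it against the real Set-Cookie headers from a failing flow (captured from the browser's network tab) to confirm whether the session cookies are the ones being dropped.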

  2. AmanpreetSingh-MSFT 56,876 Reputation points Moderator
    2021-07-26T11:56:18.643+00:00

    Hi @Dan · Thank you for reaching out.

    If the whole purpose of this setup is to use a custom domain e.g. login.custom.tld instead of using yourtenant.b2clogin.com, I would suggest you go with Azure Front Door rather than CDN, unless there is a specific reason for choosing CDN.

    To set up a custom domain for B2C using Azure Front Door, please refer to https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-domain?pivots=b2c-custom-policy .

    Below are the high-level steps that you need to perform in order to enable custom domains for Azure AD B2C using Front Door:

    1. Add a custom domain name to your Azure AD B2C tenant
    2. Create a new Azure Front Door instance
    3. Set up your custom domain on Azure Front Door
    4. Configure CORS
    5. Test your custom domain
    6. Configure your identity provider
    7. Configure your application
    8. Block access to the default domain name

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
