Azure AD or Azure AD B2C Redirection URL for multiple subdomains

Sayan Ghosh 311 Reputation points Microsoft Employee
2021-12-06T00:21:06.78+00:00

We have a client who runs a single tenant SaaS and all the tenants are subdomains. They need to configure their Azure app registrations individually for each tenant (client1.SaaSurl.com, client2.SaaSurl.com, etc.). They are looking to get a wildcard redirect to redirect clients to their client specific sub-domain. This is obviously not supported in AAD / AAD B2C (apparently supported in Auth0 which the client previously used and were a bit unhappy to find this). We are exploring other solutions which might not be as onerous.

We were thinking of using a state parameter or Azure front door to help with this issue but thought we would see if any of the experts here would know of a smarter way of doing it?

Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,562 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
18,556 questions
{count} votes

Accepted answer
  1. AmanpreetSingh-MSFT 56,206 Reputation points
    2021-12-06T06:43:24.417+00:00

    Hi @Sayan Ghosh • Thank you for reaching out.

    When the application is registered using one of the below-highlighted options, the reply URL can be set with * (wildcard character) via the App Manifest.

    155147-image.png

    For this purpose, you need to navigate to Azure Active Directory > App Registrations > Search your app and click on Manifest > Update the reply URL as highlighted below:

    155184-image.png

    You can then go to the Authentication blade of the application to confirm the reply URL is updated with the wildcard, as highlighted below:

    155203-image.png

    Note: Wildcard URIs like https://*.jwt.ms may seem convenient, but should be avoided due to security implications. According to the OAuth 2.0 specification (section 3.1.2 of RFC 6749), a redirection endpoint URI must be an absolute URI.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


1 additional answer

Sort by: Most helpful
  1. Sankalp Abhale 0 Reputation points
    2023-04-06T09:22:53.06+00:00

    Hi,
    I have similar kind of problem. Our multitenant application has URLs like

    1. {domain-name}/axera/{tenant-name1}
    2. {domain-name}/axera/{tenant-name2}

    so I tried to configure it like {domain-name}/axera/* but its saying like below Failed to update axera ERP application. Error detail: One or more of your reply urls is not valid. [6w5VtmotNt3Kue/9X356XB].  Can you help me how to register this kind of urls in application?

    0 comments No comments