{"id":2217,"date":"2024-12-02T07:51:08","date_gmt":"2024-12-02T15:51:08","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/identity\/?p=2217"},"modified":"2024-12-02T07:51:08","modified_gmt":"2024-12-02T15:51:08","slug":"custom-url-domains-ga","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/identity\/custom-url-domains-ga\/","title":{"rendered":"Microsoft Entra External ID Custom URL Domains\u2014now generally available"},"content":{"rendered":"<p>Today we announce that Microsoft Entra External ID <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/external-id\/customers\/concept-custom-url-domain\">Custom URL Domains<\/a> are now generally available (GA)! Initially <a href=\"https:\/\/devblogs.microsoft.com\/identity\/custom-url-domains\/\">released in May in Public Preview<\/a>, custom URL domains allow you to add verified custom domains within Microsoft Entra External ID. This means you can brand your authentication endpoints with your own domain name, creating a seamless and recognizable login experience for your users.<\/p>\n<h2>What are custom URL domains?<\/h2>\n<p>Custom URL domains enable organizations to customize the authentication experience by using their own domain names. Instead of seeing the default Microsoft tenant URL, users see a branded URL. This provides a more consistent experience, strengthening brand identity and making applications feel more professional and secure.<\/p>\n<h2>Key features<\/h2>\n<ul>\n<li><strong>Customization and branding:<\/strong> You can use your own domain name on authentication pages, unifying the login experience. Users will see a URL that reflects your brand, such as login.contoso.com, instead of the default Microsoft tenant URL. 
<\/li>\n<li>\n<p><strong>Additional security enhancements:<\/strong><\/p>\n<ul>\n<li><strong>Standard URL domain blocking:<\/strong> You can now secure your tenant from various security attacks, such as bot attacks, DDoS, etc., by blocking access to the default endpoint when a custom URL domain is active. This feature is available on request. <a href=\"https:\/\/forms.office.com\/r\/wNcMLXNiJ7\">Enrol your tenant here<\/a> to activate this feature.<\/li>\n<li><strong>Third-party web application firewall (WAF) integration:<\/strong> Custom URL domains are configured with Azure Front Door (AFD), allowing you to add WAF rules to your tenant by placing third-party WAF integrations, such as <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/external-id\/customers\/tutorial-configure-cloudflare-integration\">Cloudflare<\/a> or Akamai, in front of AFD.<\/li>\n<\/ul>\n<blockquote>\n<p><strong>Note:<\/strong> Third-party integrations without AFD, such as Cloudflare and Akamai, are coming in future product releases.<\/p>\n<\/blockquote>\n<\/li>\n<\/ul>\n<h2>Key considerations when configuring custom URL domains<\/h2>\n<ul>\n<li><strong>Multiple domains allowed:<\/strong> There can be multiple custom URL domains in a single tenant. <\/li>\n<li><strong>Impact on metadata endpoint:<\/strong> Changing a custom URL domain will also affect the metadata endpoint. <\/li>\n<li><strong>Single domain use:<\/strong> Once verified and added in one tenant, a custom URL domain cannot be added in another tenant. <\/li>\n<li><strong>Token issuer:<\/strong> The token issuer remains on the default endpoint, i.e. \u201ciss\u201d: \u201chttps:\/\/.ciamlogin.com\/\/v2.0\u201d. <\/li>\n<li><strong>Top-level domain:<\/strong> Avoid using your top-level domain. Using a root domain for custom URL domains can complicate the user experience and the setup process. It is generally recommended to use subdomains for custom URL domains to avoid these issues. 
\n<ul>\n<li><strong>Example:<\/strong> \n<ul>\n<li>Correct domain: \u2018login.contoso.com\u2019<\/li>\n<li>Incorrect domain: \u2018contoso.com\u2019 <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Setting up custom URL domains<\/h2>\n<h3>Prerequisites<\/h3>\n<ul>\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/external-id\/customers\/how-to-create-external-tenant-portal\">An external tenant<\/a><\/li>\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/app-service\/manage-custom-dns-buy-domain\">A valid custom domain<\/a><\/li>\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/frontdoor\/create-front-door-portal\">An Azure Front Door subscription<\/a> <\/li>\n<\/ul>\n<h3>Configure Microsoft Entra External ID<\/h3>\n<ul>\n<li>You need to verify domain ownership by adding your custom URL domain to your external tenant. Go to <strong>Microsoft Entra admin centre<\/strong> > <strong>Domain Names<\/strong> > <strong>Custom domain names<\/strong> > <strong>Add domain<\/strong><\/li>\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/fundamentals\/add-custom-domain?branch=pr-en-us-5734#add-your-dns-information-to-the-domain-registrar\">Add your DNS information to the domain registrar<\/a> <\/li>\n<\/ul>\n<blockquote>\n<p><strong>Note:<\/strong> It might take up to 72 hours for a domain to be verified.<\/p>\n<\/blockquote>\n<p><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/identity\/wp-content\/uploads\/sites\/74\/2024\/11\/Custom-URL-domains-Add-domain.png\" alt=\"Custom URL domains - Add domain\" \/><\/p>\n<h3>Associate Custom domain names with Custom URL Domains<\/h3>\n<p>You&#8217;ll need to associate custom domain names with custom URL domains. 
Navigate to the <strong>Microsoft Entra admin center<\/strong> > <strong>Domain names<\/strong> > <strong>Custom URL domains<\/strong><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/identity\/wp-content\/uploads\/sites\/74\/2024\/11\/Associate-custom-domain-and-custom-URL-domain.png\" alt=\"screenshot\" \/><\/p>\n<h2>Configure Azure Front Door<\/h2>\n<ul>\n<li>Add an <a href=\"https:\/\/login.microsoftonline.com\/organizations\/oauth2\/v2.0\/authorize?redirect_uri=https%3A%2F%2Fportal.azure.com%2Fsignin%2Findex%2F&amp;response_type=code%20id_token&amp;scope=https%3A%2F%2Fmanagement.core.windows.net%2F%2Fuser_impersonation%20openid%20email%20profile&amp;state=OpenIdConnect.AuthenticationProperties%3DepNMUyT9NcwHRa8MV5NASdltUTN9JEvGt3sbVHvQqk918nWqjPcIFpyEOBwTcOrB8LBKnm20uWBQrrA2dRhM6zVLUF9vA6Z9FCN7_MnKIGwIle4znxnzX-01VRKyip_j90KFJduW5vMhpaEuTY86gp6aqB0xq2OOnh0XZ_SK7lzP8sDj92Fmsg8DEIDdIUmWp_iYYPtcDcJzK37BUQQ-oCRKccuvovy8OfxwHDLWz3q1M7I23hOhu10YEl2dTeawFOPEp9m9ncca0YMQQQpTShDCti055fncq3Se57TFS70dIwZG8TjGrsLiQ9udjH_969SG8tdPLNeWU68LMNCsMFuYy0_-ACEoKfy2ofPqOSwsbrmC9tQ4Y7181LHXJA5-1GFS47pNHSBWASasbTkLimIfXJaYYSJbrI8tCbysWGycf1HVGCezgJ7Tm0gROxImiCj8WLrOWTC3o-6feTydDtxj87nubjnP81-mA9cQyYQ&amp;response_mode=form_post&amp;nonce=638675261706689289.YTdjMTc2ZGUtMWRlMi00NDk1LTkzMjUtMjk1ODc4NTRmOThmNDI1YjEyMmItMjRiMC00ZjFlLWI4ODgtZjM4Nzc2ZTU4YjQy&amp;client_id=c44b4083-3bb0-49c1-b47d-974e53cbdf3c&amp;site_id=501430&amp;client-request-id=f39c4217-6da6-4c5d-a99a-c92d4f7f5889&amp;x-client-SKU=ID_NET472&amp;x-client-ver=7.5.0.0\">AFD instance<\/a> (if you don\u2019t have one set up).<\/li>\n<li>Associate your custom URL domain with this AFD and enable the route.<\/li>\n<\/ul>\n<p><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/identity\/wp-content\/uploads\/sites\/74\/2024\/11\/Associate-custom-URL-domain-with-Azure-Front-Door.png\" alt=\"screenshot\" \/><\/p>\n<h3>Configure features to use custom URL domains<\/h3>\n<ul>\n<li>Microsoft 
Authentication Library (MSAL): MSAL is compatible with custom URL domains. Make changes according to your development language. For guidance, see an example of <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/external-id\/customers\/tutorial-single-page-app-vanillajs-configure-authentication\">MSAL.js<\/a>.<\/li>\n<\/ul>\n<p><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/identity\/wp-content\/uploads\/sites\/74\/2024\/11\/Configure-MSAL-for-custom-URL-domains.png\" alt=\"screenshot\" \/><\/p>\n<ul>\n<li>Social identity providers: Update your IdP's list of redirect URIs to include your custom domains. <\/li>\n<\/ul>\n<h2>Stay connected and informed<\/h2>\n<p>To learn more or test out features in the Microsoft Entra portfolio, visit our\u202f<a href=\"https:\/\/aka.ms\/dev\/external-id\">developer centre<\/a>. Make sure you subscribe to the\u202f<a href=\"https:\/\/aka.ms\/devblog\/external-id\">Identity developer blog<\/a>\u202ffor more insights and to keep up with the latest on all things Identity. And follow us on\u202f<a href=\"https:\/\/www.youtube.com\/@MicrosoftSecurity\/playlists\">YouTube<\/a>\u202ffor video overviews, tutorials, and deep dives.<\/p>\n<p>We encourage you to share your feedback and\u202f<a href=\"https:\/\/forms.office.com\/r\/Mgzb2Z0TAN\">tell us what you think<\/a>,\u202for suggest new enhancements to make custom URL domains even better. Also, please\u202f<a href=\"https:\/\/ux.microsoft.com\/Panel\/MicrosoftEntraExternalID?utm_campaign=ExternalID&amp;utm_source=AppService&amp;utm_medium=Blog\">join our research panel<\/a>\u202fto receive occasional invites to participate in customer research.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Discover Microsoft Entra External ID Custom URL Domains, now generally available (GA). 
Learn how to enhance the authentication experience by branding login endpoints with your own domain name, creating a seamless, secure, and familiar experience for users.<\/p>\n","protected":false},"author":158891,"featured_media":175,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[32,33],"tags":[38,16,47,50],"class_list":["post-2217","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","category-product-updates","tag-authentication","tag-entra","tag-external-id","tag-identity"],"acf":[],"blog_post_summary":"<p>Discover Microsoft Entra External ID Custom URL Domains, now generally available (GA). Learn how to enhance the authentication experience by branding login endpoints with your own domain name, creating a seamless, secure, and familiar experience for users.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/identity\/wp-json\/wp\/v2\/posts\/2217","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/identity\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/identity\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/identity\/wp-json\/wp\/v2\/users\/158891"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/identity\/wp-json\/wp\/v2\/comments?post=2217"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/identity\/wp-json\/wp\/v2\/posts\/2217\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/identity\/wp-json\/wp\/v2\/media\/175"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/identity\/wp-json\/wp\/v2\/media?parent=2217"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/identity\/wp-json\/wp\/v2\/categories?post=2217"},{"taxono
my":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/identity\/wp-json\/wp\/v2\/tags?post=2217"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}