Microsoft Entra Blog

Customize authentication experiences and URL domains for external apps

AnkurPatel
Jan 23, 2025

Learn how to set up OIDC authentication and URL customization in external-facing applications.

Creating secure, seamless, and branded user experiences in your external-facing applications, such as customer identity and access management (CIAM), is critical to growing your business. According to Verizon, cyberattacks pose a significant threat to any business operating online; common types include distributed denial-of-service (DDoS) attacks, password spray attacks, Slowloris attacks, and brute-force attacks. In 24% of breaches, stolen credentials were the leading cause, underscoring the importance of strong passwords and the use of multifactor authentication (MFA). Next come malware at 23%, human error at 21%, and phishing at 17%. A strong end-to-end security strategy for your CIAM applications is essential to safeguard against these threats and ensure the integrity of your operations.

Following our previous blogs on security defaults and branding enhancements, we are pleased to share that it's now possible to deliver a seamless IAM experience while significantly reducing your chance of a breach. In this blog, Mihai Popa, Principal Product Manager on the Microsoft Entra Product team, explains how we achieve this with the release of OpenID Connect identity provider support and Custom URL Domains, both now available in Microsoft Entra External ID.

Figure 1: End-to-end security for every application.

Hi everyone! Mihai here from the Authentication Product team in Microsoft. Today, I'm super excited to share with you some essential information about the new capabilities that we're bringing to the Microsoft Entra External ID world.

Today we're announcing the public preview of OpenID Connect external identity provider support and the general availability of the Custom URL Domains feature. Both features have been much awaited by External ID customers. The ability to add any identity provider that supports OIDC to your identity experiences helps customers streamline the user sign-up and sign-in experience. Customizing the domain URL used for identity flows adds a point of brand recognition that builds trust with end users, and it adds an essential extra layer of security.

Here's a preview of the two features. Enjoy the reading!

OpenID Connect IdP support for Microsoft Entra External ID

Based on customer feedback, one key request that emerged was support for federation with external identity providers like Amazon, Auth0, Okta, and our predecessor product, Azure AD B2C, enabling customers to enrich their new External ID experiences by federating with their Azure AD B2C platform. Enabling users to access applications with existing accounts from other identity providers offers two key benefits: it enables partner integrations through identity federation, and it allows users to sign in using their existing identities instead of creating new credentials associated with their accounts.

Key scenarios for OIDC external identity providers

Microsoft Entra External ID’s OIDC external identity provider support enables several key scenarios:

  • Integrate with cloud identity providers: Integrate your sign-in and sign-up flows with cloud identity providers.
  • Federate with Azure AD B2C: Begin building new IAM experiences with Entra External ID while federating with existing Azure AD B2C tenants.
  • Sign in with partner identity providers: Enable federated authentication for partnership scenarios, such as partner employee discount programs.
  • Federate with government and citizen identity providers: Establish secure authentication with government and citizen identity providers.

Getting started with OIDC federation

OIDC federation enables users to sign up and sign in to applications using their existing accounts from external identity providers that support the OpenID Connect protocol. By adding an OpenID Connect identity provider to a user flow, users can authenticate to the applications registered in that user flow using their credentials from the OIDC identity provider.

For guidance on configuring your OpenID Connect identity provider, adding it to your user flow, and integrating sign-in and sign-up experiences into your application, refer to the Microsoft Entra External ID documentation on these topics.

Microsoft Entra External ID Custom URL Domains

What are custom URL domains?

Custom URL domains enable organizations to customize the authentication experience by using their own domain names. Instead of seeing the default Microsoft tenant URL, users see a branded URL. This provides a more consistent experience by strengthening brand identity and making applications feel more professional and secure.  

Key features  

  1. Customization and branding: You can register your own domain name to be used on authentication pages, unifying the login experience with the rest of the user flow. Users will see a URL that reflects your brand, such as login.contoso.com, instead of the default Microsoft tenant URL.
  2. Multiple domains allowed: A single tenant can have multiple custom URL domains.

Additional security enhancements:  

  1. Standard URL domain protection: You can now protect your tenant from attacks such as bot attacks and DDoS by blocking access to the default endpoint once a custom URL domain is active. This feature is available on request; enroll your tenant to activate it.
  2. Third-party web application firewall (WAF) integration: Custom URL domains must be configured with Azure Front Door (AFD), which lets you add WAF rules for your tenant and layer third-party WAF integrations, such as Cloudflare or Akamai, on top of AFD.

Key considerations when configuring custom URL domains  

  • Impact on metadata endpoint: Changing to a custom URL domain also changes the OpenID Connect metadata endpoint. For example, if the default endpoint is https://<tenantID>.ciamlogin.com/<tenantID>/.well-known/openid-configuration/v2.0, it becomes https://login.contoso.com//.well-known/openid-configuration/v2.0. Any relying party that discovers metadata from the default host needs to be updated accordingly.
  • Single domain use: Once verified and added in one tenant, a custom URL domain cannot be added in another tenant.
  • Token issuer: The token issuer remains on the default endpoint, for example "iss": "https://<tenantID>.ciamlogin.com/<tenantID>/v2.0", so token validators must keep expecting the default issuer even though users sign in on the custom domain.
  • Top-level domain: Avoid using your top-level domain. Using a root domain for Custom URL Domains can complicate the user experience and the setup process. It is generally recommended to use subdomains for Custom URL Domains to avoid these issues.
    • Example:
      • Correct domain: 'login.contoso.com'
      • Incorrect domain: 'contoso.com'
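As an added example (not code from the post or from Microsoft), the following Python shows why the token-issuer consideration above matters to a relying party: it decodes a constructed ID token and checks that a validator configured with the default ciamlogin.com issuer accepts it, while one that wrongly expects the custom domain as the issuer rejects it. The tenant ID, client ID and domain are placeholders, and signature verification against the tenant's JWKS is assumed to happen elsewhere.

```python
import base64
import json

# Constructed placeholders (not from the post).
TENANT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
CUSTOM_DOMAIN = "login.contoso.com"

def default_issuer(tenant_id):
    # The token issuer stays on the default endpoint even when sign-in runs on a custom URL domain.
    return f"https://{tenant_id}.ciamlogin.com/{tenant_id}/v2.0"

def custom_domain_issuer(custom_domain, tenant_id):
    # What a misconfigured validator might expect: the issuer rewritten onto the branded host.
    return f"https://{custom_domain}/{tenant_id}/v2.0"

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_token(claims):
    # Constructed ID token with an empty signature segment; JWKS signature checks are out of scope here.
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def decode_claims(token):
    # Decode the payload segment of a compact JWT (re-adding the base64url padding).
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def validate_claims(token, expected_issuer, client_id, now):
    # Returns a list of errors; an empty list means iss, aud and exp are acceptable.
    claims = decode_claims(token)
    errors = []
    if claims.get("iss") != expected_issuer:
        errors.append(f"issuer mismatch: got {claims.get('iss')!r}")
    if claims.get("aud") != client_id:
        errors.append("audience mismatch")
    if int(claims.get("exp", 0)) <= now:
        errors.append("token expired")
    return errors

# A token obtained through the branded sign-in page still carries the default issuer.
SAMPLE_TOKEN = make_unsigned_token(
    {"iss": default_issuer(TENANT_ID), "aud": CLIENT_ID, "sub": "user-1", "exp": 2_000_000_000})
```

Run `validate_claims(SAMPLE_TOKEN, default_issuer(TENANT_ID), CLIENT_ID, now)` for the correct configuration and swap in `custom_domain_issuer(...)` to see the mismatch a wrongly configured relying party would hit on every login.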

Stay connected and informed

To learn more or test out features in the Microsoft Entra portfolio, visit our developer center. Make sure you subscribe to the Identity developer blog for more insights and to keep up with the latest on all things Identity. And, follow us on YouTube for video overviews, tutorials, and deep dives.

We encourage you to share your feedback and tell us what you think, or suggest new features to make external identities federation features even better. Also, please join our research panel to receive occasional invites to participate in customer research.

Stay tuned for our next deep-dive blog on web application firewalls in external-facing apps, where we'll explore best practices, implementation strategies, and much more.


Mihai Popa

Principal Product Manager

Updated Jan 21, 2025
Version 1.0