Today we announce that Microsoft Entra External ID Custom URL Domains are now generally available (GA)! Initially released in May in Public Preview, custom URL domains allow you to add verified custom domains within Microsoft Entra External ID. This means you can brand your authentication endpoints with your own domain name, creating a seamless and recognizable login experience for your users.
What are custom URL domains?
Custom URL domains enable organizations to customize the authentication experience by using their own domain names. Instead of seeing the default Microsoft tenant URL, users see a branded URL. This provides a more consistent experience, strengthens brand identity, and makes applications feel more professional and secure.
Key features
- Customization and branding: You can use your own domain name on authentication pages, unifying the login experience. Users will see a URL that reflects your brand, such as login.contoso.com, instead of the default Microsoft tenant URL.
- Additional security enhancements:
  - Standard URL domain blocking: You can now secure your tenant from various security attacks, such as bot attacks and DDoS, by blocking access to the default endpoint when a custom URL domain is active. This feature is available on request. Enrol your tenant here to activate this feature.
  - Third-party web application firewall (WAF) integration: Custom URL domains are configured with Azure Front Door (AFD). You can add further WAF rules to your tenant by placing a third-party WAF integration, such as Cloudflare or Akamai, in front of AFD.
Note: Third-party integrations without AFD, such as Cloudflare and Akamai, are coming in future product releases.
Key considerations when configuring custom URL domains
- Multiple domains allowed: There can be multiple custom URL domains in a single tenant.
- Impact on metadata endpoint: Changing a custom URL domain will also affect the metadata endpoint.
- Single domain use: Once verified and added in one tenant, a custom URL domain cannot be added in another tenant.
- Token issuer: The token issuer remains on the default endpoint, i.e. “iss”: “https://.ciamlogin.com//v2.0”.
- Top-level domain: Avoid using your top-level domain. Using a root domain for custom URL domains can complicate the user experience and the setup process. It is generally recommended to use subdomains for custom URL domains to avoid these issues.
  - Example:
    - Correct domain: ‘login.contoso.com’
    - Incorrect domain: ‘contoso.com’
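The token issuer consideration above matters for any API that validates tokens: the expected `iss` must be pinned to the default endpoint, not derived from the custom URL domain. The following is an added example, not code from the original post or from Microsoft; the issuer and authority strings are constructed placeholders, the authority format is an assumption, and all function names are hypothetical.

```javascript
// Added example: issuer check for tokens obtained through a custom URL domain.
// Both values below are constructed placeholders, not real tenant identifiers.
const DEFAULT_ISSUER =
  "https://TENANT-PLACEHOLDER.ciamlogin.com/TENANT-ID-PLACEHOLDER/v2.0";
const CUSTOM_AUTHORITY = "https://login.contoso.com/TENANT-ID-PLACEHOLDER"; // assumed format

// Decode the payload segment of a compact JWT. This does NOT verify the
// signature; call it only after a JOSE library has verified the token.
function decodePayload(jwt) {
  const parts = String(jwt).split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  // Node's "base64" decoder also accepts the URL-safe alphabet.
  return JSON.parse(Buffer.from(parts[1], "base64").toString("utf8"));
}

// Accept only an exact match with the configured default-endpoint issuer.
// No prefix, suffix, or host-only comparison: look-alike hosts must fail.
function checkIssuer(jwt, expectedIssuer) {
  const { iss } = decodePayload(jwt);
  if (typeof iss !== "string") return { ok: false, reason: "missing iss" };
  if (iss !== expectedIssuer) {
    return { ok: false, reason: `unexpected iss: ${iss}` };
  }
  return { ok: true, reason: "issuer matches default endpoint" };
}

// The misconfiguration to avoid: building the expected issuer from the
// custom authority. Valid tokens then fail, because iss stays on the default endpoint.
function issuerFromAuthority(authority) {
  return `${authority}/v2.0`;
}

// Build a constructed sample token with a placeholder signature.
function makeSampleToken(iss) {
  const enc = (obj) =>
    Buffer.from(JSON.stringify(obj)).toString("base64")
      .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  const header = enc({ alg: "RS256", typ: "JWT" });
  const payload = enc({ iss, aud: "CLIENT-ID-PLACEHOLDER" });
  return `${header}.${payload}.c2lnbmF0dXJl`;
}
```
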
Setting up custom URL domains
Prerequisites
Configure Microsoft Entra External ID
- You need to verify domain ownership by adding your custom URL domain to your external tenant. Go to Microsoft Entra admin centre > Domain Names > Custom domain names > Add domain
- Add your DNS information to the domain registrar
Note: It might take up to 72 hours for a domain to be verified.
Associate Custom domain names with Custom URL Domains
You’ll need to associate custom domain names with custom URL domains. Navigate to the Microsoft Entra admin center > Domain names > Custom URL domains
Configure Azure Front Door
- Add an AFD instance (if you don’t have one set up).
- Associate your custom URL domain with this AFD and enable the route.
Configure features to use custom URL domains
- Microsoft Authentication Library (MSAL): MSAL is compatible with custom URL domains. Make changes according to your development language. For guidance, see an example of MSAL.js
- Social Identity providers: Update your IDP list of redirect URIs to include your custom domains.
Stay connected and informed
To learn more or test out features in the Microsoft Entra portfolio, visit our developer centre. Make sure you subscribe to the Identity developer blog for more insights and to keep up with the latest on all things Identity. And follow us on YouTube for video overviews, tutorials, and deep dives.
We encourage you to share your feedback and tell us what you think, or suggest new enhancements to make custom URL domains even better. Also, please join our research panel to receive occasional invites to participate in customer research.