Reuben-7481 asked AnshulKumarMINDTREELIMITED-5501 commented

Testing Azure Front Door for Azure B2C URLs in preparation for a Custom Domain

Similar to https://docs.microsoft.com/en-us/answers/questions/331830/unable-to-configure-custom-domains-for-azure-activ.html, I am trying to set up a Custom Domain for an Azure AD B2C tenant using Azure Front Door. I added a comment to the question, but I should ask my own question, so here we go.

There is a step in the instructions where it suggests I ought to be able to test the Front Door by accessing a URL on the azurefd.net domain directly.

Since this is an Azure AD B2C tenancy, and I don't get a lot of choice of what URLs to use, I am testing the Open ID Configuration URL (https://b2cuatotw.b2clogin.com/b2cuatotw.onmicrosoft.com/B2C_1A_signup_signin/v2.0/.well-known/openid-configuration) and comparing with what I think the azurefd.net counterpart should be (https://b2cuatotw.azurefd.net/b2cuatotw.onmicrosoft.com/B2C_1A_signup_signin/v2.0/.well-known/openid-configuration).

However, I'm only getting 404 responses from the azurefd.net URL and enabling diagnostics for the Azure Front Door is also only showing 404 responses for my requests.

Is this a reasonable test for ensuring the front door has been set up properly before I start changing policies and applications to use the custom domain name?

azure-ad-b2c azure-front-door

Hi, if the posted answer resolves your question, please mark it as the answer by clicking the check mark. Doing so helps others find answers to their questions.

0 Votes 0 ·
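The comparison described in the question, written as an added example that is not part of the original thread: it requests the same metadata path through both hosts and reports the status codes and the hosts the returned endpoints point at. The function names and the sample responses are constructed for illustration; only the two URLs come from the question.

```python
import json
from urllib.error import HTTPError
from urllib.parse import urlsplit, urlunsplit
from urllib.request import urlopen

ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

def swap_host(url, new_host):
    """Return url with only the host replaced; path and query are kept."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, new_host, p.path, p.query, p.fragment))

def http_fetch(url):
    """Live fetcher returning (status, body); the offline sample does not use it."""
    try:
        with urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, ""

def compare_metadata(origin_url, candidate_host, fetch=http_fetch):
    """Fetch the same metadata path via both hosts and report the differences."""
    candidate_url = swap_host(origin_url, candidate_host)
    o_status, o_body = fetch(origin_url)
    c_status, c_body = fetch(candidate_url)
    report = {"candidate_url": candidate_url, "origin_status": o_status,
              "candidate_status": c_status, "findings": [], "endpoint_hosts": {}}
    if o_status != 200:
        report["findings"].append("origin metadata unreachable; check the policy URL")
    elif c_status != 200:
        report["findings"].append(f"candidate returned {c_status}, origin returned 200")
    else:
        origin_doc, cand_doc = json.loads(o_body), json.loads(c_body)
        missing = sorted(set(origin_doc) - set(cand_doc))
        if missing:
            report["findings"].append(f"keys missing via candidate: {missing}")
        # Hosts the candidate's metadata would send clients to.
        report["endpoint_hosts"] = {k: urlsplit(cand_doc[k]).hostname
                                    for k in ENDPOINT_KEYS if k in cand_doc}
    return report

# Constructed sample: origin answers 200, every other host answers 404.
ORIGIN = ("https://b2cuatotw.b2clogin.com/b2cuatotw.onmicrosoft.com/"
          "B2C_1A_signup_signin/v2.0/.well-known/openid-configuration")
BASE = "https://b2cuatotw.b2clogin.com/b2cuatotw.onmicrosoft.com/b2c_1a_signup_signin"
SAMPLE = {ORIGIN: (200, json.dumps({k: f"{BASE}/{k}" for k in ENDPOINT_KEYS}))}

def sample_fetch(url):
    return SAMPLE.get(url, (404, ""))

if __name__ == "__main__":
    print(compare_metadata(ORIGIN, "b2cuatotw.azurefd.net", fetch=sample_fetch))
```

Dropping the `fetch=sample_fetch` argument runs the same comparison against the live hosts.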

1 Answer

Reuben-7481 answered AaronTownley-9545 commented

This item is solved via a support request.

The first item that needed correcting was that domain verification needs to be on the Azure B2C tenant, not the tenant that you may be hosting the Front Door with.

As a part of the support resolution, we skipped the azurefd.net to b2clogin.com test and went straight to the custom domain. However, our company internal DNS was not propagating the CNAME entry through to the VPN that I was using to log into our work environment.


Hi Reuben,

Hoping you might be able to assist - I'm in the exact same situation you explained in your initial post, but don't quite understand exactly what feature/setting you're referring to when you say "domain verification needs to be on the Azure B2C tenant".

After experiencing 404s with my custom domain, I too have taken it back to basics, expecting that the azurefd.net host would "just work" after completing all the documented steps; however, I can't get past the 404 errors.

Interestingly, if I point AzureFD at any other backend service it loads correctly, which strongly suggests there's something within B2C which needs to be tweaked for this to work.

Thanks in advance,
Aaron

0 Votes 0 ·
Reuben-7481 AaronTownley-9545 ·

We still have a Frontend configured in the Front Door Designer, but it still doesn't work as intended. The Frontend for the custom domain is using a Front Door managed TLS 1.2 certificate. I do remember that it appeared to take a while to generate. As it is now, we have all green ticks for the Submitting request, Domain validation, Certificate provisioning and Complete steps.

With regards to the last comment, the only thing in the B2C setup that mentions the custom domain is the Redirect URIs used to process the authentication responses. i.e. https://custom-domain.com.au/b2cuatotw.onmicrosoft.com/oauth2/authresp for two of the Identity Experience Framework apps. Because we're also using custom templates, the custom domain gets a mention in the Resource Sharing (CORS) section of the Azure Storage account that has been set up on the corporate tenancy.

I hope any of that helps. We're about to start setting up our actual production B2C tenancy, but will be using a new B2C tenancy, Storage subscription and Front Door subscription, so we still get to mess around with the other one, if we need to.

Part 2 of 2

1 Vote 1 ·

Thanks for taking the time to reply to my query Reuben.

Interestingly Microsoft have since updated their documentation to include a troubleshooting section which addresses the specific error I was experiencing (the prerequisite of having the custom domain added and verified on the B2C directory).

Thanks again, I hope your deployment goes well.

0 Votes 0 ·
Reuben-7481 AaronTownley-9545 ·

In our setup, we have our main corporate Azure AD Domain and we created a new tenancy to host the Azure B2C tenant.

During the initial setup, we performed domain verification for our custom domain against the Azure B2C tenancy, but as a part of the Azure Front Door setup, which was put on the corporate Azure tenancy, that domain verification was moved. However, since the custom domain was being used with the Azure B2C tenancy, we moved it back to that Azure B2C tenancy instead of the main corporate one.

Unfortunately, I was not an active participant in the support call with Microsoft, so I didn't get a chance to ask if using azurefd.net directly should "just work". Instead, they went straight for setting up the actual custom domain on the Azure Front Door.

Part 1 of 2

0 Votes 0 ·