Set redirect URLs to b2clogin.com for Azure Active Directory B2C

When you set up an identity provider for sign-up and sign-in in your Azure Active Directory B2C (Azure AD B2C) application, you need to specify a redirect URL. You should no longer reference login.microsoftonline.com in your applications and APIs. Instead, use b2clogin.com for all new applications, and migrate existing applications from login.microsoftonline.com to b2clogin.com.

Benefits of b2clogin.com

When you use b2clogin.com as your redirect URL:

  • Space consumed in the cookie header by Microsoft services is reduced.
  • Your redirect URLs no longer need to include a reference to Microsoft.
  • JavaScript client-side code is supported (currently in preview) in customized pages. Due to security restrictions, JavaScript code and HTML form elements are removed from custom pages if you use login.microsoftonline.com.

Overview of required changes

There are several modifications you might need to make to migrate your applications to b2clogin.com:

  • Change the redirect URL in your identity provider's applications to reference b2clogin.com.
  • Update your Azure AD B2C applications to use b2clogin.com in their user flow and token endpoint references.
  • Update any Allowed Origins that you've defined in the CORS settings for user interface customization.

Change identity provider redirect URLs

On each identity provider's website where you've registered an application, change all trusted (redirect) URLs so they point to your-tenant-name.b2clogin.com instead of login.microsoftonline.com.

There are two formats you can use for your b2clogin.com redirect URLs. The first provides the benefit of not having "Microsoft" appear anywhere in the URL by using the Tenant ID (a GUID) in place of your tenant domain name:

https://{your-tenant-name}.b2clogin.com/{your-tenant-id}/oauth2/authresp

The second option uses your tenant domain name in the form of your-tenant-name.onmicrosoft.com. For example:

https://{your-tenant-name}.b2clogin.com/{your-tenant-name}.onmicrosoft.com/oauth2/authresp

For both formats:

  • Replace {your-tenant-name} with the name of your Azure AD B2C tenant.
  • Remove /te if it exists in the URL.
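The two formats above, and the check a practitioner would want before pasting a migrated URL into an identity provider's app settings, as an added example in Node.js (not code from the original article or from Microsoft). The tenant name "contoso" and the all-zero GUID are constructed sample values; a real tenant ID is the GUID shown in the Azure portal.

```javascript
// Added example (not from the original article): build, migrate and check
// Azure AD B2C identity-provider redirect URLs in the two b2clogin.com formats.
// "contoso" and the all-zero GUID below are constructed sample values.

const LEGACY_HOST = "login.microsoftonline.com";
const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Tenant segment of the path: the tenant ID (GUID) when given, which keeps
// "Microsoft" out of the URL, otherwise {tenant}.onmicrosoft.com.
function tenantSegment(tenantName, tenantId) {
  return tenantId ? tenantId.toLowerCase() : `${tenantName.toLowerCase()}.onmicrosoft.com`;
}

// Redirect URL for a tenant in one of the two b2clogin.com formats.
function b2cLoginRedirectUrl(tenantName, tenantId) {
  const name = tenantName.toLowerCase();
  return `https://${name}.b2clogin.com/${tenantSegment(tenantName, tenantId)}/oauth2/authresp`;
}

// Non-empty path segments of a parsed URL, with a leading "/te" dropped.
function pathSegments(parsed) {
  const segments = parsed.pathname.split("/").filter(Boolean);
  const hadTe = segments[0] === "te";
  return { segments: hadTe ? segments.slice(1) : segments, hadTe };
}

// Rewrite a legacy login.microsoftonline.com redirect URL to b2clogin.com.
// URLs on any other host are returned unchanged so the caller can tell that
// nothing needed migrating.
function migrateRedirectUrl(url, tenantName, tenantId) {
  const parsed = new URL(url);
  if (parsed.hostname.toLowerCase() !== LEGACY_HOST) return url;
  const { segments } = pathSegments(parsed);
  // segments[0] is the old tenant segment; keep whatever follows it,
  // normally "oauth2/authresp".
  const suffix = segments.slice(1).join("/");
  const name = tenantName.toLowerCase();
  return `https://${name}.b2clogin.com/${tenantSegment(tenantName, tenantId)}/${suffix}`;
}

// Lint a redirect URL before entering it at the identity provider. Returns a
// list of problems; an empty list means the URL is in one of the two
// b2clogin.com formats for this tenant.
function checkRedirectUrl(url, tenantName) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return ["not a valid absolute URL"];
  }
  const problems = [];
  const name = tenantName.toLowerCase();
  if (parsed.protocol !== "https:") problems.push("scheme must be https");
  if (parsed.hostname.toLowerCase() !== `${name}.b2clogin.com`) {
    problems.push(`host must be ${name}.b2clogin.com`);
  }
  const { segments, hadTe } = pathSegments(parsed);
  if (hadTe) problems.push("remove the /te segment");
  const tenant = (segments[0] || "").toLowerCase();
  if (!GUID_RE.test(tenant) && tenant !== `${name}.onmicrosoft.com`) {
    problems.push("tenant segment must be the tenant ID (GUID) or {tenant}.onmicrosoft.com");
  }
  if (segments.slice(1).join("/") !== "oauth2/authresp") {
    problems.push("path must end in /oauth2/authresp");
  }
  return problems;
}

if (typeof require !== "undefined" && require.main === module) {
  const legacy = "https://login.microsoftonline.com/te/contoso.onmicrosoft.com/oauth2/authresp";
  console.log(checkRedirectUrl(legacy, "contoso"));
  const migrated = migrateRedirectUrl(legacy, "contoso", "00000000-0000-0000-0000-000000000000");
  console.log(migrated, checkRedirectUrl(migrated, "contoso"));
}
```

The checker is intentionally strict about the host: a redirect URL that merely contains "b2clogin.com" somewhere is not enough, because the identity provider will send the authorization response to whatever host you register, and only your own tenant's host should ever receive it.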

Update your applications and APIs

The code in your Azure AD B2C-enabled applications and APIs may refer to login.microsoftonline.com in several places. For example, your code might have references to user flows and token endpoints. Update the following to instead reference your-tenant-name.b2clogin.com:

  • Authorization endpoint
  • Token endpoint
  • Token issuer

For example, the authority endpoint for Contoso's sign-up/sign-in policy would now be:

https://contosob2c.b2clogin.com/00000000-0000-0000-0000-000000000000/B2C_1_signupsignin1
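Deriving the authority, authorization, token and issuer values for a user flow from the tenant name, tenant ID and policy name, plus two migration checks (a scan for leftover login.microsoftonline.com references and a comparison of an ID token's iss claim with the expected issuer), as an added Node.js example that is not part of the original article or of any Microsoft library. The /oauth2/v2.0/authorize, /oauth2/v2.0/token and /{tenant-id}/v2.0/ issuer paths follow the standard B2C v2.0 endpoint layout and are assumed here; the authoritative values are in the tenant's OpenID Connect metadata document, whose URL the example also derives. The config lines and the token are constructed sample data.

```javascript
// Added example (not from the original article): derive the b2clogin.com
// endpoints an application needs for one user flow, scan config text for
// leftover login.microsoftonline.com references, and compare a token's "iss"
// claim with the expected b2clogin.com issuer. The endpoint path layout is
// assumed (standard B2C v2.0 layout); confirm against the metadata document.

function b2cEndpoints(tenantName, tenantId, policy) {
  const host = `${tenantName.toLowerCase()}.b2clogin.com`;
  const authority = `https://${host}/${tenantId}/${policy}`;
  return {
    authority,
    authorization: `${authority}/oauth2/v2.0/authorize`,
    token: `${authority}/oauth2/v2.0/token`,
    issuer: `https://${host}/${tenantId}/v2.0/`,
    metadata: `${authority}/v2.0/.well-known/openid-configuration`,
  };
}

// Report every line of a config or source text that still references the
// legacy host, so no endpoint reference is missed during migration.
function findLegacyReferences(text) {
  const hits = [];
  text.split("\n").forEach((line, i) => {
    if (line.toLowerCase().includes("login.microsoftonline.com")) {
      hits.push({ line: i + 1, text: line.trim() });
    }
  });
  return hits;
}

// base64url helpers for the constructed sample token below.
function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
function b64urlDecode(s) {
  return Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64").toString("utf8");
}

// Decode a JWT payload and report whether its "iss" equals the expected
// issuer. This performs no signature check: it is a configuration aid for
// spotting tokens still issued under the legacy host, not token validation,
// which belongs to your OIDC/JWT library.
function issuerMatches(jwt, expectedIssuer) {
  const parts = jwt.split(".");
  if (parts.length !== 3) return false;
  try {
    const payload = JSON.parse(b64urlDecode(parts[1]));
    return payload.iss === expectedIssuer;
  } catch (e) {
    return false;
  }
}

// Constructed sample data (not real configuration or a real token).
const SAMPLE_ENDPOINTS = b2cEndpoints("contosob2c", "00000000-0000-0000-0000-000000000000", "B2C_1_signupsignin1");
const SAMPLE_CONFIG = [
  '"authority": "https://login.microsoftonline.com/tfp/contosob2c.onmicrosoft.com/B2C_1_signupsignin1"',
  `"tokenEndpoint": "${SAMPLE_ENDPOINTS.token}"`,
  '"issuer": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0/"',
].join("\n");
const SAMPLE_TOKEN = [
  b64urlEncode({ alg: "RS256", typ: "JWT" }),
  b64urlEncode({ iss: SAMPLE_ENDPOINTS.issuer, sub: "constructed-subject", tfp: "B2C_1_signupsignin1" }),
  "not-a-real-signature",
].join(".");

if (typeof require !== "undefined" && require.main === module) {
  console.log(SAMPLE_ENDPOINTS);
  console.log(findLegacyReferences(SAMPLE_CONFIG));
  console.log(issuerMatches(SAMPLE_TOKEN, SAMPLE_ENDPOINTS.issuer));
}
```

Running findLegacyReferences over your application's configuration after the migration is the quickest way to confirm nothing still points at login.microsoftonline.com; a token issuer that no longer matches the value your API validates against is the usual symptom when the token-issuer reference was forgotten.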

Microsoft Authentication Library (MSAL)

ValidateAuthority property

If you're using MSAL.NET v2 or earlier, set the ValidateAuthority property to false on client instantiation to allow redirects to b2clogin.com. This setting is not required for MSAL.NET v3 and above.

ConfidentialClientApplication client = new ConfidentialClientApplication(...); // Can also be PublicClientApplication
client.ValidateAuthority = false; // MSAL.NET v2 and earlier only; not required in v3 and above

If you're using MSAL for JavaScript:

this.clientApplication = new UserAgentApplication(
  env.auth.clientId,
  env.auth.loginAuthority,
  this.authCallback.bind(this),
  {
    validateAuthority: false
  }
);