Set redirect URLs to for Azure Active Directory B2C

When you set up an identity provider for sign-up and sign-in in your Azure Active Directory B2C (Azure AD B2C) application, you need to specify a redirect URL. You should no longer reference in your applications and APIs. Instead, use for all new applications, and migrate existing applications from to

Benefits of

When you use as your redirect URL:

  • Space consumed in the cookie header by Microsoft services is reduced.
  • Your redirect URLs no longer need to include a reference to Microsoft.
  • JavaScript client-side code is supported (currently in preview) in customized pages. Due to security restrictions, JavaScript code and HTML form elements are removed from custom pages if you use

Overview of required changes

There are several modifications you might need to make to migrate your applications to

  • Change the redirect URL in your identity provider's applications to reference
  • Update your Azure AD B2C applications to use in their user flow and token endpoint references.
  • Update any Allowed Origins that you've defined in the CORS settings for user interface customization.

Change identity provider redirect URLs

On each identity provider's website in which you've created an application, change all trusted URLs to redirect to instead of

There are two formats you can use for your redirect URLs. The first provides the benefit of not having "Microsoft" appear anywhere in the URL by using the Tenant ID (a GUID) in place of your tenant domain name:


The second option uses your tenant domain name in the form of For example:


For both formats:

  • Replace {your-tenant-name} with the name of your Azure AD B2C tenant.
  • Remove /te if it exists in the URL.
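The rewrite described above can be checked mechanically across a list of configured redirect URLs or CORS origins. The following is an added example, not code from the original page: the function names, both `.example` host names and the sample paths in the comments are constructed placeholders, so pass in the host you are migrating from and the host you are migrating to.

```javascript
// Added example. Both host names are constructed placeholders.
const LEGACY_HOST = "legacy-login.example";
const TARGET_HOST = "new-login.example";

// Classify one configured URL. When it still points at the legacy host,
// propose the migrated form: host swapped and a leading "/te" segment removed.
function auditRedirectUrl(raw, legacyHost = LEGACY_HOST, targetHost = TARGET_HOST) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { raw, status: "invalid", proposed: null };
  }
  // Compare the parsed host exactly. A substring test on the raw string
  // would also match look-alikes such as "legacy-login.example.other.example".
  const host = url.hostname.toLowerCase();
  if (host === targetHost) {
    return { raw, status: "ok", proposed: null };
  }
  if (host !== legacyHost) {
    return { raw, status: "unknown-host", proposed: null };
  }
  // Drop "/te" only when it is the whole first path segment, so a path
  // that merely starts with those letters (e.g. "/tenant-a") is untouched.
  const segments = url.pathname.split("/").filter(Boolean);
  if (segments[0] === "te") segments.shift();
  url.hostname = targetHost;
  url.pathname = "/" + segments.join("/");
  return { raw, status: "migrate", proposed: url.toString() };
}

// Audit a whole list, e.g. every trusted URL registered with an identity
// provider plus every Allowed Origin in the CORS settings.
function auditAll(urls, legacyHost, targetHost) {
  return urls.map((u) => auditRedirectUrl(u, legacyHost, targetHost));
}
```

Any entry reported as `unknown-host` or `invalid` should be reviewed by hand rather than rewritten automatically.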

Update your applications and APIs

The code in your Azure AD B2C-enabled applications and APIs may refer to in several places. For example, your code might have references to user flows and token endpoints. Update the following to instead reference

  • Authorization endpoint
  • Token endpoint
  • Token issuer

For example, the authority endpoint for Contoso's sign-up/sign-in policy would now be:

Microsoft Authentication Library (MSAL)

ValidateAuthority property

If you're using MSAL.NET v2 or earlier, set the ValidateAuthority property to false on client instantiation to allow redirects to This setting is not required for MSAL.NET v3 and above.

ConfidentialClientApplication client = new ConfidentialClientApplication(...); // Can also be PublicClientApplication
client.ValidateAuthority = false; // MSAL.NET v2 and earlier **ONLY**

If you're using MSAL for JavaScript:

this.clientApplication = new UserAgentApplication(
    clientId, authority, tokenReceivedCallback, // placeholders for your app's own values
    { validateAuthority: false }
);