Power Pages custom domain login failure with Azure Front Door

Posted by Microsoft Employee

I am trying to configure a custom subdomain for a Power Pages portal using Azure Front Door as the entry point. The goal is to access the portal through the custom domain while using Azure Front Door managed TLS to avoid manual SSL certificate management.

Setup
  • Power Pages site currently uses the default URL: https://<portal>.powerappsportals.com
  • A custom subdomain has been created to access the portal.
  • Traffic is routed through Azure Front Door.
  • Azure Front Door uses the Power Pages default domain as the origin.
  • AFD managed TLS certificate is enabled for the custom domain.
Configuration Completed
So far the following steps have been completed:
  • Created an Azure Front Door profile
  • Added the Power Pages default domain as the origin
  • Configured origin group and routing rules
  • Added the custom domain in Azure Front Door
  • Verified domain ownership using the TXT record provided by Azure
  • Added the TXT record in the DNS provider
  • Added a CNAME record pointing the subdomain to the Front Door endpoint
  • Enabled Front Door managed TLS certificate
  • Verified DNS resolution using nslookup (the subdomain resolves correctly to the Front Door endpoint)
Issue
When accessing the custom domain URL, the request successfully routes through Azure Front Door and the site loads.
Since the website is private, it redirects to Microsoft Entra ID authentication.

During the login process an intermediate authentication URL appears similar to:
https://login.microsoftonline.com/<tenant-id>/oauth2/authorize?...&redirect_uri=https://<powerpages-default-domain>/

After authentication, the portal redirects to:
https://<portal>.powerappsportals.com/Account/Login/ExternalAuthenticationFailed

Instead, the expected behavior would be for the login flow to return to something like:
https://<custom-domain>/SignIn?ReturnUrl=%2F

Additional Context
I initially raised this question in the Azure Front Door support forum. The Azure team reviewed the configuration and indicated that there does not appear to be an issue with the Azure Front Door configuration.

They suggested that the custom domain must also be recognized by Power Pages so that the portal generates the correct URLs during authentication.

However, when attempting to configure the custom domain in Power Platform Admin Center → Power Pages site → Connect custom domain, the portal requires uploading an SSL certificate manually (screenshot attached).

My intention in introducing Azure Front Door was to avoid manual certificate management by using Azure Front Door managed TLS, which automatically handles certificate issuance and renewal.

Questions
I would appreciate clarification on the following points:
  1. Is it mandatory to configure the custom domain directly inside Power Pages even when Azure Front Door is used as the entry point?
  2. If the domain must be added in Power Pages using Connect custom domain, does this always require uploading a separate SSL certificate, even when Azure Front Door already has a managed TLS certificate for the same domain (does that mean two SSL certificates for the same domain - one uploaded in Power Pages and one managed by Front Door)?
  3. Is there any supported architecture where Power Pages can rely on the Azure Front Door managed TLS certificate, rather than requiring manual certificate upload in Power Pages?
  4. If configuring the domain inside Power Pages is not required, what configuration would typically resolve the ExternalAuthenticationFailed issue where authentication redirects back to the default powerappsportals.com domain?

The goal is to successfully access the Power Pages site through the custom domain behind Azure Front Door, while ensuring authentication works correctly and certificate management can remain automated.

Any guidance on the recommended approach for this architecture would be greatly appreciated.

 
Screenshot 2026-03-09 214703.png
  • Suggested answer
    Jerald Felix (Super User 2026 Season 1)
    Hello  
     
    Thanks for raising this question in the Power Platform Community forum.
     
    Your analysis is completely correct and your Azure Front Door configuration itself has no issues — the ExternalAuthenticationFailed error and the wrong redirect_uri are caused by a fundamental requirement of Power Pages that you cannot bypass. Here is a clear answer to each of your four questions followed by the recommended architecture.
     
    Answer to Question 1: Yes, the custom domain MUST be configured in Power Pages
    Power Pages generates all authentication URLs — including the redirect_uri sent to Microsoft Entra ID — based on the hostname that Power Pages itself recognizes as valid for the portal. If the custom domain is only configured in Azure Front Door but not in Power Pages, the portal will always use the default *.powerappsportals.com domain in its OAuth redirect, regardless of what domain the user accessed. This is why your login flow redirects back to the default domain. There is no workaround for this — Power Pages must be told about the custom domain directly.
     
    Answer to Question 2: Yes, Power Pages requires its own certificate, but it can be a free auto-managed one
    When you add a custom domain in Power Platform Admin Center → Power Pages site → Connect custom domain, Power Pages does require an SSL certificate bound to that domain. However, this is separate and independent from the Azure Front Door managed TLS certificate — you will effectively have two certificates for the same domain. The good news is that Power Pages will attempt to automatically generate and bind a free SSL certificate for the custom domain during the "Connect custom domain" wizard. In many cases, no manual upload is needed — the auto-bind succeeds without you uploading a PFX. If it fails, you have options (see below).
     
    Answer to Question 3: No direct relay of AFD certificate to Power Pages, but automation is possible
    There is no supported architecture where Power Pages uses the Azure Front Door managed TLS certificate directly. They are separate TLS termination points. However, you can achieve full certificate automation using one of these approaches:
    • Azure Key Vault + automated renewal — store a certificate in Azure Key Vault with auto-renewal policy, reference it from both Azure Front Door and Power Pages custom domain
    • Let's Encrypt automation — use a CI/CD pipeline (GitHub Actions or Azure DevOps) to renew Let's Encrypt certificates and automatically upload them to Power Pages via Power Platform CLI
     
    Answer to Question 4: Configuring the domain in Power Pages IS required
    There is no configuration that resolves ExternalAuthenticationFailed without adding the custom domain to Power Pages. The fix must include Power Pages recognizing the custom hostname.
    Complete Working Architecture
     
    Follow these exact steps in this order:
    Step 1 — Temporarily point CNAME directly to Power Pages (required for validation)
    During the Power Pages custom domain setup, the CNAME must point directly to the Power Pages default domain (not to Azure Front Door) because Power Pages validates ownership by checking DNS:
    subdomain.yourdomain.com → CNAME → yourportal.powerappsportals.com

    Step 2 — Add and validate the custom domain in Power Pages
    Go to Power Platform Admin Center → your Power Pages site → Custom domains → Add domain:
    • Enter your custom subdomain
    • Power Pages will verify the CNAME record
    • Allow Power Pages to auto-generate and bind the SSL certificate (wait 5–10 minutes)
    • If auto-bind fails, upload a PFX certificate for the domain manually
     
    Step 3 — Switch CNAME to Azure Front Door endpoint (after Power Pages validation)
    Once the custom domain is successfully registered in Power Pages, update your DNS CNAME to point to Front Door:
    subdomain.yourdomain.com → CNAME → yourprofile.azurefd.net

    Step 4 — Update App Registration redirect URIs
    In Microsoft Entra ID → App Registrations → your app → Authentication → Redirect URIs, add:

    https://subdomain.yourdomain.com/signin-oidc
    https://subdomain.yourdomain.com/Account/Login/ExternalLoginCallback

    Step 5 — Verify Power Pages site settings
    In Power Pages Management → Site Settings, verify:
    Authentication/OpenIdConnect/Primary/RedirectUri = https://subdomain.yourdomain.com/signin-oidc

    After completing all steps, your flow will work as expected:

    User → subdomain.yourdomain.com → Azure Front Door (TLS termination + WAF) → 
    Power Pages (origin, recognizes custom domain) → Entra ID login → 
    redirect_uri = https://subdomain.yourdomain.com ✓

    If it helps, kindly accept the answer.
     
    Best Regards,
    Jerald Felix
  • CU11030550-0

    Hello @Jerald Felix,

    Thank you for the detailed explanation, it really helped clarify the overall architecture and why the issue is occurring.

    I am currently trying to follow Step 2 (Add and validate the custom domain in Power Pages), but I’m facing some confusion with the UI and would appreciate your guidance here.

    In Power Platform Admin Center → Power Pages site, I do not see an option like “Custom domains → Add domain” as mentioned. Instead, the only option available to me is “Connect custom domain” (Screenshot attached for the same).

    When I select this option, the very first step requires me to upload an SSL certificate (PFX). Only after uploading the certificate does it allow me to proceed to the next step where I can enter the hostname.

    Because of this, I am unable to reach a stage where Power Pages can:

    • Validate the CNAME first, or
    • Automatically generate and bind the SSL certificate

    This seems different from the flow you described where auto SSL binding happens without manual upload.

    Could you please help clarify:

    1. Am I looking at the correct place for adding the custom domain in Power Pages?
    2. Is there a different UI or flow where “Add domain” appears before certificate upload?
    3. At what exact step does the automatic SSL certificate binding happen in Power Pages?
    4. Is this behavior because my site is configured as a private Power Pages site?
    5. If possible, could you share a screenshot or reference of the expected UI for this step?

    At the moment, I am blocked because the portal requires a manual certificate upload upfront, and I’m unable to proceed further to complete the domain validation step.

    Thanks again for your help; I really appreciate your guidance on this.

    Screenshot 2026-03-09 214703.png
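
A diagnostic for the symptom described in the question, added here as an example (not code from the thread or from Microsoft): it parses a captured Entra ID authorize URL and reports when `redirect_uri` names a host other than the custom domain, or a URI that is not in the app registration list. Host names, GUIDs and function names are constructed; the callback paths are the ones listed in the suggested answer.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# All values below are constructed for illustration.
CUSTOM_HOST = "portal.example.com"
DEFAULT_HOST = "contoso.powerappsportals.com"
# Callback paths as listed in the suggested answer, on the custom host.
REGISTERED = [
    f"https://{CUSTOM_HOST}/signin-oidc",
    f"https://{CUSTOM_HOST}/Account/Login/ExternalLoginCallback",
]

def sample_authorize_url(redirect_uri):
    """Build a constructed authorize URL shaped like the one in the question."""
    base = ("https://login.microsoftonline.com/"
            "00000000-0000-0000-0000-000000000000/oauth2/authorize")
    params = {"client_id": "11111111-1111-1111-1111-111111111111",
              "response_type": "code id_token",
              "redirect_uri": redirect_uri}
    return base + "?" + urlencode(params)

def check_login_redirect(authorize_url, custom_host, registered_uris):
    """Return findings (empty list = consistent) for one captured authorize URL."""
    values = parse_qs(urlsplit(authorize_url).query).get("redirect_uri", [])
    if len(values) != 1:
        return [f"expected exactly one redirect_uri, found {len(values)}"]
    redirect_uri = values[0]            # parse_qs has already percent-decoded it
    parts = urlsplit(redirect_uri)
    host = parts.hostname or ""         # urlsplit lower-cases the hostname
    findings = []
    if parts.scheme != "https":
        findings.append(f"scheme is {parts.scheme!r}, expected https")
    if host != custom_host.lower():
        findings.append(f"host {host!r} is not the custom domain {custom_host!r}; "
                        "the portal built the callback for a different hostname")
    # Compared as an exact string: no case folding or trailing-slash tolerance.
    if redirect_uri not in registered_uris:
        findings.append("redirect_uri is not in the app registration list")
    return findings

if __name__ == "__main__":
    for uri in (f"https://{DEFAULT_HOST}/", REGISTERED[0]):
        url = sample_authorize_url(uri)
        print(uri, "->", check_login_redirect(url, CUSTOM_HOST, REGISTERED) or "OK")
```

Run it against the authorize URL copied from the browser's address bar or network trace during sign-in, before and after each DNS or site-setting change.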
