I am trying to configure a custom subdomain for a Power Pages portal using Azure Front Door as the entry point. The goal is to access the portal through the custom domain while using Azure Front Door managed TLS to avoid manual SSL certificate management.
- Power Pages site currently uses the default URL: https://<portal>.powerappsportals.com
- A custom subdomain has been created to access the portal.
- Traffic is routed through Azure Front Door.
- Azure Front Door uses the Power Pages default domain as the origin.
- AFD managed TLS certificate is enabled for the custom domain.
So far the following steps have been completed:
- Created an Azure Front Door profile
- Added the Power Pages default domain as the origin
- Configured origin group and routing rules
- Added the custom domain in Azure Front Door
- Verified domain ownership using the TXT record provided by Azure
- Added the TXT record in the DNS provider
- Added a CNAME record pointing the subdomain to the Front Door endpoint
- Enabled Front Door managed TLS certificate
- Verified DNS resolution using nslookup (the subdomain resolves correctly to the Front Door endpoint)
When accessing the custom domain URL, the request successfully routes through Azure Front Door and the site loads.
Since the website is private, it redirects to Microsoft Entra ID authentication.
During the login process an intermediate authentication URL appears similar to:
https://login.microsoftonline.com/<tenant-id>/oauth2/authorize?...&redirect_uri=https://<powerpages-default-domain>/
After authentication, the portal redirects to:
https://<portal>.powerappsportals.com/Account/Login/ExternalAuthenticationFailed
Instead, the expected behavior would be for the login flow to return to something like:
https://<custom-domain>/SignIn?ReturnUrl=%2F
Additional Context
I initially raised this question in the Azure Front Door support forum. The Azure team reviewed the configuration and indicated that there does not appear to be an issue with the Azure Front Door configuration.
They suggested that the custom domain must also be recognized by Power Pages so that the portal generates the correct URLs during authentication.
However, when attempting to configure the custom domain in Power Platform Admin Center → Power Pages site → Connect custom domain, the portal requires uploading an SSL certificate manually (screenshot attached).
My intention in introducing Azure Front Door was to avoid manual certificate management by using Azure Front Door managed TLS, which automatically handles certificate issuance and renewal.
Questions
- Is it mandatory to configure the custom domain directly inside Power Pages even when Azure Front Door is used as the entry point?
- If the domain must be added in Power Pages using Connect custom domain, does this always require uploading a separate SSL certificate, even when Azure Front Door already has a managed TLS certificate for the same domain (does that mean two SSL certificates for the same domain - one uploaded in Power Pages and one managed by Front Door)?
- Is there any supported architecture where Power Pages can rely on the Azure Front Door managed TLS certificate, rather than requiring manual certificate upload in Power Pages?
- If configuring the domain inside Power Pages is not required, what configuration would typically resolve the ExternalAuthenticationFailed issue where authentication redirects back to the default powerappsportals.com domain?
The goal is to successfully access the Power Pages site through the custom domain behind Azure Front Door, while ensuring authentication works correctly and certificate management can remain automated.
Any guidance on the recommended approach for this architecture would be greatly appreciated.
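
The redirect behaviour described in the post can be checked mechanically from a captured redirect chain. The following is an added example, not part of the original post: it flags every hop where the flow leaves the custom domain, including the host carried in the authorize request's redirect_uri. The host names, tenant GUID, query parameters other than redirect_uri, and the `audit_chain` helper are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed value standing in for the <custom-domain> placeholder in the post.
CUSTOM_HOST = "portal.contoso.example"
IDP_HOSTS = {"login.microsoftonline.com"}

# Constructed redirect chain shaped like the flow the post describes
# (e.g. copied hop by hop from the browser's network trace).
SAMPLE_CHAIN = [
    "https://portal.contoso.example/",
    "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000"
    "/oauth2/authorize?client_id=constructed"
    "&redirect_uri=https%3A%2F%2Fcontoso.powerappsportals.com%2F",
    "https://contoso.powerappsportals.com/Account/Login/ExternalAuthenticationFailed",
]


def audit_chain(urls, custom_host, idp_hosts=IDP_HOSTS):
    """Return (hop index, finding, host) for each hop that leaves custom_host."""
    findings = []
    for i, url in enumerate(urls):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host in idp_hosts:
            # The identity provider sends the browser back to redirect_uri,
            # so that value decides which domain the user lands on.
            values = parse_qs(parts.query).get("redirect_uri", [])
            if not values:
                findings.append((i, "missing_redirect_uri", host))
                continue
            back = (urlsplit(values[0]).hostname or "").lower()
            if back != custom_host:
                findings.append((i, "redirect_uri_host_mismatch", back))
        elif host != custom_host:
            findings.append((i, "left_custom_domain", host))
    return findings


if __name__ == "__main__":
    for hop, kind, host in audit_chain(SAMPLE_CHAIN, CUSTOM_HOST):
        print(f"hop {hop}: {kind} -> {host}")
```

An empty result means every hop, and the redirect_uri sent to the identity provider, stayed on the custom domain.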

