How are verified publisher domain and OAuth reply URLs related?

Nikolay Belaevski 26 Reputation points
2020-07-16T06:05:52.67+00:00

Hello,

We are setting up an application to be able to use modern (OAuth-based) authentication, and today I realized that we can configure a redirect/reply URL that does NOT belong to the verified publisher domain for the application. If I'm reading this right, there should be such enforcement in place, however for some reason it's not working for my application.

Here is how the publisher domain and configured redirect URLs look:

[screenshot: sign-in-to-your-account.png]

Note that the publisher domain name and the redirect URL domains are different, though they share the same higher-level domain. I've masked a portion of the publisher domain for security. Is this really expected to work, or am I missing something here? Thanks


Accepted answer
  1. AmanpreetSingh-MSFT 56,561 Reputation points
    2020-07-16T08:13:25.777+00:00

    Hello @NikolayBelaevski-3026

    In the document that you are referring to, it is not mentioned that the publisher domain name and the redirect/reply URL domains cannot be different. The restrictions that you are referring to are with respect to multiple Reply URLs in the same app.

    Just to clarify the confusion:

    If the publisher domain on a multi-tenant app is null, you cannot add Reply URLs with different top-level domains, such as:

     https://contoso.com
     https://fabrikam.com
    

    You can NOT register the below Reply URLs to the same application, as they share a common root (contoso.com):

     https://app1.contoso.com
     https://app2.contoso.com
    

    But if you add contoso.com as the verified publisher domain, you can add these Reply URLs to the same app. If you don't want to add contoso.com as the verified publisher domain, you would need to add a third reply URL with the value https://contoso.com. This will allow you to have https://app1.contoso.com and https://app2.contoso.com registered as reply URLs for the same app.

    Moreover, the Reply URL specifies the URL where the token should be posted after successful authentication. So, if there were a restriction that the reply URL must match the publisher domain, you would not be able to federate with Azure AD those applications which are hosted in domains other than the verified domains in Azure.


    Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.

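The rules in the accepted answer, written out as an added check that is not Microsoft's own validation code: a reply URL set is the allow-list that decides where tokens may be posted, so it helps to be able to state the rule precisely. It assumes that the "root domain" is the last two host labels (a simplification of real registrable-domain logic) and uses the constructed contoso/fabrikam hosts from the answer.

```python
from urllib.parse import urlsplit


def root_domain(host: str) -> str:
    """Return the root domain of a host.

    Assumption: the root is the last two labels (app1.contoso.com -> contoso.com).
    Real registrable-domain logic needs the Public Suffix List; this
    simplification is enough for the contoso/fabrikam cases in the answer.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def validate_reply_urls(reply_urls, publisher_domain=None):
    """Check a set of reply URLs against the rules stated in the answer.

    Returns a list of problem strings; an empty list means the set is allowed.
    Rules modelled:
      1. With no verified publisher domain, all reply URLs must share one root.
      2. A subdomain reply URL is allowed only if its root is the verified
         publisher domain or the root itself is registered as a reply URL.
    """
    problems = []
    hosts = []
    for url in reply_urls:
        host = urlsplit(url).hostname
        if not host:
            problems.append(f"{url}: not an absolute URL with a host")
            continue
        hosts.append(host.lower())

    roots = {root_domain(h) for h in hosts}
    if publisher_domain is None and len(roots) > 1:
        problems.append(
            f"no verified publisher domain, but reply URLs span several roots: {sorted(roots)}")

    publisher = publisher_domain.lower() if publisher_domain else None
    for host in hosts:
        root = root_domain(host)
        if host == root:
            continue  # the root domain itself is always acceptable
        if root == publisher or root in hosts:
            continue  # covered by the publisher domain or an explicit root reply URL
        problems.append(
            f"{host}: subdomain of {root}, which is neither the verified publisher "
            f"domain nor registered as a reply URL")
    return problems


if __name__ == "__main__":
    # Constructed inputs mirroring the answer's app1/app2 example.
    urls = ["https://app1.contoso.com", "https://app2.contoso.com"]
    print(validate_reply_urls(urls))
    print(validate_reply_urls(urls, publisher_domain="contoso.com"))
```

Adding `https://contoso.com` to the list has the same effect as setting the publisher domain, which is the "register the root domain" option the answer describes.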

1 additional answer

  1. Nikolay Belaevski 26 Reputation points
    2020-07-16T15:50:20.017+00:00

    @soumi-MSFT @amanpreetsingh-msft thank you much, I appreciate this!

    I think I got confused by this sentence specifically: "Subdomains are allowed, but you must explicitly register the root domain". I was not completely sure what registration means here, but because it's part of the document describing publisher domain configuration, I thought that the root domain has to be the publisher domain as well; I didn't realize it can simply be a root domain URL.

