I have an Angular app that supports Azure AD authentication via a spring security backend. It supports anonymous (non-tenant) access but no other authentication methods.
On load, if there is no existing session, the app attempts to automatically sign in via Azure AD by performing a full page redirect to the backend's Azure endpoint (which redirects to Microsoft) which redirects back to the app when successful.
This all works fine and flows well for users that have existing accounts. However, for non-tenant users who are unfamiliar with the app, it might be a bit confusing to get redirected to a sign-in page when they don't have an account, and it's not very intuitive how to proceed.
My question is if it's possible to 'wrap' the Azure AD sign-in page with some branding / messaging (e.g. similar to an embedded iframe), or to add an extra step at the beginning of the process. Alternatively, is there a way to detect if the user is a non-tenant user in advance of performing a redirect? This way I can explain what the scary sign-in screen means (or avoid it completely).
I have already tried to use an iframe for the Azure endpoint (seems to be blocked due to Microsoft security policy), and to use a popup window (blocked on the client since it's not invoked via user action).
I should mention that I am not using Microsoft's Azure AD JS library currently but no issue in adding it.
Appreciate any help!
My question is if it's possible to 'wrap' the Azure AD sign-in page with some branding / messaging (e.g. similar to an embedded iframe), or to add an extra step at the beginning of the process.
Yes, it is possible to customize the Azure sign-in page with some branding/messaging by adding your organization logo and custom colour schemes to your Azure AD sign-in page. These sign-in pages will appear when users sign in to your organization's registered applications in which Azure AD is defined as the IdP. The custom branding you configure for the Azure AD sign-in page will take 15 minutes or more to appear when users sign in.
Kindly note that the sign-in page branding does not apply to personal Microsoft accounts or personal-account sign-in.
To configure the branding for your Azure AD sign-in page, kindly refer to this MICROSOFT DOCUMENTATION for implementation.
Also, for guidelines on adding branding to Azure AD apps, kindly refer to this MICROSOFT DOCUMENTATION.
Alternatively, is there a way to detect if the user is a non-tenant user in advance of performing a redirect?
Yes, there is a way to know if a user is non-tenant or not by configuring the home realm discovery mechanism. Home realm discovery is an authentication behaviour for federated users that use HRD policy. It uses auto-acceleration to skip the user name entry screen and automatically forward the users to Azure AD application endpoints. Thus, to configure HRD policy for your Azure AD tenant, kindly refer to this MICROSOFT DOCUMENTATION for implementation. Also, to prompt the user to log in to your tenant using your tenant-specific user name, you can add the login_hint parameter to the authorization code authentication request.
For details about the login_hint parameter in the authentication request, kindly refer to this MICROSOFT DOCUMENTATION.
For more information, please refer to this SO THREAD.
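The "extra step" and login_hint approach from the answer, as an added example that is not code from the question or the answer: the app asks for an e-mail address first, classifies its domain against an assumed list of the tenant's verified domains, and only for tenant users builds an Azure AD authorize request carrying login_hint and domain_hint; non-tenant users get an explanatory message instead of a blind redirect. The tenant id, client id, redirect URI and domain list are placeholders, and it assumes the frontend builds the authorize URL itself rather than the Spring backend.

```javascript
// Added example, not part of the original question or answer.
// All identifiers below are placeholders / assumptions.
const TENANT_ID = "00000000-0000-0000-0000-000000000000";          // placeholder tenant id
const CLIENT_ID = "11111111-1111-1111-1111-111111111111";          // placeholder app registration id
const REDIRECT_URI = "https://app.example.com/login/oauth2/code/azure"; // assumed callback URI
const TENANT_DOMAINS = ["contoso.com", "contoso.onmicrosoft.com"]; // assumed verified domains

// Returns the lower-cased domain part of an e-mail address, or null if malformed.
function extractDomain(email) {
  const m = /^[^@\s]+@([^@\s]+)$/.exec(String(email).trim());
  return m ? m[1].toLowerCase() : null;
}

// Pre-redirect check: is this address one the tenant could possibly sign in?
// (Only a domain check; whether the account exists is still decided by Azure AD.)
function classifyUser(email) {
  const domain = extractDomain(email);
  if (!domain) return "invalid";
  return TENANT_DOMAINS.includes(domain) ? "tenant" : "non-tenant";
}

// Builds the v2.0 authorize URL. login_hint pre-fills the username screen and
// domain_hint accelerates home realm discovery to the tenant's identity provider.
// `state` is the anti-CSRF value the app must generate and verify on the callback.
function buildAuthorizeUrl(email, state) {
  const params = new URLSearchParams({
    client_id: CLIENT_ID,
    response_type: "code",
    redirect_uri: REDIRECT_URI,
    response_mode: "query",
    scope: "openid profile email",
    state,
    login_hint: String(email).trim(),
    domain_hint: extractDomain(email),
  });
  return `https://login.microsoftonline.com/${TENANT_ID}/oauth2/v2.0/authorize?${params}`;
}

// Decides what the Angular shell should do after the e-mail pre-step.
function decideNextStep(email, state) {
  const kind = classifyUser(email);
  if (kind === "tenant") {
    return { action: "redirect", url: buildAuthorizeUrl(email, state) };
  }
  if (kind === "non-tenant") {
    return { action: "explain", message: "This app uses your organization's Azure AD account. " +
      "Your address is not from a known organization domain; continue as a guest instead." };
  }
  return { action: "reprompt", message: "Please enter a valid e-mail address." };
}
```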