
Custom Branding for Login on an Azure AD Multi-Tenant App

Question: How can I custom brand my Azure AD application login page? (note: NOT my org's login page; see below)

I have a web application hosted in Azure where users can log in using accounts that are created and managed within the application. Since my application is used by many big organizations, I have added the capability for customers to also sign in using their account that's managed by their organization (single sign-on). This was done using Azure Active Directory, which syncs the local AD accounts into Azure where cloud authentication occurs. Since this application is used by many organizations all with their own separate ADs, I created the Active Directory application within Azure as multi-tenanted. With all of this done, the new login process works perfectly; however, I can't figure out how to brand the Microsoft-hosted application sign-in page.

Please keep in mind the distinction between the application login page and the organization's tenant login page. There is ample documentation about how to brand the organization's tenant login page, but not the application login page. Consider the application flow to understand the difference:

  1. User goes to my app's login page, and chooses "Login with your existing organization account".


  2. The user is redirected to a Microsoft-hosted login page for my application. At this point, Microsoft/Azure AD only knows which application this is for; it doesn't yet know who is logging in or which tenant (organization) they belong to. This is the login page I need help branding (logo & page background).


  3. After the user enters their email address (and even before they enter their password), the user is redirected to a different login page: the login page for the user's organization (i.e. their tenant). This page shows that organization's custom branding if it was set up. This is not the login page I wish to brand; it is my customer's responsibility to brand their org if they desire.


  4. After the user enters their password on their organization's login page, the user submits the form. Azure then successfully authenticates them and redirects them back to my application where they are now authenticated as well.

NOTE: this should be possible as you can see Microsoft is doing it on all of their cloud apps as well (Office 365, Visual Studio, Azure Portal)


NOTE: this question was asked over 3 years ago, but only 1 misdirected answer was given, and Azure and Azure AD have changed drastically since then. See: Azure Active Directory Custom Branded login page dont work with third party application. Also, the Microsoft documentation only covers the branding of the tenant login page, not the application login page like I am seeking. See: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-add-company-branding.

What you observe is only possible for Microsoft-owned applications. The customers can only brand their organisation login page. What you can do, however, is to redirect the user to your org login page. Then the first thing the user will see is your company branding. After they enter their login name, they may see their custom org login page (if the organisation has customized the login experience). If such a feature (per-app custom login page) is something worth looking at, you can create a feature request on the UserVoice site - http://mygreatwindowsazureidea.com/

Just as a note - per app custom login page is today only possible on Azure AD B2C via custom policy implementation.
