Is it possible to customise Azure AD login error messages?

We have a Drupal site setup to login with Azure AD via a third party OpenID connect module. This is linked to an Azure AD app registration in single tenant mode. When a user visits the site whilst logged-in to an account that isn't in our tenant, they see an error message similar to this:

Message:AADSTS50020: User account '[email protected]' from identity provider 'https://sts.windows.net/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/' does not exist in tenant 'TENANT NAME' and cannot access the application 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX'(SITE NAME) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

This message is completely incomprehensible to most of our users. I'd like to change it to something more meaningful such as

Please login with an INSTITUTION NAME account to access this site e.g.: [email protected]

Is this something that can be configured within the Azure AD app registration? Or elsewhere in our tenancy configuration?



Solution 1:[1]

In the case of Azure AD B2C you can create a custom error page using a technical profile based on localization or a custom policy error page. But in the case of regular Azure AD (B2B), there is no way to specify custom error messages or error pages.

If there is any case where the error message is passed back to your application, there may be a possibility to deal with it, as you can configure it through code as required, but there isn't any guidance regarding errors passed to the backend.
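The answer's fallback, handling the error in application code, looks like the following. This is an added example, not code from the question, the answer or any Drupal OpenID Connect module (a Drupal site would do the equivalent in the module's PHP callback handler). It assumes Azure AD returns the failure to the application's redirect_uri as a standard OAuth 2.0 error response (`error`, `error_description` and `state` query parameters) and that the AADSTS code appears at the start of `error_description`, as in the message quoted in the question. The callback URL, `state` value, OAuth `error` name, institution name and example address are all constructed placeholders. The security point it adds: anyone can craft a link to the redirect_uri, so the handler checks `state` before trusting the error and never renders the raw `error_description`, only a message chosen by AADSTS code.

```python
"""Map an Azure AD OpenID Connect error callback to a user-facing message.

Added example; not part of the original question, the answer or any Drupal
module. Assumes the OAuth 2.0 error-response shape (RFC 6749 section 4.1.2.1)
on the redirect_uri: error, error_description, state.
"""
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical institution details used in the friendly text.
INSTITUTION = "INSTITUTION NAME"
EXAMPLE_ACCOUNT = "firstname.lastname@institution.example"

# Friendly text keyed by AADSTS code. Only listed codes are translated;
# everything else gets GENERIC, so raw Azure AD text is never shown to users.
FRIENDLY = {
    "50020": (f"Please log in with an {INSTITUTION} account to access this "
              f"site, e.g. {EXAMPLE_ACCOUNT}."),
}
GENERIC = "Sign-in failed. Please try again or contact the service desk."

# AADSTS codes are numeric and lead the description, e.g. "AADSTS50020: ...".
AADSTS_RE = re.compile(r"\bAADSTS(\d{4,6})\b")


def aadsts_code(error_description):
    """Return the AADSTS code found in error_description as a string, or None."""
    m = AADSTS_RE.search(error_description or "")
    return m.group(1) if m else None


def handle_callback(callback_url, expected_state):
    """Return (user_message, log_record) for a hit on the redirect_uri.

    user_message is safe to render (None means no error was reported and the
    normal authorization-code exchange should continue). log_record keeps the
    raw details for operators; error_description never reaches the page.
    """
    qs = parse_qs(urlsplit(callback_url).query)
    state = qs.get("state", [""])[0]
    error = qs.get("error", [""])[0]
    desc = qs.get("error_description", [""])[0]

    # Bind the callback to the login attempt this browser actually started.
    # Without this, a crafted link could make the site display attacker-chosen
    # or misleading error text. compare_digest avoids a timing side channel.
    if not hmac.compare_digest(state, expected_state):
        return GENERIC, {"event": "oidc_callback_state_mismatch"}

    if not error:
        return None, {"event": "oidc_callback_no_error"}

    code = aadsts_code(desc)
    return FRIENDLY.get(code, GENERIC), {
        "event": "oidc_error",
        "error": error,
        "aadsts": code,
        "description": desc,
    }


# Constructed sample callback modelled on the AADSTS50020 text in the question.
# The OAuth error name and state value are assumptions, not captured traffic.
SAMPLE_STATE = "c5b9f1"
SAMPLE_CALLBACK = "https://site.example/openid-connect/windows_aad?" + urlencode({
    "error": "invalid_request",
    "error_description": (
        "AADSTS50020: User account 'guest@other.example' from identity provider "
        "'https://sts.windows.net/00000000-0000-0000-0000-000000000000/' does not "
        "exist in tenant 'TENANT NAME' and cannot access the application "
        "'00000000-0000-0000-0000-000000000000'(SITE NAME) in that tenant."
    ),
    "state": SAMPLE_STATE,
})

if __name__ == "__main__":
    message, record = handle_callback(SAMPLE_CALLBACK, SAMPLE_STATE)
    print("user sees:", message)
    print("operators log:", record)
```

The `FRIENDLY` table is the only place institution-specific wording lives, so adding another AADSTS code is a one-line change. Keep logging the raw `error_description` server-side: it is what you need to diagnose misconfigured app registrations, it just should not be the text the browser renders.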

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 kavyasaraboju-MT