Quick Start: Set Up a Custom Domain
Replace the default *.azurecontainerapps.io hostname with your own domain (for example, app.contoso.com) and update the StratoLens settings that depend on it.
What this guide covers
Binding the custom domain and certificate to the Container App is a standard Azure step — we won't repeat it here. Use Microsoft's docs for that part:
- Free managed certificate (recommended) — Azure issues and renews the cert for you.
- Bring your own certificate — if you already have one or need a wildcard / EV cert.
Once Microsoft's steps are complete, the Custom domains blade on your Container App should show your hostname bound with a valid certificate:
With the domain bound, StratoLens needs four updates so authentication and email links use the new hostname:
- Add the new URL to the main App Registration (SPA redirect URIs).
- Add the new email callback URL to the Notifications App Registration (Web redirect URIs).
- Update WEBSITE_HOSTNAME on the StratoLens Container App.
- Update WEBSITE_HOSTNAME on the StratoLens Container App Job.
Keep the original URL during cutover
Don't remove the original *.azurecontainerapps.io redirect URI right away. Leaving it in place gives you a working fallback if anything goes wrong during the switch.
1. Add the new URL to the main App Registration
In the Azure Portal, go to Microsoft Entra ID → App registrations. Switch the filter at the top to All applications and search for StratoLens — you should see two app registrations:
- StratoLens — the main app registration (used in this step).
- StratoLens Notifications — the email-sending app registration (used in step 2).
Open the StratoLens app registration. Then:
- Click Authentication in the left sidebar.
- Find the Single-page application row and click Edit.
- In the box that appears, add your custom URL on a new line below the existing *.azurecontainerapps.io URI — for example https://app.contoso.com (replace with your domain).
- Click Configure at the bottom right of the page to save.
Leave the existing https://ca-{company}-stratolens.{region}.azurecontainerapps.io entry in place for now.
It must be the SPA section, not Web
The main StratoLens app registration uses the Single-page application redirect type.
2. Add the email callback URL to the Notifications App Registration
Go back to App registrations and open the StratoLens Notifications app registration. Then:
- Click Authentication in the left sidebar.
- Find the Web row (not Single-page application this time) and click Edit.
- In the box that appears, add your custom email callback URL on a new line below the existing *.azurecontainerapps.io/auth/email-callback URI — for example https://app.contoso.com/auth/email-callback (replace with your domain).
- Click Configure at the bottom right of the page to save.
/auth/email-callback URL on the new domain below the existing one.
Web, not SPA — this one's different
The Notifications app registration uses the Web redirect type.
3. Update WEBSITE_HOSTNAME on the Container App
StratoLens reads the WEBSITE_HOSTNAME environment variable to build the auth redirect URI it sends to Microsoft Entra and the "View in StratoLens" deep links in emails. It needs to match your new domain.
In the Azure Portal, open the StratoLens web app — the Container App named ca-{company}-stratolens. Then:
- Click Containers in the left sidebar.
- Click the Environment variables tab.
- Find the WEBSITE_HOSTNAME row and replace its value with your custom hostname — for example app.contoso.com (replace with your domain). Hostname only, no https://.
- Click Save as new revision.
ca-{company}-stratolens → Containers → Environment variables. Replace the value of WEBSITE_HOSTNAME with your custom hostname.
The Container App creates a new revision automatically, which picks up the updated value.
4. Update WEBSITE_HOSTNAME on the Container App Job
Scheduled reports and background notifications are sent by a separate Container App Job named job-{company}-stratolens. It needs the same update so the deep links in scheduled emails point at the new domain.
Open the Container App Job in the Azure Portal. Then:
- Click Containers in the left sidebar.
- Click the container name Scheduler to open its settings.
- Click the Environment variables tab.
- Find the WEBSITE_HOSTNAME row and replace its value with the same hostname you used in step 3 (for example, app.contoso.com).
- Click Save.
- Click Apply at the bottom left of the screen to commit the change to the job.
job-{company}-stratolens → Containers → Environment variables. Match the hostname from step 3.
Don't skip the job
If you only update the Container App, scheduled report emails will keep linking to the old *.azurecontainerapps.io URL. The job runs on its own revision and reads its own environment variables.
5. Verify
Once both revisions are running, confirm the switch worked:
- Sign-in: open https://app.contoso.com in a new browser session and sign in. You should land in StratoLens without a redirect-URI error.
- Email OAuth: go to Settings → Email Notifications, run the OAuth connect flow, and confirm it completes without an AADSTS50011 redirect-mismatch error.
- Email links: trigger a test notification or scheduled report and verify the "View in StratoLens" button in the email points at the new hostname.
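The four settings from steps 1 to 4 have to agree with each other, and a mismatch only shows up later as AADSTS50011 or a stale email link. The check below is an added example, not StratoLens code: it takes data shaped like Microsoft Graph's spa.redirectUris / web.redirectUris and a template containers array, and assumes the redirect URI is https:// plus WEBSITE_HOSTNAME, compared exactly. The names check_cutover, env_value, uris and all sample values are hypothetical.

```python
def env_value(containers, name="WEBSITE_HOSTNAME"):
    """Find an env var in a template 'containers' array (dicts with an 'env' list)."""
    for container in containers:
        for entry in container.get("env", []):
            if entry.get("name") == name:
                return entry.get("value")
    return None

def uris(app, kind):
    """Redirect URIs of one platform type ('spa' or 'web') on an app registration."""
    return app.get(kind, {}).get("redirectUris", [])

def check_cutover(host, main_app, notif_app, app_containers, job_containers):
    """Return a list of problems; an empty list means the four settings agree."""
    problems = []
    site = f"https://{host}"                  # assumption: SPA redirect URI is the site root
    callback = f"{site}/auth/email-callback"  # callback path as given in the guide
    # Exact string comparison: scheme, case and trailing slash all count.
    if site not in uris(main_app, "spa"):
        where = " (listed under Web)" if site in uris(main_app, "web") else ""
        problems.append(f"main app: {site} missing from SPA redirect URIs{where}")
    if callback not in uris(notif_app, "web"):
        where = " (listed under SPA)" if callback in uris(notif_app, "spa") else ""
        problems.append(f"notifications app: {callback} missing from Web redirect URIs{where}")
    for label, containers in (("Container App", app_containers),
                              ("Container App Job", job_containers)):
        value = env_value(containers)
        if value is None:
            problems.append(f"{label}: WEBSITE_HOSTNAME is not set")
        elif "://" in value or "/" in value or value != value.strip():
            problems.append(f"{label}: WEBSITE_HOSTNAME must be hostname only, got {value!r}")
        elif value != host:
            problems.append(f"{label}: WEBSITE_HOSTNAME is {value!r}, expected {host!r}")
    return problems

# Constructed sample data (not taken from a real tenant).
OLD = "https://ca-contoso-stratolens.westus2.azurecontainerapps.io"
HOST = "app.contoso.com"
GOOD = dict(
    main_app={"spa": {"redirectUris": [OLD, f"https://{HOST}"]}},
    notif_app={"web": {"redirectUris": [f"{OLD}/auth/email-callback",
                                        f"https://{HOST}/auth/email-callback"]}},
    app_containers=[{"env": [{"name": "WEBSITE_HOSTNAME", "value": HOST}]}],
    job_containers=[{"env": [{"name": "WEBSITE_HOSTNAME", "value": HOST}]}],
)
# Misconfigured: callback added under SPA, job still holds the old URL with its scheme.
BAD = dict(GOOD,
    notif_app={"spa": {"redirectUris": [f"https://{HOST}/auth/email-callback"]}},
    job_containers=[{"env": [{"name": "WEBSITE_HOSTNAME", "value": OLD}]}],
)
```

Calling check_cutover(HOST, **BAD) reports the callback registered under the wrong platform type and the job's un-updated variable, the two mistakes the callouts in steps 2 and 4 warn about.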
You're on your custom domain
Sign-in, email OAuth, and email deep links are all using the new hostname. Once you've confirmed everything works, you can remove the original *.azurecontainerapps.io redirect URI from both app registrations.