Access Microsoft graph resources with an auth0 login

I’m having difficulties finding documentation for auth0 and microsoft graph integration. There are a lot if similar posts on this site with no answers, so I am unsure if this is possible at all.

My end goal is to have a SPA that can login with a microsoft profile to auth0 (connected to azure ad). Then I want my app to get a token for microsoft graph and do some api calls.

As I’ve understood it so far, auth0 does not allow you to get the access token to different identity providers in a front end application, but rather that they should use a proxy to get this token. My flow therefore is:

  • I login with a SPA auth0 app (using a microsoft identity)
  • This is then used to authenticate to a backend server using a api registration in auth0
  • The backend has its seperate machine-to-machine app in auth0
  • Backend api uses this seperate app to get access token to auth0 management api
  • Current user is fetched (based on the logged in user from front end app login) from management api,
  • Here i find an access token under the azure identity (if I do the same in the front end, the access tokens are omitted)
  • Token does not work to call graph, I am unsure of where to send it next.

I am aware that the above is probably completely wrong, that’s why I am here :slight_smile:

My questions are:

  1. Is it even possible to get an access token for microsoft graph starting from a login to auth0 in the way I want it to. If not, can it be done from a backend? 2) Does anyone have a link that discusses this, ideally with some code samples.

Hey @jsorensen.m.
I would say that, overall, you are pretty close. The missing piece is letting Auth0 know that the access token you need from Microsoft should have additional scopes (whatever you need to access through Microsoft’s Graph API).
By default, Auth0 only requests scopes to identify the user, because that’s the only piece it needs. If you need more scopes (e.g. “Files.Read” to access a user’s OneDrive) you’ll have to configure the connection for that.
If you are using the Microsoft Account social connection, you can do so directly from the connection settings:

If you are using Azure AD enterprise connections, the connection setup dialog does not have an option to specify additional scopes, but you can get the same results if you are willing to work with the Management API v2 a bit. The process is described here: Pass Parameters to Identity Providers

You’ll essentially need to PATCH the connection object with an upstream_params entry that looks like this:

PATCH /api/v2/connections/{connection_id}

  "options" : {
    [...], //you'll need to put all existing options here, there is no automatic merge
      "scope": {
        "value":"openid profile email Files.Read"

Leave profile email in there to make sure Auth0 gets the user information, and replace Files.Read with the actual scopes you need to request for the Graph API.
It might probably be a good idea to set the Identity API to Microsoft Identity Platform (v2) in the connection settings.

Another option is to add the connection_scope parameter in the /authorize request. This lets you specify the scope dynamically from a specific application instead of hardcoding the values in the connection. If you have multiple applications you’ll need to be careful about this, as the access token is stored always in the same “slot” regardless of which application requested it, so the last login with Azure AD will overwrite whatever was there before.
Finally, take into consideration that if Auth0 sees a session for the user it might not go back to Azure AD to get a new authentication, so the access token stored in the user profile might be expired by the time you retrieve it. You can always force a new authentication with a specific upstream identity provider by using the connection=<connection_name> in the /authorize request.

Sorry for the wall of text, hopefully it points you in the right direction. :+1: