Add step-up when authentication is done via AD

Problem statement

We have a specific area for which we would like to require a step-up or re-authentication before it can be accessed. We are currently using our Active Directory connected to Auth0 to authenticate our users. We found documentation on how to achieve this requirement without AD but not a lot of information on what our options are when using AD. Can you please assist?

Solution

There is no ‘out of the box’ way to do this. The most common scenario assumes that users are authenticating via a database connection (see Add Step-up Authentication).

  1. There is no ‘out of the box’ way to provide step-up functionality for users who have authenticated via Azure AD.
  2. It is possible to provide this functionality via a Rule.
    – Note that the Rule template will be migrated to Actions, so be on the lookout for that update.

You should also be aware of a couple of potential risks:

  • If a user does not have MFA enabled in Azure AD for some reason, and the account is compromised, a malicious user could then register an MFA device in Auth0 and access the MFA-restricted parts of the application.
  • Auth0 is not the intended audience for the Azure AD access token.
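The Rule approach from point 2 above, as an added example (not Auth0's own code and not from the original answer), with a guard against the first risk listed. It assumes the application sends `acr_values` set to the standard multi-factor policy URI when the user enters the protected area; the `app_metadata.mfa_enrollment_allowed` flag and the `runRule` helper are hypothetical names introduced here.

```javascript
// Added example: an Auth0 Rule (Node.js) that forces step-up for the protected
// area. In the Auth0 dashboard, paste the body of stepUpRule as the rule.
const MFA_POLICY = 'http://schemas.openid.net/pape/policies/2007/06/multi-factor';

function stepUpRule(user, context, callback) {
  const req = context.request || {};
  const acr = (req.query && req.query.acr_values) || (req.body && req.body.acr_values);

  // Ordinary logins carry no acr_values and pass through unchanged; only the
  // protected area asks the app to send MFA_POLICY on its /authorize request.
  if (acr !== MFA_POLICY) {
    return callback(null, user, context);
  }

  // Guard against the first risk above: a user who reached this point with only
  // an AD password must not self-enrol a factor. The app_metadata flag is a
  // hypothetical marker an administrator sets after verifying the user.
  const enrolled = Array.isArray(user.multifactor) && user.multifactor.length > 0;
  const mayEnrol = !!(user.app_metadata && user.app_metadata.mfa_enrollment_allowed);
  if (!enrolled && !mayEnrol) {
    // UnauthorizedError is a global in the Auth0 Rules sandbox (it yields an
    // access_denied result); fall back to Error so the rule runs outside it.
    const Unauthorized = typeof UnauthorizedError === 'function' ? UnauthorizedError : Error;
    return callback(new Unauthorized('MFA enrollment must be provisioned by an administrator'));
  }

  // Avoid a second prompt if MFA was already completed in this session.
  const methods = (context.authentication && context.authentication.methods) || [];
  if (methods.some((m) => m.name === 'mfa')) {
    return callback(null, user, context);
  }

  // Trigger MFA now; allowRememberBrowser: false forces a fresh challenge so
  // the protected area always gets a re-authentication.
  context.multifactor = { provider: 'any', allowRememberBrowser: false };
  return callback(null, user, context);
}

// Offline helper: runs the rule against constructed inputs and returns what
// the callback received, so the decision logic can be checked without Auth0.
function runRule(user, context) {
  let result;
  stepUpRule(user, context, (err, u, c) => { result = { err, user: u, context: c }; });
  return result;
}
```

After MFA completes, Auth0 includes `amr` containing `mfa` in the ID token, which is what the application should check before serving the protected area.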