Authorization Extension Mapping does not Create a Group in Auth0

Overview

This article explains why no groups are created when mappings are added in the Authorization Extension to map groups coming from Entra ID, even though the user profile contains those groups.

Solution

Groups will not be created, but the mapped groups will be available at runtime once the mappings are applied.

  • Group Mappings only affect runtime. If a mapping is applicable for a user, during rule execution, the mapping will add the (extra) group information for that user to user.groups.
  • The user will have the group during the rule execution. The mapping dynamically determines the user’s groups on each login.

However, the groups calculated by the mappings are not permanent and the user will not appear as a member of the group.

For example, suppose the AD Group of a user is changed from “Admin” to “Restricted”. Because Group Mappings are dynamic and not persisted, the next time the user logs in, the user will not get any mappings provided by “Admin”.
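
A simplified JavaScript model of the behavior described above, added here as an illustration and not the Authorization Extension's own code. The `resolveGroups` function, the mapping shape, and the connection and group names are assumptions constructed for the example.

```javascript
// Simplified model of runtime group mapping. Names and data shapes are
// assumptions for illustration, not the Authorization Extension's internals.

// Persisted membership, i.e. what an administrator sees in the group's member list.
const persistedMembers = { 'App Admins': [], 'App Restricted': [] };

// Constructed sample mappings: incoming directory group on a connection -> group.
const mappings = [
  { connection: 'entra-id', incomingGroup: 'Admin', group: 'App Admins' },
  { connection: 'entra-id', incomingGroup: 'Restricted', group: 'App Restricted' },
];

// Computes the groups a user has for ONE login. Nothing is written back,
// so the result depends only on what the directory sends this time.
function resolveGroups(userId, connection, incomingGroups) {
  const groups = new Set();

  // Explicit memberships that were stored on the group itself.
  for (const [group, members] of Object.entries(persistedMembers)) {
    if (members.includes(userId)) groups.add(group);
  }

  // Mapped groups, derived from the groups received on this login.
  for (const m of mappings) {
    if (m.connection === connection && incomingGroups.includes(m.incomingGroup)) {
      groups.add(m.group);
    }
  }
  return [...groups].sort();
}

// Login 1: the directory reports the user in "Admin".
const firstLogin = resolveGroups('user-1', 'entra-id', ['Admin']);

// The directory group is changed to "Restricted" before login 2.
const secondLogin = resolveGroups('user-1', 'entra-id', ['Restricted']);

console.log('login 1 groups:', firstLogin);
console.log('login 2 groups:', secondLogin);
console.log('stored members of App Admins:', persistedMembers['App Admins']);
```

In this model the stored member list stays empty across both logins, which is why the user never appears as a member of the group even though the group is present during rule execution.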