Avoid identifier first login for specific apps only

Problem statement

We have some applications that have both external and internal users. For internal users we have configured Azure AD; however, we want to allow users either to log in with their username/password or to use federation. In the current setup, as soon as a user enters an email with the configured domain, they are forced to use federation.

Solution

You can enable the Identifier + Password option under Authentication => Authentication Profile. In this mode the hosted login page shows each enterprise connection as a button, so users can click the button to log in through the upstream Azure AD, or use the username/password fields to log in with Auth0's regular database connection. However, this setting is not customizable per application: the Authentication Profile is tenant-level, so every application in the tenant is affected.

For this particular use case, you need to make two changes:

1- In your application code, add a second button that starts the login with the enterprise connection. The handler attached to that button redirects the user to the /authorize endpoint with the connection name (as shown in the dashboard) passed in the “connection” parameter. This parameter makes Auth0 skip the hosted login page and send the user straight to the identity provider. The other button redirects to Auth0’s hosted login page as usual, without a connection parameter. Make sure the enterprise connection is enabled for that application on the connection's Applications tab; otherwise the /authorize request with that connection fails.

2- On the enterprise connection for which you want to avoid identifier-first login, open the “Login Experience” tab and remove the email domain you previously added under Identity Provider domains. Without the domain, entering an internal email on the hosted login page no longer forces federation, so those users can log in with their database username/password. Note that this domain list belongs to the connection, not to an application, so removing it affects every application that uses that connection.
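The two redirects from step 1, as an added browser-side example; this is not code from the Auth0 article. The tenant domain, client ID, redirect URI, enterprise connection name and the button element IDs are placeholder assumptions, and the flow is the Authorization Code flow with a random state value checked on the callback.

```javascript
// Added example, not code from the Auth0 article. Placeholders below are assumptions:
// tenant domain, client ID, redirect URI and the enterprise connection name.
const AUTH0_DOMAIN = "your-tenant.us.auth0.com";          // assumption
const CLIENT_ID = "YOUR_CLIENT_ID";                        // assumption
const REDIRECT_URI = "https://app.example.com/callback";   // assumption
const ENTERPRISE_CONNECTION = "azure-ad-internal";         // assumption: connection name from the dashboard

// Builds an Authorization Code flow /authorize URL. When `connection` is set,
// Auth0 skips the hosted login page and sends the browser straight to that IdP.
function buildAuthorizeUrl({ state, connection, scope = "openid profile email" } = {}) {
  if (!state) throw new Error("state is required (CSRF protection for the callback)");
  const url = new URL(`https://${AUTH0_DOMAIN}/authorize`);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("client_id", CLIENT_ID);
  url.searchParams.set("redirect_uri", REDIRECT_URI);
  url.searchParams.set("scope", scope);
  url.searchParams.set("state", state);
  if (connection) url.searchParams.set("connection", connection);
  return url.toString();
}

// Button 1: hosted login page. With the HRD domain removed from the connection,
// an internal email here is no longer routed to federation.
function hostedLoginUrl(state) {
  return buildAuthorizeUrl({ state });
}

// Button 2: go directly to the enterprise connection (federation).
function enterpriseLoginUrl(state) {
  return buildAuthorizeUrl({ state, connection: ENTERPRISE_CONNECTION });
}

// Random state value via Web Crypto (browsers, Node 19+).
function randomState(bytes = 16) {
  const buf = new Uint8Array(bytes);
  globalThis.crypto.getRandomValues(buf);
  return Array.from(buf, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Callback check: the state Auth0 echoes back must equal the one stored before redirecting.
function stateMatches(expected, returned) {
  return typeof expected === "string" && expected.length > 0 && expected === returned;
}

// Browser wiring; only runs when a DOM exists (skipped under Node).
// Element IDs "login-hosted" and "login-azure" are assumptions.
if (typeof document !== "undefined") {
  const go = (urlFor) => {
    const state = randomState();
    sessionStorage.setItem("auth_state", state); // read back on /callback and compared with stateMatches()
    window.location.assign(urlFor(state));
  };
  document.getElementById("login-hosted")?.addEventListener("click", () => go(hostedLoginUrl));
  document.getElementById("login-azure")?.addEventListener("click", () => go(enterpriseLoginUrl));
}
```

If you use the auth0-spa-js SDK (v2) instead of building the URL by hand, the equivalent of the second button is `auth0Client.loginWithRedirect({ authorizationParams: { connection: "azure-ad-internal" } })`; the SDK then generates and verifies state and PKCE for you.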