Azure AD: Restrict users allowed to authenticate

I have followed the guide and got my Auth0 tenant connected via an Enterprise connection to our test Azure AD.
https://auth0.com/docs/connections/enterprise/azure-active-directory/v2

I have been able to log in. At this time, this created a user in the user directory in my Auth0 tenant, under the relevant Enterprise connection.

This app has been working with Auth0 alone on a username-password connection for some time. We don’t have a signup flow; we pre-administer the users manually and register them via the Auth0 Management API in the username-password directory. That is, until explicitly assigned by us, they cannot log in or perform any action that would create a user for them in Auth0.

Although the above Azure AD test was successful, I don’t want all members of the target AD to simply be able to log in to the site. I want it restricted to a list of pre-authorised users only, preferably via our standard process.

Can it work this way: that the user is already created before the federated authentication is allowed to say yes to granting access / creating a user?

Alternatively, is there a way in Azure AD to only allow certain AD users, by group, to access the application in AD, so that AD would never grant authorisation in the first place?

Thanks

I may have found a solution via Actions, specifically the pre-user-registration Action.
I will push ahead with this and see if I can get it filtering on the users I want to allow.

I’d appreciate any comments on whether this is the standard best-practice approach, etc.!

Hold up, nope, it doesn’t seem that’s it.

I was hoping that Action applied to all types of registration. It seems it’s for Database connections only and isn’t applying to the Azure Enterprise connection.

Any guidance appreciated.
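The following is an added example, not code from the thread or from Auth0's own docs, showing the trigger that does fire for enterprise connections: the pre-user-registration trigger only runs for Database and Passwordless connections, but a post-login Action runs after every successful upstream authentication, including the Azure AD connection, and can call api.access.deny() for anyone who is not on a pre-authorised list. The connection name "azure-ad-test", the allow-list emails and the mock event/api shapes used for the stand-alone run are assumptions; the event.connection.strategy value "waad" and the api.access.deny(reason) call are the real Auth0 Action runtime interface.

```javascript
// Added example (not from the thread): an Auth0 post-login Action in Node.js
// that denies access on the Azure AD enterprise connection unless the user is
// on a pre-authorised list. Auth0 calls onExecutePostLogin(event, api) after
// the upstream IdP has authenticated the user, so, unlike the
// pre-user-registration trigger, this fires for enterprise connections.

// Constructed allow list (assumption): the emails we have pre-administered.
// In a real tenant this would come from an Action secret, app_metadata or an
// external store rather than a literal in the Action source.
const ALLOWED_EMAILS = new Set(['alice@example.com', 'bob@example.com']);

// Name of the Azure AD enterprise connection in our tenant (assumption).
const AZURE_AD_CONNECTION = 'azure-ad-test';

// Normalise an email for comparison: trim, lower-case, map non-strings to ''.
function normaliseEmail(value) {
  if (typeof value !== 'string') return '';
  return value.trim().toLowerCase();
}

// Pure decision function, kept separate from the handler so it can be
// unit-tested. Returns true when the login may proceed.
function isPreAuthorised(event, allowedEmails = ALLOWED_EMAILS) {
  const conn = event.connection || {};
  // Azure AD enterprise connections use the "waad" strategy; also match on
  // the connection name in case the tenant has several enterprise connections.
  const isAzureAd = conn.strategy === 'waad' || conn.name === AZURE_AD_CONNECTION;

  // The database connection is already restricted: users only exist there
  // because we created them via the Management API. Leave it alone.
  if (!isAzureAd) return true;

  // Fail closed: no email claim from the IdP means no match, so deny.
  const email = normaliseEmail(event.user && event.user.email);
  if (email === '') return false;

  return allowedEmails.has(email);
}

// The Action entry point Auth0 calls. Auth0 ignores the return value; it is
// returned here only so the decision is observable when run stand-alone.
async function onExecutePostLogin(event, api) {
  if (!isPreAuthorised(event)) {
    api.access.deny('This account is not pre-authorised for this application.');
    return false;
  }
  return true;
}

// Auth0 Actions are CommonJS modules; export the handler under the name the
// runtime expects. The guard keeps the file loadable outside that runtime.
if (typeof exports !== 'undefined') {
  exports.onExecutePostLogin = onExecutePostLogin;
}
```

Two caveats a practitioner would want. First, the Auth0 user record for an enterprise login is created or updated before post-login Actions run, so a denied Azure AD user will still appear in the tenant's user directory; the Action stops the session and tokens, not the profile. Second, email is a mutable directory attribute, so keying the allow list on it is only as strong as the Azure AD admin's control over email changes; a stable identifier is preferable where the process can record one. On the question of doing this on the Azure side instead, the Enterprise application in Azure AD has an "Assignment required?" property: setting it to Yes and assigning only the permitted users or groups makes Azure AD refuse to issue a token to anyone else, so the login never reaches Auth0 at all. Using both, the Azure assignment as the primary gate and the Action as a tenant-side backstop, is the least-privilege arrangement.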