I have followed the guide, and got my Auth0 tenant connected via an Enterprise connection to our test Azure AD.
https://auth0.com/docs/connections/enterprise/azure-active-directory/v2
I have been able to log in. At this time, this created a user in the user directory in my Auth0 tenant, under the relevant Enterprise connection.
This app has been working with Auth0 alone on a username-password connection for some time. We don’t have a signup flow; we pre-administer the users manually, and register them through the Auth0 Management API in the username-password directory. That is, until explicitly assigned by us, they cannot log in, or perform any action that would create them a user in Auth0.
Although the above Azure AD test was successful, I don’t want all members of the target AD to simply be able to log in to the site. I want it to be a list of pre-authorised users only, preferably via our standard process.
Can it work this way: that the user must already be created before the federated authentication is allowed to say yes to granting access / creating a user?
Alternatively, is there a way in Azure AD to only allow certain AD users, by group, to access the application in AD? So AD would never grant authorisation in the first place?
Thanks
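The Auth0-side gate the post is asking about, as an added example that is not part of the original post and not code from Auth0 or its documentation: a post-login Action that lets database logins through untouched (they are already gated by manual provisioning) but refuses an Azure AD login unless the user's email is on a pre-authorised list. The strategy identifier `waad` and the event fields `event.connection.strategy` and `event.user.email` are Auth0's real ones; the allowlist itself is a constructed in-memory set (in practice it would be fetched via the Management API and cached), and the function names `decide` and `normaliseEmail` are this example's own.

```javascript
// Added example (not from the original post or from Auth0): an Auth0
// post-login Action that refuses Azure AD logins from anyone who is not
// on a pre-authorised list. The allowlist below is constructed for the
// example; a real deployment would load it from the Management API or
// a database and cache it.

// Constructed allowlist of pre-authorised users (assumption: email-keyed).
const PRE_AUTHORISED = new Set([
  'alice@example.com',
  'bob@example.com',
]);

// Auth0's strategy identifier for an Azure AD enterprise connection.
const GATED_STRATEGIES = new Set(['waad']);

// Normalise before comparing: Azure AD may return mixed-case UPNs and
// the allowlist is maintained by hand.
function normaliseEmail(email) {
  return typeof email === 'string' ? email.trim().toLowerCase() : '';
}

// Pure decision function so the policy can be unit-tested without Auth0.
// Returns { allow: boolean, reason: string }.
function decide(event, allowlist = PRE_AUTHORISED) {
  const connection = event && event.connection ? event.connection : {};
  const strategy = connection.strategy;

  // Database (username-password) logins are already gated by manual
  // provisioning, so only the federated connection is checked here.
  if (!GATED_STRATEGIES.has(strategy)) {
    return { allow: true, reason: `connection strategy ${strategy} is not gated` };
  }

  const email = normaliseEmail(event.user ? event.user.email : undefined);
  if (!email) {
    // Fail closed: with no email claim there is nothing to match against.
    return { allow: false, reason: 'federated login carried no email claim' };
  }
  if (!allowlist.has(email)) {
    return { allow: false, reason: `${email} is not a pre-authorised user` };
  }
  return { allow: true, reason: `${email} is pre-authorised` };
}

// The Action entry point Auth0 calls as exports.onExecutePostLogin.
// api.access.deny(reason) ends the login with an error for the user.
async function onExecutePostLogin(event, api) {
  const verdict = decide(event);
  if (!verdict.allow) {
    api.access.deny(`Access denied: ${verdict.reason}`);
  }
  return verdict;
}

// Auth0 loads the Action as a CommonJS module; guard the export so the
// file also runs as a plain script.
if (typeof module !== 'undefined' && module.exports) {
  module.exports = { decide, onExecutePostLogin, normaliseEmail, PRE_AUTHORISED };
}
```

Two caveats a practitioner will want: a post-login Action runs after Auth0 has already authenticated the user and created the profile under the Enterprise connection, so this gate refuses the session but does not stop that profile from appearing in the user directory on the first attempt; and it is an Auth0-side control only, so the Azure AD-side restriction the post also asks about (requiring user assignment on the enterprise application so unassigned users never get a token) is an independent layer worth keeping as well.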