Configuring a Single Azure Enterprise Connection for AD Azure Members and Social Accounts in Auth0

Overview

This article describes how to require only one Azure enterprise connection with Auth0 for Active Directory (AD) Azure members and social accounts, rather than having separate enterprise connections for AD Azure users and social login for personal Microsoft accounts.

Solution

To configure a single Azure enterprise connection in Auth0 for both AD Azure members and social accounts, follow these steps:

Enable the Common Endpoint:

1. Navigate to the Azure Enterprise connection settings in Auth0.
2. Set the control to use “https://login.windows.net/common” instead of the default endpoint (“https://login.windows.net/{your_domain}”).
3. Ensure the field is set to “sub” before enabling this feature.
   

Modify the Microsoft Azure Manifest:

1. Go to the Azure portal and access the App Registrations section.
2. Locate the relevant application and open its Manifest.
3. Update the signInAudience flag to AzureADandPersonalMicrosoftAccount.

These steps will configure the flow to use a single Azure enterprise connection for both AD Azure members and social accounts, simplifying the setup and user experience.

Related References

• Validation differences by supported account types (signInAudience)
• Connect Your App to Microsoft Azure Active Directory