Connect to Azure AD using an OIDC Enterprise connection

Question:

  • How can I connect to Azure AD using an Enterprise OIDC connection? Why would I?

Answer:

Auth0 offers the Azure AD connection type to connect to Azure AD domains. It works well, but you can also use a generic OIDC Enterprise connection to connect to Azure AD.

Here’s why you’d want to use an OIDC Enterprise connection instead of the built-in Azure AD connection:

  • The OIDC Enterprise connection uses the Implicit grant (*) by default. It does not require a client secret to be configured, which makes configuration easier (no secrets to keep secure).

(*) Auth0 requests an ID Token, with response_mode=form_post. You shouldn’t request an Access Token using the Implicit grant. Check Vittorio Bertocci’s wonderful blog post on the topic, OAuth2 Implicit Grant and SPA, for more information on these best practices.

Steps on Azure AD

  1. Create an application registration.
    This will work for single-tenant applications only (only users from the same directory will be able to log in).
    For the Redirect URI, keep “Web” as the type and use https://{your_tenant_domain}/login/callback. You can get your tenant’s domain by checking any application created in Auth0.
    If you use a custom domain, you can add a second Redirect URI later, after creating the app.

  2. Click “Register”. You’ll get a confirmation page. Grab the “Application (client) ID”; you’ll need it later.

  3. Click on the “Endpoints” button, and grab the OpenID Connect metadata document URL. It should look like this:
    https://login.microsoftonline.com/729dfe76-e026-4b14-b5f8-947f2e2af950/v2.0/.well-known/openid-configuration

  4. Go to the “Authentication” section (on the left).

  5. (Optional) On the “Redirect URIs” section you can add a second callback URL if you use Custom Domains.

  6. Enable “ID Token” for implicit flow.

  7. Save the changes with the “Save” button at the top.

  8. Go to the “Token configuration” section on the left.

  9. Click on “Add optional claim”. Add “email” and other claims you might be interested in (“family_name” and “given_name” will be useful).
    When clicking on “Add” you’ll be asked for permissions for the Microsoft Graph. This is required, so accept this request.

  10. Optionally, click on “Add groups claim” to add group information to the ID Token (which Auth0 will store in the user profile).

Steps on Auth0

  1. Create an Enterprise OIDC connection.
  2. Give it a connection name.
  3. On the Issuer URL and Client ID text fields paste the “OpenID Connect metadata document URL” and “Application (Client) ID” values you grabbed before.
    If you lost them, grab them from the “Overview” section from the application registration in Azure AD.
  4. Click on Create.
  5. On the Applications tab for the connection, make sure you enable the connection for at least one application.
  6. Once the settings are saved, you can go back to the list of OIDC Enterprise connections and test the connection. Auth0 will store, in the Auth0 user profile, everything that Azure AD included in the ID Token.