Connect to Azure AD using an OIDC Enterprise connection

Question:

  • How can I connect to Azure AD using an Enterprise OIDC connection? Why would I?

Answer:

Auth0 offers the Azure AD connection type to connect to Azure AD domains. It works well, but you can also use a generic OIDC Enterprise connection to connect to Azure AD.

Here’s why you’d want to use an OIDC Enterprise connection instead of the built-in Azure AD connection:

  • The OIDC Enterprise connection uses the Implicit grant (*) by default. It does not require a client secret, which simplifies configuration and leaves you with no secret to protect or rotate.

(*) Auth0 requests only an ID Token (response_type=id_token), with response_mode=form_post, so the token arrives in a POST body rather than in the URL fragment. You shouldn’t request an Access Token using the Implicit grant. Check Vittorio Bertocci’s blog post on the topic, OAuth2 Implicit Grant and SPA, for the reasoning behind these best practices.

  • Since the ID Token is returned via a form post, you can inspect the token that Azure AD is providing to Auth0, in the POST to https://{your_auth0_domain}/login/callback, using the browser’s developer tools. The token can be decoded at https://jwt.io (or with any local JWT decoder; keep in mind that an ID Token carries the user’s profile data).

  • Because you supply the issuer (metadata document) URL yourself, you can point the connection at other Azure AD National Cloud instances (see Microsoft Entra authentication & national clouds - Microsoft identity platform | Microsoft Learn).

  • Unlike the Azure AD connection, which accepts a limited set of claims, the OIDC Enterprise connection will accept any claim included in the ID Token. This is useful if you need a custom claim present in the Auth0 user profile.

Steps on Azure AD

  1. Create an application registration.
    Choose the single-tenant option: only users from that directory will be able to log in. The OpenID Connect metadata URL you will use later is tenant-specific, and the issuer in the ID Token has to match it.

    For the Redirect URI, keep “Web” as the type and use https://{your_auth0_domain}/login/callback. You can get your Auth0 tenant domain from the settings of any application in the Auth0 Dashboard.
    If you use a custom domain, you can add a second Redirect URI later, after creating the app.

  2. Click “Register”. You’ll get a confirmation page. Grab the “Application (client) ID”; you’ll need it later.

  3. Click on the “Endpoints” button, and grab the OpenID Connect metadata document URL. It should look like this (the GUID in the path is your directory’s tenant ID):

https://login.microsoftonline.com/729dfe76-e026-4b14-b5f8-947f2e2af950/v2.0/.well-known/openid-configuration

  4. Go to the “Authentication” section (on the left).

  5. (Optional) In the “Redirect URIs” section you can add a second callback URL if you use Custom Domains.

  6. Under “Implicit grant and hybrid flows”, enable “ID tokens”. Leave “Access tokens” unchecked; Auth0 only needs the ID Token.

  7. Save the changes with the “Save” button at the top.

  8. Go to the “Token configuration” section on the left.

  9. Click on “Add optional claim”. Add “email” and other claims you might be interested in (“family_name” and “given_name” will be useful).
    When clicking on “Add” you’ll be asked to turn on Microsoft Graph permissions. This is required for the claims to appear in the token, so accept this request.

  10. Optionally, click on “Add groups claim” to add group information to the ID Token (which Auth0 will store in the user profile).

Steps on Auth0

  1. Create an Enterprise OIDC connection.
  2. Give it a connection name.
  3. In the Issuer URL and Client ID fields, paste the “OpenID Connect metadata document URL” and “Application (client) ID” values you grabbed before.
    If you lost them, grab them from the “Overview” section of the application registration in Azure AD.
  4. Click on Create.
  5. On the Applications tab for the connection, make sure you enable the connection for at least one application.
  6. Once the settings are saved, you can go back to the list of OIDC Enterprise connections and test the connection. Auth0 will store everything that Azure AD included in the ID Token in the user’s Auth0 profile.
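As an added example (not code from the original post, nor from Auth0 or Microsoft), the script below does offline what the bullet above suggests doing in the browser’s developer tools: it decodes the ID Token that Azure AD posts to /login/callback and checks its claims against the values you configured in the steps above (the issuer from the metadata document, the Application (client) ID, and the optional claims added under “Token configuration”). The tenant ID, client ID, metadata fields and the sample token are all constructed placeholders, and the signature is not verified; Auth0 does that against the metadata document’s jwks_uri. Nothing here needs network access.

```python
import base64
import json
import time
from typing import Optional, Tuple
from urllib.parse import urlparse

# Constructed placeholders, not values from a real tenant: the tenant ID that appears in the
# metadata document URL and the "Application (client) ID" from the app registration.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"

# Stand-in for the document served at
# https://login.microsoftonline.com/{TENANT_ID}/v2.0/.well-known/openid-configuration
# (only the fields used below; the real document has many more).
METADATA = {
    "issuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT_ID}/discovery/v2.0/keys",
}

# Claims added in the "Token configuration" steps; Auth0 copies whatever arrives into the profile.
OPTIONAL_CLAIMS = ("email", "given_name", "family_name", "groups")
CLOCK_SKEW = 300  # seconds of tolerance on exp/iat


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_id_token(id_token: str) -> Tuple[dict, dict]:
    """Split a compact JWS into (header, payload) WITHOUT verifying the signature.
    This is the same view you get by pasting the token into jwt.io; Auth0 performs the real
    signature check against the keys published at the metadata document's jwks_uri."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def check_id_token(id_token: str, metadata: dict, client_id: str, now: Optional[int] = None) -> dict:
    """Compare the decoded claims with the values the connection was configured with."""
    now = int(time.time()) if now is None else now
    header, claims = decode_id_token(id_token)
    problems = []
    if header.get("alg") != "RS256":  # Azure AD signs ID Tokens with RS256
        problems.append(f"unexpected alg {header.get('alg')!r}")
    # Auth0 matches 'iss' against the issuer in the metadata document, which is why the
    # registration must be single-tenant and a National Cloud needs that cloud's metadata URL.
    if claims.get("iss") != metadata["issuer"]:
        problems.append(f"iss {claims.get('iss')!r} != {metadata['issuer']!r}")
    if claims.get("aud") != client_id:  # must be the Application (client) ID
        problems.append(f"aud {claims.get('aud')!r} != {client_id!r}")
    tenant = urlparse(metadata["issuer"]).path.strip("/").split("/")[0]
    if claims.get("tid", tenant) != tenant:  # 'tid' is the directory that issued the token
        problems.append(f"tid {claims.get('tid')!r} != {tenant!r}")
    if claims.get("exp", 0) + CLOCK_SKEW < now:
        problems.append("token expired")
    if claims.get("iat", now) > now + CLOCK_SKEW:
        problems.append("iat is in the future")
    if "nonce" not in claims:  # Auth0 sends a nonce on the implicit flow; Azure AD must echo it
        problems.append("nonce missing")
    return {
        "ok": not problems,
        "problems": problems,
        "missing_optional_claims": [c for c in OPTIONAL_CLAIMS if c not in claims],
        "profile_claims": {c: claims[c] for c in OPTIONAL_CLAIMS if c in claims},
    }


def make_sample_id_token(claims: dict) -> str:
    """Build a constructed token for the demo. The signature is a placeholder: this script
    inspects claims only and never validates signatures."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "demo-key-id"}
    return ".".join((
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        b64url_encode(b"placeholder-signature"),
    ))


NOW = 1_700_000_000  # fixed clock so the constructed token is always fresh for the checks
SAMPLE_CLAIMS = {  # constructed; mirrors what Azure AD returns after the steps above
    "iss": METADATA["issuer"], "aud": CLIENT_ID, "tid": TENANT_ID,
    "iat": NOW - 60, "exp": NOW + 3600, "nonce": "abc123",
    "sub": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    "email": "jane.doe@example.com", "given_name": "Jane", "family_name": "Doe",
    "groups": ["5d0c1c4a-0000-0000-0000-000000000000"],
}

if __name__ == "__main__":
    token = make_sample_id_token(SAMPLE_CLAIMS)
    print(json.dumps(check_id_token(token, METADATA, CLIENT_ID, now=NOW), indent=2))
```

To use it against a real tenant, replace SAMPLE_CLAIMS with the id_token value copied from the POST body in the developer tools, fetch the real metadata document into METADATA, and call check_id_token without the now argument. An empty missing_optional_claims list confirms that the “Token configuration” step took effect; a claim listed there will also be absent from the Auth0 user profile.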

Video Tutorial
