Connect to Azure AD using an OIDC Enterprise Connection

Last Updated: Sep 16, 2024

Overview

This article details how to connect to Azure AD using an Enterprise OIDC connection.

Applies To

  • Azure AD
  • Enterprise OIDC Connection

Solution

Auth0 offers a dedicated Azure AD connection type for connecting to Azure AD domains. It works well, but a generic OIDC Enterprise connection can also be used to connect to Azure AD, and in some situations it is the better choice.

Why use an OIDC Enterprise connection instead of the built-in Azure AD connection:

  • The OIDC Enterprise connection uses the Implicit grant (*) by default. It does not require a client secret to be configured, which makes configuration easier (there are no secrets to keep secure or rotate).

(*) Auth0 requests only an ID Token, with response_mode=form_post. Access Tokens should not be requested using the Implicit grant. For more information on these best practices, refer to the blog post OAuth2 Implicit Grant and SPA.

  • Because the ID Token is returned via a form post, the token Azure AD sends to Auth0 can be inspected in the browser's developer tools, in the POST to https://{your_auth0_domain}/login/callback. The token can be decoded at https://jwt.io (do this with test users only; a real user's ID Token carries personal data and should not be pasted into a third-party site).
  • The connection can be pointed at other Azure AD National Cloud instances, since any metadata document URL can be used (see Microsoft Entra authentication & national clouds - Microsoft identity platform | Microsoft Learn).
  • Unlike the Azure AD connection, which maps only a limited set of claims, the OIDC Enterprise connection stores every claim included in the ID Token in the Auth0 user profile. This is useful when a custom claim is needed in the profile.
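The following is an added example, not code from the original article or from Auth0: it builds the kind of implicit-grant request described above (ID Token only, response_mode=form_post), then parses the form-posted body and decodes the ID Token locally instead of pasting it into jwt.io, and lists the claim checks a relying party has to make on such a token (issuer, audience, tenant, nonce, expiry). The tenant GUID is the one shown later in this article; the Auth0 callback domain, client ID, nonce and claim values are constructed placeholders, and the sample token carries a placeholder signature, so the decoder deliberately does not verify signatures (Auth0 does that against the jwks_uri from the metadata document).

```python
# Added example (not from the original article): build the implicit-grant request
# Auth0 sends, then parse and sanity-check the ID Token Azure AD form-posts back.
# Standard library only, so it runs offline. The tenant GUID is the one shown in
# the article; client ID, nonce, callback domain and claim values are constructed.
import base64
import json
import time
from urllib.parse import parse_qs, urlencode

SAMPLE_TENANT = "729dfe76-e026-4b14-b5f8-947f2e2af950"                 # from the article
SAMPLE_CLIENT_ID = "11111111-2222-3333-4444-555555555555"              # constructed placeholder
SAMPLE_NONCE = "n-0S6_WzA2Mj"                                          # constructed placeholder
AUTH0_CALLBACK = "https://example-tenant.us.auth0.com/login/callback"  # constructed placeholder


def issuer_for(tenant_id, cloud_host="login.microsoftonline.com"):
    """The v2.0 issuer Azure AD puts in 'iss' for a single-tenant registration."""
    return f"https://{cloud_host}/{tenant_id}/v2.0"


def build_implicit_request(tenant_id, client_id, redirect_uri, nonce, state):
    """Authorization request for the flow the article describes: an ID Token only
    (response_type=id_token, never 'token'), delivered to the callback by form POST."""
    params = {
        "client_id": client_id,
        "response_type": "id_token",
        "response_mode": "form_post",
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",
        "nonce": nonce,   # bound to this login attempt; checked on the way back
        "state": state,
    }
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize?{urlencode(params)}"


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_unverified(token):
    """Split a compact JWS and decode header and claims WITHOUT checking the
    signature. This is for inspection only (what jwt.io shows); Auth0 verifies
    the signature against the jwks_uri published in the metadata document."""
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))


def parse_form_post(body):
    """Body of the browser's POST to /login/callback: id_token=...&state=..."""
    fields = parse_qs(body, strict_parsing=True)
    return {key: values[0] for key, values in fields.items()}


def check_id_token_claims(claims, tenant_id, client_id, expected_nonce, now=None):
    """Return the names of the claims that fail the checks a relying party must
    make on an implicit-grant ID Token; an empty list means everything passed."""
    now = time.time() if now is None else now
    failed = []
    if claims.get("iss") != issuer_for(tenant_id):
        failed.append("iss")
    if claims.get("aud") != client_id:
        failed.append("aud")
    if claims.get("tid") != tenant_id:          # single-tenant: directory must match
        failed.append("tid")
    if claims.get("nonce") != expected_nonce:   # replay / token-injection guard
        failed.append("nonce")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        failed.append("exp")
    return failed


def make_constructed_form_post(tenant_id, client_id, nonce, exp, state="s-abc"):
    """Constructed stand-in for what Azure AD would POST. The signature segment
    is a placeholder, so only the unverified decoder above can read the token."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid"}
    claims = {
        "iss": issuer_for(tenant_id), "aud": client_id, "tid": tenant_id,
        "nonce": nonce, "exp": exp, "iat": exp - 3600,
        "email": "jane.doe@example.com", "given_name": "Jane", "family_name": "Doe",
        "groups": ["e2f3a4b5-0000-0000-0000-000000000001"],   # constructed group object ID
    }
    token = ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url_encode(b"not-a-real-signature"),
    ])
    return urlencode({"id_token": token, "state": state})


if __name__ == "__main__":
    print(build_implicit_request(SAMPLE_TENANT, SAMPLE_CLIENT_ID, AUTH0_CALLBACK, SAMPLE_NONCE, "s-abc"))
    body = make_constructed_form_post(SAMPLE_TENANT, SAMPLE_CLIENT_ID, SAMPLE_NONCE, int(time.time()) + 3600)
    posted = parse_form_post(body)
    header, claims = decode_jwt_unverified(posted["id_token"])
    print(json.dumps(header), json.dumps(claims, indent=2))
    print("failed checks:", check_id_token_claims(claims, SAMPLE_TENANT, SAMPLE_CLIENT_ID, SAMPLE_NONCE))
```

To inspect a real login, copy the id_token field from the form data of the POST to /login/callback in the browser's network tab and pass it to decode_jwt_unverified; the claims printed are exactly what the OIDC Enterprise connection copies into the Auth0 user profile.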

Watch the video or follow the steps below:

Steps on Azure AD

  1. Create an application registration.
    This works for single-tenant applications only (only users from the same directory will be able to log in). The generic OIDC connection validates the ID Token's issuer against the tenant-specific metadata document; the multi-tenant (common/organizations) endpoints publish a templated issuer instead, which cannot be matched.


    For the Redirect URI, keep Web as the type and use https://{your_tenant_domain}/login/callback. The tenant's domain can be found in the settings of any application created in Auth0.
    If using a custom domain, add a second Redirect URI later, after creating the app.

  2. Click Register. A confirmation page is displayed; copy the "Application (client) ID", which will be needed later.

  3. Click the Endpoints button and copy the OpenID Connect metadata document URL. It should look like this:

    https://login.microsoftonline.com/729dfe76-e026-4b14-b5f8-947f2e2af950/v2.0/.well-known/openid-configuration
    
  4. Go to the Authentication section (on the left).

  5. (Optional) In the Redirect URIs section, add a second callback URL if using Custom Domains.

  6. Under Implicit grant and hybrid flows, enable ID tokens (used for implicit and hybrid flows). Leave Access tokens disabled; Auth0 only needs the ID Token.

  7. Save the changes with the Save button at the top.

  8. Go to the Token configuration section on the left.

  9. Click Add optional claim and add "email" plus any other claims that are needed ("family_name" and "given_name" are useful).
    Clicking Add prompts for Microsoft Graph permissions. These are required, so accept the request.

Optionally, click Add groups claim to include group information in the ID Token (which Auth0 will store in the user profile). Azure AD caps the number of groups it puts in a token; for users in more groups than that it emits a groups overage claim instead of the list, so profiles for those users will not carry the groups.

Steps on Auth0

  1. Create an Enterprise OIDC connection.

  2. Give it a connection name.

  3. In the Issuer URL and Client ID fields, paste the "OpenID Connect metadata document URL" and "Application (client) ID" values.
    Both can be found in the "Overview" section of the application registration in Azure AD.

  4. Click on Create.

  5. On the Applications tab for the connection, enable the connection for at least one application.

  6. Once the settings are saved, go back to the list of OIDC Enterprise connections and test the connection. Auth0 will store in the user profile everything that Azure AD included in the ID Token.
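The steps above are dashboard clicks; the following is an added example, not code from the article or from Auth0, that does the same through the Auth0 Management API. It first validates the metadata document URL the way a practitioner would before trusting it (https only, a known Azure AD national cloud login host, a tenant GUID rather than common/organizations, since the article's single-tenant requirement applies), then builds the front-channel OIDC connection payload without any client secret and, only if credentials are present in the environment, POSTs it. The endpoint and the payload field names (strategy "oidc", options.type "front_channel", options.discovery_url) follow Auth0's published Management API documentation as understood at the time of writing and are stated here as an assumption; the client IDs and the Auth0 domain are placeholders.

```python
# Added example (not the article's or Auth0's code): create the OIDC Enterprise
# connection via the Management API instead of the dashboard. Endpoint and field
# names are an assumption based on Auth0's public documentation; the tenant GUID
# is the one in the article, the client IDs and Auth0 domain are placeholders.
import json
import os
import re
import urllib.request
from urllib.parse import urlparse

# Login hosts of the Azure AD national clouds a connection may point at:
# global, US Government, and China (operated by 21Vianet).
NATIONAL_CLOUD_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoftonline.us",
    "login.chinacloudapi.cn",
}
GUID = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)
METADATA_SUFFIX = "/v2.0/.well-known/openid-configuration"


def tenant_from_metadata_url(discovery_url):
    """Accept only https://<national cloud host>/<tenant GUID>/v2.0/.well-known/openid-configuration.
    'common' and 'organizations' are rejected: their metadata publishes a templated
    issuer that a generic OIDC connection cannot match against the ID Token's iss."""
    u = urlparse(discovery_url)
    if u.scheme != "https":
        raise ValueError("metadata URL must use https")
    if u.hostname not in NATIONAL_CLOUD_HOSTS:
        raise ValueError(f"unexpected host {u.hostname!r}; expected an Azure AD login host")
    if not u.path.endswith(METADATA_SUFFIX):
        raise ValueError("metadata URL must end with " + METADATA_SUFFIX)
    tenant = u.path[: -len(METADATA_SUFFIX)].strip("/")
    if not GUID.fullmatch(tenant):
        raise ValueError(f"tenant segment {tenant!r} is not a tenant GUID (single-tenant registration required)")
    return tenant


def build_oidc_connection(name, discovery_url, client_id, enabled_clients):
    """Front-channel (implicit, ID Token only) OIDC connection: no client secret needed."""
    tenant_from_metadata_url(discovery_url)   # fail early on a bad metadata URL
    if not GUID.fullmatch(client_id):
        raise ValueError("client_id should be the Application (client) ID GUID from Azure AD")
    return {
        "name": name,
        "strategy": "oidc",
        "options": {
            "type": "front_channel",            # implicit grant with form_post, as in the article
            "discovery_url": discovery_url,     # the OpenID Connect metadata document URL
            "client_id": client_id,
            "scopes": "openid profile email",
        },
        "enabled_clients": list(enabled_clients),   # Auth0 application IDs allowed to use it
    }


def create_connection(auth0_domain, mgmt_token, payload):
    """POST the connection to the Management API (token needs the create:connections scope)."""
    req = urllib.request.Request(
        f"https://{auth0_domain}/api/v2/connections",
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {mgmt_token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    payload = build_oidc_connection(
        "azure-ad-oidc",
        "https://login.microsoftonline.com/729dfe76-e026-4b14-b5f8-947f2e2af950/v2.0/.well-known/openid-configuration",
        "11111111-2222-3333-4444-555555555555",   # constructed placeholder for the Application (client) ID
        ["aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"],     # constructed placeholder for an Auth0 application ID
    )
    print(json.dumps(payload, indent=2))
    # Only talks to Auth0 when AUTH0_DOMAIN and AUTH0_MGMT_TOKEN are set (placeholders otherwise).
    if os.environ.get("AUTH0_DOMAIN") and os.environ.get("AUTH0_MGMT_TOKEN"):
        print(create_connection(os.environ["AUTH0_DOMAIN"], os.environ["AUTH0_MGMT_TOKEN"], payload))
```

The URL check is the part worth keeping even if the connection is created in the dashboard: a metadata URL on an unexpected host, or one using the common endpoint, is the usual cause of a connection that saves fine but fails at login with an issuer mismatch.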
