Hi there 
!
I’m trying to setup SSO for my users via an Entreprise connection - Azure Active Directory specifically (well, now Entra Id). In this scenario, Azure AD/Entra is the upstream IdP, I intend to only redirect select email domains to Azure, thanks to the identifier-first flow in the new Universal login.
I’ve reviewed the doc (Connect Your App to Microsoft Azure Active Directory, Choose a Connection Type for Azure AD) and some related threads such as this one.
Where I got confused in the doc is whether and how the protocol and grant that powers the connection matters. My app is a native (desktop) app, so I want to leverage the auth code flow with PKCE. My understanding is that the code exchange happens between my native app and the Auth0 server, whilst the Auth0 server and Azure AD may have another authentication channel all together. Is this correct?
Under that hypothesis:
- the application I create in Azure AD/Entra ID (as instructed here) is technically representing my auth0 instance, not my own native client app.
- several Auth0 clients using the same Azure connection would then be represented by the same application on Azure
- I’m not sure I see the value suggested here of using PKCE for an Azure Enterprise Connection, since the client app is a confidential client.
This last point is what triggered a loop of self-doubt, so if anyone can shed light on the topic I’ll be grateful 
.