Entra AD users without email cannot accept organization invite

Hello,

This is a follow-up question to this thread (Recommendation on correct auth0 flow). We have started making some proofs of concept with organizations. Right now we ran into a hitch where if we invite a new user who has an Entra ID account with just a UPN and no e-mail, this user cannot accept any invite. We have customers that follow this pattern (having Entra ID users with just a UPN and no email). Of course we would like these users to be able to join the organization without having to make a username/password.

Is there any recommendation for this?

Hi again @marnix_lenoble

Thanks for getting back to us on the matter and I am happy to provide some further guidance again!

The reason these users cannot accept the invite is that Auth0 Organization Invites strictly require the authenticating user’s profile to contain an email attribute to securely validate against the invitation ticket.

To resolve this, you need to configure your Entra ID (Azure AD) application to map and send the user’s UPN as the standard email claim. Alternatively, if these users are authenticating via an Enterprise SSO connection, you can completely bypass the invitation system and use an Auth0 Action to automatically assign them to the Organization based on their UPN domain.

As far as my experience goes, you have two paths to fix this, depending on the user experience you want to provide:

Map UPN to the Email Claim in Entra ID (The Direct Fix)

If you want to continue using the Invitation flow, as I have mentioned above, you must force Entra ID to pass the UPN into the email claim so Auth0 can read it. You should be able to do this entirely within the Microsoft Azure Portal.

  1. Go to the Microsoft Entra admin center.
  2. Navigate to Identity > Applications > App registrations and select the app you configured for Auth0.
  3. Go to Token configuration in the left menu.
  4. Click Add optional claim, select ID (and/or Access), and check the box for email.
  5. Next, go to API permissions, ensure the email scope is granted and admin consent is provided.
  6. If using SAML instead of OIDC: Go to your Enterprise Application → Single sign-on → Attributes & Claims. Edit the emailaddress claim and set the Source attribute to user.userprincipalname.

Once configured, Auth0 will map the incoming UPN to the Auth0 email profile field, and the invitation validation will succeed.

Just-In-Time (JIT) Auto-Assignment

If these users are logging in via a dedicated Entra ID Enterprise Connection tied to their company, you shouldn’t use Auth0 Invites at all.

Instead, configure an Auth0 Post-Login Action to automatically assign them to their company’s Organization the very first time they log in based on their email/UPN domain.

exports.onExecutePostLogin = async (event, api) => {
  // Only act for the dedicated Entra ID enterprise connection of this customer
  if (event.connection.name === "Entra-ID-Customer-X") {

    // No organization context yet: first login, so bounce the user into their org
    if (!event.organization) {

      const targetOrgId = "org_abc123";

      // Template literal (backticks) so that ${targetOrgId} is actually interpolated
      api.redirect.sendUserTo(`https://your-app.com/api/auth/bounce?org=${targetOrgId}`);
    }
  }
};

In order to execute the bounce seamlessly, you need to bounce them to your app which instantly redirects back to /authorize?organization=org_id.

If I can help you out with any other questions, let me know!

Kind Regards,
Nik
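The JIT auto-assignment path above, worked through as an added example that is not part of Nik's post: a Post-Login Action that derives the tenant from the domain of the user's UPN (arriving as the email claim once step 1 of the claim mapping is in place), looks it up in an allowlist, and bounces only known tenants. The org ids, the domain table, the second connection name and the bounce endpoint are constructed placeholders.

```javascript
// Added example, not code from the original thread. Assumes the Entra app
// already maps the UPN into the email claim, so it shows up as event.user.email.
const DOMAIN_TO_ORG = {
  "customer-x.com": "org_abc123",        // constructed placeholder org ids
  "customer-y.example": "org_def456",
};
const BOUNCE_BASE = "https://your-app.com/api/auth/bounce"; // assumed app endpoint
const ENTRA_CONNECTIONS = new Set(["Entra-ID-Customer-X", "Entra-ID-Customer-Y"]);

// Returns the bounce URL the user should be sent to, or null when no redirect applies.
function resolveBounce(event) {
  // Only act for the dedicated Entra ID enterprise connections.
  if (!ENTRA_CONNECTIONS.has(event.connection.name)) return null;
  // Already logging in with an organization context: nothing to do.
  if (event.organization) return null;
  // After the claim mapping, the UPN arrives as the email attribute.
  const identifier = event.user.email || "";
  const at = identifier.lastIndexOf("@");
  if (at < 0) return null;                         // no usable domain
  const domain = identifier.slice(at + 1).toLowerCase();
  const orgId = DOMAIN_TO_ORG[domain];
  if (!orgId) return null;                         // unknown tenant: never auto-assign
  // Fixed base plus an allowlisted, encoded org id: nothing user-controlled reaches the URL.
  return `${BOUNCE_BASE}?org=${encodeURIComponent(orgId)}`;
}

const onExecutePostLogin = async (event, api) => {
  const url = resolveBounce(event);
  if (url) {
    api.redirect.sendUserTo(url);
  }
};

// In a deployed Action this handler is exported as exports.onExecutePostLogin.
if (typeof exports !== "undefined") exports.onExecutePostLogin = onExecutePostLogin;
```

Your /api/auth/bounce handler then redirects straight back to /authorize?organization=<org> with the same id, as Nik describes.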