Entra AD users without email cannot accept organization invite

Hello,

This is a follow-up question to this thread (Recommendation on correct auth0 flow). We have started making some proofs of concept with organizations. Right now we have run into a hitch: if we invite a new user who has an Entra ID account with just a UPN and no e-mail, this user cannot accept any invite. We have customers that follow this pattern (having Entra ID users with just a UPN and no email). Of course we would like these users to be able to join the organization without having to make a username/password.

Is there any recommendation for this?

Hi again @marnix_lenoble

Thanks for getting back to us on the matter and I am happy to provide some further guidance again!

The reason these users cannot accept the invite is that Auth0 Organization Invites strictly require the authenticating user’s profile to contain an email attribute to securely validate against the invitation ticket.

To resolve this, you need to configure your Entra ID (Azure AD) application to map and send the user’s UPN as the standard email claim. Alternatively, if these users are authenticating via an Enterprise SSO connection, you can completely bypass the invitation system and use an Auth0 Action to automatically assign them to the Organization based on their UPN domain.

As far as my experience goes, you have two paths to fix this, depending on the user experience you want to provide:

Map UPN to the Email Claim in Entra ID (The Direct Fix)

If you want to continue using the Invitation flow, as I have mentioned above, you must force Entra ID to pass the UPN into the email claim so Auth0 can read it. You should be able to do this entirely within the Microsoft Azure Portal.

  1. Go to the Microsoft Entra admin center.
  2. Navigate to Identity > Applications > App registrations and select the app you configured for Auth0.
  3. Go to Token configuration in the left menu.
  4. Click Add optional claim, select ID (and/or Access), and check the box for email.
  5. Next, go to API permissions, ensure the email scope is granted and admin consent is provided.
  6. If using SAML instead of OIDC: go to your Enterprise Application → Single sign-on → Attributes & Claims. Edit the emailaddress claim and set the Source attribute to user.userprincipalname.

Once configured, Auth0 will map the incoming UPN to the Auth0 email profile field, and the invitation validation will succeed.

Just-In-Time (JIT) Auto-Assignment

If these users are logging in via a dedicated Entra ID Enterprise Connection tied to their company, you shouldn’t use Auth0 Invites at all.

Instead, configure an Auth0 Post-Login Action to automatically assign them to their company’s Organization the very first time they log in based on their email/UPN domain.

exports.onExecutePostLogin = async (event, api) => {
  // Only act on logins coming through the dedicated Entra ID enterprise connection
  if (event.connection.name === "Entra-ID-Customer-X") {

    // If the login already carries an organization context, nothing to do
    if (!event.organization) {

      const targetOrgId = "org_abc123";

      // Backticks are required: ${...} is only interpolated inside a template
      // literal, a double-quoted string would send the literal text "${targetOrgId}"
      api.redirect.sendUserTo(`https://your-app.com/api/auth/bounce?org=${targetOrgId}`);
    }
  }
};

In order to execute the bounce seamlessly, you need to bounce them to your app, which instantly redirects back to /authorize?organization=org_id.

If I can help you out with any other questions, let me know!

Kind Regards,
Nik
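As an added example (not Nik's code and not Auth0's own), here is the JIT pattern from the answer above worked into a complete Post-Login Action: it only handles one enterprise connection, skips logins that already have an organization context, derives the target Organization from the domain of the user's email (falling back to the UPN when no email was mapped), and bounces through the app so that /authorize runs with the organization parameter. The connection name, the domain-to-org map, the bounce URL and the presence of a root `upn` attribute on the Auth0 user profile are all assumptions for illustration.

```javascript
// Added example, not the original post's or Auth0's code.
// Assumed/hypothetical values: connection name, bounce URL, domain->org map,
// and the root `upn` attribute on event.user.
const ENTRA_CONNECTION = "Entra-ID-Customer-X";            // hypothetical
const BOUNCE_URL = "https://your-app.com/api/auth/bounce";  // hypothetical
const DOMAIN_TO_ORG = {                                      // constructed map
  "customer-x.example": "org_abc123",
  "customer-x.onmicrosoft.com": "org_abc123",
};

// Use the email if Entra ID sent one, otherwise the UPN (assumed attribute).
// Returns a lowercased address or null when neither looks like user@domain.
function principalIdentifier(user) {
  const id = (user.email || user.upn || "").trim().toLowerCase();
  return id.includes("@") ? id : null;
}

// Decide whether this login needs a bounce and build the URL for it.
// Returns null when nothing should happen: other connection, already in an
// organization, no usable identifier, or a domain with no mapped org.
function resolveBounce(event) {
  if (!event.connection || event.connection.name !== ENTRA_CONNECTION) return null;
  if (event.organization) return null; // organization context already present
  const id = principalIdentifier(event.user || {});
  if (!id) return null;
  const domain = id.slice(id.indexOf("@") + 1);
  const orgId = DOMAIN_TO_ORG[domain];
  if (!orgId) return null; // unknown tenant: do not guess an organization
  return `${BOUNCE_URL}?org=${encodeURIComponent(orgId)}`;
}

// Auth0 Actions entry point; the app behind BOUNCE_URL is expected to redirect
// straight back to /authorize?organization=<org> (as described in the post).
async function onExecutePostLogin(event, api) {
  const url = resolveBounce(event);
  if (url) api.redirect.sendUserTo(url);
}

if (typeof exports !== "undefined") exports.onExecutePostLogin = onExecutePostLogin;
```

The domain map is deliberately explicit: a login whose domain is not listed is left alone rather than assigned to a default organization, so a mis-mapped claim cannot land a user in someone else's tenant.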

Hi Nik,

We tried these steps, but it does not work. The user is still not allowed to accept the invite. We are not using enterprise SSO connections per client and we do not currently wish to implement this.

What exactly do you mean by “and admin consent is provided”? Do we need to select “require admin consent”?

Hi again!

No, you do not need to select “require admin consent.” Instead, “providing admin consent” refers to an Azure administrator actively clicking a button labeled “Grant admin consent for [Your Organization]” in the Azure Portal.

Without this active grant, Microsoft’s security policies may block the custom claims (like the mapped UPN/email) from ever being sent to Auth0, resulting in the failure you are experiencing.

When an Entra ID user clicks an Auth0 Organization Invite and logs in, Auth0 intercepts the profile data returning from Microsoft. To accept the invite, Auth0 strictly requires the root email property of that returning profile to perfectly match the email address you invited.

If it fails with an error like "the specified account is not allowed to accept the current invitation", it means one of two things happened:

  1. Entra ID refused to send the email claim because the application lacked administrative consent.
  2. Entra ID sent the UPN, but didn’t output it specifically into the standard email claim, leaving the email field empty on the Auth0 side.

You can confirm this by going to your Auth0 Dashboard > User Management > Users, finding the user who just attempted to log in, and looking at their Raw JSON. You will likely see that the email property is completely missing.

In enterprise environments, standard users often do not have the authority to consent to applications reading their profile data. You must have a Global Admin or Privileged Role Admin grant this on behalf of everyone.

  1. Log into the Azure Portal / Microsoft Entra admin center.
  2. Navigate to Identity > Applications > App registrations and select your Auth0 application.
  3. In the left menu, select API permissions.
  4. Ensure you have email, profile, and User.Read listed.
  5. Click the button at the top of the list that says “✓ Grant admin consent for [Your Tenant Name]”.
  6. The status column for all permissions should change to green checkmarks.

Even with consent granted, if the user physically has no email address configured in Azure, Microsoft might send a null email claim. You must explicitly configure the token to fall back to the UPN.

  1. In your App Registration in the Azure Portal, go to Token configuration in the left menu.
  2. Click Add optional claim.
  3. Select ID (and repeat for Access if prompted).
  4. Check the boxes for both email and upn.
  5. Click Add.

If the Token Configuration step above doesn’t force the UPN into the email field, you can strictly override the claim in the Enterprise Application settings:

  1. In the Azure Portal, go to Enterprise Applications > select your Auth0 app > Single sign-on.
  2. Edit the Attributes & Claims section.
  3. Click on the claim named emailaddress (or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress).
  4. Change the Source attribute to user.userprincipalname.
  5. Save the configuration.

Let me know if that does the trick or not!

Kind Regards,
Nik
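As an added example (not Nik's code and not Auth0's), the matching rule described above, that the root email of the profile returned by Microsoft must equal the invited address, can be turned into a small diagnostic you run against the user's Raw JSON from the dashboard. It separates the two failure causes listed in the answer (email claim missing versus email present but different from the invitation) and points at the fix for each. The sample profiles are constructed, and the root `upn` attribute is an assumption.

```javascript
// Added example, not the original post's or Auth0's code.
// Classifies why an Organization invite would be rejected, given the Raw JSON
// profile Auth0 stored after the login attempt and the address the invite
// was sent to. The `upn` root attribute is assumed for the hint text.
const INVITE_OK = "ok";
const MISSING_EMAIL = "missing-email-claim";
const EMAIL_MISMATCH = "email-mismatch";

// Compare addresses case-insensitively and ignore stray whitespace.
function normalizeAddress(addr) {
  return typeof addr === "string" ? addr.trim().toLowerCase() : "";
}

// Returns { status, invited, received, hint }.
function diagnoseInvite(rawProfile, invitedEmail) {
  const profile = rawProfile || {};
  const invited = normalizeAddress(invitedEmail);
  const received = normalizeAddress(profile.email);

  if (!received) {
    const upn = normalizeAddress(profile.upn);
    return {
      status: MISSING_EMAIL,
      invited,
      received,
      hint: upn
        ? `profile carries upn ${upn} but no email: map the UPN into the email claim and verify admin consent`
        : "profile has neither email nor upn: check the optional claims and admin consent on the app registration",
    };
  }
  if (received !== invited) {
    return {
      status: EMAIL_MISMATCH,
      invited,
      received,
      hint: "the IdP returned a different address than the one invited: re-issue the invite for the returned address",
    };
  }
  return { status: INVITE_OK, invited, received, hint: "" };
}

// Constructed Raw JSON samples for the three outcomes.
const SAMPLE_PROFILES = {
  noEmailClaim: { user_id: "waad|sample-1", upn: "jane@customer-x.example" },
  wrongAddress: { user_id: "waad|sample-2", email: "jane.doe@customer-x.example" },
  matches:      { user_id: "waad|sample-3", email: "Jane@Customer-X.example" },
};

// Run all samples against one invited address and return a status map.
function runSamples(invitedEmail) {
  const out = {};
  for (const [name, profile] of Object.entries(SAMPLE_PROFILES)) {
    out[name] = diagnoseInvite(profile, invitedEmail).status;
  }
  return out;
}
```

Run `runSamples("jane@customer-x.example")` to see the three classifications side by side; in practice you would paste the Raw JSON of the real user into `diagnoseInvite` together with the address on the invitation.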