Overview
This article describes why new group information may not be included in “event.user.groups” when a user logs in through a Microsoft Azure connection after being added to new groups.
Applies To
- Microsoft Azure (Entra ID)
- User Groups
Cause
This issue occurs because the root profile groups attribute name matches the groups attribute name within the user’s app_metadata. This naming conflict causes the app_metadata groups value to overwrite the root profile groups value when accessed within Auth0 Actions.
- The groups attribute exists at the root level of the user profile.
- The groups attribute also exists in the user’s app_metadata.
- When any attribute shares the same name in both app_metadata and the root profile, the value stored in app_metadata takes precedence and is returned when that attribute is accessed within an Auth0 Action, overriding the root profile value.
For more details, refer to the following documentation on Name Collision in Metadata.
Solution
To avoid this issue, do not use the same name for fields in the app_metadata and root profile.
- Rename any fields that may be overwriting a root profile attribute.
- Because app_metadata fields are merged into the root profile in Actions, naming them differently ensures that there is no conflict and that the root profile field is not accidentally overridden.
- Use distinct names for fields in app_metadata and the root profile to prevent unintentional overrides.
- Use a different name in the app_metadata field to avoid collision.
- Always verify that field names in app_metadata do not overlap with root profile fields when using them in Actions.
Following these best practices can prevent the unintended overwriting of root profile data and ensure that the correct values are retrieved.
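One way to carry out the verification step above on a user profile, as an added example that is not Auth0's code. The function names findMetadataCollisions and effectiveValue and the sample profile are assumptions made for illustration; effectiveValue only models the precedence this article describes.

```javascript
// Added example: find app_metadata keys that shadow root profile attributes.
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Model of the behaviour described in this article: when a name exists in both
// places, the app_metadata value is what an Action reads at event.user.<name>.
function effectiveValue(profile, name) {
  const meta = profile.app_metadata || {};
  return has(meta, name) ? meta[name] : profile[name];
}

// List every app_metadata key that also exists at the root of the profile,
// with both values, so stale overrides can be spotted and the field renamed.
function findMetadataCollisions(profile) {
  const meta = profile.app_metadata || {};
  return Object.keys(meta)
    .filter((name) => has(profile, name))
    .map((name) => ({
      name,
      rootValue: profile[name],
      metadataValue: meta[name],
      // A differing value means Actions see data the identity provider did not send.
      differs: JSON.stringify(profile[name]) !== JSON.stringify(meta[name]),
    }));
}

// Constructed sample profile (not real data): the identity provider now reports
// two groups, but an older copy of the list is still stored in app_metadata.
const sampleProfile = {
  user_id: "example|constructed-user",
  email: "user@example.com",
  groups: ["Sales", "Finance-Approvers"],
  app_metadata: {
    groups: ["Sales"],
    plan: "enterprise",
  },
};

for (const c of findMetadataCollisions(sampleProfile)) {
  console.log(
    `collision on "${c.name}": root=${JSON.stringify(c.rootValue)} ` +
    `app_metadata=${JSON.stringify(c.metadataValue)} differs=${c.differs}`
  );
}
```

Any entry reported with differs=true marks a field whose app_metadata copy should be renamed, since authorization logic reading that name in an Action would act on the stored copy rather than the groups sent at login.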