Failed login logs from Active Directory -> Auth0

An update on this thread: there was some confusion about the setup. All my responses above refer to AD Connections, where the user directory is an on-premises Active Directory or other LDAP server. Auth0 uses the AD-LDAP connector to connect to these servers, which are normally not exposed to the internet. As I said before, this setup is only recommended when the AD server is controlled/owned by the same company that controls the Auth0 domain.

@mathias.persson was referring to Azure AD connections. Azure AD is a cloud directory built from the ground up with federation capabilities. Connecting to customers’ Azure AD domains is perfectly acceptable (usually done by creating a “multi-tenant” application as explained in Connect Your App to Microsoft Azure Active Directory).

As with any other federated authentication protocol, Auth0 gets absolutely no record of invalid credential attempts or any other kind of attack done directly at the external identity provider. Auth0 only gets a response after the authentication succeeds, or an error response if something is wrong in the configuration.
