How to Restrict a Microsoft Azure AD Enterprise Connection to a Specific Organization in Auth0?

Hi team,

We’re implementing a B2B multi-tenant architecture using Auth0 Organizations and Microsoft Azure AD Enterprise Connections.

Our goal is to restrict a specific Azure AD connection (e.g., tied to a customer’s tenant) so that it is only usable by one specific organization in Auth0.

We want to ensure that:

  • The Azure AD connection is not globally available.
  • Only users who initiate login through the specific organization login flow can authenticate using this connection.
  • The application should enforce the use of the organization parameter.

Questions:

  1. What is the correct way to assign and restrict an Azure AD Enterprise connection to a specific organization?
  2. Can we ensure that this connection does not appear or function outside the context of that organization?
  3. Should we disable the connection at the application level and only allow it via organization assignments?

We’ve already enabled “Users must log in through an organization” in the app settings.

Appreciate any best practices or configuration tips!

Thanks in advance.

Hi @stanley.ramakrishnan,

Welcome to the Auth0 Community!

The restriction for your specific Azure AD connection can be achieved directly within the settings of the Auth0 Dashboard.

You are exactly on point with this one. You can disable the connection at the application level (so it will not be generally available) and only enable it for your specific Organization. Only members within that organization will be able to sign in using the specific Azure AD enterprise connection.

That’s great! This way an organization parameter needs to be present in your /authorize URL.

This can be considered best practice, but you could also opt for an alternative approach such as creating a Post-Login Action that makes a query similar to:

exports.onExecutePostLogin = async (event, api) => {
  if (event.connection.id === "your_AzureAD_connection_id" && event.organization?.id !== "your_orgID")
    api.access.deny("This connection can only be used within a specific organization");
};

I hope this helps, and if you have further questions please let me know!
Thanks,
Remus
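The Post-Login Action approach described in the reply above, written out as a complete, locally checkable example. This is an added example, not code from the thread or from Auth0's documentation: the connection ids (`con_PLACEHOLDER_AZURE_AD`, `con_PLACEHOLDER_DATABASE`) and organization ids (`org_PLACEHOLDER_CUSTOMER`, `org_PLACEHOLDER_OTHER`) are placeholders to replace with values from your own tenant, `denialReasonFor`, `enforce` and `runLocally` are names chosen for this example, and `event.connection.id` / `event.organization.id` / `api.access.deny` are the real Actions runtime fields the reply already relies on. Unlike the two-line check in the reply, it also denies a login that reaches the restricted connection with no organization at all (no `organization` parameter on `/authorize`), and it leaves every other connection untouched.

```javascript
// Added example (not from the thread): an Auth0 Post-Login Action that denies
// sign-in when a restricted enterprise connection is used outside the one
// Organization allowed to use it. All ids below are placeholders.

// Restricted connection id -> Set of organization ids allowed to use it.
const RESTRICTED_CONNECTIONS = {
  'con_PLACEHOLDER_AZURE_AD': new Set(['org_PLACEHOLDER_CUSTOMER']),
};

// Pure decision: returns null when the login may proceed, otherwise a reason string.
function denialReasonFor(connectionId, organizationId, restricted = RESTRICTED_CONNECTIONS) {
  const allowedOrgs = restricted[connectionId];
  if (!allowedOrgs) {
    return null; // connection is not restricted; other connections are unaffected
  }
  if (!organizationId) {
    // The login did not go through an organization flow (no `organization` parameter).
    return 'This connection must be used through an organization login';
  }
  if (!allowedOrgs.has(organizationId)) {
    return 'This connection can only be used within a specific organization';
  }
  return null;
}

// Synchronous body shared by the Action entry point and the local check below.
// `event.organization` is only present on organization logins, so guard the access.
function enforce(event, api) {
  const connectionId = event.connection ? event.connection.id : undefined;
  const organizationId = event.organization ? event.organization.id : undefined;
  const reason = denialReasonFor(connectionId, organizationId);
  if (reason !== null) {
    api.access.deny(reason);
  }
  return reason;
}

// Auth0 Actions entry point; the runtime calls it with its own event/api objects.
async function onExecutePostLogin(event, api) {
  enforce(event, api);
}
if (typeof exports !== 'undefined') {
  exports.onExecutePostLogin = onExecutePostLogin;
}

// Minimal stand-in for the runtime `api` object, used only for local checks.
// Returns the list of denial reasons recorded for the given event.
function runLocally(event) {
  const denied = [];
  const fakeApi = { access: { deny: (reason) => denied.push(reason) } };
  enforce(event, fakeApi);
  return denied;
}

// Constructed sample events (not real logins) covering the four cases that matter.
const SAMPLE_EVENTS = {
  viaOrganization: { connection: { id: 'con_PLACEHOLDER_AZURE_AD' }, organization: { id: 'org_PLACEHOLDER_CUSTOMER' } },
  wrongOrganization: { connection: { id: 'con_PLACEHOLDER_AZURE_AD' }, organization: { id: 'org_PLACEHOLDER_OTHER' } },
  noOrganization: { connection: { id: 'con_PLACEHOLDER_AZURE_AD' } },
  otherConnection: { connection: { id: 'con_PLACEHOLDER_DATABASE' }, organization: { id: 'org_PLACEHOLDER_OTHER' } },
};

for (const [name, event] of Object.entries(SAMPLE_EVENTS)) {
  console.log(name, '->', runLocally(event).length === 0 ? 'allowed' : 'denied');
}
```

Keep the Action as a second line of defence behind the dashboard setting the reply recommends (connection disabled for the application, enabled only for the Organization): the dashboard assignment stops the connection from being offered at all, while the Action catches any login that still reaches the connection without the expected organization context.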